Privacy Policy

Last Updated: 12th March 2026

Welcome to Workflow Machine (“we,” “our,” or “us”). Workflow Machine is a workflow automation platform that allows users to create, run, and manage automated workflows, integrations, and AI-powered processes (the “Service”).

Your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

We collect information in the following ways:

a. Account Information

When you create an account, we may collect:

  • Name
  • Email address
  • Login credentials
  • Profile information you choose to provide

b. Connection & Integration Data

When you connect third-party services (e.g., Google, Slack, email providers, storage services), we may collect and store:

  • OAuth tokens
  • API credentials (encrypted)
  • Account identifiers from connected services
  • Metadata necessary to operate integrations

We do not access your third-party data unless required to perform actions explicitly configured by your workflows.

c. Workflow & Automation Data

To operate the Service, we may process data that passes through your workflows, including:

  • Text inputs
  • Files and attachments
  • API responses
  • Automation configuration settings
  • Logs of workflow executions

This data may include personal data depending on how you configure your workflows.

d. Usage Information

We automatically collect certain technical data:

  • IP address
  • Browser type and device information
  • Access times
  • Feature usage and performance metrics
  • Error logs

We use cookies and similar technologies (such as local storage, pixels, and analytics tags) to operate and improve the Service.

For analytics, we use Google Analytics to understand aggregate usage patterns (for example, page views, feature usage, and traffic sources). Google Analytics may set cookies or collect device and usage identifiers.

You can control cookies through your browser settings and can opt out of Google Analytics using Google's opt-out tools.

e. AI Processing Data

If you use AI features, inputs you send to AI actions (e.g., prompts, documents, or messages) are processed to generate outputs. These inputs and outputs may be temporarily stored for:

  • Providing the feature
  • Debugging failures
  • Improving reliability and safety

We do not use your content to train our own AI models unless explicitly stated and consented to.

2. How We Use Your Information

We use collected information to:

  • Provide and operate the Service
  • Execute your workflows and automations
  • Authenticate users
  • Maintain integrations with third-party services
  • Process AI actions requested by you
  • Improve product performance and reliability
  • Prevent abuse, fraud, and unauthorized access
  • Provide support and respond to inquiries
  • Comply with legal obligations

3. How Workflows Process Data

Our platform acts as a data processor on your behalf.

Any data processed inside workflows is processed solely according to your configuration and instructions. You control:

  • what data enters the workflow
  • where it is sent
  • which services receive it
  • how long it is retained

We do not review workflow contents except:

  • when required for troubleshooting you requested
  • when required for security investigation
  • when required by law

For account administration, billing, service security, abuse prevention, and operational analytics, we act as an independent data controller.

Where required by law or contract, we can enter into a Data Processing Addendum (DPA) that governs our processing of personal data on your behalf.

4. User Responsibility for Data Processed in Workflows

You are solely responsible for the data you choose to process using the Service.

You represent and warrant that you have all necessary rights, permissions, and legal bases (including consent where required) to collect, use, and transmit any personal data through workflows you create.

You agree not to use the Service to process:

  • unlawful data
  • data obtained without proper authorization
  • sensitive personal data (such as health, biometric, financial account credentials, or government identifiers) unless you are legally permitted to do so

We do not determine the legality of your workflows and do not act as a controller of data processed through them.

5. Third-Party Integrations and Subprocessors

The Service allows you to connect and interact with third-party services (“Integrations”) and also relies on service providers that process data on our behalf (“Subprocessors”).

a. Integrations You Enable

When you enable an Integration, data may be transmitted to or received from that third party strictly according to the workflows and instructions you configure.

By enabling an Integration, you instruct us to process and transmit data on your behalf to that provider.

We do not control and are not responsible for how third-party services process data once transmitted. Each provider operates under its own privacy policy and terms.

Examples of supported integrations include:

Communication & Productivity Providers

  • Slack — https://slack.com/privacy-policy
  • Notion — https://www.notion.so/help/privacy
  • Airtable — https://www.airtable.com/privacy
  • Google Workspace services (Gmail, Google Drive, Google Sheets, Google Calendar) — https://policies.google.com/privacy
  • Microsoft Outlook — https://privacy.microsoft.com/privacystatement
  • Telegram — https://telegram.org/privacy

AI Processing Providers

When you use AI features, content you provide may be sent to AI model providers to generate outputs:

  • OpenAI — https://openai.com/policies/privacy-policy
  • Anthropic — https://www.anthropic.com/privacy
  • Google Gemini — https://policies.google.com/privacy
  • DeepSeek — https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html
  • Grok (xAI) — https://x.ai/legal/privacy-policy

We do not control how these providers store or process data. You are responsible for ensuring that you have the legal right to send data to these services.

Payment Processor

  • Stripe — https://stripe.com/privacy

We do not store full payment card information. Payment data is handled directly by Stripe.

b. Our Subprocessors (Service Providers)

We use subprocessors to support core operations of the Service. These providers process data under our instructions for limited business purposes such as hosting, storage, security, payments, analytics, and AI processing.

Categories of subprocessors include:

  • Cloud infrastructure providers (including Google Cloud Platform)
  • Payment processor (Stripe)
  • AI processing providers listed above when you use AI features
  • Product analytics providers (including Google Analytics)

Examples of current SaaS service providers include:

  • Google Cloud Platform (hosting, storage, and infrastructure services) — https://cloud.google.com/terms/cloud-privacy-notice
  • MongoDB (database services) — https://www.mongodb.com/legal/privacy-policy
  • Redis (caching/in-memory data services) — https://redis.io/legal/privacy-policy/
  • Postmark (transactional email delivery) — https://postmarkapp.com/privacy-policy

For subprocessor-related requests, you may contact us using the details in Section 18.

6. AI-Generated Content

The Service may generate outputs using artificial intelligence systems.

AI-generated outputs:

  • may be inaccurate
  • may be incomplete
  • may not reflect real-world facts

You are solely responsible for reviewing and validating any AI-generated content before relying on it, sending it to others, or using it in decision-making.

We do not provide professional, legal, financial, medical, or compliance advice through AI features.

7. Google API Services User Data

Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only access Google user data to provide features explicitly requested by the user.
  • We do not use Google Workspace data (including Gmail content) to train generalized AI or machine learning models.
  • We do not sell Google user data.
  • We do not share Google user data with third parties except as required to perform actions initiated by the user’s workflows.

Google user data is only retained as long as necessary to provide the Service functionality.

8. LLM Data Handling

When you use AI features, data sent to LLM-powered actions is handled under tenancy, residency, and retention controls.

a. LLM Data Tenancy

  • Customer data (including prompts, context, attachments, and model outputs) is logically separated by team or account tenancy boundaries in our systems.
  • We implement access controls designed to prevent one customer from accessing another customer’s AI data.
  • LLM requests are processed only to provide the AI features you invoke and are not shared with unrelated customers.
  • Where third-party AI providers are used, they act as subprocessors under our instructions for inference services.
  • We do not use your content to train our own generalized AI models unless explicitly stated and consented to.
  • Retention and deletion of LLM-related data follow the retention, archival, and deletion timelines described in Sections 11 and 12.

b. LLM Data Residency

  • We currently use us-central1 (Google Cloud Platform, United States) as the primary region for LLM-related data processing and storage.
  • LLM-related data submitted through the Service is processed and stored in us-central1 by default.
  • Some third-party AI providers may process data in their own supported regions based on their infrastructure and terms.
  • Some operational metadata, security logs, and backup systems may be processed in other regions only when required for reliability, abuse prevention, legal compliance, or incident response.
  • When cross-border transfers occur, we apply reasonable contractual and technical safeguards consistent with this Privacy Policy.

c. LLM Retention Settings

  • Where provider controls are available, we configure them to disable use of customer content for model training.
  • Where provider controls are available, we configure them to minimize or disable provider-side data retention.
  • If a provider requires temporary retention for abuse monitoring, safety, reliability, or legal compliance, we limit usage to providers with appropriate contractual and technical safeguards.
  • We periodically review provider settings and subprocessor terms to confirm they remain aligned with this policy.

9. Data Storage and Security

We implement reasonable administrative, technical, and organizational safeguards, including:

  • Primary data storage in us-central1 (Google Cloud Platform, United States)
  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive credentials
  • Access control and authentication
  • Secure infrastructure providers

However, no system can be completely secure, and we cannot guarantee absolute security.

10. Security Incidents

If we become aware of a security incident affecting your personal data, we will take reasonable steps to investigate and, where required by law, notify affected users and relevant authorities.

11. Data Retention

We retain data only as long as necessary to provide the Service, including:

  • Account data: retained while your account is active
  • Workflow logs: retained for operational and debugging purposes
  • Integration credentials: retained until you disconnect the integration
  • Backups: retained for a limited recovery period

You may delete workflows, connections, or your account at any time.

Upon account deletion, your personal data will be deleted or anonymized within a reasonable timeframe, except where retention is legally required.

12. Data Archival and Deletion

To support reliability and recovery, certain data may be moved from active systems into archived storage.

a. Archival

  • Workflow execution logs and related operational records may be archived after they are no longer needed for active product use.
  • Archived data is retained only for limited business purposes, such as recovery, security investigations, and legal compliance.
  • Archived data remains protected under the same security controls described in this Privacy Policy.

b. Deletion

  • When you delete workflows, connections, or other resources, they are removed from active systems.
  • Unless otherwise stated, the deletion retention period is up to 30 days from the date of your deletion action or valid deletion request.
  • During this period, deleted data is isolated from normal product use and retained only for recovery, security, and integrity purposes.
  • After this period, automated background jobs permanently delete the data from active systems and scheduled backup rotation processes.
  • We process account deletion requests and remove or anonymize personal data within a reasonable period, unless we must retain certain data for legal, tax, fraud-prevention, dispute-resolution, or security reasons.

c. Deletion Requests and Exceptions

  • You may request deletion of your account data by contacting us using the details in Section 18.
  • We may retain minimum necessary records where required by applicable law, valid legal process, or legitimate security and abuse-prevention needs.
  • We may maintain records of deletion requests and deletion operations for compliance and audit purposes.
  • Once retention obligations expire, we delete or anonymize the remaining data.

13. Data Sharing and Disclosure

We do not sell your personal data.

We may share data only in the following cases:

  • With infrastructure providers (hosting, database, monitoring) strictly to operate the Service
  • With services you explicitly connect through workflows
  • To comply with legal obligations or law enforcement requests
  • To protect the rights, safety, and security of the Service and users

14. International Data Transfers

Your data is primarily processed and stored in us-central1 (Google Cloud Platform, United States), which may be outside your country. By using the Service, you consent to such transfers where necessary to operate the platform.

We take reasonable steps to ensure appropriate safeguards are in place.

15. Your Rights

Depending on your jurisdiction (including GDPR and Singapore PDPA), you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion
  • Withdraw consent
  • Request data export

You may exercise these rights by contacting us at the email below.

16. Children’s Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from individuals under 18.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users by updating the “Last Updated” date or via the Service when required.

Continued use of the Service after updates constitutes acceptance of the revised policy.

18. Contact Us

If you have any questions or requests regarding this Privacy Policy, please contact:

© 2026 Workflow Machine
Privacy
Terms