ApudFlow Privacy Policy

Effective Date: 02 Oct 2025
Version: 2025-10-02

This Privacy Policy explains how Loquen Lab LLC ("ApudFlow", "we", "us", "our") collects, uses, retains, protects and discloses information relating to users ("you") of the ApudFlow Platform ("Platform"). By accessing or using the Platform you consent to this Policy. If you disagree, discontinue use.

1. Data Controller / Contact

Loquen Lab LLC is the data controller for processing described herein.
Email: [email protected] (privacy inquiries)
Legal / compliance: [email protected]

2. Categories of Data Collected

We may process the following categories (depending on your interactions):

Category	Examples	Mandatory?
Account Identifiers	Internal user ID, username, auth provider ID	Yes (core usage)
Contact	Email (if provided by identity provider)	Conditional
Technical / Usage	IP address, timestamps, user agent, logs, feature flags, error traces	Yes (security & diagnostics)
Billing & Credits	Credit balance, transactions meta, auto top‑up settings (no full payment card PAN stored)	Conditional (if using paid)
Monetization	Earnings events, pricing configurations, asset IDs	Conditional
Messages	System messages, user‑to‑user messages (thread & metadata)	Conditional
Workflow / Worker Metadata	Names, parameters, structural definitions (not necessarily contents of secret values)	Conditional
Support / Feedback	Tickets, emails, form submissions	Conditional
AI Prompt / Output Fragments	Text you submit to AI assist features + generated responses (may undergo transient logging)	Conditional

Sensitive categories (e.g. government IDs, health data) are neither required nor intentionally collected. Do not submit them.

3. Sources of Data

Direct input (account setup, profile edits, workflow creation).
Authentication provider (OIDC / OAuth claims).
Automatic collection (logs, metrics, security tooling).
Voluntary user messages or feedback.
Payment / billing processors (transaction tokens, status).
AI feature interactions (prompts, completions) processed via integrated model providers.

4. Purposes of Processing

Purpose	Legal Basis (where applicable)
Provide core Platform features	Contract necessity
Account & session security	Legitimate interest / Contract
Billing, credits & monetization	Contract necessity
Abuse, fraud & moderation controls	Legitimate interest
Analytics & performance tuning (aggregate)	Legitimate interest (minimal / pseudonymized)
Legal compliance & enforcement	Legal obligation / Legitimate interest
AI assisted transformations	Contract necessity / Legitimate interest
User communications & support	Contract necessity / Legitimate interest
Marketing (if opted‑in)	Consent

5. Legal Bases (Summary – EEA / Similar Regimes)

Where required by data protection laws we rely on: performance of contract, legitimate interest (balanced test maintained), legal obligation, or consent (for optional communications). We avoid relying on consent when another lawful basis is more appropriate.

6. Data Minimization & Retention

We keep personal data only for as long as needed:

Data Type	Typical Retention	Notes
Account & profile	Life of account + short grace (≤90 days)	Basic identifiers
Logs (standard)	30–180 days	Security, diagnostics, aggregated thereafter
Messages	Until deleted by user or retention policy	Threads may persist anonymized
Billing records	7–10 years (jurisdictional accounting)	Required for audit
AI prompts/output logs	≤30 days (service improvement / abuse)	May be aggregated earlier
Backups	Rolling cycles (e.g. 30–60 days)	Encrypted at rest

Upon expiry we delete or irreversibly anonymize.

7. Security Measures

Controls include: transport encryption (TLS), role‑based access, least privilege, audit logging, anomaly detection, secret management, routine patching, segregated environments, encryption at rest for key data stores. No system is perfectly secure; report suspected issues to [email protected].

We do NOT sell personal data. We may share with:

Infrastructure & hosting providers (cloud, CDN).
Payment processors (processing credit purchases).
Analytics/monitoring (aggregated telemetry).
Moderation / security tooling (threat detection).
Professional advisors (legal, accounting).
Authorities when legally required or to protect rights, safety or comply with law.
Third parties are bound by contractual obligations (data processing agreements) where required.

9. International Transfers

Where data moves outside your jurisdiction we implement appropriate safeguards (e.g. Standard Contractual Clauses, transfer risk assessments). Additional measures (encryption / pseudonymization) may be applied.

10. AI & Automated Processing

AI features may analyze prompts and produce outputs. We do not use your private workflow logic to publicly train models without consent. Limited human review may occur for abuse detection or quality evaluation under confidentiality obligations. No solely automated decision produces legal or similarly significant effects without recourse.

11. Cookies & Similar Technologies

We primarily rely on essential session tokens and minimal local storage for preference or anti‑abuse markers. Non‑essential marketing / tracking cookies are not currently deployed. If adopted, a separate consent banner will describe categories and preferences.

12. Your Rights (Subject to Jurisdiction)

Rights may include: access, rectification, erasure, restriction, objection, portability, withdrawal of consent (prospective), complaint to supervisory authority, opt‑out of certain processing. Exercise via [email protected] (we may need to verify identity). Responses typically within 30 days.

13. Children

The Platform is not directed to children under 16 (or lower age defined locally). We do not knowingly collect such data. If you believe a child provided information, contact us for removal.

14. Third‑Party Links / Integrations

External links or plugins operate under their own policies; review them separately. We disclaim responsibility for third‑party practices.

15. Data Breach Procedure

We maintain incident response playbooks. In the event of a breach impacting personal data, we will notify affected users and/or authorities in accordance with applicable law (content: nature, categories, mitigation steps, contact).

16. Aggregated & Anonymized Data

We may aggregate or anonymize data for statistical insights (performance metrics, adoption trends). Such information no longer constitutes personal data.

17. Automated Communications

Transactional or security emails (e.g. password reset, policy acceptance, moderation) are mandatory. Optional marketing requires prior consent and includes an opt‑out mechanism.

18. California / Regional Addenda (Illustrative)

If required (e.g. CCPA / CPRA), additional disclosures (categories sold/shared = none, right to limit use of sensitive information = not applicable presently) may be published as an Addendum.

19. Changes to this Policy

Revisions will carry a new "Effective Date". Material changes may trigger re‑acceptance. Maintain awareness by checking periodically.

20. Contact

Privacy & data rights: [email protected]
Security: [email protected]
Legal notices: [email protected]

By continuing to use the Platform you acknowledge you have read and understood this Privacy Policy.

Last updated: 02 Oct 2025

1. Data Controller / Contact​

2. Categories of Data Collected​

3. Sources of Data​

4. Purposes of Processing​

5. Legal Bases (Summary – EEA / Similar Regimes)​

6. Data Minimization & Retention​

7. Security Measures​

8. Data Sharing & Disclosures​

9. International Transfers​

10. AI & Automated Processing​

11. Cookies & Similar Technologies​

12. Your Rights (Subject to Jurisdiction)​

13. Children​

14. Third‑Party Links / Integrations​

15. Data Breach Procedure​

16. Aggregated & Anonymized Data​

17. Automated Communications​

18. California / Regional Addenda (Illustrative)​

19. Changes to this Policy​

20. Contact​