Privacy Policy
Last updated: April 2025
Who we are
Policyflow is operated by Applikeable. We build software that helps organisations manage policy distribution and employee attestation. If you have questions about this policy, contact us at hello@applikeable.com.
What data we collect
We collect the minimum needed to run the service:
- Account data — name, work email address, and password hash for anyone who creates or manages a Policyflow account.
- Attestation records — when a recipient confirms a policy, we record their name, email address, the policy version they saw, and the timestamp of their confirmation.
- Directory data — when you connect a Microsoft Entra ID (formerly Azure Active Directory) or Google Workspace directory, we sync user and group information to determine who should receive which policies. We store only what is needed to route policies correctly.
- Usage data — standard server logs including IP addresses, browser type, and pages visited. We use this to keep the service running and diagnose problems.
Why we collect it
- To provide the service you have signed up for.
- To generate the attestation records and audit exports your organisation relies on for compliance purposes.
- To send transactional emails (policy distribution links, reminders, and account notifications).
- To improve reliability and fix bugs in the product.
The legal basis for processing is performance of a contract (your subscription) and, where applicable, our legitimate interests in operating a secure and reliable service. Attestation records may also be processed on the basis of your organisation's legal compliance obligations.
Who we share data with
We do not sell personal data. We share data only with the sub-processors needed to deliver the service:
- Supabase — database and authentication hosting.
- Scaleway — email delivery infrastructure.
- OpenAI — AI-assisted policy editing features. Text submitted to the AI editor is processed by OpenAI's API. We do not send attestation records or personal data to OpenAI.
- Vercel — application hosting and edge infrastructure.
All sub-processors are required to handle data in accordance with GDPR. We will update this list if we add new sub-processors.
How long we keep data
Account data is kept while your subscription is active and for 30 days after cancellation so that the account can be reinstated. Attestation records are retained for as long as your account is active: they form part of your compliance evidence, and deleting them early would defeat their purpose. After account closure, all data is deleted within 60 days; request an export before closing the account if you need to keep a copy.
Your rights under GDPR
If you are located in the EEA or UK, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data (subject to our retention obligations above).
- Object to or restrict certain types of processing.
- Receive a copy of your data in a portable format.
- Lodge a complaint with your national data protection authority.
To exercise any of these rights, email us at hello@applikeable.com. We will respond within 30 days.
Cookies
We use only the cookies necessary to keep you logged in and to maintain session state. We do not use tracking cookies or third-party advertising cookies.
Changes to this policy
If we make material changes, we will notify account holders by email before the changes take effect. The “last updated” date at the top of this page will always reflect the current version.