PragFlow Privacy Policy

This Privacy Policy explains how PragFlow OÜ ("PragFlow", "we", "us", or "our"), collects, uses, and protects personal data when you use our website and platform.

We are committed to being transparent about our data practices and giving you control over your information.

1. Who We Are and Our Roles

PragFlow acts in two different roles depending on the context:

- We are the Data Controller for account registration, billing, support interactions, website analytics, and service security. This means we decide why and how this data is processed.

- We are the Data Processor for all the data inside your workspaces (inspections, registers, lab results, personnel records, biometric data, chat messages, etc.). In this role, we process data only according to your instructions as set out in our Data Processing Agreement.

2. What Data We Collect

We collect different types of data depending on how you use PragFlow:

Account and contact information: Name, email address, phone number, job title, and company name.

Billing information: Company details, VAT ID, and payment information processed through Stripe.

Workspace data: Everything you and your team create or upload inside the platform, including inspection records, photos, lab results, asset information, personnel profiles, QR scan logs, chat messages, and AI interaction history.

Usage and technical data: IP addresses, browser information, device details, login timestamps, and how you interact with the platform.

3. Sensitive Data

We process two types of sensitive data:

Biometric data: Facial recognition templates are only collected when you explicitly enable the Enterprise facial recognition feature. We never use this data for any purpose other than check-in verification, and it is never sent to any AI system.

Health and safety data: Information that may appear in safety inspections or incident reports. You determine the legal basis for processing this data.

4. Why We Process Your Data

We process data for the following main purposes:

- To provide and maintain the PragFlow platform (contractual necessity)
- To improve and develop our product and services (legitimate interest)
- To ensure security and prevent fraud (legitimate interest)
- To send important notifications and support messages (contractual necessity)
- To comply with legal obligations

We do not sell any personal data to anyone, ever. Your data is only accessed by our internal team when necessary for investigating technical issues, improving the product, or providing customer support.

5. AI Features

PragFlow offers several AI-powered features, including checklist import, lab result extraction, CAPA suggestions, and image analysis.

All AI processing happens within the European Union using Google Cloud services. We do not use your identifiable data to train third-party AI models unless you explicitly opt in. Biometric data is not sent to any AI system.

6. Data Sharing

We only share data with trusted service providers who help us operate the platform:

- Hetzner (Germany/Finland) – Hosting and infrastructure
- Google Cloud (EU) – AI processing (no biometric data)
- Stripe (United States) – Payment processing (billing data only)

We have Data Processing Agreements in place with all of these providers. We never sell your data or share it with third parties for marketing purposes.

7. International Data Transfers

All customer data is stored and processed within the European Union. The only exception is Stripe for billing, which is protected by Standard Contractual Clauses and the EU-US Data Privacy Framework.

Biometric data never leaves the European Union under any circumstances.

8. Your Rights

You have the following rights under GDPR and other applicable laws:

- Access your personal data
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing based on legitimate interest

To exercise these rights, please contact us at privacy@pragflow.com. We will respond within 30 days.

9. Data Retention

We keep your data only as long as necessary:

- Active customer data: While your subscription is active
- After termination: Reasonable export period, then deletion from active systems
- Biometric templates: Deleted within 48 hours of consent withdrawal
- Billing records: 7 years (legal requirement)
- Service logs: Up to 12 months for security purposes

10. Security

We use industry-standard security measures, including AES-256 encryption at rest, TLS encryption in transit, tenant isolation, multi-factor authentication for administrative access, and regular security audits.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the platform. Your continued use of PragFlow after changes take effect means you accept the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us at:

privacy@pragflow.com

PragFlow OÜ
Kungla tn 13-4
Tallinn Harjumaa 10411
Estonia

Supervisory authority: Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia

Last updated: May 7, 2026