Privacy Policy
How DPAFlow approaches personal data across our website and the vendor-monitoring application — written plainly for privacy teams.
Last updated: June 24, 2026
01 Overview
This Privacy Policy explains how DPAFlow handles personal data when you use our website and the DPAFlow application for vendor and subprocessor change monitoring. It is written to be clear for privacy professionals and to reflect how the product actually works.
DPAFlow monitors the public pages you choose to watch, captures dated evidence when they change, and helps your team review and export those records. We aim to collect only what that work needs.
02 Who we are
DPAFlow (“we”, “us”) provides the vendor-monitoring service described on this site. For data you process inside your workspace, you act as the controller and DPAFlow acts as a processor on your behalf, as set out in our Data Processing Addendum.
Questions about this policy or our data protection practices can be directed through our contact page.
03 What data we process
Depending on how you use DPAFlow, we may process:
- Account data — name, work email, and workspace membership for the people you invite.
- Configuration data — the source URLs you choose to monitor and your review settings.
- Evidence data — captures of the public pages you monitor, with timestamps and content hashes.
- Usage data — aggregated, largely non-identifying information about how the product is used.
- Support and contact data — messages you send us and the context you choose to include.
04 How we use data
We use personal data to:
- Provide and operate the monitoring, evidence, and review features you configure.
- Secure workspaces, authenticate users, and apply role-based access.
- Provide support and respond to your inquiries.
- Improve reliability and usability using aggregated insights.
We do not sell personal data.
05 Legal bases
Where the GDPR applies, we rely on the legal basis appropriate to each purpose — typically performance of a contract (providing the service you signed up for), our legitimate interests (security and product improvement, balanced against your rights), and consent where required (for example, non-essential cookies).
We apply the legal basis appropriate to each processing activity and purpose.
07 International transfers
Workspace data is hosted in the EU by default. Where personal data is transferred outside the EEA, we use an appropriate transfer mechanism such as Standard Contractual Clauses, together with supplementary measures where needed. Details of the transfer mechanisms we rely on are available on request.
08 Retention
We keep personal data for as long as needed to provide the service and to meet legal and operational requirements. Evidence records are your customer-controlled data: you can export them, and they are removed in line with your account terms when you no longer need DPAFlow. Specific retention periods depend on the type of data and applicable legal requirements.
09 Your rights
Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. Where we rely on consent, you can withdraw it at any time.
To exercise these rights, contact us via the contact page. If DPAFlow processes data on behalf of your organization, requests may be directed through that organization as controller.
11 Changes to this policy
We may update this policy as the product and our legal obligations evolve. Material changes will be reflected here with an updated date.
12 Contact
Questions about this policy or your data? Reach us through the contact page and select the Privacy / DPA subject.