Privacy Policy

Last updated: February 7, 2026

PullyFlow ("we", "our", or "us") operates the pullyflow.com website and the PullyFlow SaaS platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

We collect information you provide directly to us:

• Account Information: When you register, we collect your name and email address. We use passkey (WebAuthn) authentication, so we do not store passwords.
• Payment Information: Payment processing is handled by Stripe and/or Whop. We do not store credit card numbers. We retain your Stripe customer ID and subscription status.
• Portal Configurations: Workflow definitions and portal configuration JSON you create within the service.
• Usage Data: Workflow execution logs, timestamps, and performance metrics.

2. Portal Credentials

When you configure PullyFlow to automate a web portal, you may provide login credentials for that portal. These credentials are:

• Stored as encrypted Cloudflare Worker secrets
• Never logged, exposed in API responses, or shared with third parties
• Used only to authenticate with the target portal during workflow execution
• Deletable at any time by you through the Cloudflare dashboard or CLI

3. How We Use Your Information

• To provide, maintain, and improve our service
• To process your subscription and payments
• To send transactional emails (via EmailIt) such as welcome messages, billing receipts, and usage alerts
• To monitor service performance and detect errors
• To respond to your support requests

4. Data Storage and Security

Your data is stored on Cloudflare's global network infrastructure. We use:

• HTTPS encryption for all data in transit
• Cloudflare KV for session and account data with encryption at rest
• Cloudflare Workers secrets for sensitive credentials
• Security headers including HSTS, CSP, and X-Frame-Options on all responses

5. Third-Party Services

We use the following third-party services:

• Cloudflare: Infrastructure, CDN, and Worker runtime
• Stripe: Payment processing and subscription management
• Whop: Alternative payment processing (when enabled)
• EmailIt: Transactional email delivery

Each service has its own privacy policy governing their handling of your data.

6. Data Retention

• Account data is retained while your account is active
• Workflow execution logs and screenshots are retained for 30 days
• Payment records are retained as required by law (typically 7 years)
• You may request deletion of your account and associated data at any time

7. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Opt out of marketing communications

8. Cookies

We use minimal cookies. Session tokens are stored in your browser's local storage using secure, httpOnly-equivalent mechanisms. We do not use third-party tracking cookies.

9. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the service. Your continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at:

privacy@pullyflow.com