Privacy Policy

Last updated: February 2026

Data Collected

CauseFlow AI collects the following categories of personal and non-personal data:

  • Account information: Full name, work email address, company name, and team size provided during registration.
  • Usage data: Pages visited, features used, investigation frequency, integration configurations, and session duration.
  • Technical data: Browser type, operating system, IP address, device identifiers, and referral URLs.
  • Communication data: Messages sent through support channels and feedback submissions.

How We Use Data

We use the collected data for the following purposes:

  • Service operation: To provide, maintain, and improve the CauseFlow AI platform, including incident investigation, root cause analysis, and report generation.
  • Communication: To send transactional emails (investigation reports, account notifications) and, with your consent, marketing communications about new features and product updates.
  • Analytics: To understand usage patterns and improve the user experience. We use Google Analytics 4 and Hotjar for anonymized behavioral analytics.
  • Security: To detect, prevent, and respond to fraud, abuse, or security incidents.

Customer Data

During incident investigations, CauseFlow AI accesses customer data from connected integrations (Slack, GitHub, Jira, CloudWatch, HubSpot, databases). This data is handled under strict security protocols:

  • Read on demand: The AI agent reads data only during active investigations. Data is accessed in real time, analyzed in memory, and discarded immediately after the investigation concludes.
  • No persistence: Raw customer data from integrations is never stored on our servers. Only the investigation report (root cause, timeline, recommendations) is retained.
  • Never used for training: Customer data is never used to train, fine-tune, or improve AI models for other customers or third parties. Each tenant's data is strictly isolated.
  • PII redaction: Sensitive data such as emails, phone numbers, social security numbers, and payment card numbers are automatically detected and anonymized using Microsoft Presidio before LLM processing.

Data Sharing

CauseFlow AI does not sell, rent, or share your personal data with third parties for marketing purposes. We share data only in the following limited circumstances:

  • AWS Bedrock (LLM provider): Investigation data is sent to AWS Bedrock for AI processing under strict contractual terms. AWS does not use customer data to train models, and model providers have zero access to prompts or completions. AWS Bedrock holds ISO/IEC 42001 certification.
  • Service providers: We use essential infrastructure providers (AWS for hosting, Stripe for payments, Formspree for form submissions) under data processing agreements that prohibit use of data for any purpose other than providing their services.
  • Legal obligations: We may disclose data when required by law, regulation, legal process, or governmental request.

Data Retention

  • Account data: Retained for the duration of your active account. Upon account deletion, all personal data is purged within 30 days, except where retention is required by law.
  • Investigation audit trails: Retained according to your plan and contractual terms. Audit trails are stored in immutable S3 Object Lock (WORM) storage. Enterprise customers can configure custom retention periods.
  • Analytics data: Anonymized usage data may be retained indefinitely for aggregate statistical analysis.

LGPD Rights

If you are located in Brazil, you are entitled to the following rights under the Lei Geral de Proteção de Dados (LGPD):

  • Right of access: Obtain confirmation of the existence of processing and access to your personal data.
  • Right of correction: Request correction of incomplete, inaccurate, or outdated data.
  • Right of deletion: Request deletion of personal data processed with your consent or in excess of the purpose.
  • Right of portability: Request transfer of your personal data to another service provider in a structured, commonly used format.
  • Right to information: Be informed about third parties with whom your data is shared.
  • Right to revoke consent: Revoke your consent at any time, without affecting the lawfulness of processing performed prior to revocation.

We will fulfill all LGPD data subject requests within 15 calendar days. Breach notifications will be sent to the ANPD and affected data subjects within 72 hours of detection.

GDPR Rights

If you are located in the European Economic Area (EEA) or the United Kingdom, you are entitled to the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: Request a copy of the personal data we hold about you.
  • Right of rectification: Request correction of inaccurate or incomplete personal data.
  • Right of erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right of portability: Receive your personal data in a structured, machine-readable format.
  • Right to object: Object to processing of your personal data for direct marketing or based on legitimate interests.
  • Right to restrict processing: Request restriction of processing while we verify accuracy or assess an objection.
  • Right to automated decision review: Request human review of any decisions made solely through automated processing that significantly affect you.

We will respond to all GDPR data subject requests within 30 calendar days. Data breach notifications will be submitted to the relevant supervisory authority within 72 hours of detection.

International Transfers

CauseFlow AI processes data primarily on AWS infrastructure in the United States. For transfers of personal data from the EEA, UK, or Brazil to third countries, we rely on:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as the legal mechanism for cross-border data transfers, ensuring adequate protection regardless of destination.
  • Supplementary measures: Encryption in transit (TLS 1.3) and at rest (AES-256 via KMS, per tenant), access controls, and regular security assessments.

DPO / Data Controller Contact

For any privacy-related questions, data subject requests, or concerns, please contact our Data Protection Officer:

  • Email: privacy@causeflow.ai
  • Address: CauseFlow AI, Data Protection Officer

We are committed to resolving any complaints about our collection or use of your personal data. If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.