Legal

Privacy Policy

Last updated: 22 May 2025

1. Introduction

PopFlow (“we”, “us”, or “our”) operates the PopFlow service available at popflow.dev (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using PopFlow, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Information you provide directly:

  • Your Webflow account information (name, email address) obtained via Webflow OAuth authorisation.
  • Popup configurations you create: names, trigger settings, content (headlines, body text, images), and style settings.

Information collected automatically:

  • Webflow site IDs and site names associated with your installations.
  • An OAuth access token, stored encrypted at rest, required to call the Webflow API on your behalf.
  • Standard server log data including IP addresses, browser type, and pages visited, retained for up to 30 days.

Information collected from your site visitors:

  • If you enable the email capture feature in a popup, email addresses submitted by your site’s visitors are transmitted to our API and associated with your installation. You are responsible for obtaining appropriate consent from your site visitors before collecting their data.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the PopFlow Service.
  • Authenticate with the Webflow API to inject and manage custom code on your behalf.
  • Store and serve your popup configurations to your Webflow site visitors.
  • Communicate with you about your account, including important service updates.
  • Improve and develop new features for the Service.
  • Comply with legal obligations.

We do not sell, trade, or rent your personal information to third parties.

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted by Neon (serverless Postgres) and our application runs on Vercel infrastructure. Both services are SOC 2 compliant.

We implement industry-standard security measures to protect your data. OAuth tokens are stored encrypted at rest. However, no method of transmission over the internet or electronic storage is 100% secure.

5. Third-Party Services

We use the following third-party services to operate PopFlow:

  • Webflow — We use the Webflow OAuth 2.0 API to read your site information and inject custom scripts. Your use of Webflow is also governed by Webflow’s Privacy Policy.
  • Vercel — Hosts our application. See Vercel’s Privacy Policy.
  • Neon — Hosts our database. See Neon’s Privacy Policy.
  • Resend — Sends email notifications to you (the site owner) when a visitor submits their email through one of your popups. The lead’s email address is included in that notification. See Resend’s Privacy Policy.

6. Cookies & Local Storage

The script PopFlow injects into your Webflow site does not set cookies and does not track visitors across other websites or for advertising. It does use your visitors’ browser local storage and session storage for a single purpose: to remember which popups or announcement bars a visitor has already seen, so we can respect your “show frequency” setting (for example, “once per session” or “once per week”). This data stays in the visitor’s browser and is not sent to us.

Our dashboard application does not use advertising or tracking cookies.

7. Data Retention

We retain your account data for as long as your installation is active. If you disconnect PopFlow from your Webflow site or request deletion, we will delete your installation data, popup configurations, and any associated email addresses within 30 days.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Erasure — Request deletion of your data.
  • Portability — Request your data in a portable format.
  • Objection — Object to certain types of processing.

To exercise any of these rights, email us at hello@popflow.dev. We will respond within 30 days.

9. Children's Privacy

PopFlow is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us at hello@popflow.dev.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, please contact us: