Privacy Policy
Effective date: January 1, 2026
Contents
Overview, Information We Collect, What We Do Not Collect, How We Use Information, Data Retention, Sub-Processors, Security, Your Rights, Changes to This Policy, Contact
Overview
SmartFlowCraft, Inc. ('SmartFlowCraft', 'we', 'our') operates SmartFlowCraft Health, a workflow automation platform for healthcare organizations. This Privacy Policy describes how we collect, use, and protect information in connection with the SmartFlowCraft Health platform and the health.smartflowcraft.com website.
Our platform is architecturally designed so that Protected Health Information (PHI) as defined by HIPAA is never transmitted to, stored on, or processed by SmartFlowCraft infrastructure. Patient-identifiable data remains exclusively within your cloud environment (AWS, Azure, or GCP) under your existing Business Associate Agreement with your cloud provider.
Information We Collect
Account information: When you create an account or request a demo, we collect your name, work email address, company name, and role. This information is used to provision your account, respond to inquiries, and provide the services.
Workflow metadata: Our control plane receives anonymized workflow execution metadata — counts, statuses, and timing data. This data contains no PHI. It is used for billing, capacity planning, and platform reliability.
Usage analytics: We collect aggregate usage statistics (page views, feature adoption, performance metrics) using privacy-respecting analytics. No cross-site tracking.
Communications: If you contact us for support or security inquiries, we retain those communications to resolve your issue and improve our services.
What We Do Not Collect
We do not collect, receive, store, or process any of the following: patient names, dates of birth, addresses, medical record numbers, diagnoses, clinical notes, scan files (STL, DICOM, or otherwise), insurance information, or any other field that constitutes PHI under HIPAA.
Our API engine is engineered to reject PHI-shaped fields at the schema layer. Every workflow template enforces additionalProperties: false and a server-side field deny-list. If a request contains a field matching a known PHI pattern, it is rejected with an error before processing.
How We Use Information
Account information is used to: authenticate users, provision platform access, communicate regarding your subscription and account, and send product updates you have opted in to.
Workflow metadata is used to: calculate billable usage, generate your usage dashboard, detect anomalies and platform issues, and plan infrastructure capacity.
We do not sell, rent, or share personal information with third parties for their own marketing purposes.
Data Retention
Account information is retained for the duration of your subscription and for six years thereafter, consistent with standard commercial retention practices.
Workflow execution metadata is retained for 24 months and then aggregated into billing records. Individual run records are deleted.
You may request deletion of your account and associated personal information by contacting privacy@smartflowcraft.com. We will process deletion requests within 30 days.
Sub-Processors
We use the following categories of sub-processors for our control plane infrastructure: hosting and compute (Vercel, Railway), identity and authentication (Supabase), and transactional email. None of these sub-processors receive PHI.
A complete sub-processor list with service descriptions is available on our Security page. We maintain a notification process for sub-processor changes.
Security
We implement administrative, technical, and physical safeguards appropriate for a SaaS platform that handles business metadata. Our control plane uses TLS 1.2 minimum for all connections, HSTS enforcement, and IAM least-privilege policies across all infrastructure.
For details on the architecture governing PHI separation, see our Security page.
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict processing of personal information we hold about you. To exercise these rights, contact privacy@smartflowcraft.com.
California residents: Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, to delete personal information, and to opt out of sale (we do not sell personal information).
EEA/UK residents: We rely on contractual necessity and legitimate interests as our lawful bases for processing. You may lodge a complaint with your local supervisory authority.
Changes to This Policy
We will post any material changes to this Privacy Policy on this page and update the effective date. For changes that materially affect your rights or how we use your data, we will provide additional notice via email to the address associated with your account.
Contact
For privacy questions, deletion requests, or to exercise your rights, contact us at privacy@smartflowcraft.com.
For security-related inquiries: security@smartflowcraft.com.
SmartFlowCraft, Inc. — health.smartflowcraft.com