OnboardFlow
Pricing

Privacy Policy

Last updated: March 16, 2026

1. Information We Collect

When you use OnboardFlow, we collect the following information:

  • Account information: Your name, email address, and company name when you create an account.
  • Client data: Names, email addresses, phone numbers, case types, and notes that you enter for your clients.
  • Documents: Document metadata (names, types, Google Drive URLs). Documents themselves are stored in your Google Drive, not on our servers.
  • Usage data: Activity logs, login timestamps, and feature usage for improving the service.
  • Payment data: Subscription plan and billing status. Credit card numbers and payment details are handled exclusively by Stripe and never touch our servers.

2. How We Store Your Data

  • Data is stored in a managed PostgreSQL database (Neon) with encryption at the database level.
  • All data in transit is encrypted via TLS/HTTPS (256-bit encryption).
  • Passwords are hashed using bcrypt and never stored in plaintext.
  • Documents are stored in Google Drive under your account, protected by Google's enterprise-grade security.
  • We do not log personally identifiable information (PII) such as names, emails, or phone numbers in our application logs.

3. Who Can Access Your Data

  • You can access your own account data and client records at any time.
  • Your clients' data is visible only to the assigned consultant and platform administrators.
  • Tenant isolation is enforced — consultants cannot see other consultants' clients.
  • OnboardFlow staff may access data only for support purposes, with your consent, or as required by law.
  • We do not sell, rent, or share your data with third parties for marketing purposes.

4. Payment Data & Stripe

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. OnboardFlow never receives, processes, or stores your credit card numbers. When you enter payment information during checkout, you interact directly with Stripe's secure servers.

What we store locally:

  • Stripe Customer ID — a non-sensitive identifier linking your account to your Stripe customer record.
  • Subscription status — whether your subscription is active, trialing, past due, or cancelled.
  • Plan name — which plan you are subscribed to (Starter, Pro, or Agency).
  • Subscription ID — a Stripe reference for managing your subscription.

We do not store: card numbers, CVV, expiration dates, bank account details, or any other financial instrument data. All sensitive payment data is handled entirely by Stripe under their Privacy Policy.

5. Third-Party Services

We use the following third-party services to provide OnboardFlow:

  • Google Workspace APIs — for Drive folder creation and document management.
  • Stripe — for payment processing and subscription management.
  • Neon — for managed PostgreSQL database hosting.
  • Render — for application hosting.

Each service has its own privacy policy and security certifications.

6. Data Retention

We retain your account and client data for as long as your account is active. When you cancel your subscription, your data is retained for 90 days to allow for reactivation, after which it is permanently deleted upon request. You can request immediate data deletion at any time by contacting us.

7. Your Rights

  • Access: You can export your client data at any time from the dashboard.
  • Correction: You can update your account and client information at any time.
  • Deletion: You can request complete deletion of your account and all associated data.
  • Portability: Your documents remain in your Google Drive and are yours to keep.

8. Contact Us

If you have questions about this privacy policy or your data, contact us at support@onboardflow.net.