Privacy Policy

1. Introduction

SetFlow ("SetFlow," "we," "us," or "our") provides a productivity, classroom, and AI tutoring platform (the "Service") that helps students, educators, schools, founders, and teams plan work, study, collaborate, and learn. This Privacy Policy ("Policy") explains what information we collect, how we use it, who we share it with, and the choices and rights you have.

This Policy applies to getsetflow.app, all SetFlow subdomains, our mobile and desktop interfaces, our marketing pages, our APIs, and any other product surface we operate that links to this Policy (collectively, the "Service"). It does not apply to third-party services that integrate with SetFlow — those services are governed by their own privacy policies.

By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, do not use the Service.

2. Who we are and how to contact us

SetFlow is operated by its founders, including Sanithu Hulathduwage, based in Wichita Falls, Texas, United States.

• Privacy questions, data-subject requests. Email <a href="mailto:[email protected]">[email protected]</a> or submit a request through our <a href="/privacy-request">privacy request form</a>. We respond within 30 days.

• Security vulnerabilities. Email <a href="mailto:[email protected]">[email protected]</a>. Acknowledged within 48 hours.

• GDPR data protection contact. Email <a href="mailto:[email protected]">[email protected]</a>.

• Mailing address. SetFlow / Sanithu Hulathduwage, Wichita Falls, TX, USA.

3. Information we collect

We collect information in three ways: (a) information you provide directly to us; (b) information we collect automatically through your use of the Service; and (c) information we receive from third parties such as identity providers, schools, payment processors, and integration partners.

• Account & profile information. Name, email address, profile picture, password hash (where applicable), authentication identifiers from Google or other identity providers, role (student, educator, admin, founder, team member, individual), school or organization affiliation, time zone, language preferences, two-factor authentication status. Birthday (month and day only, used to trigger a confetti welcome on your birthday).

• Content you create or upload. Tasks, notes, chat messages, attachments, files, comments, classroom materials, assignments, quizzes, quiz responses and grades, lecture materials, textbook uploads (PDFs and parsed text), flashcards, study sessions, whiteboards, canvas content, projects, calendar events, GitHub commit metadata you connect, marketing assets and campaigns you create, writing drafts and instructor feedback, course discussions, and any other content you submit while using the Service ("User Content").

• AI inputs and outputs. When you use Tori or other AI features, we collect your messages, the context you select (such as a chat thread, assignment, classroom roster, note, or textbook chapter), the system prompt assembled for the request (which includes your first name and any memory facts Tori has stored about your preferences), and the AI response. These exchanges are retained so you and your collaborators can revisit them. See §8 for the full detail of what is sent to AI providers.

• Adaptive learning model data (school deployments only). When Tori tutors a student in a school deployment, we build a learning model that personalizes her teaching to that specific student. The model tracks behavioural signals like average response time, which types of explanations work best, frustration and breakthrough indicators, and how long the student stays engaged before needing a break. It does not record conversation content — only behavioural signals derived from how the student interacts. In BYODB deployments this model lives in the school's database. Students and admins can reset it at any time from the student's profile.

• Accommodation and accessibility data (school deployments only). Teachers may record accessibility information for students, including IEP or 504 plan status, learning differences (such as dyslexia or ADHD), preferred communication style, extended-time multiplier, text-to-speech voice, and teacher notes for Tori. This information is used only to personalize Tori's teaching approach for that student. It is never shared with other institutions and never used for any commercial purpose.

• Exam integrity data (Academy proctored exams only). During proctored Academy exams, webcam access is used to detect whether a face is present, whether multiple faces appear, and whether eye gaze moves off-screen. We store only yes/no flags for each detection event — not raw images, video recordings, or biometric templates. We also record paste / blur / fullscreen-exit events during exams. These flags are visible to instructors and are deleted 90 days after the exam attempt is reviewed.

• Safety signals. To protect student wellbeing, a small set of patterns screens messages for content that may indicate a student is in distress (self-harm, abuse disclosures). When a pattern matches, the message excerpt is reviewed by an AI classifier to determine whether a wellbeing flag should be created. Flagged messages may be visible to school counselors or administrators. This is a child-safety feature, not general surveillance, and is active only in school deployments where the school has enabled counselor access.

• Communications. Messages you send to us through email, the support chat on our marketing site (handled by our own AI assistant Tori, with a human on call), feedback forms, support tickets, the Tori AI assistant, video calls placed through Jitsi, and any other communication channel we make available.

• Payment information (when applicable). When paid plans are enabled, payment is processed by Stripe. We do not store full payment-card numbers on our servers. We may receive billing metadata such as last-four digits, card brand, billing zip code, and transaction status.

• Authentication & integration data. When you sign in with Google, Microsoft, Clever, or ClassLink, we receive your basic profile information and email address from that provider. When you connect optional integrations (such as Google Classroom or GitHub), we request only the OAuth scopes needed for the feature you opted into and we store the resulting access and refresh tokens encrypted at rest using AES-256-GCM.

• Device, log, and usage data. We automatically collect IP address, browser type, operating system, device identifiers, referring URLs, pages viewed, features used, click and scroll events, session timestamps, error and crash reports, and approximate location derived from your IP (city, region, and country level — used, for example, to render the admin live globe and to localize weather context for morning briefings). This data is generated by routine server logs and product analytics.

• Cookies, local storage, and similar technologies. We use first-party cookies and local storage to keep you signed in, remember preferences, secure sessions, and run analytics. Section 13 explains your choices around cookies.

• Information from schools and educators. If your school, educator, or organization invites you to SetFlow, we may receive your name, email, role, classroom assignment, and accommodations directly from them. Schools and educators are responsible for the accuracy of this information and for obtaining any consent required under applicable law before sharing it with us.

4. How we use information

We use the information we collect for the following purposes:

• Operate the Service. Authenticate you, render your workspaces, deliver messages and notifications, sync data across devices, and provide the features you request. Lawful basis (EEA/UK): performance of a contract.

• Personalize your experience. Remember preferences, surface relevant content, tailor onboarding to your role, route AI prompts with the right context, and apply student accommodations to AI behavior and quiz timing. Lawful basis: performance of a contract / legitimate interests.

• Adaptive learning (school deployments). Build a per-student behavioural model so Tori's teaching adapts to the student's pace and style. Lawful basis: legitimate interests (educational effectiveness) or school consent. Students may reset their model at any time.

• Child-safety screening. Run safety-classifier pattern matching on messages and route flagged content for counselor review. Lawful basis: legitimate interests (child safety) — limited and proportionate.

• Improve the Service. Analyze aggregated usage, debug errors, evaluate feature performance, run product experiments, and prioritize roadmap work. Lawful basis: legitimate interests.

• Provide AI features. Send prompts and selected context to AI subprocessors so Tori, Study mode, flashcard generation, textbook parsing, and similar features can produce results. Lawful basis: performance of a contract.

• Communicate with you. Send transactional messages (sign-in alerts, invitations, password resets, billing receipts), product announcements, security notices, support replies, and — only with your consent where required — marketing emails. Lawful basis: contract / consent.

• Maintain security & prevent abuse. Detect, investigate, and prevent fraudulent transactions, account takeovers, abuse, harassment, spam, and violations of our Terms or applicable law. Lawful basis: legitimate interests / legal obligation.

• Meet legal obligations. Comply with applicable laws, court orders, lawful requests from public authorities, and our recordkeeping requirements. Lawful basis: legal obligation.

• Enforce our agreements. Enforce the Terms, this Policy, our Acceptable Use rules, and any other agreement between you and us. Lawful basis: legitimate interests.

5. Legal bases for processing (EU/UK/EEA residents)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the lawful bases identified next to each processing purpose in §4 to process your personal data under the GDPR or UK GDPR. In summary:

• Performance of a contract. To provide the Service you signed up for and fulfill our obligations under our Terms.

• Legitimate interests. To secure the Service, prevent abuse, improve features, communicate with users, build the adaptive learning model, and protect child safety in ways that do not override your fundamental rights.

• Consent. For marketing communications, optional cookies, and any processing that requires consent under applicable law. You may withdraw consent at any time without affecting prior lawful processing.

• Legal obligation. To comply with tax, accounting, fraud-prevention, security, and other legal duties.

• Explicit consent (Article 9). For accommodation/disability data and proctoring biometrics, where applicable, we rely on explicit consent obtained by your school as part of the educational service.

6. How we share information

We do not sell or rent personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law. We share information only as described in this Policy:

• With other users by your direction. Content you publish to a project, classroom, channel, or chat is visible to the people you have shared it with. Educators may see student assignment submissions, quiz responses, and accommodations they assigned. Schools and admins may see organization-wide usage and audit logs for their tenant.

• With service providers (subprocessors). We use vetted vendors who process data on our behalf to operate the Service. See §7 for the current list.

• For legal reasons. When we believe disclosure is reasonably necessary to comply with law, regulation, or legal process; protect the rights, property, or safety of users, the public, or SetFlow; investigate or prevent fraud, abuse, or security incidents; or enforce our agreements.

• In a business transfer. If SetFlow is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, your information may be transferred as part of that transaction. We will require any successor to honor commitments made in this Policy or notify you of material changes.

• With your consent. Where you ask us to or otherwise direct us to share your information.

7. Service providers and subprocessors

We rely on the following subprocessors to deliver the Service. We perform reasonable diligence on each and require contractual data-protection commitments. The complete, versioned list with change history is published at getsetflow.app/subprocessors. We will notify institutions 30 days in advance of adding any new subprocessor that receives student personally identifiable information.

• Hosting & application platform. Vercel Inc. (US) — application hosting, edge network, serverless functions, deploy logs, file storage via Vercel Blob.

• Database. Neon (US) — managed PostgreSQL hosting our central application data (authentication, billing, tenant configuration).

• Authentication & SSO. Google LLC (US) — Sign-In with Google; Microsoft Corporation (US) — Sign-In with Microsoft / Azure AD; Clever Inc. (US) — K-12 SSO and rostering; ClassLink Inc. (US) — K-12 SSO and OneRoster.

• AI providers. Anthropic PBC (US) — Tori, study tools, agent features. OpenAI, L.L.C. (US) — fallback Tori provider and audio transcription / text-to-speech. Google LLC (US) — Gemini fallback provider. Per their published API policies, none of these providers train foundation models on data submitted via their APIs.

• Audio (text-to-speech). ElevenLabs Inc. (US) — optional higher-quality text-to-speech for course audio and Tori voice replies. Receives only system-generated content for audio synthesis.

• Email. Resend (US) — transactional and marketing email delivery.

• Live chat & support. Operated by SetFlow on a dedicated support service at support.getsetflow.app. Conversations are stored on our own infrastructure (no third-party chat vendor). The AI side is powered by the same AI providers listed elsewhere in this section.

• Network, security, and edge. Cloudflare, Inc. (US) — DDoS protection, CDN, bot mitigation.

• Error monitoring. Sentry / Functional Software, Inc. (US) — application error reporting and performance monitoring.

• Product analytics. PostHog, Inc. (US) — anonymized product usage analytics on authenticated surfaces. Gated by your cookie consent.

• Marketing-page analytics. Google Analytics 4 (Google LLC, US) — aggregate pageview analytics on our public marketing pages only. Not active on authenticated student or educator pages. IP addresses are anonymized before storage. Disabled when your browser sends a Do Not Track signal.

• Video calls. Jitsi (8x8, Inc.) — embedded video calling.

• Payments (when enabled). Stripe, Inc. (US) — payment processing and subscription billing.

• Source-code integrations. GitHub, Inc. (US) — when you connect GitHub for commit, repository, or pull-request context.

• Video search. YouTube Data API (Google LLC, US) — used by Tori's video-finder feature to locate educational videos. Search query text is sent; no student name or identifying information is included in the API call.

• GIF search. Giphy, Inc. (US) — search query text is sent for GIF results; queries are not linked to user identity.

• Open content. OpenStax (Rice University) — when you import freely available textbooks for classroom use.

• Context (weather). Open-Meteo (open-meteo.com) — city-level location derived from IP is used to fetch weather for Tori's morning briefings.

Subscribe to change notifications: email [email protected] with subject "Subprocessor change notifications" and we will email you 30 days before any new subprocessor that receives student PII is added.

8. AI features and Tori

When you use Tori or other AI features, your messages and the context needed to answer them are sent to one of our AI providers (Anthropic, OpenAI, or Google). The context we send includes:

• Your messages. The text or audio you send to Tori for the current turn.

• Recent replies. The last 10 to 12 turns of conversation, so Tori can maintain context.

• Your first name. So Tori can address you personally. (Last name is not sent unless you typed it in.)

• The lesson or assignment you are working on. The body of the lesson, assignment description, or course material (truncated to roughly 6,000 characters) so Tori can answer in context.

• Memory facts (if any). Short notes Tori has stored about your preferences and learning style — for example, "prefers worked-examples over verbal explanation." You can view and delete these at any time from your profile.

• Accommodation profile (if set by your teacher). So Tori adapts pace, complexity, and voice to your needs.

No model training on your content. Anthropic's and OpenAI's API terms prohibit model training on customer data. Google's paid Gemini API has the same commitment. We do not build or train any first-party AI model on student data. If we ever change that, we will give you a meaningful opportunity to opt out, or obtain your opt-in consent where required by law.

Audio: Voice input is transcribed by OpenAI Whisper. Text-to-speech audio is generated by OpenAI or, optionally, ElevenLabs. Neither provider trains on this content per their API terms.

Safety screening: A small set of patterns screens messages for content suggesting distress or risk. Matched messages are reviewed by an AI classifier; some may produce a wellbeing flag visible to school counselors. Active only in school deployments where the school has enabled counselor access. AI outputs are generated by statistical models and may be inaccurate, incomplete, biased, outdated, or otherwise inappropriate. Do not rely on AI output for medical, legal, financial, safety-critical, or other consequential decisions without independent verification by a qualified human professional.

9. Schools, students, and educational use

SetFlow is designed in part for use in schools and other educational settings. We support two deployment modes:

• Central-DB school tenant. SetFlow is the service provider / school official under FERPA. Student records are stored on SetFlow's central database (Neon, US). The educational institution is the data controller.

• Bring Your Own Database (BYODB). SetFlow holds only configuration, billing, and an AES-256-GCM encrypted database connection string. All student personally identifiable information lives in the institution's own Postgres database — not on SetFlow's servers. The institution has direct control: revoke the connection string and SetFlow loses access within one cache cycle.

Educational Institutions are responsible for: (a) ensuring they have lawful authority and any required parental consent before adding student accounts (including under FERPA, COPPA where the student is under 13, the GDPR for students in the EU/UK/EEA, and analogous state laws); (b) configuring rosters, accommodations, and access controls accurately; and (c) issuing data-subject responses to parents or eligible students who request access, correction, or deletion of education records.

SetFlow commitments: We will not use student personal information for advertising, build advertising profiles of students, sell or share student personal information, or knowingly retain student personal information beyond the period necessary to provide the Service to the Educational Institution, except as required by law. Upon written request from a verified Educational Institution, we will return or delete student data covered by that institution's SetFlow tenant within 30 days of contract termination.

Subprocessor change notice: We will notify the institution's designated contact at least 30 days before adding any new subprocessor that receives student personally identifiable information.

Standard DPAs: We sign the SDPC NDPA, Texas Education Code 32.151, California AB 1584, and most district-specific data privacy agreements. Email [email protected] — we respond within 5 business days.

10. Children under 13 (COPPA)

SetFlow serves K-12 students, which includes children under 13. We take COPPA compliance seriously.

• For school deployments. Schools deploy SetFlow under COPPA's school-consent exception per FTC guidance. The school has obtained any required parental consent as part of student enrollment, and SetFlow operates as a service provider to the school.

• For direct Academy signups. If a user indicates they are under 13 during signup, we require verifiable parental consent before creating an account. The parent or guardian must approve the account via a verified email link before any account is provisioned and before any personal data beyond the parent's email is collected.

• Minor mode (under-13 accounts). When the account belongs to a user under 13, the following are disabled: the behavioural adaptive-learning model, biometric proctoring, third-party analytics (PostHog and Google Analytics), and marketing email. Data collection is limited to what is strictly necessary to provide the educational service.

• Parental rights. Parents and guardians may request access to, correction of, or deletion of their child's data at any time by emailing <a href="mailto:[email protected]">[email protected]</a>, using our <a href="/privacy-request">privacy request form</a>, or contacting the school directly (for school deployments).

• No marketing to children. We do not target advertising to children under 13. We do not build advertising profiles of children. We do not sell or share children's personal information.

If you believe a child under 13 has provided personal information to us outside of a school deployment and outside of the verifiable parental consent flow, please contact us so we can promptly delete the account and associated data.

11. FERPA — education records

When SetFlow is used by a K-12 or higher-education institution, we operate as a school official with a legitimate educational interest under FERPA (20 U.S.C. § 1232g(b)(1)(B)). We perform functions for which the institution would otherwise use its own employees, we are under the institution's direct control with respect to use and maintenance of education records, and we do not re-disclose education records or use them for any other purpose.

In BYODB deployments, the institution holds the database that contains the education records; SetFlow accesses those records only to provide the contracted service and never stores a copy on its own infrastructure. The institution has direct control by holding the encryption key for the connection string and can unilaterally revoke SetFlow's access at any time.

Retention is aligned with the institution's policy. On contract termination, we will return or delete education records within 30 days of written request, except where retention is required by law.

For Data Processing Agreements (including the SDPC NDPA, Texas Education Code 32.151, California AB 1584, and most district-specific addenda), email [email protected].

12. GDPR — controller and processor

For school and institutional accounts, the educational institution is the data controller and SetFlow is the data processor. The institution determines the purposes and means of processing student personal data; SetFlow processes that data only on the institution's documented instructions.

For individual, founder, and team accounts created without a school deployment, SetFlow is the data controller for your account-level personal data.

A Data Processing Agreement incorporating Standard Contractual Clauses (SCCs) is available on request — email [email protected].

13. Cookies and similar technologies

We use first-party cookies and similar technologies (local storage, session storage, pixels) in three categories:

• Essential. Authentication, CSRF protection, session security, role-based UI. Cannot be disabled — the Service does not work without them.

• Functional. Preferences (theme, locale), cookie-consent state. Disabled means the Service will not remember your preferences between visits.

• Analytics. PostHog on authenticated surfaces (product improvement) and Google Analytics 4 on public marketing pages (aggregate visitor counts). Both honor your cookie-consent choices and the browser Do Not Track signal.

You can manage non-essential cookie categories through our in-product cookie banner.

14. Data retention

We retain personal information only as long as we need it. Specific retention periods by data type:

• Account profile. Duration of the account, plus 30 days after a deletion request to allow cancellation.

• Tori conversation logs (ToriRun, ToriSession, ToriMessage). 12 months by default. Schools may request shorter retention windows.

• Chat messages (non-pinned). 30 days, then automatically deleted by a daily cron job.

• Private Tori chat ("supportive mode"). 24 hours, hard-deleted by a daily cron job.

• Exam integrity flags. 90 days after the instructor reviews the exam attempt.

• Adaptive learning model. Deleted when the student account is deleted. Can be reset by the student at any time.

• Accommodation / IEP data. Deleted when the student account is deleted, or when the school removes the record.

• Safety flags. Until resolved, plus 1 year for accountability.

• Audit logs. 7 years (for FERPA-aligned accountability and security investigations).

• Backups. 35 days (Neon point-in-time restore window).

• Payment records. 7 years (legal recordkeeping requirement).

• Authentication tokens (magic links, verification codes). Deleted automatically on expiry — typically 10 minutes to 7 days depending on token type.

When you delete your account, we will delete or anonymize personal information within 30 days, except where retention is required by law (for example, payment records) or to resolve open disputes, billing, or security investigations.

15. Security and breach notification

We use administrative, technical, and organizational safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Specific measures include:

• In transit. TLS 1.2+ on every connection. Strict-Transport-Security with a 2-year max-age and includeSubDomains.

• At rest. AES-256-GCM authenticated encryption for credentials, OAuth tokens, and BYODB connection strings. AES-256 on the Neon-managed central database and Vercel Blob file storage.

• Tenant isolation. Per-tenant Prisma client factory ensures institution data routes only to that institution's database.

• Authentication. NextAuth with magic-link, Google OAuth, Microsoft OAuth, Clever, and ClassLink providers. Per-user TOTP two-factor authentication available; required for admin accounts.

• LTI 1.3 hardening. Full JWT signature, issuer, audience, expiry, nonce, and version verification. Origin / Referer cross-check on launch endpoints. DNS-TXT domain ownership verification for platforms. Partitioned cookies for iframe contexts.

• Application security. Content Security Policy with explicit allow-list, X-Content-Type-Options, Referrer-Policy, COOP/CORP. Server actions for all mutations. Prisma parameterized queries for all database access.

• Operational. Least-privilege staff access, audit logging, automated dependency scanning, bot-mitigation at the edge.

Breach notification commitment: We will notify affected institutions in writing within 72 hours of confirming unauthorized access to their data. We will notify individual users as required by applicable law. Notifications will be sent to the institution's designated contact on file and will include a description of what happened, what data was affected, what we are doing to investigate and remediate, and what affected individuals can do to protect themselves.

No system is perfectly secure. We cannot and do not guarantee that information will not be accessed, disclosed, altered, or destroyed by breach of any of our safeguards. You are responsible for protecting your account credentials and for promptly notifying us at [email protected] of any suspected compromise.

16. International data transfers

SetFlow is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data-protection laws different from the laws of your country.

When we transfer personal data from the EEA, the UK, or Switzerland to the United States or other countries that the European Commission has not deemed to provide an adequate level of data protection, we rely on appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission, supplementary measures where required, and equivalent mechanisms under the UK GDPR and Swiss law.

17. Your rights and choices

Depending on where you live, you may have the following rights with respect to your personal information. We honor all valid requests to the fullest extent required by law. The simplest way to exercise any of these rights is through our privacy request form or by emailing [email protected].

• Access. Request confirmation of whether we process your personal information and a copy of it. Self-serve export: Settings → Account → Export your data.

• Correction. Request correction of inaccurate or incomplete information. Self-serve for profile fields: Settings → Profile.

• Deletion. Request deletion of personal information, subject to legal retention obligations. Self-serve: Settings → Delete Account.

• Portability. Receive a copy of certain information in a portable format (JSON archive).

• Objection / restriction. Object to or restrict certain processing, including processing based on legitimate interests (such as the adaptive learning model).

• Withdraw consent. Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.

• Opt out of automated decision-making. You can reset the adaptive learning model at any time from your profile. Schools can disable it for the whole tenant. For under-13 accounts it is disabled by default.

• Non-discrimination. Exercise privacy rights without discriminatory treatment.

• Lodge a complaint. Complain to your local data-protection authority. EU residents may contact their national DPA; UK residents may contact the ICO. We would, however, appreciate the chance to address your concerns first.

18. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), gives you specific rights regarding your personal information.

Categories of personal information we collect, as defined by the CCPA, may include: identifiers (name, email, IP address); internet or other network activity (usage data, log data); commercial information (subscription records); geolocation (city/region from IP); professional or education-related information; audio/visual data (if you upload it); sensitive personal information (accommodation/disability data, where applicable); and inferences drawn from the foregoing (such as the adaptive learning model).

We do not sell personal information for monetary consideration and do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law. We do not knowingly sell or share personal information of consumers under 16.

You may exercise your rights to know, delete, correct, and limit the use of sensitive personal information by contacting us at [email protected] or using our privacy request form. We will verify your identity before responding. You may designate an authorized agent to make a request on your behalf.

19. Do Not Track

Some browsers transmit a "Do Not Track" (DNT) signal to websites. SetFlow honors DNT as follows:

• Marketing pages (Google Analytics 4). When your browser sends DNT, we disable Google Analytics 4 on our public marketing pages. No pageview events are sent.

• Authenticated product surfaces (PostHog). PostHog respects the cookie-consent choice you set in our in-product cookie banner. Until you accept analytics cookies, PostHog stores no persistent identifier and sends no identified events.

20. Third-party sites and integrations

The Service may link to or integrate with third-party websites, services, or content that we do not operate. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with personal information or enabling them inside SetFlow.

21. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide notice through the Service or by other reasonable means (such as email to the address on your account) at least 30 days before the changes take effect, except where applicable law requires a shorter notice period. The "Effective date" at the top reflects the latest revision. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

22. Contact us

See §2 for the complete list of contact addresses. The fastest way to exercise a privacy right is through our privacy request form.