Privacy Policy

How Korall Flow collects, uses, and protects your data.

Last updated: March 16, 2025

1. Introduction & Scope

Korall Flow, Inc. ("we," "us," or "our") operates the website located at korallflow.com and the Korall Flow platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use the Service.

This policy is effective as of March 16, 2025 and applies to all users of the Service, including free and paid plan subscribers, workspace members, and visitors to our marketing pages. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

If you have questions or concerns about this policy, please contact us at admin@korallflow.com.

2. Information We Collect

We collect information that you provide directly, information generated through your use of the Service, and limited technical information collected automatically. The categories below describe each type of data in detail.

Account Information

When you create an account, we collect your name, email address, and password. Passwords are stored as bcrypt hashes and are never retained in plaintext. You may optionally upload a profile image, which is stored alongside your account record.

Workspace and Organization Data

When you create or join a workspace, we store workspace names, membership rosters, role assignments (owner, admin, editor, viewer), and audit log entries that record significant actions taken within the workspace. This data is necessary to enforce access controls and provide collaboration features.

Pipeline and Execution Data

The Service stores your pipeline configurations, transformation scripts generated by AI or authored manually, input and output file metadata (such as file names, sizes, row counts, and column schemas), and detailed run logs and events. This data is required to execute, monitor, and troubleshoot your data pipelines.

Billing Information

Payment processing is handled by Stripe. We store your Stripe customer ID, subscription ID, plan tier, and billing status (such as active, past due, or cancelled). We never store credit card numbers, bank account details, or other raw payment credentials on our systems. All payment data is processed in accordance with Stripe's PCI-DSS compliance.

Authentication Data

Depending on how you and your organization configure access, we may store OAuth tokens (for integrations such as Google Sheets), SAML assertions (for enterprise single sign-on), TOTP secrets (for multi-factor authentication), and JWT session tokens used to maintain authenticated sessions.

Encrypted Secrets

When you configure connectors, you may provide API keys, cloud storage credentials, SSH private keys, or other sensitive credentials. These secrets are encrypted at rest using AES-256-GCM with versioned key rotation. They are decrypted only at the moment of pipeline execution and are never exposed in logs, scripts, or API responses.

Usage Data

We track LLM token consumption per user and workspace to enforce plan limits and provide usage dashboards. We also collect feature usage metrics to understand which parts of the Service are most valuable and to inform product improvements.

Technical Data

Our web servers automatically collect IP addresses, browser user-agent strings, and device information through standard server access logs. This information is used for security monitoring, abuse prevention, and debugging.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Operating and delivering the Service: provisioning workspaces, running pipelines, storing configurations, and providing the core functionality you expect from the platform.
  • Authentication and authorization: verifying your identity, enforcing role-based access controls, and managing sessions across devices.
  • Executing data pipelines on your behalf: connecting to your configured data sources and destinations, running transformation scripts, and delivering output files.
  • Managing billing and subscriptions: processing payments through Stripe, enforcing plan limits, and communicating billing-related events.
  • Security monitoring and abuse prevention: detecting unauthorized access attempts, identifying anomalous behavior, and protecting the integrity of the Service.
  • Service reliability: monitoring system performance, diagnosing errors, and maintaining uptime.
  • Customer support: responding to your inquiries, troubleshooting issues, and providing guidance on platform usage.
  • Service communications: sending transactional emails such as pipeline failure alerts, billing receipts, and security notifications. We do not send marketing emails without your explicit consent.

5. Third-Party Services & Data Sharing

We integrate with a limited number of third-party services to deliver the functionality of the platform. We share only the minimum data necessary for each integration to function. The following services may receive or process your data:

  • Stripe: Processes all payment transactions. Stripe is PCI-DSS compliant and receives your billing details (name, email, payment method) directly. We never handle or store raw payment credentials.
  • Google OAuth 2.0: Used for Google Sheets integration. When you authorize this connection, we request the spreadsheets and drive.metadata.readonly scopes. We access only the spreadsheets you explicitly select as pipeline sources or destinations.
  • AI/LLM providers (Anthropic Claude, Google Gemini, AWS Bedrock, OpenAI): When you use AI-assisted transformation generation, data samples from your pipelines (such as column names and representative row values) are sent to one or more LLM providers to generate transformation code. Your credentials, encrypted secrets, and authentication tokens are never sent to LLM providers under any circumstances.
  • Cloud storage (AWS S3, Google Cloud Storage, Azure Blob Storage, Supabase): Data is sent to or retrieved from these services only when you explicitly configure them as pipeline sources or destinations using your own credentials.
  • Resend: Handles transactional email delivery for alerts, notifications, and account-related communications. Resend receives the recipient email address and message content necessary to deliver each email.
  • SFTP/SSH hosts: Connections to SFTP and SSH servers occur only when you configure these as pipeline sources or destinations. We connect using the credentials you provide, which are encrypted at rest.
  • SAML SSO identity providers: Enterprise customers who configure single sign-on exchange authentication assertions with their chosen identity provider. We process only the SAML assertions necessary to authenticate and provision user accounts.

We do not sell, rent, or trade your personal information. We do not share data with advertisers.

6. Cookies & Local Storage

We use a single session cookie containing a JSON Web Token (JWT) with an 8-hour expiry. In production, this cookie is marked with the Secure and HttpOnly flags, ensuring it is transmitted only over HTTPS and is not accessible to client-side JavaScript. This is a strictly necessary cookie required for authentication; the Service cannot function without it.

We do not use analytics cookies, advertising cookies, tracking pixels, or any form of cross-site tracking technology. We do not participate in ad networks or retargeting programs.

If we introduce non-essential cookies in the future, we will update this policy and provide appropriate notice and controls, including a cookie consent mechanism where required by applicable law.

7. Data Retention

We retain your data only as long as necessary to provide the Service and fulfill the purposes described in this policy. Specific retention periods vary by data type and plan tier:

  • Account data: Retained while your account is active. Upon receiving an account deletion request, we delete your account data within 30 days. Some data may persist in encrypted backups for a limited additional period before being purged.
  • Pipeline execution data: Retained according to your workspace plan tier — Free: 7 days, Starter: 30 days, Pro: 90 days, Enterprise: 365 days. After the retention period, execution data is automatically deleted.
  • Billing records: Retained for 7 years as required by applicable tax law. This includes invoices, payment receipts, and subscription history.
  • Audit logs: Retained according to your workspace plan tier, following the same schedule as pipeline execution data. Audit logs record significant actions such as membership changes, permission updates, and connector modifications.
  • Encrypted secrets: Deleted immediately when you remove the associated connector from your workspace or when your account is deleted. There is no grace period for secret retention.

8. Data Security

We implement a layered security approach to protect your data throughout its lifecycle. While no system can guarantee absolute security, we employ the following measures to minimize risk:

  • Encryption at rest: All sensitive secrets (API keys, cloud credentials, SSH keys) are encrypted using AES-256-GCM with versioned key rotation. Encryption keys are managed separately from the data they protect.
  • Password hashing: User passwords are hashed using bcrypt with appropriate cost factors. Plaintext passwords are never stored or logged.
  • Role-based access control: Workspace access is governed by a four-tier role system (owner, admin, editor, viewer). Each role has precisely scoped permissions, and authorization checks are enforced on every API request.
  • Secure session management: Session cookies are marked Secure and HttpOnly in production environments, preventing interception and client-side access.
  • Comprehensive audit logging: Significant actions within workspaces are logged with timestamps, actor identity, and action details. Audit logs provide a complete trail for security reviews and compliance investigations.
  • Multi-factor authentication: Users can enable TOTP-based multi-factor authentication for their accounts. Workspace administrators can enforce MFA for all members through workspace-level access policies.
  • Workspace-level access policies: Administrators can configure policies such as mandatory MFA enrollment and allowed email domain restrictions to strengthen workspace security posture.

9. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honoring these rights for all users, regardless of location, to the extent practicable.

Rights Under the GDPR (EEA and UK)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to erasure: You may request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format.
  • Right to restrict processing: You may request that we limit how we process your data under certain circumstances.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Rights Under the CCPA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know: You may request information about the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell your personal information, so this right does not require action on your part. If our practices change, we will provide notice and a mechanism to opt out.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us at admin@korallflow.com. We will respond to verified requests within 30 days. In some cases, we may need to verify your identity before fulfilling a request, and we may ask for additional information to do so.

10. International Data Transfers

Your data may be processed and stored in the United States, where Korall Flow, Inc. operates its primary infrastructure. If you are located outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent legally recognized safeguards, to ensure an adequate level of protection for your personal data when it is transferred outside of your home jurisdiction.

Enterprise customers may request a Data Processing Agreement (DPA) that includes additional transfer mechanism details and compliance commitments. To request a DPA, contact us at admin@korallflow.com.

11. Children’s Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect, solicit, or maintain personal information from anyone under 16 years of age. If you are a parent or guardian and believe that your child has provided personal information to us without your consent, please contact us at admin@korallflow.com. Upon verification, we will promptly delete such information from our systems.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.

If we make material changes that significantly affect how we handle your personal data, we will notify you through one or more of the following channels: an email to the address associated with your account, an in-product notification within the Service, or a prominent notice on our website. We encourage you to review this policy periodically.

Your continued use of the Service after changes to this policy become effective constitutes your acceptance of the revised policy. If you do not agree with the updated terms, you should discontinue use of the Service. Previous versions of this policy are available upon request by contacting us at admin@korallflow.com.

13. Contact

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Korall Flow, Inc.

Email: admin@korallflow.com

For data protection inquiries from users in the European Union or the United Kingdom, including requests to exercise your rights under the GDPR, please contact us at the same email address. We will direct your inquiry to the appropriate team member responsible for data protection matters.