Last Updated: 03/02/2026 (dd/mm/yyyy) This Privacy Policy (“Policy”) describes how Denev Operations LTD, a provider of cloud‑based automation and workflow management software (“Service”), collects, uses, stores, discloses, and protects Personal Data in connection with the use of our websites, applications, and services. We are committed to ensuring the confidentiality, integrity, and availability of Personal Data and to complying with all applicable privacy and data protection laws, including: • EU General Data Protection Regulation (GDPR) • UK GDPR and Data Protection Act 2018 • California Consumer Privacy Act (CCPA) • Canadian PIPEDA • Australian Privacy Act 1988 • Applicable U.S. state privacy laws This Policy forms part of our Terms of Service and applies to all users of our platform. 1. Definitions For the purposes of this Policy: • “Personal Data” means any information relating to an identified or identifiable natural person. • “Processing” means any operation performed on Personal Data, whether automated or not. • “Controller” means the entity determining the purposes and means of processing Personal Data. • “Processor” means the entity processing Personal Data on behalf of the Controller. • “Sub‑Processor” means any third party engaged by us to process Personal Data on your behalf. • “User‑Generated Content” means any data, files, workflows, automations, or materials you create or upload to the Service. • “Service” means our SaaS automation and workflow platform, including all related websites, APIs, and tools. 2. Data Controller and Contact Information Denev Operations LTD Registered Address: Strandza 4 9704 - Shumen Bulgaria Email: contact@vynflow.cloud Data Protection Officer: Milen Denev We act as: • Data Controller for account, billing, and website data. • Data Processor for workflow data and User‑Generated Content processed on your behalf. 3. Categories of Personal Data We Collect We collect the following categories of Personal Data: 3.1 Account Registration Data • Full name • Email address • Password (hashed and salted) • Address • Country • Postal code • Company name (if applicable) • Tax Identification Number (TIN) for business accounts 3.2 Billing and Payment Data • Billing address • Subscription details • Payment metadata • Payment card information is processed exclusively by Stripe; we do not store or access card numbers. 3.3 User‑Generated Content We store and process data you create within the platform, including: • Workflow definitions • Automation rules • Uploaded files • Logs, metadata, and execution results • API keys or credentials you choose to store (encrypted) • Any content you input into the Service 3.4 Technical and Usage Data • IP address • Browser type and version • Device identifiers • Authentication logs • Server logs • Error reports • Time zone and locale • Cookie identifiers (strictly necessary cookies only) 3.5 Automatically Collected Data We may collect limited telemetry to ensure platform stability, including: • Performance metrics • Resource usage • API call metadata • System events We do not use analytics or tracking cookies. 4. Purposes and Legal Bases for Processing We process Personal Data for the following purposes: 4.1 Contractual Necessity To provide the Service, including: • Account creation • Authentication • Workflow execution • Customer support • Subscription management 4.2 Legal Obligations To comply with: • Tax and accounting requirements • Anti‑fraud and security obligations • Regulatory reporting 4.3 Legitimate Interests To: • Maintain and improve the Service • Prevent abuse and ensure security • Monitor system performance • Conduct troubleshooting and diagnostics 4.4 Consent Where required by law (e.g., marketing communications), we rely on your explicit consent. We do not sell or rent Personal Data. 5. How We Use Personal Data We use Personal Data to: • Operate and maintain the Service • Authenticate and authorize users • Process payments and manage subscriptions • Provide customer support • Store and execute workflows • Improve platform reliability and performance • Detect, prevent, and investigate security incidents • Comply with legal obligations We do not use Personal Data for automated decision‑making that produces legal or significant effects. 6. Data Sharing and Sub‑Processors We only share Personal Data with trusted third parties necessary to operate the Service. 6.1 Stripe (Payment Processor) • Processes payment information • Acts as an independent controller for payment data 6.2 OVH (Cloud Infrastructure Provider) • Hosts servers, databases, and compute resources • Acts as a data processor 6.3 Wasabi (Object Storage Provider) • Stores user files and workflow‑related data • Acts as a data processor 6.4 Temporary In‑Memory Processing Some operations use encrypted, isolated, ephemeral environments. No Personal Data is retained after processing. 6.5 No Other Third‑Party Access We do not share Personal Data with: • Advertisers • Data brokers • Social media platforms • Analytics providers 7. International Data Transfers We serve users in the USA, Canada, UK, EU, and Australia. Where Personal Data is transferred outside the EU/UK, we rely on: • Standard Contractual Clauses (SCCs) • Adequacy decisions • Technical safeguards (encryption, access controls) • Organizational safeguards (policies, training, audits) 8. Data Retention We retain Personal Data only as long as necessary for the purposes described in this Policy. Data Type Retention Period Account information Until account deletion Billing & tax records 7–10 years Workflow data Until account deletion Logs 30–180 days Backups 30–90 days (rotating) Upon account deletion, all associated data is permanently removed from active systems and scheduled for deletion from backups. 9. Security Measures We implement industry‑standard security measures, including: • Encryption in transit (TLS 1.3+) • Encryption at rest (AES‑256) • Zero‑trust access controls • Role‑based access control (RBAC) • Multi‑factor authentication for internal systems • Network segmentation • Firewalls and intrusion detection • Regular vulnerability scanning • Encrypted in‑memory sandbox environments • Principle of least privilege • Secure development lifecycle (SDLC) practices 10. Your Rights Depending on your jurisdiction, you may have the right to: • Access your Personal Data • Correct inaccurate data • Request deletion • Restrict processing • Object to processing • Data portability • Withdraw consent • Opt out of sale/sharing (CCPA) • Lodge a complaint with a supervisory authority To exercise your rights, contact: contact@vynflow.cloud 11. Data Processing Agreement (DPA‑Style Provisions) When you use our Service to process Personal Data, we act as your Data Processor. 11.1 Processor Obligations We will: • Process Personal Data only on your documented instructions • Ensure confidentiality of personnel • Implement appropriate technical and organizational measures • Assist you in responding to data subject requests • Assist with DPIAs where required • Notify you of data breaches without undue delay • Delete or return Personal Data upon termination • Make available information necessary to demonstrate compliance 11.2 Sub‑Processor Management We: • Maintain a list of authorized Sub‑Processors • Require Sub‑Processors to sign GDPR‑compliant agreements • Remain fully liable for Sub‑Processor actions 11.3 Customer Obligations You agree to: • Ensure you have a lawful basis for processing • Not upload unlawful or prohibited data • Configure the Service in a secure manner • Notify us of any suspected misuse 12. Cookies Policy We use only strictly necessary cookies essential for the operation of the Service. 12.1 Cookies Used Cookie Name Purpose Type Duration auth-cookie Maintains authenticated session Essential Session ui-lock-state Stores UI lock state Essential Persistent 12.2 No Consent Required Because these cookies are essential, they do not require user consent under GDPR. We do not use: • Analytics cookies • Advertising cookies • Third‑party tracking cookies 13. Children’s Privacy The Service is not intended for individuals under 16. We do not knowingly collect children’s data. 14. Changes to This Policy We may update this Policy from time to time. Material changes will be communicated via email or in‑app notification. 15. Contact Information For privacy inquiries or rights requests: Denev Operations LTD Email: contact@vynflow.cloud Address: Strandza 4 9704 - Shumen Bulgaria