Privacy Policy

Last updated: April 24, 2026

AutoFlowed (“AutoFlowed,” “we,” “our,” “us”) operates autoflowed.com and the AutoFlowed software platform. We provide AI-powered front-desk, reservation, guest-messaging, and review-response tools to independent hotel operators and small businesses.

This policy explains what information we collect, how we use and store it, who we share it with, and the rights you have. It applies to both people who sign up to use AutoFlowed (“Customers”) and people whose information passes through AutoFlowed because a Customer uses our product to serve them (“End Users,” typically hotel guests).

1. Information We Collect

We collect the following categories of information:

Account information

  • Name, email address, password (stored as a hashed value, never in plaintext)
  • Business name, business address, business phone, industry
  • Account settings, branding, and automation preferences

Operational information you provide

  • Guest reservation records (guest name, phone, email, check-in/out dates, room type)
  • Property details, room types, rates, availability
  • Owner contact information used for alerts
  • Payment information (processed by Stripe — we never store raw card numbers)

Communications processed through AutoFlowed

  • Inbound and outbound phone calls handled by our AI front desk, including audio recordings and text transcripts
  • SMS messages sent and received via our platform
  • Email communications initiated through AutoFlowed
  • Chat conversations with in-product AI assistants

Third-party integration data (only when you connect the integration)

  • Google Business Profile: OAuth access and refresh tokens, Google account and location identifiers, guest reviews (rating, reviewer name, review text, review time, reviewer profile photo URL), and reply history
  • Google Calendar: OAuth access and refresh tokens, calendar event metadata, event times (used only to schedule appointments and reminders on your behalf)
  • Cloudbeds (Property Management System): OAuth access and refresh tokens, reservations, rate plans, availability, and guest records synced to AutoFlowed

Automatically collected

  • Log and diagnostic data: IP address, browser type, request timestamps, error traces
  • Authentication cookies required to keep you signed in

Forward-looking integrations

We may introduce Plaid-powered financial integrations in the future. If and when we do, connecting Plaid would let AutoFlowed access bank account, balance, and transaction data that you authorize. Plaid data will be governed by the same principles described in this policy, and we will update this document before enabling any Plaid-backed feature. Until then, AutoFlowed does not collect banking or financial-account information.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the AutoFlowed service
  • Authenticate you and secure your account
  • Answer calls, take reservations, and send transactional messages (confirmations, reminders, review requests)
  • Sync reservations and availability with connected property management systems
  • Fetch your Google Business Profile reviews and publish reply responses that you have explicitly approved
  • Generate AI-drafted responses that you review and approve before they are sent anywhere
  • Produce aggregated reports and usage summaries for the Customer who owns the account
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your information, or any data retrieved from Google APIs, to train generalized AI models, build advertising profiles, or serve third-party advertisements.

3. Google API Data and Limited Use

When you connect Google Business Profile or Google Calendar to AutoFlowed, we request only the scopes required to power the features you have enabled. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide or improve user-facing features visible to you inside AutoFlowed (e.g., displaying your reviews, drafting and posting replies you approve, scheduling your appointments).
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with your notice.
  • We do not use Google user data for serving advertisements, including retargeted, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless (a) you have given explicit consent for your own data, (b) it is necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) the data has been aggregated and anonymized.

You can disconnect Google Business Profile or Google Calendar at any time from your AutoFlowed account settings, which revokes the stored tokens and stops any further access.

4. How We Share Information

We do not sell your personal information. We do not share your personal information for marketing purposes. We share information only with the service providers that make AutoFlowed work, under contractual confidentiality obligations, and only to the extent needed to provide their specific function. The complete list of sub-processors we currently use is:

  • Vercel — application hosting and serverless compute
  • Neon — Postgres database hosting
  • Anthropic (Claude) — AI language models used to draft responses, summaries, and conversational replies
  • Vapi — AI voice-agent infrastructure for phone calls (call routing, transcription, telephony orchestration)
  • ElevenLabs — text-to-speech voice synthesis for our AI front desk
  • Twilio — SMS, MMS, and phone-number infrastructure
  • Stripe — payment processing and subscription billing
  • Resend — transactional email delivery
  • Google — Google Business Profile and Google Calendar APIs (only for Customers who connect those integrations)
  • Cloudbeds — Property Management System integration (only for Customers who connect it)
  • Plaid (future) — financial data aggregation, only if and when a Plaid-powered feature is enabled

We may also disclose information when required by valid legal process (subpoena, court order, or equivalent), or to protect the rights, property, or safety of AutoFlowed, our Customers, or the public. In a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to continued protection under a policy materially similar to this one.

5. Data Retention

We retain information only as long as needed to provide the service, meet legal obligations, and resolve disputes. Typical retention periods:

  • Account records — kept for the life of your account. Deleted within 30 days after account closure unless retention is required by law (e.g., tax records).
  • Reservations and guest records — retained for as long as the Customer account is active, then deleted within 30 days of account closure.
  • Call recordings and transcripts — stored for up to 90 days by default for quality, training (of our own rule-based systems, never third-party model training), and dispute resolution, unless the Customer configures a shorter retention in settings.
  • SMS and email logs — retained for up to 24 months for deliverability diagnostics and compliance with carrier rules.
  • OAuth tokens for Google and other integrations — kept only while the integration is connected. Revoked within 7 days of disconnect or account closure.
  • Google Business Profile review data — retained while the integration is connected and for 30 days after disconnect to support re-connection without data loss. Permanently deleted thereafter.
  • Aggregated, anonymized analytics — may be retained indefinitely as they no longer identify any individual.

If you request deletion (see Section 7), we will delete your data on the timelines described above, or sooner if feasible.

6. Data Security

We protect your data with industry-standard safeguards, including: TLS encryption for data in transit, encryption at rest for databases and backups, hashed password storage (bcrypt), OAuth token storage with access scoped per-tenant, role-based access controls, audit logging of administrative actions, and regular security reviews. No system is perfectly secure, but we design AutoFlowed with the goal of minimizing the blast radius of any single failure.

7. Your Rights & How to Delete Your Data

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information
  • Export your personal information in a portable format
  • Withdraw consent or object to processing where we rely on consent or legitimate interest
  • Disconnect integrations (Google, Cloudbeds, etc.) at any time from within your AutoFlowed settings, which revokes the relevant tokens

To exercise any of these rights, email privacy@autoflowed.com from the address associated with your account. We will acknowledge your request within 7 days and complete verified requests within 30 days. We may need to verify your identity before fulfilling a deletion request. If you are an End User (for example, a hotel guest) whose data is held by a Customer of AutoFlowed, we will forward your request to that Customer and assist with fulfillment.

8. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you additional rights:

  • The right to know what categories of personal information we collect, the sources, the purposes, and the third parties with whom we share it
  • The right to request deletion of your personal information
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of your personal information — AutoFlowed does not sell personal information and does not share it for cross-context behavioral advertising
  • The right to limit the use of sensitive personal information
  • The right not to be retaliated against for exercising these rights

To exercise your California rights, email privacy@autoflowed.com. We verify California requests by matching the requesting email to an account email and, where appropriate, confirming recent account activity.

9. SMS Messaging

When you or your guests provide a phone number to AutoFlowed, that consent covers transactional messages (appointment reminders, reservation confirmations, review requests, follow-ups) sent on behalf of the relevant business. Message frequency varies. Message and data rates may apply. Reply STOP to opt out of any sender. Reply HELP for assistance. We do not use phone numbers for unrelated marketing.

10. International Data Transfers

AutoFlowed is operated from the United States and our primary infrastructure is located in the United States. If you access AutoFlowed from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from your country. By using AutoFlowed, you consent to this transfer.

11. Children’s Privacy

AutoFlowed is a business tool and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child, email privacy@autoflowed.com and we will delete it promptly.

12. Changes to This Policy

We may update this policy as the product evolves (for example, when we add a new integration such as Plaid). Material changes will be announced in-product or by email at least 14 days before taking effect. The date at the top of this page always reflects the current version.

13. Contact

For any question about this policy or about your data, email privacy@autoflowed.com. We read every message.