Privacy Policy

Last updated: 16 April 2026

1. Who we are

Worflo (ABN 30 198 625 249) is an Australian business registered with ASIC. We operate the website worflo.io and the application at app.worflo.io.

In this policy, "Worflo", "we", "us", and "our" refer to this business. "You" refers to the person or organisation using our services.

Questions about this policy: hello@worflo.io

2. What data we collect

2.1 Account data

When you connect your HubSpot portal or invite team members, we collect: name, email address, HubSpot portal ID and portal name, and subscription details (plan tier, renewal date — not payment card details).

2.2 HubSpot portal data

When you authorise Worflo via HubSpot OAuth, we access and store the following from your HubSpot portal:

  • Workflow definitions — name, trigger conditions, action steps, and enabled/disabled status
  • Workflow version history — snapshots of each workflow definition each time a change is detected, used for version comparison and rollback
  • Workflow execution events — enrollment, step completion, step errors, and unenrollment events for contacts, deals, and companies
  • Contact and deal object IDs — used to identify records in execution logs. We store IDs only, not full contact or deal records.
  • Portal metadata — portal ID, portal name, account timezone

This data is accessed read-only. The only write operation Worflo performs is the rollback feature, which reconstructs a previous workflow definition with your explicit instruction.

2.3 Usage and technical data

We collect information about how you use the application (pages visited, features used) and standard web server data (IP address, browser type, timestamps). We use Sentry for error monitoring, which may capture technical stack traces when an error occurs.

3. How we use your data

  • Providing the service — workflow version control, execution tracing, error alerting, diff viewing, and all features you use
  • Account administration — managing subscriptions, team members, and portal connections
  • Billing — processing subscription payments via Stripe
  • Error alerts — sending email or webhook notifications when workflows error, if you have enabled these
  • Service communications — weekly digest emails and account notifications, if enabled
  • Product improvement — understanding feature usage to prioritise development
  • Legal compliance — maintaining records we are required to keep

We do not sell, rent, or share your data with third parties for marketing. We do not use your HubSpot portal data to train AI models or for any purpose other than providing the service to you.

4. HubSpot OAuth scopes

Worflo requests the following OAuth scopes when you connect your portal. We only request scopes we actively use:

Scope                        Purpose
automation                   Reading workflow definitions and execution events; writing rollback changes
crm.objects.contacts.read    Reading contact property values for the workflow simulation feature
crm.objects.deals.read       Reading deal property values for the workflow simulation feature
oauth                        Standard OAuth authentication

You can revoke access at any time from HubSpot → Settings → Integrations → Connected Apps. Revocation stops all data syncing and triggers deletion of your portal data within 30 days.

5. Third-party sub-processors

We use the following services to operate Worflo. All process data in the United States:

Provider                     Purpose
Amazon Web Services          Cloud hosting, database, storage
Stripe Inc.                  Subscription billing and payment processing
HubSpot Inc.                 Integration platform (data source)
Postmark (ActiveCampaign)    Transactional email delivery
Anthropic PBC                AI-generated workflow diff summaries and error explanations
Sentry                       Application error monitoring

Under APP 8 of the Australian Privacy Act 1988, we remain accountable for how our sub-processors handle personal information. We have data processing agreements with each provider above.

6. Payment and billing

Subscription payments are processed by Stripe Inc. Worflo does not store, see, or have access to your credit card number, CVV, or full payment credentials. These are handled entirely by Stripe's secure payment infrastructure. We store your Stripe customer ID, plan tier, and billing status.

7. Data retention

  • Free plan — execution traces retained for 7 days; maximum of 100 traces stored
  • Pro and Agency plans — execution traces retained for 90 days
  • Enterprise plans — retention periods agreed in writing
  • Account data — retained for the life of your subscription plus 30 days after cancellation, then permanently deleted
  • HubSpot portal data — deleted within 30 days of account cancellation or OAuth revocation
  • Billing records — retained for 7 years as required by Australian tax law

8. Overseas data transfers

Your data is processed and stored in the United States by our sub-processors listed in section 5. By using Worflo, you consent to this transfer.

Under APP 8 of the Australian Privacy Act 1988, we remain liable for how overseas recipients handle personal information. We have contractual data processing agreements with each sub-processor to ensure data is handled consistently with Australian Privacy Principles.

9. Security

  • All data encrypted in transit using TLS 1.2 or higher
  • Data encrypted at rest using AES-256
  • HubSpot OAuth tokens encrypted at the application level before storage
  • Access to production systems restricted to authorised personnel
  • Automated vulnerability scanning on every deployment
  • We comply with the Australian Notifiable Data Breaches (NDB) scheme — if a qualifying breach occurs, we will notify the OAIC and affected individuals within 30 days

10. Your rights

Under the Australian Privacy Act 1988, you have the right to access, correct, and request deletion of your personal information. Email hello@worflo.io — we respond within 30 days.

You may also disconnect HubSpot at any time from Settings, which revokes our OAuth access immediately and triggers deletion of your portal data.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Cookies

The Worflo marketing website (worflo.io) uses only essential session cookies. We do not use advertising or tracking cookies. The application (app.worflo.io) uses browser localStorage to maintain your login session; no cookies are set by the application itself.

12. Changes to this policy

We will notify you by email of material changes at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Governing law

This policy is governed by the laws of Australia. Disputes are subject to the jurisdiction of Australian courts.

14. Contact

Privacy enquiries: hello@worflo.io
Worflo (ABN 30 198 625 249), Australia