Privacy Policy

Last updated: March 27, 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

customrflow

by BURD digital solutions and consulting LLC

1309 Coffeen Avenue STE 1200

Sheridan, Wyoming 82801, USA

Email: privacy@customrflow.com

Website: https://customrflow.com

2. Overview of Processed Data

In connection with the use of our Platform and all associated services, we process the following categories of personal data:

Account Data

  • Name, email address
  • Organization name, location information
  • Password (stored hashed)
  • Subscription and payment information (via Stripe)

CRM Data (Your Customer Contacts)

  • First and last name, email, phone number
  • Company, address, date of birth
  • Custom fields
  • Communication history and activity log

Appointment Booking Data

  • Appointment time, booked services, assigned resources
  • Booking reference, status, cancellation reason
  • Email addresses for confirmations and reminders
  • Google Calendar Event IDs (when synchronization is enabled)

Marketing & Analytics Data

  • Tracking data (page views, conversions, campaign attribution)
  • Ad spend and performance metrics
  • Lead form data and conversion events
  • IP addresses (anonymized for analytics)

Integration Data

  • OAuth access tokens (AES-256-GCM encrypted)
  • Linked accounts with third-party providers (Meta, Google, TikTok, etc.)
  • Synchronization tokens and webhook configurations

Form & Website Data

  • Submissions to created forms
  • Website content and design configurations
  • Uploaded media and assets

3. Legal Basis for Processing

The processing of personal data is based on:

  • Art. 6(1)(b) GDPR — Contract performance: Processing to provide the Platform and its services
  • Art. 6(1)(a) GDPR — Consent: Particularly for optional integrations, tracking consents, and email notifications
  • Art. 6(1)(f) GDPR — Legitimate interest: Ensuring platform security, fraud prevention, error analysis
  • Art. 6(1)(c) GDPR — Legal obligation: Compliance with statutory retention requirements

4. Google Calendar Integration

When Google Calendar synchronization is enabled, the following provisions apply:

Scope of Access

We request the OAuth scope https://www.googleapis.com/auth/calendar, which grants read and write access to your Google Calendars.

Processed Data

  • Calendar list (name, ID, color)
  • Events (title, time range, description, attendees)
  • Change notifications via Google Push Notifications

Token Storage

OAuth access and refresh tokens are stored encrypted with AES-256-GCM and are renewed automatically before they expire. When you disconnect the integration or revoke access in your Google Account, all stored tokens and synchronization data are deleted.

Revocation

You can disconnect at any time in your calendar settings or revoke access in your Google Account.

5. Other Third-Party Integrations

When using third-party integrations, data is exchanged with the following services:

Service         | Purpose                                  | Data
----------------|------------------------------------------|----------------------------------
Meta (Facebook) | Ad campaigns, lead forms, Conversion API | Campaign data, costs, leads
Google Ads      | Ad campaign tracking                     | Campaign data, costs, conversions
Google Calendar | Bidirectional calendar sync              | Events, attendees, metadata
TikTok          | Ad campaign tracking                     | Campaign data, costs
Stripe          | Payment processing                       | Payment info, subscriptions

All integrations are optional and only become active after explicit activation by the user.

6. Email Notifications

Automated emails are sent as part of appointment management:

  • Appointment confirmations to customers and guests
  • Appointment reminders (configurable lead times)
  • Status change and cancellation notifications
  • Guest invitations to appointments

Sending can be enabled or disabled per calendar in the notification settings.

7. Data Security

We implement extensive technical and organizational measures:

  • Encryption: Sensitive data stored with AES-256-GCM
  • Transport encryption: All connections use HTTPS/TLS
  • Authentication: JWT-based access control with tenant isolation
  • CSRF protection: OAuth flows use signed state parameters
  • Access control: Role-based permissions at organization and location level
  • Audit logging: Security-relevant actions are logged
  • Automatic token renewal: Expiring tokens are automatically renewed
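An added illustration of two of the measures named above (and of the Token Storage paragraph in Section 4): sealing an OAuth token with AES-256-GCM so that it is bound to the owning tenant, and issuing and checking an HMAC-signed OAuth state parameter. This is example code written for this page, not customrflow's own implementation; the key, the tenant identifiers and the token value are constructed for illustration, and the ten-minute state lifetime is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed 32-byte key (AES-256) for this example only; a real deployment
// loads it from a secrets manager, never from source.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

var b64 = base64.RawURLEncoding

// SealToken encrypts an OAuth access/refresh token with AES-256-GCM and binds
// the owning tenant as additional authenticated data (AAD), so a sealed token
// copied into another tenant's row fails authentication instead of decrypting.
func SealToken(key []byte, tenantID, token string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per seal
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(token), []byte(tenantID))
	return b64.EncodeToString(append(nonce, ct...)), nil
}

// OpenToken reverses SealToken; the GCM tag check fails on any tampering or AAD mismatch.
func OpenToken(key []byte, tenantID, sealed string) (string, error) {
	raw, err := b64.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("sealed token too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(tenantID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewState builds an OAuth state parameter (random nonce, tenant, expiry)
// signed with HMAC-SHA256 so the callback can reject forged or stale values.
func NewState(key []byte, tenantID string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	exp := now.Add(10 * time.Minute).Unix() // assumed lifetime
	payload := b64.EncodeToString(nonce) + "." + b64.EncodeToString([]byte(tenantID)) + "." + strconv.FormatInt(exp, 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyState checks the signature in constant time, then tenant binding and expiry.
func VerifyState(key []byte, state, tenantID string, now time.Time) error {
	parts := strings.Split(state, ".")
	if len(parts) != 4 {
		return errors.New("malformed state")
	}
	payload := strings.Join(parts[:3], ".")
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	if !hmac.Equal([]byte(parts[3]), []byte(b64.EncodeToString(mac.Sum(nil)))) {
		return errors.New("bad state signature")
	}
	if parts[1] != b64.EncodeToString([]byte(tenantID)) {
		return errors.New("state issued for a different tenant")
	}
	exp, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil || now.Unix() > exp {
		return errors.New("state expired or unreadable")
	}
	return nil
}

func main() {
	sealed, _ := SealToken(sampleKey, "org-42", "ya29.example-access-token") // constructed token
	_, err := OpenToken(sampleKey, "org-99", sealed)
	fmt.Println("cross-tenant open rejected:", err != nil)
	st, _ := NewState(sampleKey, "org-42", time.Now())
	fmt.Println("state valid:", VerifyState(sampleKey, st, "org-42", time.Now()) == nil)
}
```

The AAD binding is what turns "encrypted at rest" into "encrypted for this tenant": the same key serves every row, but a ciphertext moved between organizations no longer authenticates. The state check covers the CSRF case directly (a forged or cross-tenant callback fails before any token exchange) and the expiry bounds replay.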

8. Cookies and Tracking

The Platform uses functionally necessary cookies for authentication and session management.

Websites and forms created through the Platform may include tracking pixels. The user is responsible for providing GDPR-compliant consent management. The Platform supports Google Consent Mode v2.

9. Data Retention

Personal data is only stored for as long as necessary:

  • Account data: Until account deletion
  • CRM data: Until deletion by user or account deletion
  • Appointment data: Until deletion by user; cancellation reasons are archived
  • Integration tokens: Deleted immediately when the integration is disconnected
  • Analytics data: According to configured retention periods
  • Billing data: 10 years per legal requirements

10. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

Contact: privacy@customrflow.com

You also have the right to lodge a complaint with a supervisory authority.

11. Data Processing Agreement

Insofar as you process personal data of your customers, we act as a data processor within the meaning of Art. 28 GDPR. A Data Processing Agreement (DPA) can be provided upon request.

12. International Data Transfers

When using third-party integrations, data may be transferred to third countries. These transfers are based on Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR or an adequacy decision by the European Commission.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed. The current version is always available on this page.