Privacy Policy
Last updated: April 2026
Kinflo Pty Ltd (“Kinflo”, “we”, “us”, “our”) is an Australian company committed to protecting the privacy of your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy explains how we collect, use, store, and disclose your personal information when you use the Kinflo platform — an AI readiness assessment and AI automation platform — at https://kinflo.com.
1. Information We Collect
Account Information
- Name, email address, and optionally profile picture, provided via Google sign-in, email and password registration, or magic link authentication
- Company name, industry, and company size
Assessment Data
- Your responses to AI readiness assessment questions, covering areas such as AI strategy, data practices, governance, budgets, talent, and technology
- Assessment scores and generated reports
Workspace Data
- Automation configurations, workflow definitions, and task histories created within your workspace
- Approval requests, scheduling preferences, and integration connection details (authentication tokens are encrypted at rest)
- Content processed by your AI automations, including inputs you provide and outputs generated
Payment Information
- Payment transactions are processed entirely by Stripe. We do not store, process, or have access to your credit card details. We retain only a transaction reference and the amount paid.
Usage Data
- Pages visited, features used, and assessment completion status
- Browser type, device information, and IP address
- Automation execution logs and usage metrics within your workspace
2. How We Use Your Information
We use your personal information to:
- Provide AI readiness assessments and generate personalised reports based on your responses
- Operate AI automations within your workspace, including executing tasks, processing approvals, and managing integrations
- Process payments for paid tiers via Stripe
- Send transactional emails, including assessment results, payment confirmations, automation notifications, and account updates
- Improve our platform and assessment methodology using anonymised, aggregated data (your individual responses are never shared publicly)
- Send you relevant communications about your account, new features, or services where you have provided consent
- Comply with legal obligations under Australian law
3. Third-Party Services
We use the following third-party services to deliver the platform. We want to be upfront about this:
Google (Authentication & Workspace Integrations)
For authentication: We use Google OAuth to sign you in. When you sign in with Google, we receive your name, email address, and profile picture.
For workspace integrations: When you connect Google services in your workspace, we request additional permissions to access Gmail (read and send emails on your behalf), Google Sheets (read and write spreadsheet data), Google Calendar (read and manage events), and Google Drive (read files). These permissions are requested separately from sign-in, only when you explicitly choose to connect each service. You can disconnect any Google service at any time from your workspace connections page. Access tokens are encrypted at rest.
Kinflo’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Anthropic (Claude AI)
Your assessment responses, company profile, and workspace data are sent to Anthropic’s Claude API for AI-powered analysis, report generation, and automation execution. This is a core part of how the platform works.
Anthropic processes this data under their data usage policy. Importantly, Anthropic does not use data submitted via their API to train their models.
Stripe (Payments)
Payment processing is handled entirely by Stripe. Your card details are submitted directly to Stripe and are never sent to or stored on our servers.
Amazon Web Services (Hosting)
Our application, database, and email infrastructure are hosted on AWS in the Asia Pacific (Sydney) region (ap-southeast-2). This means your data is stored on servers physically located in Australia. Transactional emails are sent via AWS Simple Email Service (SES) within the same region. Operational logs are stored in AWS CloudWatch within the same region and may contain automation execution metadata.
Composio (Integration Platform)
When you connect third-party services to your workspace (beyond Google services), we use Composio to facilitate those connections. Composio manages OAuth tokens and processes API calls to third-party services on behalf of your automations. Data shared with connected services is limited to what is necessary to execute your automation tasks. You can disconnect any integration at any time from your workspace connections page.
All third-party processors are bound by their respective privacy policies and, where applicable, data processing agreements.
4. Data Storage and Security
Your data is stored in the AWS Asia Pacific (Sydney) region (ap-southeast-2) on servers physically located in Australia. Our security measures include:
- All data is encrypted in transit using HTTPS/TLS
- Database encryption at rest
- Database access is restricted to application servers with no direct public access
- Passwords are hashed using bcrypt
- Integration tokens are encrypted at rest using AES-256-GCM
- Access to systems is controlled via role-based authentication
- Workspace data is logically isolated between customers. Each workspace operates independently and cannot access data belonging to other workspaces.
No method of electronic storage or transmission is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security.
5. Cookies
- Session cookies: We use session cookies for authentication. These cookies identify your login session and expire when you log out or after a period of inactivity. They are essential for the platform to function.
- No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party tracking cookies.
- No advertising cookies: We do not serve or facilitate targeted advertising.
6. Data Retention
- Account data (name, email, company details) is retained for as long as your account remains active.
- Assessment data (responses, scores, and reports) is retained for 2 years from your last activity on the platform.
- Workspace data (automation configurations, task histories, execution logs) is retained for as long as your workspace is active, and for 90 days after workspace deletion.
- Payment records are retained as required by Australian tax law (generally 5 years).
- You may request deletion of your data at any time (see Your Rights below).
7. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you
- Request correction of any inaccurate, incomplete, or out-of-date information
- Request deletion of your personal information and workspace data (subject to any legal obligations requiring us to retain it)
- Export your data in a portable format upon request
- Withdraw consent for non-essential communications at any time
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs. You can contact the OAIC at www.oaic.gov.au
To exercise any of these rights, email us at hello@kinflo.com. We will respond within 30 days.
8. Children
Kinflo is a business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will delete it promptly.
9. International Users and Cross-Border Transfers
Kinflo is operated from Australia and your primary data is stored in the AWS Asia Pacific (Sydney) region. If you access the platform from outside Australia, your data will be transferred to and processed in Australia. By using the platform, you consent to this transfer.
Certain third-party service providers process data outside Australia, specifically:
- Anthropic (Claude AI) — United States
- Stripe (payments) — United States
- Composio (integration services) — United States
These transfers are necessary to provide the services. Each provider operates under its own privacy policies and data protection commitments.
Additional Rights for EU/EEA and UK Users
If you are located in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to:
- Request restriction of processing of your personal data
- Object to processing based on legitimate interests
- Data portability (receive your data in a structured, machine-readable format)
- Lodge a complaint with your local data protection authority
Our lawful bases for processing your personal data are: (a) contractual necessity (to provide the services you have signed up for), (b) legitimate interest (to improve our platform and prevent fraud), and (c) consent (for marketing communications, which you may withdraw at any time).
Where your data is transferred outside the EEA/UK, we rely on adequacy decisions, standard contractual clauses, or other appropriate safeguards recognised under applicable data protection law.
10. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Notify affected individuals as soon as practicable after becoming aware of the breach
- Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988
- Include in our notification the nature of the breach, the types of information involved, and recommended steps individuals should take in response
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email. The “Last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.
12. Contact
If you have any questions about this Privacy Policy or how we handle your personal information, please contact us:
- Email: hello@kinflo.com
- Website: https://kinflo.com
- Entity: Kinflo Pty Ltd (ABN 71 605 512 776)