// Privacy_Shield

Privacy Policy.

Last updated: April 26, 2026

1. Data controller

The data controller is VoxaFlow, a company based in Madrid, Spain, available at voxaflow.app.

Contact: voxaflowia@gmail.com

2. Data we collect

VoxaFlow collects the following data:

  • Sign-up data — Name, email address, profile picture (via Google OAuth or email signup)
  • Analysis data — Uploaded CSV files containing customer feedback, AI analysis results
  • Store API keys — Shopify/Trustpilot access keys you provide for automated monitoring (stored encrypted with AES-256-GCM)
  • Payment data — Processed exclusively by Stripe. VoxaFlow never stores card numbers.
  • Technical data — IP address, browser type, via Vercel server logs

3. Purpose of processing

  • Provide the feedback analysis service
  • Manage your account and subscription
  • Run automated store monitoring
  • Send analysis recap emails (if monitoring is enabled)
  • Improve the service and fix bugs

4. Legal basis

  • Performance of the contract — Processing is necessary to provide the service you signed up for (GDPR Art. 6.1.b)
  • Consent — For monitoring email delivery and connecting your API keys (GDPR Art. 6.1.a)
  • Legitimate interest — For service improvement and security (GDPR Art. 6.1.f)

5. Subprocessors

Your data is processed by the following subprocessors:

6. Retention period

  • Account data — Kept while the account is active. Deleted immediately on account deletion.
  • Analyses — Kept while the account is active. Deleted with the account.
  • Encrypted API keys — Deleted when the source is disconnected or the account is removed.
  • Uploaded CSV files — Not stored. Processed in memory during analysis then destroyed.

7. Security

  • API keys are encrypted with AES-256-GCM before storage
  • Passwords are managed by Supabase Auth (bcrypt)
  • Payments are processed by Stripe (PCI DSS Level 1)
  • All communications are encrypted via HTTPS/TLS
  • Database access is protected by Row Level Security (RLS)

8. Your rights (GDPR)

Under the General Data Protection Regulation (GDPR) you have the following rights:

  • Right of access — Obtain a copy of your data
  • Right to rectification — Edit your details on the Settings page
  • Right to erasure — Delete your account and all your data from the Settings page (Danger Zone)
  • Right to portability — Export your analyses as PDF
  • Right to object — Disable monitoring and emails at any time

To exercise these rights, contact us at voxaflowia@gmail.com. We respond within a maximum of 30 days.

9. Cookies

VoxaFlow only uses cookies essential to the service (Supabase authentication session). No advertising or tracking cookies are used.

10. Changes

This policy may be updated. In case of substantial change, users will be notified by email. The last-updated date is shown at the top of this page.

11. Contact

For any question regarding your personal data: voxaflowia@gmail.com

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es