Last updated: May 13, 2026
Privacy Policy
This policy explains what data ProcFlow collects when you use our service, why we collect it, who we share it with, and what rights you have over it. We've written it in plain language because we think that's what the law actually requires — and because it's the right thing to do.
1. Who is responsible for your data
The data controller is Matej Sakelšek, operating ProcFlow, based in Slovenia, European Union.
If you have any questions about this policy or want to exercise your rights, contact us at hello@procflow.net. We respond personally, usually within a few business days.
2. What data we collect and why
Account and profile data
When you create a buyer account we collect your name, work email address, company name, job title, and phone number. When you create a supplier account we collect your name, email, and company name. We need this to operate the service — identify you, send you notifications, and display your information to counterparties in the RFQ process.
RFQ and procurement data
RFQs, supplier lists, quotes, BOM files, delivery addresses, and uploaded specification documents you create or upload are stored so the service can function. This data is yours — it lives in your account and we don't use it for any purpose beyond operating ProcFlow.
Usage and analytics data
We collect anonymised data about how you use ProcFlow — which pages you visit, which features you use, what actions you take. This helps us understand what's working and what to improve. Analytics cookies are only set after you explicitly accept them via the cookie banner. If you decline, no analytics cookies are placed.
Error and diagnostic data
When the application encounters an error, we capture a technical report that includes your user ID, email address, and a description of what went wrong. This is used solely to fix bugs. We use Sentry for this (see the processors section below).
Payment data
We do not store payment card details. Stripe processes all payments and handles payment data directly. We receive confirmation of payment success or failure and a subscription status, but never see or store your card number, CVV, or bank account details.
Email communication
We send transactional emails — RFQ invitations, quote notifications, team invitations, and lifecycle messages (e.g. trial started). These are sent using Resend. We don't send marketing emails without your consent.
3. Supplier contacts — data we receive from buyers
When a buyer uses ProcFlow to send an RFQ, they provide us with their suppliers' contact details — typically a name, email address, and company name. This data comes from the buyer's own supplier relationships; we receive it because the buyer entered it into ProcFlow.
We use this data to:
- Send RFQ invitation emails to suppliers on the buyer's behalf
- Notify suppliers of award decisions (won or not selected)
- Allow the buyer to track whether invitations have been viewed and responded to
- Allow registered suppliers to log in and manage their quotes via the supplier portal
The invitation email itself discloses that the buyer's company is using ProcFlow to manage their RFQ process and that the supplier's contact details were entered by that buyer. No supplier contact data is shared with any other buyer or third party.
If you received a ProcFlow email as a supplier contact and want to know what data we hold about you, have it corrected, or be removed from a buyer's supplier list, email us at hello@procflow.net. We will action removal requests within 30 days and inform the relevant buyer.
4. Legal basis for processing (GDPR)
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Operating the RFQ and procurement workflow | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (RFQ invitations, notifications) | Contract performance (Art. 6(1)(b)) |
| Processing payments via Stripe | Contract performance (Art. 6(1)(b)) |
| Sending RFQ invitations to supplier contacts on behalf of buyers | Legitimate interest of the buyer (Art. 6(1)(f)) |
| Detecting and fixing application errors (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies (GA4, PostHog) | Consent (Art. 6(1)(a)) |
5. Cookies
Cookies are small text files stored in your browser. ProcFlow uses three categories:
Essential cookies — always active
These are required for the service to function. You cannot opt out of them while using ProcFlow.
| Cookie | Purpose | Expires |
|---|---|---|
| sb-* (Supabase session) | Keeps you logged in | Session / 1 week |
| locale | Remembers your language preference | 1 year |
| ga_consent | Stores your cookie choice from the cookie banner | 1 year |
Analytics cookies — require consent
These are only set if you click Accept in the cookie banner. If you click Decline or dismiss the banner, these cookies are not set.
| Cookie | Provider | Purpose | Expires |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes unique visitors | 2 years |
| _ga_CLWFMLEFQJ | Google Analytics 4 | Maintains session state | 2 years |
| ph_* cookies | PostHog | Product analytics and session tracking | 1 year |
You can change your cookie preference at any time by clearing your browser cookies and reloading the page — the consent banner will reappear. You can also manage analytics cookies through your browser settings or a browser extension such as uBlock Origin.
6. Who we share your data with
We do not sell your data to anyone. We share data only with the service providers ("processors") listed below, and only to the extent necessary to operate ProcFlow.
| Provider | What data | Where | Purpose |
|---|---|---|---|
| Supabase | All account, RFQ, and file data | EU (AWS eu-central-1) | Database, authentication, file storage |
| Google Analytics 4 | Anonymised usage events (consent required) | US (EU SCCs) | Product analytics |
| PostHog | Anonymised usage events (consent required) | EU (eu.posthog.com) | Product analytics |
| Sentry | User ID, email, error reports | US (EU SCCs) | Error monitoring |
| Resend | Email address, email content | US (EU SCCs) | Transactional email delivery |
| Stripe | Billing contact details, subscription status | US (EU SCCs) | Payment processing |
| Anthropic / OpenAI | Document content you submit for AI analysis | US (EU SCCs) | AI-powered BOM and spec extraction |
"EU SCCs" means the European Commission's Standard Contractual Clauses — the legal mechanism that allows personal data to flow from the EU to the US with appropriate safeguards.
We may also disclose data if required by law or to protect the rights and safety of our users.
7. AI features
When you upload a specification document or BOM file and ask ProcFlow to extract information from it, the document content is sent to Anthropic (Claude) or OpenAI (GPT-4) for processing. We do not use your documents to train these models — both providers contractually agree to this for API customers. Document content is used only for the immediate extraction task and is not retained by the AI providers beyond their standard API request logging window.
8. How long we keep your data
| Data type | Retention period |
|---|---|
| Account and profile data | Until you request account deletion |
| RFQ, quote, and procurement data | Until you request deletion or account closure |
| Uploaded specification files | Until you delete them or close your account |
| Supplier contact data (entered by buyers) | Until the buyer deletes the supplier or closes their account |
| Analytics data (GA4) | 14 months (Google's default) |
| Analytics data (PostHog) | Per PostHog plan terms |
| Error reports (Sentry) | 90 days |
| Payment records | 7 years (legal requirement for financial records) |
| Email delivery logs (Resend) | 30 days |
To request deletion of your account and all associated data, email us at hello@procflow.net. We'll process deletion requests within 30 days.
9. Your rights under GDPR
As an EU resident, you have the following rights over your personal data:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Ask us to correct inaccurate or incomplete data.
- Erasure. Ask us to delete your data (subject to legal retention obligations).
- Portability. Receive your data in a structured, machine-readable format.
- Restriction. Ask us to limit how we process your data while a dispute is resolved.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Withdraw analytics consent at any time by clearing your cookies and declining in the banner that appears on reload.
To exercise any of these rights, email hello@procflow.net. We will respond within one month. No charge applies for reasonable requests.
10. Right to lodge a complaint
If you believe we are processing your personal data in breach of GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence.
In Slovenia, the supervisory authority is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec):
- Website: www.ip-rs.si
- Phone: +386 1 230 97 30
- Email: gp.ip@ip-rs.si
You may also contact the supervisory authority in any EU member state where you reside or work.
11. Changes to this policy
We'll update this policy when our data practices change. For material changes — new data categories, new processors, or a new legal basis — we'll notify account holders by email at least 14 days before the change takes effect. The "last updated" date at the top of this page always reflects the current version.
Questions?
If anything in this policy is unclear or you want to exercise your rights, email us directly. We read every message and respond personally.
hello@procflow.net