Privacy Policy
Effective date: July 1, 2026 Last updated: July 1, 2026
This Privacy Policy explains how Hoppflow ("Hoppflow", "we", "us", or "our") collects, uses, shares, and protects information in connection with the Hoppflow website at www.hoppflow.com (the "Site"), the Hoppflow application (currently in development) and any related mobile apps, and related services (together, the "Services").
Hoppflow is a workspace-first, agentic operating system that helps founders and small teams plan, research, run meetings, manage tasks, and automate work, including by connecting tools you already use and by applying AI to your workspace content. Because of this, please read the sections on Connected Integrations, How We Use Artificial Intelligence, and Google API Services / Limited Use carefully.
If you do not agree with this Policy, please do not use the Services.
Current status — please read. Hoppflow is in pre-launch. Today, the Services consist solely of this website, including the waitlist and contact forms (which are delivered to us by email) and basic website analytics. Sections of this Policy that describe the Hoppflow application — such as accounts, billing, connected integrations, AI processing of your content, and related security measures — describe planned functionality and apply only once those features become available to you. Where this Policy uses the present tense for those features, read it as describing what the Services will do when launched.
1. Quick summary
This summary is for convenience only and does not replace the full Policy below.
- What we collect: account and profile details, the content you create or connect into your workspace, payment and billing data, communications with us, and technical and usage data.
- Why: to provide and secure the Services, operate AI features you ask for, bill you, support you, comply with law, and improve the product.
- AI: we use AI models (our own and trusted third-party providers) to process your workspace content so the Services can work. We do not use your workspace content to train third-party foundation models, and outbound or external AI actions are gated behind your approval by default.
- Integrations: when you connect tools like Google, Microsoft, Slack, Notion, or GitHub, we access only the data needed for the features you enable, and we follow each provider's data rules (including the Google API Services User Data Policy and its Limited Use requirements).
- Sharing: we do not sell your personal information. We share it only with service providers ("sub-processors") that help us run the Services, when required by law, or with your direction.
- Your choices: depending on where you live, you can access, correct, delete, export, or restrict your data, and object to certain processing. See Your Rights.
- Contact: privacy@hoppflow.com.
2. Definitions
- "Personal Data" / "Personal Information" means information that identifies, relates to, or could reasonably be linked to an identified or identifiable individual.
- "Workspace" means the tenant space in Hoppflow that belongs to a customer organization or individual, containing projects, tasks, meetings, documents, and connected data.
- "Workspace Content" / "Customer Data" means the data you and your teammates create, upload, or connect into a Workspace, including content brought in from Connected Integrations.
- "Controller" means the party that determines the purposes and means of processing Personal Data. "Processor" means a party that processes Personal Data on behalf of, and under the instructions of, a Controller.
- "Sub-processor" means a third party we engage to process Personal Data to help deliver the Services.
- "Connected Integration" means a third-party service you connect to Hoppflow (for example Gmail, Google Calendar, Google Drive, Microsoft Outlook or Teams, Slack, Notion, or GitHub).
3. Who we are, and our role (Controller vs. Processor)
Hoppflow is responsible for the Services described in this Policy and plays two different roles depending on the data:
- As a Controller. For data we collect to run our business and relationship with you, for example account registration details, billing data, Site analytics, marketing communications, and support interactions, Hoppflow is the Controller and this Policy governs that processing.
- As a Processor. For Workspace Content that a customer organization puts into Hoppflow, Hoppflow generally acts as a Processor (or "service provider" under U.S. law) and processes that content on the customer's behalf and on their instructions. The customer organization (your employer or the Workspace owner) is the Controller of that content and is responsible for how it is collected and used within their Workspace. If you are an end user in someone else's Workspace and have questions about your data, please contact that Workspace's owner or administrator first. Where required, our processing of Customer Data is governed by a Data Processing Addendum (DPA) available at /dpa.
4. Information we collect
4.1 Information you provide directly
- Website forms: when you join the waitlist or contact us, we collect your email address and the details you choose to share (such as your name, company, the topic you select, and your message).
- Account and authentication data: name, email address, password or single sign-on identifiers (for example when you sign in with Google), and, if you choose, a phone number for verification.
- Profile data: your display name, role, job function, photo or avatar, bio, and links you add (for example to a public company or founder profile you choose to publish).
- Workspace and company data: workspace name, company details and context you provide (such as what your company does, stage, and team), projects, tasks, meetings, notes, documents you upload, and other content you create.
- Payment and billing data (when accounts and paid plans become available): plan selection and billing contact details. Card and payment instrument details will be collected and processed by our third-party payment processor; we will not store full card numbers on our own systems.
- Communications: messages you send us (support requests, emails, feedback), and content of in-product communications such as comments and mentions.
4.2 Information from Connected Integrations
When you connect a third-party tool, you authorize Hoppflow (through that provider's OAuth flow or equivalent) to access specific data needed for the features you enable. Depending on the integration and the scopes you grant, this may include:
- Email (e.g., Gmail, Microsoft Outlook): message metadata and content needed to surface, summarize, or act on email within your Workspace.
- Calendar (e.g., Google Calendar, Outlook Calendar): events, attendees, and scheduling details to power meeting preparation and coordination.
- Files and documents (e.g., Google Drive, Google Docs/Sheets/Slides): file metadata and content you choose to bring into your Workspace's knowledge or company brain.
- Messaging and collaboration (e.g., Slack, Microsoft Teams): messages and channel data you choose to surface or ingest.
- Knowledge and code tools (e.g., Notion, GitHub): pages, issues, pull requests, and related metadata.
We request the minimum scopes needed for the feature you turn on, and you can disconnect any integration at any time from the Integrations settings, which revokes our ongoing access. See Google API Services / Limited Use for additional commitments specific to Google data.
4.3 Information collected automatically
- Device and technical data: IP address, browser type, operating system, device identifiers, and language.
- Usage data: pages and features used, actions taken, timestamps, referring pages, and diagnostic and performance logs.
- Cookies and similar technologies: see Cookies and tracking technologies. The Site uses Google Analytics 4 (with Google Signals) for analytics.
4.4 Information from other sources
- Authentication providers (for example Google) when you choose to sign in with them.
- Payment processor confirmation of transaction status.
- Teammates and Workspace owners who invite you, assign you work, or add you to a Workspace.
We do not intentionally collect special category / sensitive data (such as health, race, or religious data) and ask that you not store such data in the Services unless necessary and lawful.
5. How we use information
We use information for the following purposes, relying on the legal bases noted (for users in the EEA/UK):
- Provide and operate the Services including creating and securing your account, running your Workspace, and delivering the features you use. (Legal basis: performance of a contract.)
- Operate AI and automation features you request, such as drafting, research, summaries, briefings, and suggestions. (Legal basis: performance of a contract; legitimate interests in providing useful functionality.)
- Process Connected Integration data to deliver the integration features you enable. (Legal basis: performance of a contract; consent where required for the connection.)
- Respond to your messages and manage the early-access waitlist. (Legal basis: legitimate interests; steps taken at your request.)
- Billing and payments. (Legal basis: performance of a contract; legal obligation.)
- Security, fraud prevention, and abuse detection, including maintaining audit logs and enforcing tenant isolation between Workspaces. (Legal basis: legitimate interests; legal obligation.)
- Support and communication with you about the Services, including service and transactional messages. (Legal basis: performance of a contract; legitimate interests.)
- Improve and develop the Services, including troubleshooting, analytics, and aggregated or de-identified analysis. (Legal basis: legitimate interests.)
- Marketing, where permitted, to send you product news you can opt out of at any time. (Legal basis: consent where required; otherwise legitimate interests.)
- Comply with law and respond to lawful requests. (Legal basis: legal obligation.)
We will not use Personal Data for materially different, unrelated, or incompatible purposes without notifying you and, where required, obtaining your consent.
6. How we use Artificial Intelligence
AI is central to Hoppflow, so we want to be clear about it.
- What AI does. When the Hoppflow application launches, it will process Workspace Content with AI models, including large language models and embedding/vectorization models, to power the features you request — drafting, summarization, research, briefings, task and meeting assistance, and suggestions.
- Providers (sub-processors). Some AI processing happens through trusted third-party AI providers that act as our sub-processors. We send them only the content needed to perform the requested operation.
- No training of third-party foundation models on your content. We will not permit our AI sub-processors to use your Workspace Content to train or improve their general/foundation models, and we do not sell your content to anyone. We intend to engage AI providers under no-training, limited-retention terms.
- Human oversight and approvals. Actions that send something externally or take a consequential step (for example sending an email or a calendar invite) are, by design, routed to an approvals step and are not performed automatically without your authorization.
- Embeddings and the "company brain." To make your Workspace searchable and context-aware, we may create vector embeddings of your content and store them in our systems. These remain within your Workspace and are subject to the same access controls and isolation as your other content.
- Accuracy. AI outputs can be wrong or incomplete. You are responsible for reviewing AI-generated content before relying on or acting on it.
See Automated Decision-Making for your rights regarding automated processing.
7. Google API Services / Limited Use disclosure
Hoppflow's use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, when you connect a Google service (such as Gmail, Google Calendar, or Google Drive):
- We only request access to the scopes necessary to provide the features you enable.
- We use Google user data only to provide and improve those user-facing features within Hoppflow.
- We do not transfer or sell Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger or acquisition.
- We do not use Google user data to serve advertisements.
- We do not allow humans to read Google user data unless (a) we have your affirmative consent for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) the data is aggregated and de-identified and used for internal operations in line with applicable requirements.
- We do not use Google Workspace data (including Gmail content) to train, develop, or improve generalized or non-personalized AI/ML models.
You can review and revoke Hoppflow's access to your Google data at any time via your Google Account permissions and in Hoppflow's Integrations settings.
Microsoft, Slack, Notion, GitHub, and other providers. When you connect non-Google services, we similarly request only the scopes needed for the features you enable, use the data only to provide those features, and follow each provider's applicable developer and data-use terms. You can revoke access at any time from Hoppflow's Integrations settings or the provider's own settings.
8. How we share and disclose information
We do not sell your Personal Data for money. We do not use the Site for advertising; however, because the Site uses Google Analytics with Google Signals, some analytics activity may be considered a "sale" or "share" for cross-context behavioral advertising under California law. You can opt out as described in our Cookie Notice. We disclose information only as follows:
- Service providers / sub-processors who process data on our behalf under contract and only on our instructions (for example website hosting, form delivery, analytics, and, for the application, cloud hosting, AI processing, and payments). See the sub-processor list below.
- Within your Workspace. Content you create or connect is visible to other members of your Workspace according to their roles and the access controls you set (for example, items you mark private are restricted to you).
- At your direction. When you choose to publish or share something, for example a public company or founder profile via a shareable link, the information in it becomes viewable by anyone with the link until you revoke or expire it.
- Legal and safety. When required by law, legal process, or a lawful government request, or to protect the rights, property, or safety of Hoppflow, our users, or others, or to enforce our terms.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to this Policy and applicable law.
- Aggregated or de-identified data that cannot reasonably be used to identify you.
Current sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Website hosting and content delivery | United States |
| Web3Forms | Delivery of contact and waitlist form submissions | Global |
| Google LLC (Google Analytics) | Website analytics | United States |
As we launch the Hoppflow application, we will add the providers that power it (such as cloud infrastructure, AI processing, transactional email, and payments) and keep this list current. The third-party tools you choose to connect (Google, Microsoft, Slack, Notion, GitHub) are data sources you authorize, not sub-processors we impose.
9. Cookies and tracking technologies
We and our providers use cookies and similar technologies to keep the Services working, remember preferences, secure the Services, and understand usage. These include:
- Strictly necessary cookies (for the application: authentication, session security, and load balancing).
- Functional cookies and local storage (preferences such as theme and active workspace).
- Analytics cookies. The Site uses Google Analytics 4 (provided by Google LLC) to understand how it is used. With Google Signals enabled, Google may also provide aggregated demographics and interests and may associate activity across devices for signed-in Google users who allow ad personalization. Google Analytics sets cookies such as
_gaand_ga_<id>.
We do not use cookies for cross-context behavioral advertising.
Your choices. When you first visit, a consent banner lets you accept or reject analytics cookies; we do not load Google Analytics (or Google Signals) unless you accept, and you can change your choice at any time using the Cookie preferences link in the footer. We honor Global Privacy Control (GPC) as a rejection. You can also control or delete cookies in your browser settings, or install the Google Analytics opt-out browser add-on from https://tools.google.com/dlpage/gaoptout. For details, see our Cookie Notice.
10. Data retention
We retain Personal Data only as long as needed for the purposes described in this Policy, including:
- Website form submissions (contact and waitlist): kept only as long as needed to respond to you or manage early access, and deleted when you ask us to or when no longer needed. Waitlist entries are kept until launch or until you opt out.
- Analytics data: retained for up to 14 months.
- Workspace Content: for as long as your Workspace is active. When you delete content or a Workspace, we delete or de-identify it within 90 days, subject to backups that are purged on a rolling schedule and to legal retention obligations.
- Account data: for the life of your account and for a reasonable period afterward to meet legal, tax, accounting, security, and dispute-resolution needs.
- Logs and security data: for a limited period appropriate to security and operational needs.
- Billing records: as required by applicable tax and accounting law.
When retention is no longer justified, we delete or irreversibly de-identify the data.
11. How we protect your information
Today, the personal data associated with the Site is what you submit through our waitlist and contact forms (delivered to us by email through our forms provider) and analytics data, all transmitted over encrypted (TLS) connections. When the Hoppflow application becomes available, we will implement technical and organizational measures designed to protect Personal Data, expected to include:
- Encryption in transit (TLS) and encryption at rest for stored data, including encryption of sensitive credentials such as third-party access tokens.
- Tenant isolation so that data in one Workspace is not accessible from another.
- Access controls based on roles and least privilege, with administrative access limited to personnel who need it.
- Audit logging of significant actions.
- Secret management that keeps credentials separate from application code and the agent sandbox.
- Monitoring for security and abuse.
No method of transmission or storage is completely secure. While we work hard to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for the data you choose to connect or publish.
If we become aware of a personal data breach affecting your information, we will notify you and relevant authorities as required by applicable law.
12. International data transfers
We operate and use providers that may process data in countries other than where you live, including the United States and others. Where we transfer Personal Data internationally, we rely on lawful transfer mechanisms, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), or other valid safeguards. You may request more information about these safeguards using the contact details below.
13. Your rights and choices
Depending on where you live, you may have some or all of the following rights:
- Access the Personal Data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to exceptions.
- Restrict or object to certain processing, including processing based on legitimate interests and direct marketing.
- Portability: receive your data in a portable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data protection authority.
For users in the EEA / UK (GDPR / UK GDPR): the rights above apply. If our processing relies on legitimate interests, you can ask us about our balancing assessment. You can complain to your supervisory authority.
For users in California (CCPA/CPRA): you have the right to know, access, delete, and correct your Personal Information, and to opt out of "sale" or "sharing." We do not sell your Personal Information for money; because the Site uses Google Analytics with Google Signals, some activity may be considered a "sale" or "share," and you can opt out as described in our Cookie Notice. You also have rights regarding sensitive Personal Information. We will not discriminate against you for exercising your rights. You may use an authorized agent to submit requests.
For other regions (including users in Pakistan and the MENA and SEA regions): we honor applicable local data protection rights. Contact us and we will respond as required by the laws that apply to you.
How to exercise your rights. Email privacy@hoppflow.com or use in-product controls. We will verify your identity before acting and respond within the timeframe required by applicable law. If your data sits inside a Workspace controlled by an organization, we may direct your request to that organization (the Controller) or act on their instructions.
14. Automated decision-making and profiling
Hoppflow uses automation and AI to assist you, for example by suggesting assignees, drafting content, or surfacing relevant information. These features are decision-support tools; consequential external actions are gated behind your approval. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without a lawful basis and appropriate safeguards. Where such processing applies to you under GDPR Article 22, you may request human review, express your point of view, and contest the decision.
15. Children's privacy
The Services are intended for business use by adults aged 18 or over and are not directed to children. We do not knowingly collect Personal Data from anyone under 16. If you believe a child has provided us Personal Data, contact us and we will delete it.
16. Third-party services and links
The Services may link to or interoperate with third-party websites and services, including the tools you connect. This Policy does not cover those third parties. Their use of your data is governed by their own privacy policies, and we encourage you to review them.
17. Marketing communications
If you receive marketing emails from us, you can opt out at any time using the unsubscribe link or by contacting us. We will still send you necessary service and transactional messages (for example security, billing, and account notices).
18. Region-specific disclosures
- EEA / UK: the Controller is Hoppflow, and our privacy contact is privacy@hoppflow.com.
- California: see the CCPA/CPRA rights in Your Rights. The categories of Personal Information we collect, the purposes, and the categories of recipients are described in sections 4, 5, and 8.
- Other jurisdictions: additional disclosures may apply based on where you use the Services, and we comply with applicable local law.
19. App store and mobile platform disclosures
If you use a Hoppflow mobile app, the platform (Apple App Store or Google Play) may also collect data under its own policies. Our data practices are described in this Policy and reflected in the app store data disclosures (for example Apple's "App Privacy" labels and Google Play's "Data safety" section). Permissions the app requests (such as notifications) are used only for the related features and can be managed in your device settings.
20. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate or required, notify you (for example by email or an in-product notice). Your continued use of the Services after the changes take effect means you accept the updated Policy.
21. Contact us
If you have questions, requests, or complaints about this Policy or your Personal Data, contact us at:
- Privacy and data requests: privacy@hoppflow.com
- Legal and terms questions: legal@hoppflow.com
- Company: Hoppflow
We will do our best to resolve your concern. If you are in the EEA or UK and are not satisfied, you have the right to complain to your local supervisory authority.