nflo
Legal
Privacy Policy
This Privacy Policy explains how The Bearded Developer Ltd (“we”, “us”, “our”) collects, uses, and protects your personal data when you use nflo (“the Service”) at my.nflo.app.
We are committed to handling your data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
The Bearded Developer Ltd is the data controller for personal data processed through nflo.
For any privacy-related questions or requests, contact us at: [email protected]
2. What data we collect
Account data
When you sign in via GitHub, we receive from GitHub and store:
- Your name
- Your email address
- Your GitHub profile avatar URL
- An OAuth account reference (used to link your GitHub login to your nflo account)
We do not receive or store your GitHub password. We do not post to GitHub on your behalf.
Content you create
nflo stores the data you enter while using the Service, including:
- Clients, projects, and tasks (titles, descriptions, statuses, priorities, due dates, points)
- Time entries (start time, end time, duration, description, linked client)
- Documents and notes (stored as markdown files)
- Folder structure for your document library
- Gamification data (streak, points, daily task counts)
Session data
We store a session record to keep you signed in. This is a standard authentication mechanism and contains no personal data beyond a reference to your account.
Data we do not collect
- We do not use analytics tools — no page views, click tracking, or behavioural data is collected
- We do not collect payment information — nflo is currently free to use
- We do not serve advertising or share data with advertisers
3. How we use your data
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service (storing your tasks, projects, time entries, and documents) | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Authenticating you via GitHub OAuth | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| AI-powered task prioritisation — sending task context to the Claude API to generate focus suggestions | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Maintaining security, preventing fraud, and resolving technical issues | Legitimate interests (UK GDPR Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (UK GDPR Art. 6(1)(c)) |
4. AI features and the Claude API
The “Today’s Focus” feature sends a subset of your task data (task titles, due dates, priorities, and points values) to the Claude API, provided by Anthropic, PBC, to generate personalised focus suggestions.
This data is transmitted securely. Anthropic processes this data as a data processor acting on our behalf. We do not send document content, time entries, or client names to the AI. Anthropic’s data processing is governed by their Privacy Policy.
5. Who we share your data with
We do not sell your data. We share data only with the following infrastructure providers who process it on our behalf as data processors:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Database (D1) and file storage (R2) hosting your account, content, and documents | United States (with global edge infrastructure) |
| Anthropic, PBC | AI task prioritisation via the Claude API | United States |
| GitHub, Inc. | OAuth authentication provider | United States |
6. International data transfers
All three processors above are based in the United States. Transfers of your personal data to the United States are made under appropriate safeguards, including Standard Contractual Clauses (SCCs) as recognised under the UK GDPR and the UK’s International Data Transfer Agreements (IDTAs) where applicable.
By using nflo, you acknowledge that your data will be processed in the United States for the purposes described in this policy.
7. Cookies and local storage
nflo uses a single session cookie to keep you signed in. This cookie:
- Is strictly necessary for the Service to function
- Contains only a session identifier — no personal data
- Is not used for tracking or advertising
- Is deleted when you sign out
We do not use any third-party tracking cookies or analytics scripts.
8. How long we keep your data
| Data | Retention |
|---|---|
| Account data (name, email, avatar) | Until you delete your account |
| Tasks, projects, clients, time entries | Until you delete them or delete your account |
| Documents | Until you delete them or delete your account |
| Session data | Until the session expires or you sign out |
| AI request data (sent to Claude API) | Not retained by us after the request; subject to Anthropic’s retention policy |
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your data (“right to be forgotten”)
- Right to restriction — ask us to limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, email [email protected]. We will respond within one calendar month.
10. Children
nflo is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has provided us with their data, please contact us at [email protected] and we will delete it promptly.
11. Security
We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), authentication-gated access to all data, and scoping all database queries to your individual account. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will make reasonable efforts to notify you. The “last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Complaints
If you have concerns about how we handle your data and are not satisfied with our response, you have the right to lodge a complaint with the UK’s supervisory authority:
Information Commissioner’s Office (ICO)
ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
14. Contact
For any privacy-related questions, requests, or concerns:
The Bearded Developer Ltd
[email protected]