
Privacy Policy

Last Updated: March 13, 2026

1. Introduction

Robinflow LLC ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password
  • Payment Information: Billing details (processed securely through Stripe)
  • Profile Information: Trading preferences, watchlists, custom alerts
  • Communications: Messages sent to customer support
  • Compliance Information: First name, last name, country, and address — collected during account setup for users who sign up via Google OAuth, for legal compliance and audit purposes

2.2 Automatically Collected Information

  • Usage Data: Pages viewed, features used, time spent on platform
  • Device Information: IP address, browser type, operating system
  • Analytics Data: Aggregated and anonymized usage patterns
  • Consent Audit Data: IP address and browser user agent recorded at the time you accept our Terms of Service, for legal compliance purposes (retained per Section 6: Data Retention)

3. How We Use Your Information

We use your information to:

  • Provide and maintain our services
  • Process payments and manage subscriptions
  • Send you service updates and important notifications
  • Improve our platform and develop new features
  • Provide customer support
  • Detect and prevent fraud or abuse
  • Comply with legal obligations
  • Send marketing communications (with your consent)

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

4.1 Service Providers

  • Payment Processing: Stripe (for secure payment processing)
  • Analytics: Google Analytics (with IP anonymization enabled)
  • Cloud Hosting: AWS and Vercel (for infrastructure)
  • Security: Cloudflare (for CAPTCHA verification and infrastructure protection)
  • Email Services: Transactional email providers

4.2 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Regular security audits and updates
  • Access controls and authentication
  • Secure password hashing

However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. Upon account deletion:

  • Personal data (name, email, IP address) is permanently deleted immediately
  • Payment data is deleted from Stripe, our payment processor
  • Consent records (e.g., date you accepted our Terms of Service) are anonymized and retained for up to 3 years to comply with legal obligations and resolve potential disputes. These records contain no personally identifiable information.
  • Fraud prevention data (e.g., whether a free trial was used) may be retained to prevent abuse

Anonymized and aggregated data may be retained indefinitely for analytics purposes.

7. Your Rights and Choices

You have the right to:

  • Access: Request a copy of your personal information
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Export: Download your data in a portable format
  • Opt-Out: Unsubscribe from marketing emails
  • Object: Object to certain processing activities

To exercise these rights, contact us at support@robinflow.io. We will respond within 30 days (or 45 days for requests made under the California Consumer Privacy Act).

8. Cookies and Tracking

We use cookies and similar technologies to operate our platform securely and improve your experience. Below is a detailed breakdown of every cookie category we use.

8.1 Essential Cookies (Always Active)

These cookies are strictly necessary for the platform to function. They cannot be disabled.

Authentication & Session

When you sign in, we set the following httpOnly, Secure cookies (SameSite=Lax) to maintain your session:

  • access_token, id_token — JWT tokens for authenticating your requests. Tokens expire after 15 minutes and are automatically refreshed using your refresh token.
  • refresh_token — Used to obtain new access/id tokens without re-entering your password. Cookie duration: 30 days if you select "Remember me," or 12 hours otherwise.
  • _rt_fp — Refresh token fingerprint for replay protection.
  • access_expires_at, session_started_at — Timestamps used to schedule token refreshes and track session age.
  • auth_method — Records whether you signed in with email/password or Google OAuth.
  • remember_me — Stores your "Remember me" preference to determine session duration.
  • device_key — Identifies a trusted device so you are not prompted for MFA on every sign-in.

Multi-Factor Authentication (MFA)

  • mfa_device_token, mfa_device_user, mfa_device_expires_at — httpOnly cookies (30 days) that allow trusted devices to bypass the MFA prompt.

Security

  • csrf_token — A 64-character random token used for Cross-Site Request Forgery protection (Double Submit Cookie pattern). This cookie is readable by JavaScript by design. Duration: 30 days.

OAuth Flow (Temporary)

  • oauth_state — A random value used to prevent CSRF during Google sign-in. Expires after 10 minutes.
  • oauth_remember_me — Carries your "Remember me" preference through the OAuth redirect. Expires after 10 minutes.

CAPTCHA (Cloudflare Turnstile)

We use Cloudflare Turnstile to protect sign-up and sign-in forms from bots. Turnstile may set its own cookies, which are managed by Cloudflare. We do not control the names or duration of these cookies. See Cloudflare's Turnstile Privacy Addendum for details.

8.2 Analytics Cookies (Consent Required)

These cookies are only set if you accept analytics in the cookie consent banner.

  • _ga — Google Analytics 4 client identifier. Duration: 2 years.
  • _ga_[MEASUREMENT_ID] — GA4 session tracking cookie. Duration: 1 year.
  • _gid — GA4 session identifier. Duration: 24 hours.

IP anonymization is enabled, so your full IP address is never stored by Google Analytics. If you reject analytics or withdraw consent, these cookies are immediately deleted.

8.3 Preference Storage

  • rf:cookie_consent — This is stored in your browser's localStorage (not an HTTP cookie). It records whether you accepted or rejected analytics cookies. For logged-in users, this preference is also synced to our server so it applies across devices.

8.4 Third-Party Services

Stripe: Payment processing is handled entirely on Stripe's hosted checkout page. No Stripe cookies are set on our domain.

We do not use any advertising, retargeting, or third-party tracking cookies. We do not sell data to advertisers.

8.5 Managing Your Preferences

You can manage your cookie preferences at any time using the "Cookies" link in the footer, which will re-open the consent banner. You can also clear cookies through your browser settings.

9. Third-Party Links

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

10. Children's Privacy

Our services are not intended for individuals under 18 years of age. Consistent with our Terms of Service (Section 3), users must be at least 18 years old to create an account. We do not knowingly collect personal information from children under 18. If we become aware of such collection, we will delete the information immediately.

11. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and service providers are located. These transfers are necessary for the performance of our contract with you (providing the Service). We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws.

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt-out of the sale of personal information
  • Right to deletion of personal information
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising your privacy rights

We do not sell or share your personal information as defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than providing the Service. To exercise any of these rights, contact us at support@robinflow.io. We will respond within 45 days of receiving a verifiable consumer request.

13. European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Lawful basis: We process your personal data on the following bases: performance of a contract (to provide the Service), legitimate interests (fraud prevention, security, platform improvement), consent (analytics cookies), and legal obligation (compliance record-keeping).
  • Right to restrict processing: You may request that we limit how we use your data.
  • Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.

Your data may be transferred to and processed in the United States, where our servers are located. These transfers are necessary for the performance of our contract with you. To exercise any of these rights, contact us at support@robinflow.io. We will respond within 30 days.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a prominent notice on our platform. The "Last Updated" date at the top indicates when changes were last made.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

Email: support@robinflow.io
Address: Robinflow LLC, 1710 Keller Parkway #9843, Keller, TX 76248

© 2026 Robinflow