Privacy Policy

Last updated: April 2026

TL;DR: PumpFlow is an AI sales agent for HVAC companies that qualifies leads on WhatsApp. We collect the minimum data needed to run the service, we don't sell it to anyone, and you have full control to access, correct, or delete your data at any time.

1. Data controller

The controller of your data is PumpFlow, with registered office at Madrid, Spain and tax ID registered as autónomo in Spain. You can contact us at privacy@pumpflow.co.

2. Data we collect

Customer data (HVAC companies)

Account: company name, email, password (hashed)
Company info: phone, WhatsApp number, services, coverage area, brands, pricing, assistant personality
Billing data: handled by Stripe (we never store card numbers)
Google Calendar OAuth tokens (encrypted), to sync appointments
Dashboard usage logs (login timestamps, actions taken)

Lead data (end customers of HVAC companies)

WhatsApp phone number
Name (if provided during the conversation)
Content of messages sent to the assistant
Qualification data: property type, square meters, current heating, location, appointment date
AI-generated lead score

Technical data

IP address (for security and rate limiting only)
Browser user agent
Error and exception logs

3. How we use it

Operate the service: process WhatsApp messages, qualify leads, book appointments, sync with Google Calendar, display the dashboard
Manage your account: authentication, billing, support
Operational communications: welcome emails, confirmations, password resets, receipts
Improve the product: aggregated and anonymized usage analytics
Security: prevent fraud, abuse, and unauthorized access
Legal obligations: invoicing, tax compliance, responding to lawful requests

We do not use your data or your leads' data to train AI models.

4. Legal basis (GDPR)

Contract performance (Art. 6(1)(b) GDPR): to deliver the service you subscribed to
Consent (Art. 6(1)(a) GDPR): when a lead messages you on WhatsApp, initiating the conversation
Legitimate interest (Art. 6(1)(f) GDPR): security, fraud prevention, product improvement
Legal obligation (Art. 6(1)(c) GDPR): invoicing and accounting retention

5. Who we share your data with

We work with the following processors, all under signed data processing agreements:

Anthropic (United States) — Claude AI model for generating responses
OpenAI (United States) — GPT-4 AI model as fallback
Meta / WhatsApp Business API (United States) — sending and receiving WhatsApp messages
Google (United States) — Google Calendar OAuth for appointment sync
Stripe (United States / Ireland) — payment processing and subscription management
Resend (United States) — transactional email delivery
Railway (United States) — hosting infrastructure

We don't sell your data to anyone. We don't use your customer or lead data for advertising. We do use the Meta Pixel for website-visit analytics on our landing pages, but only when you accept it in the cookie banner — see our cookie policy for details.

6. How long we keep data

Active account: as long as you have an account with us
After cancellation: data is deleted after 30 days, unless legal obligations apply (e.g., invoices: 5 years under Spanish tax law)
Lead conversations: 12 months by default, configurable
Technical logs: 90 days

7. International transfers

Some of our processors (Anthropic, OpenAI, Meta, Google, Stripe, Resend, Railway) handle data in the United States. These transfers are performed under:

Standard Contractual Clauses approved by the European Commission
EU-U.S. Data Privacy Framework (where applicable)

8. Your rights

Under the GDPR and Spanish LOPDGDD you have the right to:

Access: know what data we hold about you
Rectification: correct inaccurate data
Erasure: request deletion ("right to be forgotten")
Objection: object to certain processing
Restriction: ask us to limit processing
Portability: receive your data in structured format
Withdraw consent: at any time, without retroactive effect

To exercise any right, email privacy@pumpflow.co. We'll respond within 30 days.

You may also lodge a complaint with the Spanish Data Protection Agency (aepd.es) or your local EU data protection authority.

9. Security

We use the following safeguards:

TLS encryption on all communications
Passwords stored with hash + salt (never in plaintext)
OAuth tokens and credentials encrypted at rest
Access control via API keys and sessions
Rate limiting to prevent abuse
HMAC signature verification on incoming webhooks
Automatic database backups

10. Changes to this policy

If we make significant changes, we'll notify you by email at least 30 days in advance. The current version will always be published on this page with the last-updated date.

11. Contact

For any questions about this policy, email privacy@pumpflow.co.