Privacy Policy
EditionFlow is architected so your subscribers, content, AI prompts, and OAuth tokens never reach our servers. This policy documents the small data set our subscription service must process to bill you, license your software, and keep the service running.
Last updated: 2026-06-04
01 Who we are
EditionFlow is operated by Pent-AI-Efficient Solutions LLC (referred to as "EditionFlow," "we," "us," and "our" in this policy), a Maryland limited liability company. We provide a Google Workspace add-on that helps small organizations create and send email newsletters in minutes rather than hours.
02 What we collect
Account & billing data
When you start a subscription, the following is collected:
- Your email address (used as your account identifier)
- Your name and billing address (passed to Stripe; we do not store these on our own systems)
- Your payment method (handled entirely by Stripe; we receive only a customer ID and subscription status)
- A randomly generated license key tied to your subscription
Service telemetry
The EditionFlow license server records:
- License key validation requests (timestamp, IP-derived country, browser user-agent)
- Subscription lifecycle events from Stripe (created, updated, canceled, payment failures)
- Customer Portal session creation requests
03 What we don't collect
EditionFlow's architecture means we never receive your subscriber lists, your newsletter content, your AI prompts, your Google OAuth tokens, your Drive files, or your Gemini API key. This is enforced by code, not just by policy.
Specifically, EditionFlow does not collect or process:
- Your subscriber lists or contact information
- Your newsletter content, drafts, or sent emails
- Your AI prompts or AI-generated content
- Your Google OAuth tokens (these stay inside your Apps Script project)
- Your Drive files, Sheets, or any content from your Google Workspace
- Your Gemini API key (you paste it into your own Sheet; AI calls run under your account)
The EditionFlow Apps Script Library executes under your Google identity inside your Workspace, with only the OAuth scopes you grant in your own project's manifest. We have no path to your data even if we wanted one.
04 How we use this data
- Billing. To process your subscription via Stripe.
- Licensing. To verify your license key when your Apps Script Library checks in.
- Service reliability. To detect abuse, debug issues, and provide support.
- Communications. Transactional emails only (welcome, renewal reminders, important security or pricing notices). We do not send marketing emails without consent.
05 Third-party processors
We use the following service providers under data processing agreements:
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing & subscription management | Email, name, billing address, payment method |
| Resend | Transactional email delivery (welcome, renewal, lifecycle) | Email address, email body content |
| Cloudflare, Inc. | Hosting (license server, landing page) & CDN | IP address, browser metadata |
| Google Apps Script (Google LLC) | Library execution platform inside your own Workspace | (entirely customer-controlled; we have no access) |
We do not use third-party analytics, advertising trackers, behavioral profiling tools, or session-recording tools.
06 Cookies & tracking
The EditionFlow website (editionflow.app) uses only first-party functional cookies required for the Stripe Checkout and Customer Portal flows. Stripe sets its own cookies during checkout for fraud prevention and session continuity; these are governed by Stripe's privacy policy.
The EditionFlow Apps Script Library, running in your Google Workspace, uses only the storage primitives provided by Apps Script (Properties Service, Cache Service) within your own project. None of this is accessible to us.
07 Data retention
- Billing records. Retained as long as required by applicable tax and accounting law (typically 7 years), then deleted.
- Subscription state. Retained while your subscription is active, plus 30 days after cancellation.
- License-server telemetry. Rotated and purged after 90 days.
- Transactional emails. Not retained on our side beyond Resend's standard delivery logs.
08 Your rights
Depending on your jurisdiction, you may have the following rights:
- Access. Request a copy of the data we hold about you.
- Correction. Request that inaccurate data be corrected.
- Deletion. Request that we delete your account and associated data.
- Portability. Receive your data in a structured, machine-readable format.
- Objection. Object to specific types of processing.
- Withdraw consent. Where processing is based on consent.
To exercise any of these rights, email [email protected]. We respond within 30 days.
For EU/UK customers: the GDPR's lawful bases for our processing are contract (Stripe billing, license validation) and legitimate interest (service reliability, abuse prevention).
For California customers: your CCPA / CPRA rights to know, delete, correct, and opt out of "sale" apply. We do not sell or share personal information for cross-context behavioral advertising.
09 International data transfers
EditionFlow's license server runs on Cloudflare's global network and may process requests in any region where Cloudflare operates. Stripe processes payments primarily in the United States. We rely on Cloudflare's and Stripe's published Standard Contractual Clauses (SCCs) for transfers outside the EU, UK, and Switzerland.
10 Security
- All data in transit is encrypted via HTTPS / TLS 1.2 or higher
- Stripe-stored payment data is PCI DSS Level 1 compliant
- License-server data at rest is encrypted by Cloudflare D1
- Access to production systems is restricted to LLC principals using strong authentication
We do not store passwords (authentication runs through Google's OAuth) or payment card numbers (Stripe holds those).
11 Children's privacy
EditionFlow is not directed to children under 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us at [email protected] and we will delete it.
12 Changes to this policy
We may update this policy from time to time. We will post any changes on this page and update the "Last updated" date. Material changes will be announced via email to active subscribers at least 30 days before they take effect.
13 Contact
| Type | Details |
|---|---|
| General privacy inquiries | [email protected] |
| Data subject access requests | [email protected] |
| Business contact | [email protected] |
| Legal entity | Pent-AI-Efficient Solutions LLC, Maryland, United States |