Privacy Policy

Effective: May 11, 2026

Last updated: May 11, 2026

This Privacy Policy explains how Chippie LLC, a Wyoming limited liability company doing business as GCFlow (“GCFlow,” “we,” “us,” or “our”), collects, uses, shares, and protects information when you use gcflow.co and the GCFlow construction management platform (the “Service”). Capitalized terms not defined here have the meaning given in our Terms of Service.

1. Overview

GCFlow is a B2B SaaS tool that general contractors use to manage projects, vendors, compliance documents, job costing, change orders, pay applications, and invoices. Most of the personal data we process is provided by our business customers (employers) and relates to their employees, subcontractors, vendors, and clients. Where we act as a service provider (or “processor”), our business customer is responsible for ensuring it has the right to provide that data and for the lawful basis on which the data is processed.

We never sell personal data, and we do not use it for cross-context behavioral advertising.

2. Data We Collect

(a) Account data. Name, email address, password (stored only as a salted bcrypt hash), team/company name, role, and (optional) phone number. If you enable two-factor authentication, we store a TOTP secret tied to your account.

(b) Billing data. Plan, billing period, subscription status, trial status, and Stripe customer / subscription identifiers. Payment card details are entered directly into Stripe and are not stored on GCFlow servers; we only receive a tokenized reference and last-four digits.

(c) Customer Content. Project data, vendor and subcontractor records, client information, addresses, drawings, daily logs, pay applications, invoices, compliance documents, lien waivers, and any files you upload.

(d) Usage data. Pages viewed, features used, timestamps, IP address, browser type, operating system, device identifiers, and approximate location (derived from IP). We use this to operate, secure, and improve the Service.

(e) Session and security data. Authentication tokens, session identifiers, last-active timestamps, IP addresses of sessions, and audit logs of security-sensitive actions (sign-ins, 2FA changes, password resets, owner-initiated changes).

(f) Communications. Messages you send to support, feedback you submit, and emails we send you. We may retain this for support quality and legal recordkeeping.

3. How We Use Your Data

We process data only as needed to:

  • Provide, maintain, and support the Service;
  • Authenticate you, secure your account, and prevent fraud and abuse;
  • Process subscriptions and payments through Stripe;
  • Send transactional emails (sign-up confirmation, password resets, billing notifications, trial-ending notices, security alerts) via Brevo (primary) or Amazon SES (fallback);
  • Diagnose and fix bugs, monitor performance, and analyze usage in aggregate;
  • Respond to support requests and communicate operational changes;
  • Comply with legal obligations and enforce our Terms.

Legal bases (EU/UK users). Where the GDPR applies, our lawful bases are: performance of the contract (to deliver the Service), legitimate interests (security, fraud prevention, service improvement), legal obligation (tax, accounting, responding to lawful requests), and consent (where required, e.g., for optional cookies).

Automated decision-making. We do not make decisions that produce legal or similarly significant effects based solely on automated processing.

4. How We Share Data

We share data only as described below:

  • Within your team. Other members of your GCFlow team see Customer Content and basic profile information of teammates, subject to roles and permissions configured by your team's admin.
  • Sub-processors. Third parties we use to operate the Service (see Section 5).
  • Legal compliance. When required by law, valid legal process, or to protect our or others' rights, property, or safety. We will challenge requests we believe to be overly broad or unlawful and, where lawful, notify you.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets. Any successor will be bound by this policy or one substantially similar.
  • With your consent. For any other purpose disclosed at the time of consent.

We do not sell or rent personal data, and we do not share it for cross-context behavioral advertising.

5. Sub-processors

We use the following sub-processors to provide the Service. Each is bound by contractual data-protection obligations.

Provider | Purpose | Location
Stripe, Inc. | Payment processing, billing portal, invoices | USA
Amazon Web Services (AWS) | Compute (EC2), file storage (S3), content delivery (CloudFront), email fallback (SES) | USA (us-east-1)
Neon, Inc. | Managed PostgreSQL database (encrypted at rest) | USA
Sendinblue SAS (Brevo) | Transactional email delivery (primary) | France / EU
Intuit (optional) | QuickBooks integration, only if you enable it | USA

We will provide at least 30 days' notice via email or in-product notice before adding a new sub-processor that materially changes how we process your data.

6. Cookies and Tracking

GCFlow uses only strictly necessary cookies for authentication and session management:

  • session — short-lived signed JWT used to authenticate API requests.
  • sessionId — long-lived opaque identifier tied to a database session record.
  • 2fa_challenge — short-lived token issued during two-factor sign-in.
  • impersonation — set only when a GCFlow operator is providing approved support access.

All cookies are marked httpOnly and Secure, with SameSite=Lax. We do not use advertising cookies, third-party analytics cookies, or cross-site trackers. We do not honor “Do Not Track” browser signals because we do not engage in tracking; we do honor the Global Privacy Control (GPC) where applicable.

7. Security

We use industry-standard security controls, including:

  • TLS encryption (HTTPS) for all data in transit;
  • Encryption at rest for the database and S3 storage (AES-256);
  • Password hashing with bcrypt and per-user salts;
  • Optional time-based one-time password (TOTP) two-factor authentication;
  • Short-lived (15-minute) JWTs with database-validated long-lived sessions;
  • Presigned, time-limited URLs for file access;
  • Network isolation, least-privilege IAM, and audit logging for operator actions;
  • Regular dependency updates and security patches.

No system is perfectly secure. If we become aware of a personal-data breach that affects you, we will notify affected customers and (where required) regulators within the timelines required by applicable law. Send security reports to security@gcflow.co.

8. Data Retention

Data type | Retention
Active account data and Customer Content | For the lifetime of your account
Customer Content after account closure | 30 days, then deleted from active systems
Encrypted backups | Up to 90 days, then overwritten
Audit and security logs | Up to 2 years
Billing records (invoices, receipts) | 7 years (tax/accounting compliance)
Support communications | 3 years

We may retain data longer where required by law or to defend legal claims.

9. Your Rights

Regardless of your location, you can:

  • Access and update your profile and account settings at any time;
  • Export your data through built-in export tools or by emailing support;
  • Delete your account, which triggers the retention schedule in Section 8;
  • Withdraw consent where processing is based on consent (this does not affect prior lawful processing);
  • Object to or restrict certain processing, subject to applicable law.

Send rights requests to privacy@gcflow.co. We will verify your identity and respond within 30 days (or as required by applicable law). If you are a user of a business customer's GCFlow account, we may direct your request to that customer (who controls the data).

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:

  • Right to know what personal information we collect, use, and disclose;
  • Right to delete personal information, subject to legal exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt out of the “sale” or “sharing” of personal information (we do not sell or share, so there is nothing to opt out of);
  • Right to limit use of sensitive personal information (we do not use sensitive PI for purposes beyond what is reasonably necessary to provide the Service);
  • Right to non-discrimination for exercising these rights.

We do not sell or share personal information, including the personal information of minors under 16, and have not done so in the preceding 12 months. To exercise your CCPA rights, email privacy@gcflow.co. You may also designate an authorized agent to act on your behalf.

11. EU/UK Privacy Rights (GDPR / UK GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of access;
  • Right to rectification;
  • Right to erasure (“right to be forgotten”);
  • Right to restrict processing;
  • Right to data portability;
  • Right to object to processing based on legitimate interests;
  • Right to withdraw consent;
  • Right to lodge a complaint with your local data protection authority.

For business customers who require a Data Processing Addendum (DPA) under Article 28 GDPR, contact privacy@gcflow.co.

12. International Data Transfers

GCFlow is operated from the United States, and most of our infrastructure (AWS compute, S3 storage, Neon database, Stripe) is located in the United States. Our transactional email provider, Brevo (Sendinblue SAS), is located in France and processes the limited personal data needed to deliver emails (recipient address, sender, subject, message body) within the European Union.

If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and, for outbound transactional emails, the European Union. Where required (e.g., for transfers from the EU/UK to the United States, or onward transfers between sub-processors), we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms recognized under applicable law.

13. Children’s Privacy

The Service is not directed to children under 13 (or under 16 in the EU/UK), and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@gcflow.co and we will delete it.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or in-product notice at least 30 days before the change takes effect (or sooner if the change addresses a legal or security requirement). The “Last updated” date at the top of this page indicates the most recent revision.

15. Contact

Chippie LLC, d/b/a GCFlow
30 North Gould Street
Sheridan, WY 82801, USA

Privacy requests: privacy@gcflow.co
Security reports: security@gcflow.co
Legal notices: legal@gcflow.co