Repflow AI Privacy Policy

Last updated: September 15, 2025

This Privacy Policy explains how SUMOSMASH UG (haftungsbeschränkt) trading as Repflow AI ("Repflow AI," "we," "us," "our") handles personal data when you visit our websites, use our services, or communicate with us.

If you use Repflow AI on behalf of a company, you confirm that you have authority to share information and to receive notices on the company's behalf.

1. Who we are and how to contact us

Controller: SUMOSMASH UG (haftungsbeschränkt), Seydelstr. 12, 10117 Berlin, Germany

Privacy email: privacy@repflow.ai

Legal email: legal@repflow.ai

For terms that govern your use of our services, see the Repflow AI Master Service Terms.

2. Scope

This Policy applies to our public websites, product, APIs, and related services. It does not apply to third-party sites or services that are linked from our pages.

3. Personal data we collect

  • Account and contact data: name, email, company, role, password, authentication data
  • Usage and device data: browser type, device identifiers, IP address, language, pages viewed, actions in the product, crash logs
  • Support and communications: messages, tickets, call recordings if you contact support
  • Customer Content: data, files, prompts, instructions, images, audio, or other content you or your users upload to the product
  • Payment data: handled by our payment processor. We receive limited billing metadata
  • Cookies and similar technologies: see our Cookie Policy for details and choices

We do not knowingly collect information from children and the Services are not directed to children.

4. How we use data and legal bases

We process personal data to:

  • Provide and operate the Services
    Legal bases: contract performance, legitimate interests
  • Secure, monitor, and improve the Services, including fraud prevention and abuse detection
    Legal bases: legitimate interests, legal obligation
  • Customer support and communications
    Legal bases: contract performance, legitimate interests, consent where required
  • Billing and account management
    Legal bases: contract performance, legal obligation
  • Comply with law and enforce terms
    Legal bases: legal obligation, legitimate interests
  • Marketing to business contacts where permitted
    Legal bases: consent where required, legitimate interests

Model training

We do not use Customer Content to train foundation models or the models of our vendors unless you give us written permission. We may use aggregated, de-identified telemetry to improve reliability and security.

5. Cookies and consent

We use necessary cookies and, with your consent, analytics and marketing cookies. In Germany, non-essential cookies require opt in under TTDSG. You can manage choices anytime via the Manage cookies link in the footer. See the Cookie Policy for the cookie table, purposes, and durations.

6. How we share data

We share personal data with:

  • Service providers and subprocessors that help us host, store, analyze, send communications, provide support, and process payments
  • Professional advisors such as auditors and lawyers
  • Authorities when required by law or to protect rights and safety
  • Business transfers in the event of a reorganization, merger, or sale

We publish our current Subprocessors List and update it when vendors change.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising unless you opt in where required. If you opt in, you can opt out at any time and we honor Global Privacy Control signals.

7. International transfers

We may transfer data outside the EEA, the UK, or Switzerland. Where we do, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and UK Addendum. Details are in our Data Processing Addendum (DPA).

8. Data retention

We keep personal data only as long as needed for the purposes in this Policy, to provide the Services, to comply with law, and to resolve disputes. Retention periods vary by data type and are documented in our schedules. You can request deletion as described below.

9. Security

We implement technical and organizational measures designed to protect personal data. No system is perfectly secure. You are responsible for maintaining the security of your account and configuring role-based access within your organization.

10. Your rights

Depending on your location, you may have the right to:

  • access, correct, or delete personal data
  • object to or restrict processing
  • withdraw consent where processing is based on consent
  • receive a copy of data in a portable format
  • lodge a complaint with a supervisory authority

To exercise rights, contact privacy@repflow.ai. We may need to verify your identity. We honor Global Privacy Control signals for opt outs where applicable.

11. End-user data controlled by our customers

When a customer sends us personal data about its users, the customer is the controller and Repflow AI is the processor. We process that data under our DPA, which incorporates the Standard Contractual Clauses where applicable. If you are an end user of a Repflow AI customer, please direct your request to that customer. We will assist the customer in responding to rights requests.

12. Third-party services

Our Services may interoperate with third-party tools and platforms. Your use of third-party services is subject to their privacy policies. If you enable an integration, you instruct us to exchange data with that third party as needed to provide the integration.

13. Marketing communications

If we send you marketing emails, you can unsubscribe using the link in the message. We may still send transactional messages related to your account and service.

14. Changes

We may update this Policy from time to time. We will post changes with a new date and, for material changes, provide reasonable advance notice.

15. Contact

Email: privacy@repflow.ai

Postal: SUMOSMASH UG, Attn: Privacy, Seydelstr. 12, 10117 Berlin, Germany