Privacy Policy
Your trust is our priority. This page explains how Xenaflow collects, uses, and protects your personal data, in accordance with the GDPR and French law.
Updated on September 1, 2025
Your trust is our priority. This page explains how Xenaflow collects, uses, and protects your personal data, in accordance with the GDPR and French law.
Updated on September 1, 2025
We only collect the data needed for Xenaflow to operate (account, usage, security, business relationship). Your data are hosted in France, we do not sell them, and you remain in control via your GDPR rights (access, rectification, deletion, objection, portability, restriction).
This document is informational and does not replace legal advice tailored to your situation.
Xenaflow provides a SaaS platform for workflow automation and industrial process management. For this policy, Xenaflow acts as a controller for data processed on its websites and for account administration, and as a processor for production data processed on behalf of customers within the application.
Privacy/DPO contact: privacy@xenaflow.com
Full registered address and legal identity: see legal notice.
First/last name, company, role, work email, phone (optional).
Login credentials, account settings, roles, activation history, billing information (via payment provider).
Technical logs, application events, preferences, performance and aggregated telemetry.
IP addresses, technical fingerprints, access logs, anti-fraud checks, audit trails.
Workflow schemas, asset metadata, operational documents/measurements/events. You remain the owner of this data. Xenaflow acts as a processor and processes this data according to your contractual instructions.
| Purpose | Examples | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Service provision | Account creation, authentication, workflow execution, support. | Performance of a contract (b) |
| Improvement & measurement | Aggregated statistics, quality, performance, UX. | Legitimate interests (f) |
| Security | Abuse prevention, incident detection, audit logging. | Legitimate interests (f) & Legal obligation (c) |
| Business relationship | Relevant B2B prospecting, responding to requests, invoicing. | Legitimate interests (f) / Consent (a) if required |
| Compliance | Regulatory obligations, requests from authorities. | Legal obligation (c) |
Where consent is required (e.g., certain cookies/marketing), you may withdraw it at any time.
| Category | Period | Criteria |
|---|---|---|
| Account & contract | For the contractual relationship + 5 years (legal archiving) | Commercial/contractual limitation periods |
| Security logs | 6 to 12 months | Security and audit necessity |
| B2B prospecting | 3 years after last contact | CNIL recommendations |
| Production data | For the contract term / per your settings | Customer parameters, contractual obligations |
At the end of these periods, data are securely deleted or anonymized.
We share data only with:
We do not sell your data. A list of processors can be provided on request and is contractually kept up to date.
Our production environments and backups are hosted in France. If any services were to involve a transfer outside the EU, we would implement appropriate safeguards (standard contractual clauses, assessment of the third country’s laws, additional measures where relevant) and inform you.
You have the rights of access, rectification, erasure, objection, portability, and restriction (Arts. 15–22 GDPR). You may also set post-mortem directives and lodge a complaint with the CNIL.
Email privacy@xenaflow.com specifying:
We reply within one month (extendable in complex cases).
In the application, you can manage certain account settings, download exports, and delete content according to your roles and permissions.
We may update this policy to reflect legal or technical changes. We will inform you by appropriate means in case of significant changes. Last updated: September 1, 2025.
For any question about this policy or your data: