Privacy Policy

Effective Date: March 15, 2026 Last Updated: March 29, 2026 Company: Keilani Media Group LLC ("CustomerFlows," "we," "us," or "our") Address: 30 N Gould St, Sheridan, WY 82801, United States Contact: [email protected]

1. Introduction

CustomerFlows is a revenue operating system for home service businesses. This Privacy Policy describes how Keilani Media Group LLC, doing business as CustomerFlows, collects, uses, stores, shares, and protects your personal information when you visit our website at customerflows.com, use our web application at app.customerflows.com, or interact with any of our services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.

This Privacy Policy applies to two categories of individuals:

Visitors: People who visit our marketing website, read our content, or use tools such as the ROI Calculator.
Customers: Businesses and their authorized users who create an account and use the CustomerFlows platform to manage leads, conversations, pipelines, and related business operations.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, subscribe to a plan, or contact us, we collect:

Account information: Name, email address, phone number, business name, business address, and trade type (e.g., HVAC, roofing, plumbing).
Billing information: Payment card details and billing address. Payment card information is processed and stored exclusively by our payment processor, Stripe, Inc. We do not store complete card numbers on our servers.
Communication content: Messages you send to us via email, contact forms, or support channels.
WhatsApp Business configuration: When you connect a phone number to the Service, we collect the phone number and associated WhatsApp Business Account (WABA) identifiers required to send and receive messages on your behalf through the Meta WhatsApp Cloud API.

2.2 Information Generated Through Your Use of the Service

When you use the CustomerFlows platform, the following data is generated and stored:

Lead and contact records: Names, phone numbers, email addresses, and other details of the leads and customers that you or your end-customers create within the platform.
Conversation data: WhatsApp messages, chatbot interactions, and other communications processed through the unified inbox. These messages are transmitted via the Meta WhatsApp Cloud API and stored within our systems to enable inbox, pipeline, and automation features.
Pipeline and deal data: Deal names, values, stages, notes, and associated activities.
Automation and workflow data: Rules, triggers, conditions, and execution logs for workflows you create.
AI interaction data: Prompts and responses generated when the AI chatbot qualifies leads or assists with conversations. AI features are powered by third-party providers including OpenAI and Anthropic. We send conversation context to these providers to generate responses; see Section 4 for details on how these providers handle data.

2.3 Information Collected Automatically

When you visit our website or use the application, we automatically collect:

Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language preference.
Usage data: Pages viewed, features used, clicks, session duration, referring URL, and interactions within the application.
Tracking data: If you arrive at our website via a marketing campaign, we collect campaign attribution data including UTM parameters, Google Click Identifiers (GCLID), and Meta Click Identifiers (FBCLID) to attribute leads to their marketing source.
Cookies and similar technologies: See Section 7 for details.

2.4 Information About Your End-Customers

When your end-customers interact with your business through CustomerFlows (for example, by sending a WhatsApp message to your connected business number), the following data is collected and stored within your CustomerFlows account:

Phone number and WhatsApp profile name
Message content and timestamps
Engagement data (e.g., messages read, links clicked)
Any information your end-customer voluntarily provides during a chatbot conversation (e.g., name, service type, address, preferred appointment time)

You are the data controller for your end-customer data. We process this data on your behalf as a data processor. You are responsible for ensuring that your collection and use of end-customer data complies with all applicable laws, including obtaining any necessary consents for WhatsApp communication.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Operate the Service

Creating and managing your account
Processing WhatsApp messages and chatbot conversations
Displaying leads, contacts, and deals in your CRM pipeline
Executing automation workflows you configure
Running AI-powered lead qualification and conversation assistance
Processing subscription payments and managing billing
Providing customer support

3.2 To Improve the Service

Analyzing usage patterns to improve features and user experience
Identifying and fixing bugs and performance issues
Developing new features based on aggregated usage trends
Training and improving our AI models using anonymized and aggregated data (we do not use your identifiable business data or your end-customer data to train AI models without your explicit consent)

3.3 To Communicate With You

Sending transactional emails (account confirmation, password reset, billing receipts)
Sending product updates and feature announcements relevant to your account
Responding to your support requests and inquiries
Sending marketing communications if you have opted in (you may unsubscribe at any time)

3.4 To Ensure Security and Prevent Fraud

Detecting and preventing unauthorized access, fraud, and abuse
Enforcing our Terms of Service
Complying with legal obligations

3.5 For Marketing Attribution

Connecting ad clicks to lead creation and deal outcomes within your account, so you can see which marketing campaigns produce revenue
Generating aggregated, anonymized benchmarks for our published research and statistics (no individual business data is ever identifiable in published material)

We do not sell your personal information. We share information only in the following circumstances:

4.1 Third-Party Service Providers

We use the following third-party services to operate CustomerFlows. Each provider receives only the minimum data necessary to perform its function:

Provider	Purpose	Data Shared	Provider's Privacy Policy
Stripe, Inc.	Payment processing	Billing name, email, payment card details, billing address	https://stripe.com/privacy
Meta Platforms, Inc. (WhatsApp Cloud API)	WhatsApp messaging infrastructure	Phone numbers, message content, delivery status, WABA configuration	https://www.whatsapp.com/legal/privacy-policy
Meta Platforms, Inc. (Marketing API)	Advertising attribution, campaign reporting, and offline conversion upload	Meta Ads campaign data, ad spend, click identifiers (FBCLID), offline conversion events (deal value, conversion timestamp), ad account identifiers	https://www.facebook.com/privacy/policy/
Meta Platforms, Inc. (Conversions API)	Server-side conversion tracking	Hashed customer data (email, phone), conversion events, event timestamps, click identifiers (fbc/fbp)	https://www.facebook.com/privacy/policy/
Meta Platforms, Inc. (Facebook Login)	Account authentication	Facebook account email, name, and profile identifier (used solely for authentication)	https://www.facebook.com/privacy/policy/
OpenAI, Inc.	AI chatbot and lead qualification	Conversation context sent for AI response generation	https://openai.com/policies/privacy-policy
Anthropic, PBC	AI chatbot and lead qualification	Conversation context sent for AI response generation	https://www.anthropic.com/privacy
Google LLC (Google Analytics)	Website analytics	IP address (anonymized), page views, session data, device info	https://policies.google.com/privacy
Google LLC (Google Ads API)	Advertising attribution and offline conversion upload	Google Ads campaign data, ad spend, click identifiers (GCLID), offline conversion events (deal value, conversion timestamp)	https://policies.google.com/privacy
Google LLC (Google OAuth)	Account authentication for Google services integration	Google account email, name, and profile identifier (used solely for authentication)	https://policies.google.com/privacy

Regarding AI providers: When we send conversation data to OpenAI or Anthropic for AI-powered features, we use their API services. Per their API data usage policies, data submitted through the API is not used to train their models. We do not opt into any optional training data sharing programs on your behalf.

4.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If Keilani Media Group LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via email or prominent notice on our website.

We may share your information in other ways if you give us explicit consent to do so.

5. Google User Data Disclosure

CustomerFlows integrates with Google services to provide advertising attribution and account authentication. This section describes how we access, use, store, share, and protect Google user data in compliance with the Google API Services User Data Policy and the Google APIs Terms of Service.

5.1 Google User Data We Access

When you connect your Google account to CustomerFlows, we access the following data depending on which Google services you authorize:

Google OAuth (Authentication):

Your Google account email address
Your Google account display name
Your Google account profile identifier

Google Ads (Advertising Attribution):

Campaign names, ad group names, and keyword data
Ad spend and cost data
Click identifiers (GCLID) associated with website visitors who convert to leads
Campaign performance metrics (impressions, clicks, conversions)
Google Ads account and customer identifiers

We request only the minimum permissions (OAuth scopes) necessary to provide the features described above. We do not access your Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service data unless explicitly stated and authorized by you.

5.2 How We Use Google User Data

We use Google user data exclusively for the following purposes:

Google OAuth data is used solely to authenticate your identity when connecting Google services to your CustomerFlows account. We use your email and name to identify your account within CustomerFlows. We do not use Google OAuth data for marketing, advertising, profiling, or any purpose unrelated to service authentication.

Google Ads data is used to:

Display your campaign performance (spend, leads, revenue, and profit return) within the CustomerFlows attribution dashboard
Connect ad clicks (via GCLID) to leads and closed deals in your pipeline, so you can see which campaigns produce paying customers
Upload offline conversion events back to your Google Ads account when a deal is closed, so Google's bidding algorithms can optimize for your actual business outcomes
Calculate PROAS (Profit Return on Ad Spend) and ROAS (Return on Ad Spend) metrics per campaign

We do not use Google Ads data to target advertising to you. We do not use Google user data to build user profiles for advertising purposes. We do not use Google user data for any purpose that is not directly described in this section.

We do not sell, rent, lease, or trade Google user data to any third party.

We share Google user data only in the following limited circumstances:

Back to Google (offline conversions): When you close a deal in CustomerFlows that originated from a Google Ad click, we send a conversion event back to your Google Ads account via the Google Ads API. This event includes the original click identifier (GCLID), the conversion value (deal amount), and the conversion timestamp. This data is sent to your own Google Ads account Ã¢â‚¬â€ not to any third party.

Infrastructure providers: Google user data may be stored on infrastructure operated by our cloud hosting provider as part of normal service operation. Our hosting provider processes this data solely on our behalf under a data processing agreement and does not access, use, or share it independently.

We do not share Google user data with any advertising networks, data brokers, analytics providers, or any other third parties beyond what is described above.

5.4 How We Store and Protect Google User Data

Google user data is stored and protected using the same security measures we apply to all customer data:

Encryption in transit: All data transmitted between your browser, our servers, and Google's APIs is encrypted using TLS 1.2 or higher.
Encryption at rest: Stored Google user data is encrypted at rest using AES-256 encryption.
Access control: Access to Google user data within our systems is restricted to authorized personnel on a need-to-know basis. All access is protected by multi-factor authentication and logged for audit purposes.
Infrastructure security: Data is hosted on infrastructure that maintains SOC 2 Type II compliance within the United States.
OAuth token security: Google OAuth access tokens and refresh tokens are stored encrypted and are never exposed to client-side code, logged in plaintext, or shared with any third party.

5.5 Google User Data Retention and Deletion

Google OAuth data (email, name, profile ID): Retained for the duration of your active CustomerFlows account. Deleted within 30 days of account closure or upon your request.

Google Ads campaign and performance data: Retained for the duration of your active subscription to provide attribution reporting. Deleted within 90 days of account closure or disconnection of the Google Ads integration.

Google Ads click identifiers (GCLID): Retained as part of lead and deal records for the duration of your subscription to maintain attribution accuracy. Deleted within 90 days of account closure.

Google OAuth tokens: Access tokens and refresh tokens are deleted immediately when you disconnect your Google account from CustomerFlows, or within 30 days of account closure.

How to request deletion: You may request deletion of all Google user data at any time by:

Disconnecting Google services from the Integrations page in your CustomerFlows account (this revokes our access and deletes stored tokens immediately)
Emailing [email protected] to request deletion of all Google-related data
Deleting your CustomerFlows account from Settings, which deletes all data including Google user data

You may also revoke CustomerFlows' access to your Google account at any time by visiting your Google Account permissions page at https://myaccount.google.com/permissions.

Upon receiving a deletion request, we will delete or anonymize all Google user data within 30 days and confirm the deletion to you in writing.

5.6 Google API Services Compliance

CustomerFlows' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6. Meta User Data Disclosure

CustomerFlows integrates with Meta services (Facebook, Instagram, and WhatsApp) to provide social advertising attribution, offline conversion tracking, WhatsApp messaging, and optional account authentication. This section describes how we access, use, store, share, and protect Meta user data in compliance with Meta's Platform Terms and Developer Policies.

6.1 Meta User Data We Access

When you connect your Meta account(s) to CustomerFlows, we access the following data depending on which Meta services you authorize:

Facebook Login (Authentication):

Your Facebook account email address
Your Facebook account display name
Your Facebook profile identifier

Meta Marketing API (Advertising Attribution):

Ad account identifiers and account names
Campaign names, ad set names, and ad names
Ad spend and cost data
Performance metrics (impressions, clicks, reach, conversions)
Click identifiers (FBCLID) associated with website visitors who convert to leads

Meta Conversions API (Offline Conversion Upload):

We send conversion event data TO Meta on your behalf (this is outbound data, not data we access from Meta)
Events include: event name (e.g., "Purchase"), event timestamp, conversion value, and hashed customer identifiers (email and/or phone number hashed with SHA-256 before transmission)

WhatsApp Cloud API (Messaging):

Phone numbers and WhatsApp profile names of people who message your business number
Message content and delivery status
WhatsApp Business Account (WABA) configuration identifiers

We request only the minimum permissions necessary. We do not access your personal Facebook posts, photos, friends list, Instagram content, or any Meta data unrelated to advertising and WhatsApp messaging.

6.2 How We Use Meta User Data

Facebook Login data is used solely to authenticate your identity when signing in to CustomerFlows. We use your email and name to identify your account. We do not use Facebook Login data for marketing, advertising, profiling, or any purpose unrelated to service authentication.

Meta Marketing API data is used to:

Display your Facebook and Instagram campaign performance (spend, leads, revenue, profit return) in the CustomerFlows attribution dashboard
Connect ad clicks (via FBCLID) to leads and closed deals in your pipeline
Compare Meta campaign performance alongside Google Ads campaigns
Calculate PROAS (Profit Return on Ad Spend) and ROAS (Return on Ad Spend) per campaign

Meta Conversions API data is used to:

Upload offline conversion events when a deal closes in your pipeline, so Meta's bidding algorithms learn which ad clicks produce paying customers
Improve the quality of your ad targeting over time by providing Meta with real business outcome signals (signed contracts, not just clicks or form fills)
All customer data sent to Meta via the Conversions API is hashed using SHA-256 before transmission Ã¢â‚¬â€ we never send plain-text personal information

WhatsApp Cloud API data is used to:

Deliver and receive messages between your business and your customers
Power the AI chatbot for lead qualification
Display conversations in your unified inbox
Create deal records in your pipeline from qualified leads

We do not use Meta user data to build advertising profiles about you. We do not use Meta user data for any purpose not directly described in this section.

We do not sell, rent, lease, or trade Meta user data to any third party.

We share Meta user data only in the following limited circumstances:

Back to Meta (Conversions API): When you close a deal that originated from a Meta ad, we send a hashed conversion event back to your Meta ad account via the Conversions API. This event includes a hashed customer identifier (SHA-256 hashed email or phone), the conversion value, and the event timestamp. This data is sent to your own Meta ad account to improve your campaign performance.

Back to Meta (WhatsApp): Messages sent through the CustomerFlows inbox are delivered via Meta's WhatsApp Cloud API. Meta processes these messages in accordance with their WhatsApp Privacy Policy.

AI providers (conversation context): When the AI chatbot generates responses to WhatsApp messages, conversation context is sent to our AI providers (OpenAI and Anthropic) via their API services. See Section 4.1 for details.

Infrastructure providers: Meta user data may be stored on infrastructure operated by our cloud hosting provider as part of normal service operation, under a data processing agreement.

We do not share Meta user data with advertising networks, data brokers, or any other third parties beyond what is described above.

6.4 How We Store and Protect Meta User Data

Meta user data is stored and protected using the same security measures we apply to all customer data:

Encryption in transit: All data transmitted between your browser, our servers, and Meta's APIs is encrypted using TLS 1.2 or higher.
Encryption at rest: Stored Meta user data is encrypted at rest using AES-256 encryption.
Access control: Access to Meta user data within our systems is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication and audit logging.
Infrastructure security: Data is hosted on infrastructure that maintains SOC 2 Type II compliance within the United States.
Token security: Meta OAuth access tokens and system user tokens are stored encrypted and are never exposed to client-side code, logged in plaintext, or shared with any third party.
Data hashing: All customer personal data sent to Meta via the Conversions API is hashed using SHA-256 before leaving our servers. We never transmit plain-text customer email addresses or phone numbers to Meta.

6.5 Meta User Data Retention and Deletion

Facebook Login data (email, name, profile ID): Retained for the duration of your active CustomerFlows account. Deleted within 30 days of account closure or upon your request.

Meta Marketing API data (campaigns, spend, performance): Retained for the duration of your active subscription to provide attribution reporting. Deleted within 90 days of account closure or disconnection of the Meta Ads integration.

Meta click identifiers (FBCLID): Retained as part of lead and deal records for the duration of your subscription. Deleted within 90 days of account closure.

WhatsApp conversation data: Retained for the duration of your subscription to power the inbox, pipeline, and automation features. Deleted within 90 days of account closure.

Meta OAuth and API tokens: Deleted immediately when you disconnect your Meta account from CustomerFlows, or within 30 days of account closure.

How to request deletion: You may request deletion of all Meta user data at any time by:

Disconnecting Meta services from the Integrations page in your CustomerFlows account
Emailing [email protected] to request deletion of all Meta-related data
Deleting your CustomerFlows account from Settings, which deletes all data including Meta user data

You may also revoke CustomerFlows' access to your Meta account at any time by visiting your Facebook Settings Ã¢â€ â€™ Apps and Websites at https://www.facebook.com/settings?tab=applications.

Upon receiving a deletion request, we will delete or anonymize all Meta user data within 30 days and confirm the deletion to you in writing.

6.6 Meta Platform Compliance

CustomerFlows' use of data received from Meta APIs complies with the Meta Platform Terms and Meta Developer Policies. We process Meta user data only for the purposes described in this section and only with the explicit authorization of the user who connects their Meta account.

7. Cookies and Tracking Technologies

7.1 Cookies We Use

Cookie Category	Purpose	Examples	Required?
Strictly Necessary	Authentication, session management, security	Session ID, CSRF token	Yes Ã¢â‚¬â€ the Service cannot function without these
Analytics	Understanding how visitors use our website and application	Google Analytics (`_ga`, `_gid`)	No Ã¢â‚¬â€ you may opt out
Marketing Attribution	Connecting ad clicks to conversions	GCLID, FBCLID, UTM parameters stored in first-party cookies	No Ã¢â‚¬â€ you may opt out

Browser settings: Most browsers allow you to block or delete cookies through their settings. Note that blocking strictly necessary cookies may prevent the Service from functioning correctly.
Google Analytics opt-out: You can install the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
Do Not Track: We respect "Do Not Track" (DNT) signals sent by your browser. When we detect a DNT signal, we disable non-essential analytics and tracking cookies.

8. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

Account data: Retained for the duration of your active subscription plus 90 days after account closure to allow for reactivation or data export.
Billing records: Retained for 7 years to comply with tax and accounting obligations.
End-customer data within your account: Retained for the duration of your subscription. Upon account closure, this data is permanently deleted within 90 days unless you request earlier deletion.
Conversation data (WhatsApp messages): Retained for the duration of your subscription. Messages are stored within our systems to power the inbox, pipeline, and automation features.
Website analytics data: Aggregated analytics data is retained indefinitely. Individual session data is retained for 26 months in accordance with Google Analytics defaults.
AI interaction logs: Retained for 30 days for debugging and quality assurance, then automatically deleted.
Support correspondence: Retained for 2 years after the last interaction.

Upon request, we will delete your personal information within 30 days, subject to any legal retention requirements. See Section 10 for how to submit a deletion request.

9. Data Security

We implement industry-standard technical and organizational measures to protect your information:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Stored data is encrypted at rest using AES-256 encryption.
Access control: Employee and contractor access to customer data is restricted on a need-to-know basis and protected by multi-factor authentication.
Infrastructure security: Our application is hosted on infrastructure that maintains SOC 2 Type II compliance. Database backups are encrypted and stored in geographically separated locations within the United States.
Incident response: We maintain an incident response plan. In the event of a data breach affecting your personal information, we will notify you within 72 hours of becoming aware of the breach, as required by applicable law.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Your Rights and Choices

10.1 All Users

Regardless of your location, you may:

Access your data: Request a copy of the personal information we hold about you.
Correct your data: Request correction of inaccurate or incomplete information.
Delete your data: Request deletion of your personal information, subject to legal retention requirements.
Export your data: Request a machine-readable export of your account data.
Opt out of marketing emails: Unsubscribe at any time using the link in any marketing email, or by contacting us.

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected, the sources from which it was collected, the business purposes for collection, and the categories of third parties with whom we share it.
Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
Right to opt out of sale: We do not sell your personal information. If this changes in the future, we will provide a "Do Not Sell My Personal Information" link.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Right to correct: You may request that we correct inaccurate personal information.
Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days.

10.3 Residents of Other U.S. States

Several U.S. states have enacted consumer privacy laws that grant residents rights similar to those described above, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and Montana (MCDPA). If you are a resident of any state with an applicable consumer privacy law, you may exercise your rights by contacting us at [email protected].

11. Children's Privacy

CustomerFlows is designed for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a person under 18, please contact us at [email protected] and we will promptly delete it.

12. Third-Party Links

Our website and application may contain links to third-party websites, integrations, and services (e.g., Google Ads, Stripe billing portal, WhatsApp). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you interact with.

13. International Data Transfers

CustomerFlows is operated from the United States and our data is stored within the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this page.
We will notify registered users via email at least 14 days before the changes take effect.
We will post a prominent notice on our website.

Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about our data practices, contact us at:

Keilani Media Group LLC d/b/a CustomerFlows 30 N Gould St Sheridan, WY 82801 United States

Email: [email protected] Phone: +1 (307) 317-0832

We aim to respond to all privacy inquiries within 10 business days.