CleanFlow Privacy Notice
Last updated: 15 July 2026.
This notice explains how we use personal data when you visit CleanFlow, ask for a demonstration, apply for an account or use the platform. It is written for account owners, managers, cleaners, customer contacts and website visitors.
Operator: FORGEAI STUDIO LTD (trading as NovaStack), company number 17175307, registered in England and Wales.
Registered office: West Bromwich, England, B70 6LE.
CleanFlow contact: cleanflowsupport@novastacks.co.uk.
1. Our roles
We are a controller for website enquiries, sales, account administration, security logs, billing and our direct communications with you. For workforce and client information entered by a customer organisation, that customer is normally the controller and we act as its processor. The CleanFlow DPA governs that processing.
2. Information we may process
- identity, business contact, account, role and authentication information;
- company, client, site, schedule, job, checklist, inspection, invoice and support records;
- workforce records supplied by the customer, including availability, time, leave, documents and payroll-related values;
- on-site evidence such as timestamps, approximate or precise device location, notes, signatures and photographs when a customer enables those workflows;
- device, browser, IP, audit, error and security-event data; and
- contract, payment status and billing identifiers. Full card details are handled by Stripe and are not stored by CleanFlow.
3. Why and lawful bases
We use data to provide and secure the service, authenticate users, support customers, bill accounts, meet legal obligations, prevent fraud, maintain records and improve reliability. Our lawful bases are performance of a contract, legal obligation, legitimate interests in operating and protecting a B2B service, and consent where consent is specifically requested. A customer remains responsible for identifying a lawful basis and giving its workers and contacts appropriate privacy information for data it puts into CleanFlow.
4. Sharing and service providers
We disclose data only where needed to operate the service, comply with law, protect rights, or complete an authorised business transaction. Current infrastructure and operational providers include Supabase for database and authentication services, Cloudflare for application delivery and security, Stripe for payment processing, and Resend for transactional email. Professional advisers and authorities may receive limited information where legally necessary. Providers act under contractual confidentiality and data-protection obligations.
5. International transfers
Some service providers may process data outside the UK. Where UK data-protection law requires a safeguard, we use an adequacy regulation, the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses, together with appropriate assessments and supplementary measures.
6. Retention
Account and operational data is kept while the customer account is active and then for a limited period needed for export, recovery, disputes and legal obligations. Contract, invoice and tax records are generally kept for up to six years after the relevant relationship or accounting period. Security and email-delivery logs are retained for shorter periods according to operational need. Customers can configure or request deletion subject to legal holds and backup rotation.
7. Your rights
Depending on the circumstances, you may have rights to be informed, access, rectification, erasure, restriction, portability and objection, and rights concerning solely automated decisions. Contact us to exercise a right. If your request concerns data controlled by your employer or another CleanFlow customer, we may direct it to that controller. You may complain to the Information Commissioner’s Office at ico.org.uk.
8. Security, children and changes
CleanFlow is a business service and is not directed to children. We use access controls, tenant isolation, encryption in transit, audit records and operational safeguards described in our Security Statement. We will update this notice before materially changing how controller data is used and will provide additional notice where required.
For the ICO’s current transparency guidance, see its right to be informed guidance. UK data-protection law includes the UK GDPR, Data Protection Act 2018 and changes made by the Data (Use and Access) Act 2025.
