Privacy Policy

Last Updated: April 5, 2026

1 Introduction

At BPMN AI, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our BPMN diagram generation and collaboration platform.

BPMN AI is operated by Adisa Technologies FZE, registered in Sharjah Publishing City Free Zone, United Arab Emirates. For privacy inquiries, contact us at support@bpmnai.com.

Please read this Privacy Policy carefully. By accessing or using BPMN AI, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.

2 Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us when you:

  • Register for an account
  • Subscribe to our services
  • Request customer support
  • Sign up for our newsletter

The personal information we collect may include:

  • Name
  • Email address
  • Password (stored in an encrypted format)
  • Profile information
  • Billing information

Information from Third-Party Authentication Providers. If you choose to sign in using a third-party service such as Google, we receive your name, email address, and profile picture from that provider. We use this information solely to create and manage your BPMN AI account. We do not request or store your Google password, and we only request the minimum permissions needed (your basic profile information and email address).

2.2 Diagram Content and Usage Data

We collect the content of the BPMN diagrams you create, edit, and store on our platform. We also collect usage data such as:

  • Features you use
  • Actions you take
  • Time spent on the platform
  • Interactions with other users

2.3 Technical Information

Our servers automatically collect certain information when you use BPMN AI, including:

  • IP address
  • Browser type
  • Operating system
  • Device information
  • Access dates and times
  • Pages visited
  • Referring website addresses

2.4 Cookies and Similar Technologies

We group cookies and similar technologies into three tiers. You control the non-essential tiers through the Cookie preferences link in the footer of every page.

  • Essential (always on): Supabase authentication session, CSRF protection, your consent preference itself, Sentry error tracking (legitimate interest — used only to detect and fix errors), and cookieless traffic measurement via Vercel Analytics and Vercel Speed Insights. These are required for the service to work and do not identify you personally.
  • Analytics (consent required): PostHog product analytics, session properties, and in-app surveys. Google Analytics for aggregate traffic and SEO attribution via Google Search Console. When you reject this category, PostHog does not load and Google Analytics runs in Google Consent Mode v2 "denied" state, sending only anonymous, cookieless signals used for aggregate reporting.
  • Advertising (consent required, not currently active): Reserved for Google Ads conversion tracking and remarketing, which will be used only if and when we run paid advertising campaigns. We will re-prompt you for consent before this category becomes active.

You can change your choice at any time by clicking Cookie preferences in the footer. You can also manage cookies through your browser settings.

3 How We Use Your Information

We may use the information we collect for various purposes, including to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send administrative information, such as updates, security alerts, and support messages
  • Respond to your comments, questions, and requests
  • Develop new products, services, features, and functionality
  • Monitor and analyze trends, usage, and activities in connection with our services
  • Detect, prevent, and address technical issues, fraud, and illegal activities
  • Personalize your experience on our platform
  • Verify your identity when you sign in, including through third-party authentication providers like Google

4 Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contractual necessity: Account registration, service delivery, billing, and customer support — these are required to provide the Service to you.
  • Legitimate interest: Product analytics, usage trends, fraud detection, and security — we balance these against your privacy rights.
  • Consent: Marketing emails and product update newsletters — you may unsubscribe at any time via the link in any email.
  • Legal obligation: Tax and billing record retention as required by applicable law.

5 AI Processing and Model Improvement

Your diagram content and process data are used solely to generate and deliver your BPMN diagrams. To provide this functionality, your input is sent to our AI providers (currently OpenAI and Anthropic) for processing.

We do not currently use your content to train, fine-tune, or improve our own AI models. If we decide to do so in the future, we will update this policy and obtain your explicit consent before using any identifiable content for that purpose.

Our AI providers have their own data handling policies. We use their APIs in a manner that excludes customer data from their model training programs where such options are available.

6 Sharing Your Information

We may share your information in the following situations:

  • With Your Consent: We may disclose your information when you have given us permission to do so.
  • With Service Providers: We may share your information with third-party vendors, consultants, and other service providers who need access to your information to perform services on our behalf.
  • For Collaboration: When you choose to share diagrams or collaborate with other users, your name, profile information, and shared content will be visible to those users.
  • For Legal Reasons: We may disclose your information if required to do so by law or in response to valid requests by public authorities.
  • Business Transfers: We may share or transfer your information in connection with a merger, acquisition, reorganization, or sale of assets.

7 Service Providers

We use the following third-party services to operate the platform:

  • Vercel (San Francisco, US) — Website hosting and content delivery
  • Supabase (San Francisco, US) — Database, authentication, and file storage
  • Stripe (UAE) — Payment processing and subscription billing
  • OpenAI (San Francisco, US) — AI-powered diagram generation
  • Anthropic (San Francisco, US) — AI-powered diagram generation
  • PostHog (EU) — Product analytics (consent-gated)
  • Google Analytics (United States) — Aggregate traffic, SEO attribution, and conversion reporting (consent-gated; runs in Consent Mode v2 "denied" state when declined)
  • Sentry (United States) — Error tracking and diagnostics (legitimate interest)
  • Google (United States) — Authentication services for optional "Sign in with Google" functionality. Subject to Google's Privacy Policy and the Google API Services User Data Policy.

Each provider processes data on our behalf under their standard data processing terms.

8 Data Security

We implement appropriate technical and organizational measures to protect the security of your personal information. However, please note that no method of transmission over the Internet or method of electronic storage is 100% secure.

9 Data Retention

We retain different categories of data for different periods:

  • Account and profile data: Retained while your account is active. You can delete your account at any time from Settings → Account; this removes your profile, diagrams, and conversations immediately, cancels any active subscription, removes you from our analytics provider (PostHog) and marketing audiences (Resend), and propagates out of routine backups within 30 days. If you prefer, you can also email support@bpmnai.com and we will complete the deletion for you.
  • Diagram content: Retained while your account is active. Deleted together with your account when you trigger self-service deletion; otherwise within 90 days of account closure.
  • Billing and transaction records: Retained for 7 years after the transaction date to comply with tax and accounting obligations.
  • Analytics and usage data: Retained in identifiable form for up to 24 months, then anonymized or deleted.
  • Marketing preferences: Retained until you unsubscribe or withdraw consent.
  • Technical logs: Retained for up to 90 days for security and debugging purposes.

10 Your Rights

Depending on your location, you may have certain rights regarding your personal information, including:

  • The right to access your personal information
  • The right to rectify inaccurate personal information
  • The right to delete your personal information — you can do this yourself from Settings → Account
  • The right to restrict processing of your personal information
  • The right to data portability — you can download a ZIP of your personal data (profile, diagrams, conversations) from Settings → Account
  • The right to object to processing of your personal information
  • The right to withdraw consent

11 Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

12 International Data Transfers

To provide the Service, your data is processed in the following locations:

  • United Arab Emirates: Payment processing (Stripe)
  • European Union: Product analytics (PostHog EU region)
  • United States: Cloud hosting (Vercel), database and authentication (Supabase), AI processing (OpenAI, Anthropic), error tracking (Sentry), and web analytics (Google Analytics)

We select service providers who maintain appropriate security standards. Where your data is transferred outside your country of residence, we rely on the data protection terms provided by our service providers and, where applicable, your consent to use the Service.

13 UAE Data Protection

If you are located in the United Arab Emirates, your personal data is subject to Federal Decree-Law No. 45 of 2021 (the Personal Data Protection Law). You have the right to access your personal data, request correction of inaccurate data, request deletion of your data, and object to certain types of processing. To exercise these rights, contact support@bpmnai.com. We will respond within 30 days.

14 California Privacy Rights

If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your personal information, and opt out of the sale of personal information. We do not sell your personal information. To exercise these rights, contact support@bpmnai.com.

15 Data Breach Notification

In the event of a personal data breach that we believe poses a risk to your rights, we will notify affected users by email as soon as reasonably practicable and no later than 72 hours after becoming aware of the breach.

16 Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top.

17 Google API Services User Data Policy

BPMN AI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

18 Contact Us

If you have any questions about this Privacy Policy, please contact us at support@bpmnai.com.
