Privacy Policy

Effective 5 May 2026

1. Who we are

CancelFlow is a trading name of Xyliase Technologies Ltd, a company registered in Scotland (company number SC888385) with its registered office at Unit 29 Eliburn Industrial Park, Livingston, Scotland, EH54 6GQ.

Xyliase Technologies Ltd is the data controller for the personal data processed through the CancelFlow service. In this policy, “CancelFlow”, “we”, “us”, and “our” refer to Xyliase Technologies Ltd trading as CancelFlow.

Questions about this policy can be sent to hello@cancelflow.dev.

2. Lawful basis for processing

We process your personal data on the following lawful bases under UK GDPR Article 6:

  • Performance of a contract (Article 6(1)(b)): Processing your email address, subscription details, and embed configuration is necessary to provide the CancelFlow service you have signed up for.
  • Legitimate interests (Article 6(1)(f)): We process usage events, analytics, and technical logs to maintain service quality, detect abuse, prevent fraud, and improve the product. These interests do not override your rights.
  • Compliance with a legal obligation (Article 6(1)(c)): We may retain billing records to comply with applicable financial and tax regulations.

3. What data we collect

Dashboard users (SaaS operators):

  • Email address (collected during magic link sign-in via Resend)
  • Stripe customer ID, subscription plan, and billing status
  • Embed configuration data (offer settings, Stripe secret keys encrypted at rest using AES-256-GCM, plan hierarchies)
  • Usage events — when your end-users accept, skip, or cancel through your embed
  • Discord user ID (if you voluntarily link your Discord account for notifications)

End-users of your embeds:

  • We receive the Stripe subscription ID passed by your script when the cancellation flow is triggered
  • We record which retention offer was accepted or skipped, and any cancel reason collected
  • IP addresses are processed transiently for rate limiting purposes and are not stored persistently
  • We do not collect end-user names, emails, or payment details directly

Website visitors:

  • We use privacy-focused, cookie-free analytics (self-hosted Plausible) that does not collect personal data, does not use cookies, and does not track individual users across sessions

4. How we use your data

  • To authenticate and manage your dashboard account
  • To process your subscription and provide access to paid features
  • To serve your embed configuration to your script tag (via our CDN API)
  • To apply Stripe subscription changes (pause, discount, downgrade) on your behalf using your stored Stripe secret key
  • To send transactional emails (save notifications, billing alerts, usage limit warnings, trial welcome, abandoned checkout reminders) via Resend
  • To send Discord DM notifications if you have linked your Discord account
  • To display analytics and retention metrics in your dashboard
  • To enforce plan limits (embed count, monthly request quotas)
  • To detect and prevent abuse, fraud, and unauthorised access

We do not sell your data to third parties. We do not use your data for advertising, profiling, or automated decision-making purposes.

5. Third-party services

We share personal data with the following third-party processors, each of which processes data strictly as required to deliver the CancelFlow service:

  • Stripe — payment processing, subscription management, and Billing Portal. Stripe processes your payment method details directly; we never see or store your full card number. stripe.com/privacy
  • MongoDB Atlas — database hosting. Your data is stored in MongoDB Atlas. mongodb.com privacy policy
  • Resend — transactional email delivery (magic link sign-in, save notifications, billing alerts). resend.com/privacy
  • Vercel — hosting, serverless functions, and cron jobs. vercel.com privacy policy
  • Cloudflare — CDN delivery of the embed script and font assets via Cloudflare R2. cloudflare.com privacy policy
  • Discord — optional account linking for DM notifications and community role sync. discord.com/privacy
  • Plausible Analytics (self-hosted) — privacy-focused, cookie-free website analytics. No personal data is collected or transmitted to third parties. plausible.io/data-policy

We do not share your data with any other third parties except where required by law.

6. International data transfers

Some of our third-party processors (Stripe, MongoDB Atlas, Vercel, Cloudflare) may process data outside the UK and EEA. Where this occurs, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the processor’s certification under recognised data protection frameworks to ensure your data receives an adequate level of protection.

7. Data security

Stripe secret keys stored for embed operation are encrypted at rest using AES-256-GCM with a server-side encryption key. Keys are never transmitted to the browser or exposed in API responses.

All data is transmitted over TLS (HTTPS). Access to the database is restricted to our application servers. We enforce HSTS, CSP, and other security headers on all responses.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data retention

Account data is retained for as long as you have an active account. You may delete your account at any time from the Settings page — this permanently deletes all associated embeds, events, and configuration data from our database.

Webhook idempotency records are automatically purged after 30 days via a TTL index.

Stripe customer records are retained by Stripe according to their own data retention policy.

We may retain anonymised, aggregated data indefinitely for statistical purposes.

9. Cookies and tracking

Essential cookies only. We use a single session cookie (__Secure-authjs.session-token or authjs.session-token) strictly required for authentication. This cookie is:

  • Set only when you sign in to the dashboard
  • HttpOnly — not accessible to JavaScript
  • Secure — transmitted only over HTTPS
  • SameSite: Lax — sent only with same-site or top-level navigation requests

We do not use advertising cookies or third-party tracking cookies.

Our analytics are provided by a self-hosted Plausible instance that is fully cookie-free and does not track individuals across sessions or sites. No consent banner is required for this analytics approach under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

The CancelFlow embed script loaded on your customers’ sites does not set any cookies, does not use local storage, and does not track users.

10. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data (you can also do this directly from Settings)
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — request your data in a structured, machine-readable format (available as JSON export from Settings)
  • Right to object — object to processing based on legitimate interests

To exercise any of these rights, email hello@cancelflow.dev. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

11. Children's privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

12. Security incidents

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

To report a suspected security issue, please contact hello@cancelflow.dev.

13. Changes to this policy

We may update this policy from time to time. If changes are significant, we will notify you by email at least 14 days in advance. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

For any questions about this Privacy Policy or our data practices, contact us at:

Xyliase Technologies Ltd (trading as CancelFlow)
Unit 29 Eliburn Industrial Park
Livingston, Scotland, EH54 6GQ
hello@cancelflow.dev
