Privacy
Privacy Policy
Last updated: 3 July 2026
This Privacy Policy explains how Scriptiflow collects, uses, shares and protects personal data when you use our platform for car dealerships (the “Service”) and our website at scriptiflow.com.
Scriptiflow is a tool for businesses. For most of the personal data that flows through the Service we act on behalf of the dealership that uses it — see “Our two roles” below. We apply the EU General Data Protection Regulation (GDPR) to everyone, wherever they are based.
01Who we are
Scriptiflow (“Scriptiflow”, “we”, “us”) provides a marketing, sales and customer-management platform for car dealerships. We are based in Prishtinë, Kosovo. You can reach us at info@scriptiflow.com.
This policy covers the Service and our website. Where a third party (for example a mailbox provider or an advertising platform) also processes your data under its own terms, that party’s own privacy policy applies in addition to this one.
02Our two roles: controller and processor
Because Scriptiflow is used by businesses to manage their own customers, the law treats us in two different ways depending on the data:
- We are the controller
- for the data we decide the purpose of: your dealership account and user profiles, billing data, website-visitor and analytics data, and your support communications.
- We are the processor
- for the data a dealership loads or generates about its own customers and leads inside the Service — contacts, deals, contracts, synced emails and messages. Here the dealership is the controller and we process the data on its instructions.
If you are a customer of a dealership and want to exercise your rights over data the dealership holds about you, please contact that dealership. We will help them respond.
03Information we collect
Account and profile data
- Your name, business email and phone number.
- Your company / dealership name, role and permissions.
- Your password — managed by our authentication provider; we never see or store it in plain text.
- For invoicing: legal name, VAT ID or tax number, and business address.
Billing and payment data
- Your subscription plan and status, billing name and address.
- Invoices and payment history.
- Card metadata only — type, brand and the last four digits. Full card numbers are entered on our payment provider’s secure page and are never stored on our systems.
Customer data you put into the Service (processed on your behalf)
When you use the Service you upload or generate data about your customers and leads. Depending on how you use it, this can include:
- Contacts and leads: names, email addresses, phone numbers, lead source, the vehicle a person is interested in, tags and notes.
- Deals and transactions: buyer details, agreed price and a snapshot of the vehicle.
- Contracts and signed documents: buyer information (which may include identity or date-of-birth details you enter), the contract text, documents you upload (e.g. ID or proof documents) and electronic-signature records.
- Communications: the content of emails you sync from Gmail or Outlook (including attachments), and the WhatsApp, Instagram and Facebook Messenger conversations you connect — message text, media, and the other party’s phone number or handle.
Vehicle and inventory data
- Your vehicle listings and their details (make, model, price, mileage, images, features).
- Seller and contact details attached to listings, synced from marketplaces such as mobile.de and AutoScout24.
Connected-account credentials
When you connect Google, Microsoft, Meta (Facebook / Instagram / WhatsApp) or TikTok, we store the access tokens those services issue so we can act for you. These tokens are encrypted at rest.
Usage, device and log data
- IP address, browser / user-agent, session and login records, pages viewed, actions taken and analytics events.
- On our public website we also record visitor and demo-request information: name, email, company, IP address, approximate location, device, pages visited and referrer.
Support data
- The content of support requests and messages you send us.
04How we use your data, and our legal bases
We process personal data for the purposes below, relying on the GDPR legal basis noted for each:
- Provide, operate and secure the Service and manage your account — performance of our contract with you.
- Process the customer data you load, on your instructions, to deliver the features you use — performance of your contract (we act as processor).
- Bill you, take payment and issue invoices — performance of contract and compliance with legal (tax) obligations.
- Send you service, security and transactional messages — contract and legitimate interests.
- Improve and develop the Service and keep it secure and free from abuse — legitimate interests.
- Product and website analytics — your consent where required, otherwise legitimate interests.
- Marketing to businesses and prospects — legitimate interests or consent, with an opt-out in every message.
- Comply with legal obligations and establish, exercise or defend legal claims — legal obligation and legitimate interests.
05AI-assisted features
Some features use AI to help you create content — for example generating ad copy, captions and marketing angles. To do this we send the relevant context (such as vehicle details and your campaign settings) to our AI providers, currently Anthropic (Claude) and OpenAI.
These providers process the data only to return a result to us; under their business / API terms they do not use it to train their models. AI output is a suggestion — you review it and decide what to publish.
08Sharing customer data with advertising platforms
This deserves its own note because it is easy to miss. When you run ads or use click-to-WhatsApp campaigns, our advertising-measurement feature (the Meta Conversions API) sends conversion information to Meta so your ads can be optimised.
This can include a customer’s email address and phone number in hashed (pseudonymised) form, an ad click identifier, the vehicle involved, and the value and type of the conversion, together with technical data such as IP address. As the dealership, you are responsible for having a lawful basis and the necessary notices or consent before using this feature for your customers.
09International data transfers
We keep data in the EU wherever we can — Supabase, Hetzner, Mailgun and PostHog are EU-hosted. Some providers, such as Meta, Google, Microsoft, TikTok, Anthropic and OpenAI, may process data outside the European Economic Area. Where they do, transfers are covered by appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision.
10How long we keep data
We keep personal data for as long as your account is active and as needed to provide the Service.
- Account and Service data is retained while your account is open. Some records are soft-deleted (hidden) before being removed.
- When you close your account, we delete or anonymise your data within 90 days, unless we are required to keep it longer.
- Invoices and other records we are legally required to keep for tax and accounting are retained for the statutory period, which can be up to 10 years.
- Session tokens expire automatically; connected-mailbox and social credentials are removed when you disconnect them.
11How we protect your data
We use appropriate technical and organisational measures, including encryption in transit (HTTPS) and encryption at rest for connected-account tokens, hashed passwords, row-level database access controls, rotating session tokens with theft detection, and internal access controls. No system is perfectly secure, but we work to protect your data and, where the law requires, to notify you and the authorities of a data breach.
12Your rights
Depending on where you are, you have some or all of these rights over your personal data:
- Access — a copy of the data we hold about you.
- Rectification — correction of inaccurate data.
- Erasure — deletion of your data (“right to be forgotten”).
- Restriction — limiting how we use your data.
- Portability — receiving your data in a portable format.
- Objection — including to direct marketing.
- Withdrawal of consent — at any time, where processing is based on consent.
To exercise any of these, contact us using the details below. You also have the right to complain to your local data protection authority. If your data is held by a dealership that uses Scriptiflow, please contact that dealership first — we will support them in responding.
13Your responsibilities if you are a dealership
If you use Scriptiflow to process data about your own customers, you are the controller of that data. You are responsible for having a lawful basis and any required consent — for example before emailing or messaging customers, running ads, or syncing a mailbox — for honouring your customers’ privacy rights, and for telling them how you use their data. A data processing agreement is available on request.
14Children
Scriptiflow is a business tool and is not directed to children. We do not knowingly collect personal data from children.
15Changes to this policy
We may update this policy from time to time. If a change is material we will notify you by email or within the Service. The date at the top shows when it was last changed.
Contact us
- Operator
- Scriptiflow — Prishtinë, Kosovo
- info@scriptiflow.com
- Phone
- +383 44 885 500