Privacy

Privacy Policy

Last updated: 3 July 2026

This Privacy Policy explains how Scriptiflow collects, uses, shares and protects personal data when you use our platform for car dealerships (the “Service”) and our website at scriptiflow.com.

Scriptiflow is a tool for businesses. For most of the personal data that flows through the Service we act on behalf of the dealership that uses it — see “Our two roles” below. We apply the EU General Data Protection Regulation (GDPR) to everyone, wherever they are based.

01Who we are

Scriptiflow (“Scriptiflow”, “we”, “us”) provides a marketing, sales and customer-management platform for car dealerships. We are based in Prishtinë, Kosovo. You can reach us at info@scriptiflow.com.

This policy covers the Service and our website. Where a third party (for example a mailbox provider or an advertising platform) also processes your data under its own terms, that party’s own privacy policy applies in addition to this one.

02Our two roles: controller and processor

Because Scriptiflow is used by businesses to manage their own customers, the law treats us in two different ways depending on the data:

We are the controller
for the data we decide the purpose of: your dealership account and user profiles, billing data, website-visitor and analytics data, and your support communications.
We are the processor
for the data a dealership loads or generates about its own customers and leads inside the Service — contacts, deals, contracts, synced emails and messages. Here the dealership is the controller and we process the data on its instructions.

If you are a customer of a dealership and want to exercise your rights over data the dealership holds about you, please contact that dealership. We will help them respond.

03Information we collect

Account and profile data

  • Your name, business email and phone number.
  • Your company / dealership name, role and permissions.
  • Your password — managed by our authentication provider; we never see or store it in plain text.
  • For invoicing: legal name, VAT ID or tax number, and business address.

Billing and payment data

  • Your subscription plan and status, billing name and address.
  • Invoices and payment history.
  • Card metadata only — type, brand and the last four digits. Full card numbers are entered on our payment provider’s secure page and are never stored on our systems.

Customer data you put into the Service (processed on your behalf)

When you use the Service you upload or generate data about your customers and leads. Depending on how you use it, this can include:

  • Contacts and leads: names, email addresses, phone numbers, lead source, the vehicle a person is interested in, tags and notes.
  • Deals and transactions: buyer details, agreed price and a snapshot of the vehicle.
  • Contracts and signed documents: buyer information (which may include identity or date-of-birth details you enter), the contract text, documents you upload (e.g. ID or proof documents) and electronic-signature records.
  • Communications: the content of emails you sync from Gmail or Outlook (including attachments), and the WhatsApp, Instagram and Facebook Messenger conversations you connect — message text, media, and the other party’s phone number or handle.

Vehicle and inventory data

  • Your vehicle listings and their details (make, model, price, mileage, images, features).
  • Seller and contact details attached to listings, synced from marketplaces such as mobile.de and AutoScout24.

Connected-account credentials

When you connect Google, Microsoft, Meta (Facebook / Instagram / WhatsApp) or TikTok, we store the access tokens those services issue so we can act for you. These tokens are encrypted at rest.

Usage, device and log data

  • IP address, browser / user-agent, session and login records, pages viewed, actions taken and analytics events.
  • On our public website we also record visitor and demo-request information: name, email, company, IP address, approximate location, device, pages visited and referrer.

Support data

  • The content of support requests and messages you send us.

04How we use your data, and our legal bases

We process personal data for the purposes below, relying on the GDPR legal basis noted for each:

  • Provide, operate and secure the Service and manage your account — performance of our contract with you.
  • Process the customer data you load, on your instructions, to deliver the features you use — performance of your contract (we act as processor).
  • Bill you, take payment and issue invoices — performance of contract and compliance with legal (tax) obligations.
  • Send you service, security and transactional messages — contract and legitimate interests.
  • Improve and develop the Service and keep it secure and free from abuse — legitimate interests.
  • Product and website analytics — your consent where required, otherwise legitimate interests.
  • Marketing to businesses and prospects — legitimate interests or consent, with an opt-out in every message.
  • Comply with legal obligations and establish, exercise or defend legal claims — legal obligation and legitimate interests.

05AI-assisted features

Some features use AI to help you create content — for example generating ad copy, captions and marketing angles. To do this we send the relevant context (such as vehicle details and your campaign settings) to our AI providers, currently Anthropic (Claude) and OpenAI.

These providers process the data only to return a result to us; under their business / API terms they do not use it to train their models. AI output is a suggestion — you review it and decide what to publish.

06Cookies and tracking

We use cookies and similar technologies. Essential cookies are required to run the Service; others are used only where permitted.

sf_session (essential)
Keeps you securely signed in. HTTP-only, valid for up to 60 days on a sliding window.
csrf-token (essential)
Protects forms and requests against cross-site request forgery. Expires after one hour.
Product analytics (PostHog)
Usage analytics and, on parts of the app, session replay with input fields masked. Hosted in the EU.
Website analytics and advertising
On our public website we use Google Analytics and the Meta (Facebook) Pixel to measure traffic and the performance of our own advertising.

You can control non-essential cookies through your browser and, where offered, our cookie settings. Where the law requires consent for analytics or advertising cookies, we ask for it first. Blocking essential cookies will stop the Service from working.

07How we share data

We do not sell your personal data. We share it only with the service providers (“sub-processors”) that help us run the Service, and only as needed. Our main sub-processors are:

Supabase
Primary database, authentication and file storage (EU). Processes essentially all Service data.
Hetzner
Server hosting and infrastructure (EU); also stores generated documents and files.
Mailgun
Sends and receives transactional and dealership email, including open/click tracking. EU endpoint.
Meta (Facebook, Instagram, WhatsApp)
Advertising, WhatsApp Business messaging and the Conversions API (see the next section).
Google and Microsoft
Email and calendar sync for the mailboxes you connect (Gmail / Outlook).
TikTok
Publishing video content to the accounts you connect.
Documenso
Electronic signing of contracts (self-hosted on our own infrastructure).
UPC / e-Commerce Connect (Raiffeisen Bank Kosovo)
Card payment processing. Card details are entered on their secure page.
Anthropic and OpenAI
AI generation of marketing content (inference only — no model training).
PostHog, Google Analytics, Meta Pixel
Product and website analytics and advertising measurement.
Vehicle marketplaces (mobile.de, AutoScout24 and similar)
Syncing your inventory listings and related contact details.

We may also disclose data to comply with the law or a valid legal request, to enforce our terms, to protect our rights and the safety of our users, or in connection with a merger, acquisition or sale of assets (with notice where the law requires).

08Sharing customer data with advertising platforms

This deserves its own note because it is easy to miss. When you run ads or use click-to-WhatsApp campaigns, our advertising-measurement feature (the Meta Conversions API) sends conversion information to Meta so your ads can be optimised.

This can include a customer’s email address and phone number in hashed (pseudonymised) form, an ad click identifier, the vehicle involved, and the value and type of the conversion, together with technical data such as IP address. As the dealership, you are responsible for having a lawful basis and the necessary notices or consent before using this feature for your customers.

09International data transfers

We keep data in the EU wherever we can — Supabase, Hetzner, Mailgun and PostHog are EU-hosted. Some providers, such as Meta, Google, Microsoft, TikTok, Anthropic and OpenAI, may process data outside the European Economic Area. Where they do, transfers are covered by appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision.

10How long we keep data

We keep personal data for as long as your account is active and as needed to provide the Service.

  • Account and Service data is retained while your account is open. Some records are soft-deleted (hidden) before being removed.
  • When you close your account, we delete or anonymise your data within 90 days, unless we are required to keep it longer.
  • Invoices and other records we are legally required to keep for tax and accounting are retained for the statutory period, which can be up to 10 years.
  • Session tokens expire automatically; connected-mailbox and social credentials are removed when you disconnect them.

11How we protect your data

We use appropriate technical and organisational measures, including encryption in transit (HTTPS) and encryption at rest for connected-account tokens, hashed passwords, row-level database access controls, rotating session tokens with theft detection, and internal access controls. No system is perfectly secure, but we work to protect your data and, where the law requires, to notify you and the authorities of a data breach.

12Your rights

Depending on where you are, you have some or all of these rights over your personal data:

  • Access — a copy of the data we hold about you.
  • Rectification — correction of inaccurate data.
  • Erasure — deletion of your data (“right to be forgotten”).
  • Restriction — limiting how we use your data.
  • Portability — receiving your data in a portable format.
  • Objection — including to direct marketing.
  • Withdrawal of consent — at any time, where processing is based on consent.

To exercise any of these, contact us using the details below. You also have the right to complain to your local data protection authority. If your data is held by a dealership that uses Scriptiflow, please contact that dealership first — we will support them in responding.

13Your responsibilities if you are a dealership

If you use Scriptiflow to process data about your own customers, you are the controller of that data. You are responsible for having a lawful basis and any required consent — for example before emailing or messaging customers, running ads, or syncing a mailbox — for honouring your customers’ privacy rights, and for telling them how you use their data. A data processing agreement is available on request.

14Children

Scriptiflow is a business tool and is not directed to children. We do not knowingly collect personal data from children.

15Changes to this policy

We may update this policy from time to time. If a change is material we will notify you by email or within the Service. The date at the top shows when it was last changed.

Contact us

Operator
Scriptiflow — Prishtinë, Kosovo