Last updated: April 2026
OffGridFlow LLC ("OffGridFlow," "we," "us") is the data controller for personal data collected via our marketing pages and the data processor for Customer Data uploaded to the Platform. You (or your organization) remain the controller of your Customer Data.
Account information: name, email address, company name, job title, and password hash (never the plaintext password).
Billing information: processed directly by Stripe; OffGridFlow stores only a Stripe customer identifier and subscription status. OffGridFlow never receives or stores full card numbers, CVVs, or bank details.
Customer Data: emissions activity records, utility bills, cloud carbon footprint data, facility identifiers, and other content you import or connect to the Platform.
Usage data: IP address, user agent, pages visited, API endpoints called, timestamps. Used for security, auditability, and service operations.
We do not use Customer Data to train third-party machine-learning models. We do not sell or rent personal information. We do not use Customer Data for advertising or profiling.
We process personal data under the following legal bases: (a) contract — to provide the Platform you subscribed to; (b) legitimate interests — for security, fraud prevention, and service improvement; (c) legal obligation — for tax, accounting, and regulatory compliance; (d) consent — where required for marketing communications or non-essential cookies.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via managed Postgres volumes). We enforce multi-tenant isolation so one customer cannot access another's data; isolation is enforced at the database query level (WHERE tenant_id = $1). Access to production data is restricted to named administrators with MFA. See the Trust Center for the full security architecture.
OffGridFlow engages the following third-party subprocessors to operate the Platform. Each is contractually bound to maintain appropriate security and confidentiality.
| Subprocessor | Purpose | Data accessed | Region | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | Name, billing email, payment method, billing address | United States | PCI DSS Level 1; SOC 1/2 Type II; signed DPA |
| Railway Corp. | Application hosting, compute, managed PostgreSQL | All Customer Data at rest (encrypted) and in transit within Railway infrastructure | United States (us-west) | SOC 2 Type II; encrypted volumes; network isolation; signed DPA |
| Twilio SendGrid, Inc. | Transactional email (verification, password reset, notifications) | Recipient email address, email content, delivery metadata | United States | SOC 2 Type II; ISO 27001; signed DPA |
| Google LLC (Analytics & Ads) | Marketing analytics and conversion measurement on public pages only | Anonymous page views, device/browser, referrer, conversion events on marketing pages (not in-app) | Global | Google Ads Data Processing Terms; IP anonymization enabled |
| Cloudflare, Inc. (CDN / DNS) | DNS resolution and edge delivery for marketing domain | IP address, request metadata | Global edge | SOC 2 Type II; ISO 27001; signed DPA |
This list is updated when material changes occur. Customers may subscribe to subprocessor change notifications via a signed DPA.
OffGridFlow primarily hosts data in the United States. Transfers of personal data from the EEA, UK, or Switzerland to the U.S. rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as applicable. Customers may request a copy of the SCCs from contact@off-grid-flow.com.
If you are in the European Economic Area, United Kingdom, or Switzerland, you have the right to: access your personal data; correct inaccurate data; delete your data; restrict or object to processing; portability (receive your data in machine-readable format); and to withdraw consent where processing is consent-based. Lodge complaints with your supervisory authority. Exercise rights at contact@off-grid-flow.com.
California residents have the rights to: know what personal information is collected; access and portability; delete personal information; correct inaccurate information; and limit use of sensitive personal information. OffGridFlow does not sell or share personal information for cross-context behavioral advertising. You may exercise these rights at contact@off-grid-flow.com or via the Do Not Sell or Share section below. You have the right not to be discriminated against for exercising any of these rights.
OffGridFlow does not sell personal information and does not share personal information for cross-context behavioral advertising. If this policy changes, a Do Not Sell mechanism will be provided here. California residents may confirm non-sale status in writing by emailing contact@off-grid-flow.com.
Marketing pages use strictly necessary cookies and, where consented, analytics and conversion measurement cookies (Google Ads). Cookies are not used within the authenticated Platform beyond session management. See our cookie disclosure on first visit.
Account data is retained for the duration of your subscription plus thirty (30) days for export recovery. Emissions activity data and calculation ledger entries are retained for seven (7) years for audit and compliance purposes, consistent with common accounting and regulatory record-keeping expectations, unless an earlier deletion is requested. Audit logs are retained for seven (7) years. See the Trust Center for the full retention schedule.
The Platform is not directed at children under 16 and we do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information.
OffGridFlow will notify affected customers of a personal data breach without undue delay and in any case within seventy-two (72) hours of becoming aware, where required by law and feasible, with the information required by applicable regulation.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least thirty (30) days before taking effect.
For privacy questions or to exercise your rights: contact@off-grid-flow.com
OffGridFlow LLC