Privacy Policy

This Privacy Policy describes what personal data Subflow collects, how we use it, and when it is shared with third parties. We are committed to transparency and handling your information responsibly, in compliance with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar frameworks.

Data Controller: Vladislav Baranov, Individual Entrepreneur registered in Georgia. Contact: [email protected].

Data collected directly by Subflow

• Email address — provided by you at checkout, used to deliver your license key and subscription communications
• License key usage — which keys are active, when they were last used, and on which devices
• Device fingerprint — a salted SHA-256 hash computed from your machine hostname, username, and operating system platform. This is a one-way cryptographic hash; the underlying hardware details cannot be recovered from the stored value.
• Transcription usage counters — the number of minutes you have transcribed in the current calendar month, used to enforce your subscription's monthly allowance
• Audio content — audio extracted from your After Effects composition during transcription. This is forwarded to Deepgram Nova-3 (see below) and is not persistently stored on Subflow's servers. It passes through our Cloudflare Worker proxy in memory only.
• Server logs — your IP address and request metadata are logged by Cloudflare (our edge infrastructure provider) for security, abuse prevention, and debugging. These logs are retained for a limited period according to Cloudflare's own policies.

Data collected by Dodo Payments (Merchant of Record)

All payment information — including your name, billing address, card details, tax identifiers, and purchase history — is collected and processed directly by Dodo Payments, our Merchant of Record. Subflow does not receive, see, or store your full card details. Dodo Payments handles this data under its own Privacy Policy, available at https://dodopayments.com/privacy-policy.

We use your personal data only for the following purposes:

• Delivering licenses and purchase confirmations — via transactional email
• Providing customer support — responding to your questions and troubleshooting
• Managing access to the plugin — verifying your license, enforcing the device limit, and the monthly transcription allowance
• Generating captions — transmitting your audio content to Deepgram Nova-3 for transcription
• Sending important service and product update notices — for example, security notices or material changes to these policies
• Complying with legal, tax, accounting, and fraud prevention obligations where required by applicable law

We do not sell your personal data to third parties. We do not use your data for advertising or marketing to others.

When you use Subflow to generate captions, the following happens:

1. Subflow extracts audio from your selected After Effects composition
2. The audio file is sent to api.subflow.cc (our Cloudflare Worker backend)
3. Our backend validates your license and forwards the audio to Deepgram Nova-3 for transcription
4. The transcribed word-level timestamps are returned to the plugin, which creates text layers in your composition

Audio files are processed in-memory on our backend and are not persistently stored on Subflow's servers. Deepgram's own handling of audio data is governed by Deepgram's Privacy Policy, available at https://deepgram.com/privacy. At the time of writing, Deepgram does not retain audio submitted through its pay-as-you-go API for model training by default.

You are responsible for ensuring that you have the legal right to transcribe any audio or video content you submit through Subflow.

Subflow uses the following third-party services, each with their own privacy practices:

Each provider processes your data according to its own privacy practices. We have selected providers that are GDPR-compliant and use industry-standard security measures.

The Subflow website uses only cookies and similar technologies that are necessary for basic site functionality and secure checkout. We do not use tracking cookies for advertising or cross-site analytics.

The Subflow plugin itself runs locally inside Adobe After Effects and does not use cookies.

We retain your personal data only as long as reasonably necessary to:

• Maintain your active subscription and provide customer support
• Comply with our legal, tax, and accounting obligations (typically up to 6 years for financial records under Georgian law)
• Prevent fraud and abuse
• Resolve disputes and enforce our agreements

When data is no longer needed, we delete or anonymize it. Specifically:

• License keys and subscription records — retained while your subscription is active and for 6 years after cancellation (for accounting and tax purposes)
• Device fingerprints — retained while your license is active, deleted when you deactivate a device or cancel your subscription
• Audio content — never persistently stored; only held in memory during processing
• Server logs — retained by Cloudflare for a limited period according to their policies

Under GDPR, UK GDPR, and similar laws, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — ask us to delete your personal data, subject to our legal obligations
• Right to restrict processing — ask us to limit how we use your data
• Right to data portability — request your data in a machine-readable format
• Right to object — object to certain types of processing
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time
• Right to lodge a complaint — with your local data protection authority

To exercise any of these rights, please email us at [email protected]. We will respond within 30 days. Please note that deletion of your personal data may terminate your active subscription and permanently revoke access to Subflow.

Your data may be processed in countries other than your own. Our service providers (Dodo Payments, Deepgram, Cloudflare, Resend) operate globally and may transfer data between jurisdictions. Where such transfers involve personal data of EU/UK residents, they are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

Subflow is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at [email protected] and we will delete it.

We use industry-standard technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. These include:

• Encrypted connections (HTTPS / TLS) for all data transmission
• Secrets (API keys, webhook secrets) stored in Cloudflare Workers secret storage, never in source code
• License keys hashed and bound to device fingerprints
• Payment data handled exclusively by Dodo Payments (PCI-DSS compliant)

No system is perfectly secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date, and where required by law, we will notify existing subscribers by email.

If you have questions or concerns about this Privacy Policy, or if you wish to exercise your data subject rights, please contact us:

Email: [email protected]

Operated by: Vladislav Baranov, Individual Entrepreneur registered in Georgia.