Privacy Policy

Last updated: February 2026

1. Information We Collect

We collect the following types of information when you use POFlow:

  • Account information — your name, email address, password, and role within your organization.
  • Organization data — your organization name, settings, and configuration preferences.
  • Uploaded documents — PDF purchase orders and any associated metadata you provide.
  • Extracted data — structured data produced by AI extraction from your uploaded documents, including line items, vendor details, and part numbers.
  • Usage data — information about how you interact with the Service, including pages visited, features used, and timestamps of activity.

2. How We Use Information

We use your information to:

  • Provide, maintain, and improve the Service.
  • Process uploaded purchase orders using AI extraction and part matching.
  • Generate analytics and reporting within your organization's dashboard.
  • Process subscription billing and manage your account.
  • Communicate with you about your account, updates, and support requests.
  • Ensure the security and integrity of the Service.

3. Data Storage & Security

Your data is stored in Supabase, a hosted PostgreSQL database service, with row-level security (RLS) policies that enforce strict organization-scoped data isolation. This means your organization's data is logically separated from all other tenants at the database level.

All data is encrypted at rest and in transit. Uploaded PDF files are stored in private, organization-scoped storage buckets with their own RLS policies. We implement industry-standard security practices including secure authentication, session management, and access controls.

4. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database hosting, authentication, and file storage. Your account data, extracted records, and uploaded files are stored in Supabase infrastructure.
  • Anthropic (Claude API) — AI-powered data extraction. Uploaded purchase order documents are sent to the Claude API for processing. See Section 5 for details on AI data handling.
  • Stripe — payment processing and subscription management. Stripe processes your payment information directly; we do not store your full credit card details on our servers.

Each third-party service operates under its own privacy policy and data handling practices. We encourage you to review their respective policies.

5. AI Data Processing

When you upload a purchase order, the document is sent to the Anthropic Claude API for AI-powered data extraction. Important details about this process:

  • Documents are transmitted securely to the Claude API and processed in real-time to extract structured data.
  • Your documents are not used by Anthropic for model training or improvement purposes under our commercial API agreement.
  • Anthropic does not persistently store the content of your documents after processing is complete.
  • Extracted data is returned to our Service and stored within your organization's database scope.

6. Data Retention

We retain your data according to the following policies:

  • Active accounts — all data is retained for the duration of your active subscription.
  • Deleted accounts — account data and associated records are retained for 30 days after account deletion to allow for recovery, then permanently deleted.
  • Uploaded PDFs — retention of uploaded documents is configurable through your organization's settings. You may delete individual documents or configure automatic retention periods.

7. Your Rights

You have the following rights regarding your data:

  • Access — you may request a copy of all personal data we hold about you.
  • Export — you may export your purchase orders, extracted data, and product catalog at any time through the Service's built-in CSV export functionality.
  • Deletion — you may request deletion of your account and all associated data.
  • Data portability — you may request your data in a standard, machine-readable format.

To exercise any of these rights, contact us at privacy@poprocessing.com.

8. Cookies & Tracking

The Service uses session cookies strictly for authentication and maintaining your logged-in state. We do not use third-party tracking cookies, advertising pixels, or analytics services that track you across other websites. No personally identifiable information is shared with advertising networks or data brokers.

9. Children's Privacy

POFlow is a business-to-business service and is not designed for or directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a user is under 18, we will take steps to delete their account and associated data.

10. International Data

The Service is hosted and operated in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take appropriate measures to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

11. Changes to Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

12. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@poprocessing.com.