1. Purpose

This Privacy Policy describes how Boltflow LLC (“Boltflow,” “we,” “us,” or “our”) collects, uses, stores, and shares personal information in connection with our business operations and the implementation services we provide to clients. Boltflow is committed to handling personal information responsibly and in accordance with applicable privacy laws and regulations.


2. Scope

This Policy applies to personal information collected about:

  • Client contacts — individuals at client organizations who engage with Boltflow in connection with contracted services
  • Website visitors — individuals who visit boltflow.io or interact with Boltflow’s online presence
  • Personnel and contractors — covered separately under internal employment and contractor agreements, and by reference where relevant

This Policy does not govern the personal data that Boltflow’s clients store within Airtable environments built or managed by Boltflow. That data is governed by the applicable client agreement and Airtable’s own privacy and security policies.


3. Personal Information We Collect

3.1 Client Contacts

When engaging with clients, Boltflow may collect:

  • Name, job title, and organizational affiliation
  • Business email address and phone number
  • Communication records related to the engagement
  • Information provided during scoping, onboarding, or project delivery

3.2 Website Visitors

When individuals visit boltflow.io, Boltflow may collect:

  • IP address and browser/device information
  • Pages visited and time spent on site
  • Referral source
  • Information submitted through contact or inquiry forms (name, email, message)

Boltflow does not use invasive tracking technologies or sell visitor data to third parties.


4. How We Use Personal Information

Boltflow collects and uses personal information only to the extent necessary to:

  • deliver contracted implementation services to clients
  • communicate with client contacts regarding the engagement
  • respond to inquiries submitted via the website or email
  • maintain business records and fulfill legal or contractual obligations
  • improve internal processes and service delivery

Personal information is not used for marketing to individuals without their consent, sold to third parties, or processed for any purpose incompatible with the original reason for collection.


5. Legal Basis for Processing

Where applicable law requires a legal basis for processing, Boltflow relies on:

  • Contract performance — processing necessary to deliver services under a client agreement
  • Legitimate interests — processing necessary for Boltflow’s business operations, where those interests are not overridden by individual rights
  • Legal obligation — processing required to comply with applicable law
  • Consent — where explicitly obtained (e.g., marketing communications)

6. Data Sharing and Third Parties

Boltflow does not sell personal information. We may share personal information only in the following limited circumstances:

  • Airtable — as the primary platform used to deliver client services. Airtable acts as a separate vendor, and its own privacy and security policies apply
  • Subcontractors — who assist in delivery of client services, bound by confidentiality obligations consistent with this Policy
  • Legal requirements — where disclosure is required by law, regulation, or legal process
  • Business transfers — in the event of a merger, acquisition, or sale of assets, personal information may be transferred subject to equivalent protections

7. Data Retention

Boltflow retains personal information only for as long as necessary to fulfill the purposes described in this Policy, including:

  • for the duration of an active client engagement plus a reasonable post-engagement period for business record purposes
  • as required by applicable law or contractual obligation

When personal information is no longer needed, it is deleted or anonymized in a manner appropriate to the sensitivity of the data.


8. Data Subject Rights

Individuals whose personal information Boltflow holds may have rights under applicable law, including the right to:

  • Access — request a copy of personal information Boltflow holds about them
  • Correction — request correction of inaccurate or incomplete information
  • Deletion — request deletion of personal information, subject to legal or contractual retention obligations
  • Restriction — request that processing be restricted in certain circumstances
  • Portability — receive personal information in a structured, commonly used format where applicable
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, individuals may contact Boltflow at privacy@boltflow.io. Requests will be acknowledged promptly and acted upon within a timeframe consistent with applicable law.

Where Boltflow processes personal data on behalf of a client (e.g., data within an Airtable environment), data subject requests related to that data should be directed to the client organization as the data controller. Boltflow will cooperate with clients to facilitate such requests.


9. Regulatory Compliance

Boltflow serves clients across multiple sectors and jurisdictions. We are committed to respecting applicable privacy regulations based on the nature of each engagement, including:

  • FERPA — for U.S. educational institutions and student records
  • GDPR — for customers or data subjects located in the European Union
  • CCPA — for California-based customers or residents
  • HIPAA — where health-related data is in scope
  • GLBA — for customers in the financial services sector
  • NY SHIELD Act — for customers handling private information of New York residents
  • TX TDPSA — for customers handling personal data of Texas residents

Specific obligations are addressed in the applicable client agreement for each engagement.


10. Security

Boltflow applies appropriate technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, or loss. These measures are described in detail in Boltflow’s Security White Paper, available upon request.

All personnel and contractors with access to personal information are subject to confidentiality obligations and are required to sign non-disclosure agreements prior to engagement.


11. AI and Automated Processing

Boltflow does not use personal information to train AI models or make automated decisions affecting individuals. AI tools used internally by Boltflow are subject to the restrictions described in Boltflow’s AI Usage Policy, which prohibits the submission of personal or regulated data into AI systems. No personal information collected under this Policy is used as input to AI tools.


12. Cookies and Tracking

Boltflow’s website may use basic cookies or analytics tools to understand visitor behavior and improve the site experience. No personally identifiable information is collected through cookies without consent. Visitors may adjust browser settings to limit cookie use.


13. Contact and Privacy Requests

For any questions about this Policy, or to submit a data subject request, please contact:

privacy@boltflow.io

Boltflow will respond to all privacy inquiries promptly and in good faith.


14. Updates to This Policy

Boltflow may update this Policy periodically to reflect changes in our practices, applicable law, or customer requirements. Material changes will be communicated to affected parties where required.

Last Modified: 11/01/25