Privacy Policy

KYC SOFTWARE LIMITED operates Bisonflow, the SaaS product available through bisonflow.com and related application surfaces. In this Privacy Policy, "we", "us", and "our" mean KYC SOFTWARE LIMITED.

Our current publication details are: registered office Unit 2A, 17/F, Glenealy Tower, No.1 Glenealy, Central, Hong Kong S.A.R, business registration number 80075762.

This Privacy Policy applies to personal data processed when you visit our marketing site, create or use an account, administer or join a workspace, submit support requests, purchase a subscription, upload files, use documentation and collaboration features, or send text or voice instructions to the assistant features inside Bisonflow.

This policy does not override your separate obligations to your own customers, colleagues, or end users when you choose what information to store or process inside the service.

• Account and identity data: name, email address, authentication identifiers, organization membership details, profile image, and related sign-in metadata.
• Workspace and customer content: projects, tasks, task descriptions, comments, version planning data, documentation pages, attachments, and other information you or your workspace members submit to the service.
• Billing and subscription data: plan selection, seat counts, Stripe customer and subscription identifiers, invoice status, billing interval, and related commercial records. We do not store full payment card details ourselves.
• Assistant, AI, and voice data: text prompts, preview transcripts, uploaded audio snippets, transcribed text, assistant run metadata, and limited task or project context required to process your request.
• Technical, usage, and security data: IP-address-derived telemetry, device and browser information, log data, error data, API or workflow events, session state, and product usage information used to operate, secure, and improve the service.
• Support and contact data: messages you send to us, commercial inquiries, and correspondence regarding product, billing, legal, or compliance matters.

• Provide and maintain the service, including authentication, workspace collaboration, document editing, file storage, billing operations, and customer support.
• Process AI and voice workflows, including transcribing audio, interpreting commands, generating assistant responses, and recording workflow results or usage metrics.
• Secure the service, detect abuse, investigate incidents, enforce our Terms of Use, and protect users, systems, and content.
• Communicate with you, including transactional notices, support responses, operational updates, and important policy or product changes.
• Improve and develop the product, including debugging, reliability work, measuring feature usage, and planning future functionality.
• Meet legal, accounting, tax, and regulatory obligations.

Where data protection laws such as the GDPR or UK GDPR apply, we generally rely on contract necessity to provide the service you request, legitimate interests to secure, maintain, and improve the service, legal obligations where retention or disclosure is required by law, and consent where a law specifically requires it.

For Hong Kong users, we also aim to provide the information usually expected in a Personal Information Collection Statement and Privacy Policy Statement, including our purposes of use, possible transfers, and a contact channel for access and correction requests.

We share personal data only where necessary to operate the service, comply with law, or protect legitimate interests. This may include sharing data with the following categories of recipients:

• Authentication provider: Clerk, for sign-in, session management, and organization membership flows.
• Payment processor: Stripe, for subscriptions, invoices, payment operations, and customer billing support.
• Application infrastructure and data platform: Convex, for application database, backend logic, and related service operations.
• Object storage provider: Cloudflare R2, for attachments, documentation images, and generated assets.
• AI provider: OpenAI, for assistant processing and voice transcription features.
• Workflow orchestration provider: Inngest, for queued assistant and background workflow execution.
• Professional advisers, regulators, and authorities: where required for legal compliance, dispute handling, fraud prevention, or protection of rights.

Our current vendor list is summarized on the Service Providers page.

Because we operate an online SaaS and use international service providers, personal data may be processed outside Hong Kong and outside the country where you are located. This includes transfers to service providers that help us authenticate users, store files, process payments, run backend workflows, and provide AI features.

Where applicable, we use contractual, technical, and organizational safeguards that are designed to protect transferred data. If you need more information about transfer safeguards that apply to your use case, contact contact@bisonflow.com.

We keep personal data for as long as reasonably necessary to provide the service, maintain security and audit trails, comply with law, resolve disputes, and enforce our agreements.

• Workspace content and account records are generally retained until deleted by a workspace administrator, deleted through product workflows, or removed according to our operational retention practices.
• Billing and tax records may be retained for longer periods where accounting or legal rules require it.
• Security, incident, and operational logs may be retained for shorter rolling periods or longer where needed for abuse prevention or investigations.

We use administrative, technical, and organizational measures designed to protect personal data. These measures are intended to include authenticated access controls, encrypted connections, role-based restrictions where supported, vendor-managed infrastructure security, and operational logging for reliability and abuse prevention.

No internet service is completely secure. You remain responsible for keeping credentials confidential and for controlling the data that you and your workspace choose to place into the service.

Depending on your location and applicable law, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent where consent is used, or to lodge a complaint with a relevant authority.

For Hong Kong data subjects, this includes the ability to ask for access to and correction of personal data that we hold, subject to the limits and procedures allowed by applicable law.

To exercise rights or ask a privacy question, contact contact@bisonflow.com. We may ask for reasonable identity verification before completing a request.

Bisonflow is intended for business, professional, and team productivity use. It is not directed to children. If you believe that personal data relating to a child has been submitted to the service in error, contact us so we can review and address the issue.

We may update this Privacy Policy from time to time. If we make a material change, we may update the date above and take additional steps that are reasonable in the circumstances, such as posting an in-app notice or notifying account owners.

Questions, requests, or legal notices about privacy should be sent to contact@bisonflow.com. You can also review our Terms of Use, Cookies, and Service Providers pages.