Privacy Policy

Data Controller

Fira Automation, Inc. ("Fira," "we," "our," or "us") is the data controller responsible for your personal data. If you have any questions about how we process your data, you can reach our privacy team at privacy@firaflow.io.

Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our workflow automation platform and related services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

Information We Collect

Information You Provide

• Account Information: Name, email address, password, and organization details when you register.
• Payment Information: Billing address and payment method details processed securely through our payment providers (e.g., Stripe). We do not store full card numbers.
• Workflow Data: The workflows, configurations, and automation logic you create using our platform.
• Integration Credentials: API keys and authentication tokens for third-party services you connect.
• Communications: Information you provide when contacting our support team or participating in surveys.

Information Collected Automatically

• Usage Data: Workflow execution logs, feature usage, and interaction patterns.
• Device Information: Browser type, operating system, device identifiers, and IP address.
• Cookies: Session cookies, preference cookies, and (with your consent) analytics cookies. See Cookie Policy below.

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our Service
• Process transactions and send related information
• Send administrative information, updates, and security alerts
• Respond to your comments, questions, and support requests
• Analyze usage patterns to improve our Service
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations and enforce our terms

Data Processing for AI Features

When you use AI-powered features in your workflows, data may be processed by third-party AI sub-processors, including:

• OpenAI (GPT models) — Privacy Policy
• Anthropic (Claude models) — Privacy Policy
• Google (Gemini models) — Privacy Policy

We recommend reviewing these policies before using AI features with sensitive data.

Important: Your workflow data is never used to train AI models. We process data only to execute your workflows as configured.

AI Disclosure: Messages generated through AI-powered workflow actions are produced by artificial intelligence, not humans. If you use Fira to communicate with your own customers or end-users via AI-generated messages, you may be required by applicable law (including the EU AI Act and various US state laws) to disclose that the communication is AI-generated. You are responsible for compliance with such disclosure obligations in your jurisdiction.

Automated Decision-Making

Our AI-powered features may involve automated processing of data within your workflows. However, we do not use automated decision-making (including profiling) that produces legal effects or similarly significant effects on individuals without human involvement. If you configure workflows that make decisions affecting individuals, you are responsible for ensuring appropriate human oversight as required under GDPR Article 22.

Data Sharing and Disclosure

We may share your information with:

• Service Providers: Third-party vendors who assist in operating our Service (hosting via Google Cloud Platform, payment processing via Stripe, AI providers listed above).
• Integration Partners: Third-party services you explicitly connect to your workflows.
• Legal Requirements: When required by law, court order, or governmental authority.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.

We do not sell, rent, or share your personal information with third parties for marketing or cross-context behavioral advertising purposes.

Data Security

We implement industry-standard security measures to protect your data, including:

• End-to-end encryption for data in transit (TLS 1.3)
• AES-256 encryption for data at rest
• Regular security audits and vulnerability assessments
• Role-based access controls and audit logging

For more details, please visit our Security page.

Data Retention

We retain personal data according to the following schedule:

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required for legal or legitimate business purposes as outlined above.

Your Rights (EEA/UK)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under GDPR:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Request correction of inaccurate data
• Erasure (Art. 17): Request deletion of your personal data
• Portability (Art. 20): Request your data in a machine-readable format
• Objection (Art. 21): Object to processing based on legitimate interest
• Restriction (Art. 18): Request restriction of processing
• Withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@firaflow.io. We will respond within 30 days.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. For a list of EEA authorities, visit the EDPB website.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of Personal Information Collected

Your California Rights

• Right to Know: Request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.

To exercise these rights, contact us at privacy@firaflow.io. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Do Not Sell or Share

Fira does not sell your personal information and does not share your personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.

Do Not Track / Global Privacy Control

We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request under the CCPA/CPRA.

International Data Transfers

Your information is primarily stored and processed in the United States (Google Cloud Platform, us-central1 region). Data may also be processed by our AI sub-processors in the United States.

For transfers from the EEA/UK to the United States, we rely on the EU-US Data Privacy Framework where applicable, and Standard Contractual Clauses (SCCs) approved by the European Commission as supplementary safeguards. We have conducted Transfer Impact Assessments (TIAs) for our key data transfers. You may request a copy of our SCCs by contacting privacy@firaflow.io.

Data Processing Agreement

Where Fira processes personal data on your behalf (i.e., as a data processor), a Data Processing Agreement (DPA) is required under GDPR Article 28. Our standard DPA is available upon request. To obtain a copy, contact legal@firaflow.io.

Our DPA covers the subject-matter of processing, duration, nature and purpose, type of personal data, categories of data subjects, and your obligations and rights as a controller.

Cookie Policy

We use the following types of cookies:

• Essential Cookies: Required for the Service to function properly. These cannot be disabled.
• Analytics Cookies: Help us understand how you use our Service. Set only with your consent.
• Preference Cookies: Remember your settings and preferences. Set only with your consent.

Non-essential cookies are not set until you provide affirmative consent via our cookie banner. You can manage or withdraw your cookie preferences at any time using the "Cookie Settings" link in our website footer.

Children's Privacy

Our Service is not intended for children under 13 in the United States (per COPPA) or under 16 in the European Economic Area (per GDPR). We do not knowingly collect personal information from children under these ages. If you believe we have collected information from a child, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For changes that affect processing based on your consent, we will request renewed consent before applying those changes to your data.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: