Privacy Policy

Last updated: April 4, 2026

1. Who We Are

Kuriflow ("we," "us," "our") is a business process automation platform operated by Filos AI Co., Ltd. Our platform helps organizations automate back-office tasks such as payroll, HR, finance, and procurement using AI-powered workflows.

2. Information We Collect

We collect the following categories of information:

  • Account information: email address, name, and organization name when you sign up.
  • Uploaded documents: files you upload for processing (e.g., attendance data, employee records, policies). These are processed only for the purpose you specify.
  • Google account data: when you connect your Google account, we access only the data necessary for the features you enable (see Section 4).
  • Usage data: workflow execution logs, timestamps, and error logs for debugging and improvement.

3. How We Use Your Information

  • To execute the automated workflows you configure.
  • To read and process files from your Google Drive when you configure a Google Drive input source.
  • To monitor your Gmail inbox for trigger emails when you configure an email-based trigger.
  • To deliver output files via email when you configure email delivery.
  • To export results to Google Sheets when you configure spreadsheet output.
  • To improve our service and fix bugs (using anonymized execution logs).

4. Google API Scopes and Usage

When you connect your Google account, Kuriflow requests access to specific Google services. We only access data within the scopes you authorize:

Gmail Read Access (read-only)

Kuriflow monitors your Gmail inbox for emails with file attachments (e.g., bank statements, invoices, attendance reports). When an email matching your configured trigger arrives, Kuriflow reads the attachment and passes it to your automated workflow. We use read-only access — Kuriflow never modifies, sends, or deletes your emails.

Google Drive Read Access (read-only)

Users configure Google Drive folders as input sources for their workflows. Kuriflow reads files from the specific folder you designate (e.g., a shared folder where HR uploads attendance data). Only the configured folder is accessed — we do not scan or browse your Drive.

Google Drive File Access (app-created files only)

When a workflow produces an output file (e.g., a reconciliation report, a payroll summary, an analytics dashboard, or a Google Sheet), Kuriflow writes it to the Google Drive folder you select as the delivery destination. This scope restricts Kuriflow to files it creates — we cannot see, modify, or delete any other files in your Drive.

Kuriflow does not:

  • Sell, share, or transfer your Google data to third parties.
  • Use your Google data for advertising or profiling.
  • Access data outside of the specific features you enable.
  • Retain your Google data after you disconnect your account.

5. Data Storage and Security

  • OAuth tokens are encrypted at rest using AES-256 encryption.
  • All data is transmitted over HTTPS/TLS.
  • Uploaded files are processed in isolated environments and are not shared between organizations.
  • We use multi-tenant isolation — each organization's data is logically separated and access-controlled.
  • We do not store your Google account password. Authentication is handled entirely by Google's OAuth 2.0.

6. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account closure.
  • Uploaded files: retained for the duration of your subscription. You can delete files at any time.
  • Google OAuth tokens: revoked and deleted immediately when you disconnect your Google account.
  • Execution logs: retained for 90 days for debugging, then automatically purged.

7. Your Rights

You have the right to:

  • Disconnect your Google account at any time from Settings.
  • Request deletion of your account and all associated data.
  • Export your data.
  • Revoke Kuriflow's access via your Google Account permissions.

8. Third-Party Services

Kuriflow uses the following third-party services to operate:

  • Anthropic (Claude): AI processing for document extraction and workflow generation.
  • Google APIs: Gmail, Drive, and Sheets integration as described above.
  • Railway: Cloud infrastructure hosting.
  • Vercel: Frontend hosting.
  • Resend: Transactional email delivery.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or in-app notification.

10. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Email: privacy@kuriflow.com

Company: Filos AI Co., Ltd.