RoleFlow

Privacy Policy

Last updated: April 4, 2026

1. Who we are

RoleFlow is operated by EVOLV BV, a Belgian company registered at:

EVOLV BV is the data controller for the personal data processed through RoleFlow. We are subject to the General Data Protection Regulation (GDPR) as an EU-based company.

2. What data we collect

We collect and process the following personal data:

Account information (from Google OAuth sign-in)

  • Email address
  • Full name
  • Profile picture URL
  • Google account identifier

Google Workspace data (read-only)

  • Google Workspace group memberships (group names, member email addresses)
  • GA4, Google Tag Manager, and Google Ads user access lists (to sync permissions)

OAuth tokens

  • OAuth refresh tokens for each connected Google product (GA4, GTM, Google Ads, Workspace Directory)
  • These tokens are encrypted at rest using Google Cloud KMS before storage

Sync and usage data

  • Sync logs (timestamps, which mappings were synced, success/failure status)
  • Group-to-role mapping configurations you create

What we do NOT collect

  • Analytics data, reports, or metrics from your GA4 properties
  • Tag configurations or container content from GTM
  • Campaign data, ad content, or billing information from Google Ads
  • Payment card numbers (Stripe handles all payment processing)

3. Why we process your data (lawful basis)

We process your personal data under the following lawful bases as defined by the GDPR:

  • Performance of a contract (Art. 6(1)(b)): We need your account information, OAuth tokens, and Workspace group data to provide the RoleFlow service you signed up for — syncing group memberships to GA4, GTM, and Google Ads access.
  • Legitimate interest (Art. 6(1)(f)): We keep sync logs to help you audit access changes, troubleshoot issues, and improve the reliability of the service.
  • Consent (Art. 6(1)(a)): We use Google Analytics on the marketing site (roleflow.eu) only, with your consent via the cookie banner. The RoleFlow application (app.roleflow.eu) does not use any analytics or tracking cookies.

4. Cookies

RoleFlow application (app.roleflow.eu)

The application uses only two essential cookies:

  • Session cookie: An httpOnly, SameSite cookie that keeps you logged in. It contains no personal data and expires when your session ends.
  • CSRF cookie: A security cookie that protects against cross-site request forgery attacks.

We do not use any analytics, advertising, or tracking cookies in the application.

Marketing site (roleflow.eu)

The marketing site uses Google Analytics (gtag.js) to understand how visitors find and use the site. This sets cookies from Google. You can opt out of Google Analytics by using a browser extension or declining cookies when prompted.

5. Where your data is stored

All data is stored in the European Union:

  • Database: Google Cloud Firestore, europe-west1 region (Belgium)
  • Encryption: OAuth tokens are encrypted at rest using Google Cloud Key Management Service (KMS)
  • Infrastructure: Google Cloud Platform, EU region

Your data does not leave the European Union. We do not transfer personal data to countries outside the EU/EEA.

6. Third-party services

We use the following third-party services to operate RoleFlow:

Google Cloud Platform (infrastructure)

Hosts the application and database. EU region only. Subject to Google Cloud Data Processing Addendum.

Google OAuth (authentication)

Used for signing in and connecting Google products. Google receives your authentication request directly.

Stripe (payment processing)

Handles all payment processing for the Business plan. RoleFlow does not store, process, or have access to your payment card details. Stripe is a PCI-DSS Level 1 certified payment processor. See Stripe's Privacy Policy.

Resend (transactional email)

Sends account-related emails (e.g., sync failure notifications). Receives only the email address necessary to deliver each message.

Google Analytics (marketing site only)

Used on roleflow.eu (not in the app) to understand site traffic. Can be declined via the cookie banner.

7. Data retention

  • Account data: Retained for as long as your account is active. Deleted upon account deletion request.
  • OAuth tokens: Retained while your product connections are active. Deleted when you disconnect a product or delete your account.
  • Sync logs: Retained for the lifetime of your account to provide audit trail functionality. Deleted upon account deletion.
  • Group-to-role mappings: Retained while your account is active. Deleted upon account deletion.

8. Your rights under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You can ask us to correct inaccurate personal data. Since your profile data comes from Google, updating your Google profile will update it in RoleFlow on next sign-in.
  • Right to erasure (Art. 17): You can request deletion of your account and all associated data. We will delete everything within 30 days of your request.
  • Right to restriction (Art. 18): You can ask us to restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7): Where processing is based on consent (e.g., marketing site analytics), you can withdraw consent at any time.

To exercise any of these rights, email us at support@roleflow.eu. We will respond within 30 days as required by the GDPR.

You also have the right to lodge a complaint with a supervisory authority. The relevant authority for EVOLV BV is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / GBA):

9. Data security

We take reasonable technical and organizational measures to protect your personal data:

  • OAuth tokens are encrypted at rest using Google Cloud KMS
  • All data in transit is encrypted via TLS
  • The application uses httpOnly, SameSite cookies and CSRF protection
  • Access to production infrastructure is restricted and logged
  • All data is stored in EU-based data centers

10. Children's privacy

RoleFlow is a business tool designed for Google Workspace administrators. It is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by posting a notice on the RoleFlow application. The "last updated" date at the top of this page reflects the most recent revision.

12. Contact us

If you have any questions about this Privacy Policy or how we handle your data, contact us at: