Privacy Policy for ClearFlow LLC
Last updated: May 25, 2025
ClearFlow LLC is committed to safeguarding the privacy and security of both Website Visitors and Authorized Users of our Software as a Service (SaaS) platform. This Privacy Policy outlines how we collect, use, disclose, and protect Personal Data and Customer Data for both groups, including integrations with AWS GovCloud, ESRI ArcGIS Online, and other trusted third-party services. ClearFlow’s platform infrastructure is hosted in AWS GovCloud, a FedRAMP Moderate-authorized environment, and we implement security and privacy controls aligned with FedRAMP Moderate standards.
We do not sell personal information. We use personal data to provide, improve, and market our services when submitted by Website Visitors through forms. By accessing our Website or Platform, You agree to the collection and use of information as outlined in this Policy. This Privacy Policy applies to Website Visitors, Authorized Users, and government entities (e.g., municipalities), and outlines how we comply with applicable data protection and public records laws.
1. Interpretation and Definitions
1.1. Interpretation The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
1.2. Definitions For the purposes of this Privacy Policy:
1.2.1. “Company” (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to ClearFlow LLC, 7722 Gooseneck Ct West Olive, MI 49460.
1.2.2. "Agreement" refers to this Privacy Policy, the ClearFlow Master Services Agreement (MSA), and any other related documents, including but not limited to Quotes and Statements of Work (SOWs).
1.2.3. "Customer Data" refers to all operational, geospatial, website usage, and any other information provided by the Customer or Authorized Users. This data is processed, stored, or transmitted through the Platform, and includes data managed via third-party services like ESRI ArcGIS Online and AWS GovCloud, subject to both this Privacy Policy and third-party policies.
1.2.4. "Platform" or "SaaS Platform" refers to the Company’s Software-as-a-Service (SaaS) Platform, including the Website and all related applications, integrations (including ESRI ArcGIS Online), and services provided to the Customer. The Platform encompasses the provision of services, user access, and data processing governed by the MSA, EULA, and this Privacy Policy.
1.2.5. "Personal Data" refers to any information related to an identified or identifiable individual, including but not limited to names, addresses, email addresses, phone numbers, and other identifiers. Personal Data may be collected from Website Visitors, Platform Users, or other individuals interacting with the Company's services.
1.2.6. "Authorized Users" or “Users” refers to employees, contractors, subcontractors, vendors, or agents of the Customer who are granted access to the Platform under the MSA. "Authorized Users" must comply with the MSA, EULA, and this Privacy Policy. If accessing the Platform on behalf of a company or other entity, " Users" also refers to that entity.
1.2.7. “Service Level Agreement” or “SLA” refers to the performance standards, uptime commitments, response times, and other service metrics the Company agrees to meet in the provision of the Platform and related services as specified in the MSA.
1.2.8. “ESRI ArcGIS Online” refers to the third-party platform used for geospatial data and GIS services, which is integrated into The Company’s SaaS platform. Any data processed or stored on ESRI ArcGIS Online is subject to ESRI’s data security and privacy policies.
1.2.9. “Government Entity” refers to municipalities, local governments, or other public sector clients using The Company’s platform for water and wastewater management, GIS operations, and reporting.
1.2.10. “Confidential Information” refers to any non-public information disclosed by either Party in connection with this Agreement that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure.
1.2.11. “Affiliate” means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for the election of directors or other managing authority.
1.2.12. “Cookies” are small files that are placed on your computer, mobile device, or any other device by a website, containing the details of your browsing history on that website among its many uses.
1.2.13. “Device” means any device that can access the Service such as a computer, a cellphone, or a digital tablet.
1.2.14. “Service” refers to the Website and Platform provided by the Company.
1.2.15. “Service Provider” means any third party that processes data on behalf of the Company, including those involved in operating or analyzing the Platform or Website.
1.2.16. “Usage Data” refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
1.2.17. “Website” refers to the Company Website, accessible from https://www.clearflow.net
1.2.18. "Website Visitors" refers to individuals who access or interact with the Company's website, including those submitting forms, requesting information, browsing, or utilizing any online services provided through the website.
1.2.19. “You/Your” refers to either Website Visitors interacting with the Company’s website or Authorized Users utilizing the Platform, as defined in the context.
1.2.20. "Data Controller" refers to the entity (the Company) that determines the purposes and means of processing Personal Data.
1.2.21. "Data Processor" refers to any entity that processes Personal Data on behalf of the Data Controller.
2. Data Collected. We collect and use the following types of data:
2.1. Data Collected from Website Visitors Who Fill in Forms or Request Information. We collect Personal Data from Website Visitors who fill out forms, request information, or contact us via our website. This includes names, email addresses, phone numbers, and message content. This data is processed for communication purposes, improving our services, and providing requested information. We do not share visitor data with third parties unless necessary to fulfill requests or comply with legal obligations. All collected data is handled in accordance with this Privacy Policy.
2.2. Data Users Provide to Access the Platform. We collect Personal Data when Users access the Platform. This may include names, contact details, job titles, and message content. Personally identifiable information collected is used for user authentication, account setup, and service access. We do not share visitor data with third parties unless it is necessary to provide services on the Platform or comply with legal obligations. All collected data is handled in accordance with this Privacy Policy.
2.3. Data Collected via Third-Party Services (e.g., AWS GovCloud, ESRI ArcGIS). The Company may process Customer Data through trusted third-party service providers, including but not limited to AWS GovCloud (FedRAMP Moderate-authorized) and ESRI ArcGIS. These services are used for hosting, GIS integration, and related platform functions, and are governed by their own privacy policies in addition to this one. While The Company ensures secure data transmission and access control, Customers are responsible for reviewing applicable third-party policies for services used in conjunction with the Company’s Platform.
2.4. Automatically Collected Data (Usage Data). We collect Usage Data automatically when You use our Platform or website. This includes information such as Your Device’s IP address, browser type, version, the pages you visit, the time and date of Your visit, time spent on those pages, and diagnostic data. If You access our service via a mobile device, we collect information such as mobile device type, unique device ID, IP address, mobile operating system, and Internet browser type.
2.5. Tracking Technology and Cookies. We use cookies, web beacons, and other tracking technologies to improve and analyze Our services. You can manage cookie preferences through your browser settings. Cookies can be persistent or session-based and serve purposes such as maintaining security, enhancing the user experience, and personalizing content.
2.5.1. Necessary/Essential Cookies: These session cookies are necessary to authenticate users and provide services on our website.
2.5.2. Notice Acceptance Cookies: Persistent cookies to track whether users have accepted cookies on the website.
2.5.3. Web Beacons: Used to count users visiting specific pages or to monitor emails opened for website statistics
3. Use of Your Personal Data. The Company may use Personal Data for the following purposes:
3.1. Provision of Services: We use Customer Data and Personal Information to provide platform access, ensure operational functionality, and integrate with third-party services like ESRI ArcGIS and AWS GovCloud.
3.1.1. Platform Access: Personal Data is used to authenticate users and provide core features like GIS mapping and water/wastewater management.
3.1.2. ESRI ArcGIS Integration: Data processed through ESRI is governed by their privacy policies. The Company ensures secure transmission between platforms but remains separate from ESRI’s data handling practices.
3.1.3. AWS GovCloud Hosting: The Company’s platform is hosted within AWS GovCloud, a FedRAMP Moderate–authorized environment. While the Company ensures secure handling and transmission of data within this infrastructure, AWS governs its own internal data security and privacy practices in accordance with its published policies
3.1.4. Customer Support: Data may be used to provide technical support, troubleshoot issues, and improve the user experience.
3.2. Service Improvement: We analyze data to improve platform performance, operational workflows, and GIS integration, in compliance with this Privacy Policy and third-party policies like ESRI’s.
3.3. Compliance and Reporting:
3.3.1. Government Reporting: We assist government customers in complying with FOIA requests while protecting sensitive or proprietary information.
3.3.2. Legal Obligations: We may use or disclose data to comply with legal obligations, enforce agreements, or resolve disputes.
3.4. Marketing and Communications:
3.4.1. Customer and Website Visitor Communication: We use Personal Information to send updates, notifications, and service changes. Marketing communications will only be sent with prior consent, where applicable.
3.4.2. By submitting forms on our Website or using our Platform, You grant the Company permission to contact You using the information provided, such as email or phone number, to respond to inquiries, provide requested information, or send service-related communications. You may opt out of future communications at any time by following unsubscribe instructions or contacting Us directly
3.5. Product Improvement: Data may be used to enhance our platform, add features, and develop tailored solutions.
3.6. Data Sharing and Third Parties
3.6.1. Third-Party Service Providers: We may share Customer Data with third-party service providers for platform operations, such as hosting, payment processing, and customer support. Data shared with ESRI for geospatial services is subject to their privacy policy. In legal or compliance matters, data may be disclosed if required by law. We also share data with affiliates or business partners to enhance services or in business transactions like mergers. We will not share personal data without prior consent except as outlined in this policy.
3.6.2. Legal or Compliance Disclosures: Data may be disclosed if required by law or for public records requests.
3.6.3. Affiliates and Business Partners: We may share data with affiliates or partners to enhance services.
3.6.4. Business Transactions: Data may be transferred during mergers or acquisitions, ensuring compliance with data protection laws.
3.6.5. With Your Consent: We will not disclose personal data to third parties without obtaining prior consent, except as outlined in this policy.
3.7. Additional Uses of Data
3.7.1. Account Management: Personal data is used to manage user registration and access to the platform.
3.7.2. Technical Support: Data is used to assist with technical issues, ensuring accurate data processing.
3.7.3. Contract Performance: Your data may be used for developing, complying with, and fulfilling the contracts related to the services you have purchased, or any other contract established between you and The Company. This also includes interactions with third-party services like ESRI ArcGIS Online.
3.7.4. Communication: We may contact Users to provide updates or security notifications.
3.7.5. Business Transfers: Data may be transferred in case of mergers, acquisitions, or sales. In such an event, The Company will ensure that any such transfer of data is done in compliance with applicable data protection laws and that the acquiring entity is contractually bound to maintain the privacy and security of Customer Data.
4. Data Security, Access, Processing, and Retention:
4.1. Data Security Measures: The Company implements industry-standard security protocols aligned with FedRAMP Moderate controls, including AES-256 encryption at rest, TLS 1.2+ encryption in transit, multi-factor authentication (MFA), role-based access controls, audit logging, and daily backups. The Company performs regular third-party penetration testing and maintains a documented incident response and disaster recovery plan, both available to Customers upon written request. Customers and their Authorized Users are responsible for safeguarding access credentials and must report unauthorized access immediately. While the Company ensures secure data transmission between its Platform and third-party services (e.g., AWS GovCloud, ESRI ArcGIS), it is not liable for breaches originating from third-party platforms.
4.2. Third-Party Hosting & Integration Security (ESRI & AWS): When using the Platform in conjunction with ESRI ArcGIS Online or hosted via AWS GovCloud, data security for information stored on those third-party platforms is governed by their respective security measures. While the Company ensures secure data handling and transmission between its own systems and these third-party services, the Company is not liable for breaches or incidents originating within those external platforms. Customers are encouraged to review the security policies of both ESRI and AWS GovCloud to understand how their data is managed beyond the Company’s application layer.
4.3. For municipal and other government Customers, The Company ensures that its data protection measures comply with applicable data privacy and security regulations, including federal, state, and local government data protection laws. This ensures that sensitive municipal data is safeguarded against unauthorized access, breaches, or disclosures in accordance with public sector requirements.
4.4. Access Control: Access to Customer Data within the Company’s Platform is restricted to authorized personnel using role-based access control (RBAC). Each user is assigned permissions based on their role and responsibilities. Strong password policies and multi-factor authentication (MFA) are enforced across all accounts, and all access activity is logged for auditing and security review.
4.5. Data Retention: The Company retains Customer Data for the duration of the customer agreement or as required to comply with legal and regulatory obligations, including applicable public records and FOIA laws. Data stored on third-party platforms such as ESRI ArcGIS is subject to their respective retention policies, and Customers are encouraged to review those directly. Data collected from website visitors is retained only as long as necessary to fulfill the purpose of the interaction and may be deleted upon request.
4.6. Data Breach Notifications: In the unlikely event of a data breach involving Customer Data, The Company will notify affected Customers promptly, in accordance with applicable state and federal breach notification laws. The Company will work collaboratively with Customers—especially government entities—to meet any additional regulatory requirements and provide supporting documentation as needed. Customers are responsible for notifying their end users, where applicable, and The Company will assist with public-sector-specific reporting obligations governed by FOIA or other local statutes.
4.7. Data Processing: Data processing is governed by this Privacy Policy, the MSA, and the EULA. Users must comply with all data processing terms, including public records laws, and review third-party data protection policies, such as those of ESRI ArcGIS.
5. Data Protection Rights
5.1. Customers and Authorized Users: The Company ensures Customers and Authorized Users maintain full control over their personal data. Depending on applicable laws, such as the CCPA, you may have the following rights:
5.1.1. Right to Access: You may request a copy of personal information we collect, use, or share. The Company will provide specific details about how Your data is collected and shared.
5.1.2. Right to Know: You can request information regarding:
5.1.2.1. Categories of personal information collected.
5.1.2.2. Sources of this information.
5.1.2.3. Business purposes for collection/sharing.
5.1.2.4. Third parties with whom your data is shared.
5.1.2.5. Specific data collected about you.
5.1.3. Right to Correct: You may request the correction of inaccurate personal data, and we will ensure your data is accurate based on the information provided.
5.1.4. Right to Delete: You may request the deletion of your personal data, except where legal requirements prevent deletion (e.g., compliance with FOIA or public records laws). We will assist with compliance and protect sensitive data.
5.1.5. Right to Restrict Processing: You may request limits on how your data is processed, such as when you dispute its accuracy.
5.1.6. Right to Object to Processing: You can object to specific data processing, such as direct marketing or profiling, unless compelling legal reasons exist for continuing.
5.1.7. Right to Data Portability: You may request a copy of your personal data in a portable, machine-readable format and request its transfer to another service provider, where feasible.
5.1.8. Right to Opt-Out: You can opt out of the sale or processing of your data for targeted advertising or profiling. While the Company does not sell data, you may control certain data-sharing practices by contacting us directly.
5.1.9. Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your data protection rights. The Company will not:
5.1.9.1. Deny services.
5.1.9.2. Charge different prices or rates.
5.1.9.3. Provide a different level of service.
5.1.9.4. Suggest that you may receive different pricing or quality.
5.1.10. Public Records and Government Customers: The Company acknowledges that certain Customer Data may be subject to public records laws such as the Freedom of Information Act (FOIA). Customers retain full ownership and control of their data. The Company will assist Customers in responding to lawful public records requests and will take reasonable measures to protect sensitive or proprietary information to the extent permitted by law..
5.2. Website Visitors: Website visitors have the following rights under applicable privacy laws (e.g., CCPA), including:
5.2.1. Right to Access: You may request a copy of personal data collected from you, such as information submitted via forms.
5.2.2. Right to Know: You may request information about categories of data collected, purposes for collection, and any third-party sharing.
5.2.3. Right to Correct: You can request corrections to inaccurate data submitted through the website.
5.2.4. Right to Delete: You may request the deletion of personal data, subject to legal exceptions.
5.2.5. Right to Opt-Out of Sale or Sharing: You may opt out of data-sharing practices, such as cookies or marketing data collection.
5.2.6. Right to Non-Discrimination: The Company will not deny services or alter the level of service for visitors exercising their privacy rights.
6. Exercising Your Policy Rights. Website visitors, Customers, and/or Authorized Users may submit verifiable requests to exercise their rights under this Privacy Policy. Only the individual or someone legally authorized may submit a request. To submit a request:
6.1. Email us at: [email protected]
6.2. To protect Your personal data, we require sufficient information to verify the identity of any individual submitting a request including:
6.2.1. Valid email or account number for Customers/Authorized Users.
6.2.2. For website visitors, verifiable details like email or name used during inquiries.
6.3. Requests Must:
6.3.1. Allow us to verify your identity or authorization
6.3.2. Provide sufficient detail for us to respond appropriately.
6.4. We cannot respond if we cannot verify your identity or authority.
6.5. For government entities, certain data may be exempt from deletion or modification requests if required to be retained under public records laws. The Company will assist with compliance in accordance with the MSA and applicable public records laws while protecting sensitive information to the fullest extent allowed by law.
6.6. You may only submit a verifiable consumer request for access or data portability up to twice within a 12-month period.