Privacy Policy

Last updated: April 14, 2026

VariantFlow ("we", "us", "our") operates the VariantFlow platform at thevariantflow.com. This policy explains what data we collect, why, and how you can control it.

1. Who This Policy Applies To

This policy covers two groups:

• Platform Users — people who use the VariantFlow dashboard to create and manage experiments (our customers).
• Website Visitors — people who visit websites that use the VariantFlow script for A/B testing and personalization (our customers' visitors).

2. Data We Collect from Platform Users

When you create a VariantFlow account, we collect:

• Email address and name (provided during account setup)
• Password (stored as a salted hash — we never store or see your actual password)
• Actions you take in the dashboard (for audit logging and security)

We use this data to authenticate you, manage your account, and maintain security.

3. Data We Collect from Website Visitors

When the VariantFlow script runs on a customer's website, it collects:

• Anonymous identifier — a randomly generated ID stored in the visitor's browser (localStorage). This is not linked to any real identity.
• Session identifier — a temporary ID for the current browsing session.
• Device type — desktop, mobile, or tablet (parsed from the browser's user agent).
• Browser type — Chrome, Safari, Firefox, etc.
• Page URL and referrer — which pages are visited and where the visitor came from.
• Experiment data — which variant was shown and whether a conversion goal was met.
• Engagement data — time on page, scroll depth (when consent is granted).

4. What We Do NOT Collect

• Names, email addresses, or any personally identifiable information of website visitors
• IP addresses (we do not store visitor IP addresses)
• Credit card numbers, Social Security numbers, or financial data
• Passwords or authentication tokens from visited URLs (these are actively stripped)

5. Consent and the Cookie Banner

The VariantFlow script includes a built-in consent banner that appears before any behavioral data is collected. Website owners can also disable this banner if they manage consent through their own system.

• Before consent — only basic A/B test variant assignment occurs (random, no personal data). Persona detection and behavioral profiling are blocked.
• After consent is granted — full event tracking, persona inference, and engagement measurement are enabled.
• If consent is denied — all stored visitor data is cleared from the browser. No events are sent. The experiment observer is disconnected.

6. How We Use the Data

• To assign visitors to experiment variants and measure conversion rates
• To display analytics and experiment results in the dashboard
• To detect visitor personas for personalization (with consent)
• To generate AI-powered experiment suggestions (when enabled by the customer)

We do not sell data to third parties. We do not use visitor data for advertising.

7. Data Storage and Security

• All data is stored in an encrypted SQLite database on a secured server.
• Passwords are hashed using scrypt (NIST-approved) with random salts.
• All connections use HTTPS with HSTS enforcement.
• Session tokens use 256-bit cryptographic randomness.
• The database is backed up hourly with 7-day retention.
• Rate limiting protects all endpoints against abuse.

8. Data Retention

• Event data — retained for up to 365 days, then automatically deleted.
• Audit logs — retained for 90 days.
• Account data — retained until the account is deleted.

9. Your Rights (GDPR and CCPA)

If you are a website visitor:

• Right to access — you can request what data we hold about your anonymous ID.
• Right to deletion — you can request deletion of all data associated with your anonymous ID. Website owners can also delete visitor data through the dashboard or via our API.
• Right to opt out — decline the consent banner, and no behavioral data is collected or stored.

If you are a platform user:

• You can update your profile information in the dashboard settings.
• You can request full account deletion by contacting us.

10. Third-Party Services

• Google Firebase — used for optional Google Sign-In authentication. Subject to Google's Privacy Policy.
• Resend — used to send transactional emails (welcome emails, password resets). Subject to Resend's Privacy Policy.
• Anthropic / OpenAI — used for optional AI features (experiment suggestions, copy generation). Page content may be sent to these services when AI features are explicitly triggered by a platform user. No visitor personal data is included.

11. Children's Privacy

VariantFlow is not directed at children under 13. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. We will not materially reduce your rights without notice.

13. Contact

For privacy questions or data requests, contact us at: [email protected]