Privacy Policy

Last updated: March 8, 2026

1. Introduction

MetricFlow ("we," "our," or "us") operates the MetricFlow platform at metric-flow.app. This Privacy Policy describes how we collect, use, store, and share your information when you use our services.

2. Information We Collect

Account Information

When you create an account, we collect your email address and password (stored in hashed form).

Platform Integration Data

When you connect third-party platforms (such as Google Ads, Google Analytics, Facebook Ads, or other supported services), we collect and store:

• OAuth access tokens and refresh tokens (encrypted at rest)
• Account identifiers and metadata from connected platforms
• Marketing and advertising metrics synced from your connected accounts (e.g., campaign performance, spend data, conversion metrics)
• Financial and analytics data you authorize us to access

Usage Data

We collect information about how you interact with our platform, including pages visited, features used, and dashboards created.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the MetricFlow platform
• Sync and normalize metrics across your connected platforms
• Generate correlation analyses, dashboards, and AI-powered insights
• Authenticate your identity and manage your account
• Communicate with you about your account and our services

4. Google API Services — Limited Use Disclosure

MetricFlow's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we limit our use of Google user data as follows:

• We only access Google data that you explicitly authorize through the OAuth consent flow
• We use Google data solely to provide and improve the MetricFlow features you have requested (metric syncing, dashboards, correlations, and AI insights)
• We do not sell Google user data to third parties
• We do not use Google user data for advertising purposes unrelated to the services you requested
• We do not allow humans to read your Google user data unless: (a) we have your explicit consent, (b) it is necessary for security purposes (such as investigating abuse), (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data has been aggregated and anonymized

5. Data Storage and Security

We take the security of your data seriously. All OAuth tokens (access tokens and refresh tokens) are encrypted at rest using industry-standard encryption (AES-256-GCM via Cloak). Data is stored in secured databases with access controls and encryption in transit (TLS/SSL).

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Sharing

We do not sell your personal information. We may share your information only in the following circumstances:

• With your consent: When you explicitly authorize sharing, such as connecting a platform via OAuth
• Agency access: If your account is managed by an agency through our white-label feature, the agency team may have access to your connected data as determined by your access configuration
• Service providers: We use third-party services for infrastructure (hosting, email delivery) that may process data on our behalf under strict data protection agreements
• AI processing: When you use AI-powered features (insights, chat), your metric data may be sent to third-party AI providers for processing. This data is not retained by AI providers beyond the immediate request
• Legal requirements: When required by law, legal process, or to protect our rights and safety

7. Data Retention and Deletion

We retain your data for as long as your account is active. When you delete your account or disconnect a platform integration:

• OAuth tokens for disconnected integrations are immediately revoked and deleted
• Synced metric data associated with your account is deleted
• Account data is permanently removed within 30 days of account deletion

You may request deletion of your data at any time by contacting us at the email address below.

8. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Disconnect any platform integration at any time, revoking our access
• Export your data in a portable format

9. Cookies

We use essential cookies required for authentication and session management. We do not use third-party tracking cookies or advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our platform or sending you an email.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

privacy@metric-flow.app