This Data Processing Addendum (“DPA”) forms part of the Tidyflow Terms of Service and applies where Tidyflow processes Personal Data on behalf of a customer.
1. Definitions
Customer means the entity or individual using the Tidyflow Service.
Tidyflow means the provider of the Service.
Personal Data means any information relating to an identified or identifiable individual that is processed through the Service.
Customer Data means all data submitted to or stored within the Service by Customer.
Applicable Data Protection Laws means, as applicable: (a) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); (b) the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Laws”); and (c) any other applicable data protection or privacy legislation.
2. Roles of the Parties
For Personal Data included in Customer Data:
- Customer acts as the Data Controller (or equivalent under Applicable Data Protection Laws).
- Tidyflow acts as the Data Processor, processing Personal Data solely on behalf of Customer.
Tidyflow does not determine the purposes or means of processing Customer Data.
3. Scope of Processing
Tidyflow processes Personal Data only:
- To provide and maintain the Service
- To support Customer requests
- To ensure system security and reliability
- To sync, display, compose, send, and manage email communications via connected third-party email services (Gmail, Microsoft 365), where Customer has authorised the connection via OAuth 2.0
- To allow users to accept, decline, or update calendar events created from meeting invitations received in connected Gmail accounts, via the Google Calendar API where Customer has authorised Calendar access on the same OAuth grant
- To deliver AI Features within the Service, where Customer has opted in — data transmitted to the AI provider is pseudonymised via tokenisation before leaving the Tidyflow platform, processed in real time, and subject to the minimum retention period required to operate the AI provider’s API
- As otherwise instructed by Customer through use of the Service
The categories of Personal Data processed depend on what Customer chooses to upload and may include names, contact details, financial information, and documents. Where Email Integration is enabled, email message content, sender and recipient information (names, email addresses), email metadata (timestamps, subject lines, read/unread status, labels or folders), and attachments may also be processed. Where Calendar Integration is enabled, event details (title, time, location, attendees, response status) for events the user has created, updated, or responded to through email invitations in Tidyflow may also be processed. Where AI Features are enabled, email content, workflow descriptions, and task information may also be processed by a third-party AI provider as described in the AI Terms of Use; calendar event data is not transmitted to the AI provider.
Processing occurs primarily in the United States.
4. Confidentiality
Tidyflow ensures that personnel authorised to process Personal Data:
- Are bound by confidentiality obligations
- Receive appropriate security awareness training
- Have access limited to what is necessary to perform their role
5. Security Measures
Tidyflow implements appropriate technical and organisational measures designed to protect Personal Data, including:
- Encryption in transit (TLS)
- Encryption of sensitive data at rest
- Role-based access controls
- Multi-factor authentication support
- Logical tenant isolation between customer accounts
- Restricted internal access to production systems
- Regular system updates and security monitoring
Further details are available on the Tidyflow Security page.
Personal Data Breach Notification
Tidyflow will notify Customer without undue delay and in any event within 72 hours of becoming aware of a confirmed Personal Data breach affecting Personal Data processed on Customer’s behalf, in accordance with Article 33(2) GDPR. The notification will include, to the extent known at the time, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
6. Sub-processors
Tidyflow may engage trusted third-party service providers (“Sub-processors”) to support the Service.
Tidyflow:
- Enters into written agreements with Sub-processors
- Requires Sub-processors to implement appropriate data protection safeguards
- Remains responsible for Sub-processor compliance with this DPA
Where Customer has enabled Email Integration, Tidyflow accesses email data via the Google Gmail API and/or Microsoft Graph API, as applicable, based on the email provider(s) Customer has connected. Where Customer has additionally authorised Calendar access on a connected Google account, Tidyflow accesses calendar event data via the Google Calendar API solely for events created or modified through user interaction with an email invitation in Tidyflow. Google and Microsoft act as Sub-processors in respect of this email and calendar data. Data is accessed via secure OAuth 2.0 connections authorised by Customer, synced and cached within the Service as required, and processed solely to provide the corresponding integration functionality. Customer may disconnect a linked account at any time to cease processing by the relevant Sub-processor. Tidyflow’s use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Where Customer has opted in to AI Features, Tidyflow engages OpenAI as a Sub-processor for the purpose of processing data through AI functionality. OpenAI is contractually prohibited from using Customer Data to train, fine-tune, or improve its models. Data transmitted to OpenAI is pseudonymised via tokenisation before leaving the Tidyflow platform. OpenAI is contractually committed to the minimum retention period required to operate its API, as further described in the AI Terms of Use. Customer may disable AI Features at any time to cease data processing by this Sub-processor.
A current list of Sub-processors is available on the Tidyflow Sub-processors page.
7. International Transfers
Tidyflow’s primary infrastructure and data storage are located in the United States. For transfers of Personal Data from the United Kingdom or European Economic Area to the United States, Tidyflow relies on the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) and, for UK-originating Personal Data, the UK International Data Transfer Addendum to those clauses (or the UK International Data Transfer Agreement, as applicable). Where a sub-processor is itself self-certified under the EU-US Data Privacy Framework and/or the UK Extension to the EU-US Data Privacy Framework, Tidyflow may additionally rely on that mechanism for transfers to that sub-processor.
8. Supervisory Authority
The competent supervisory authority shall be determined by reference to the Customer’s establishment. For UK-based Customers, the competent supervisory authority is the Information Commissioner’s Office (ICO).
9. Assistance with Data Subject Requests
To the extent required by Applicable Data Protection Laws, Tidyflow will provide reasonable assistance to Customer in responding to requests from individuals exercising their data protection rights, including rights of access, rectification, erasure, restriction, portability, and objection.
10. Data Retention and Deletion
Customer Data is retained for the duration of the subscription.
Upon termination of the Service:
- Customer may request export of Customer Data within a reasonable period.
- Customer Data will be securely deleted in accordance with Tidyflow’s internal retention policies, unless retention is required by law.
11. Audits
Upon reasonable written request, Tidyflow may provide information necessary to demonstrate compliance with this DPA.
Tidyflow may satisfy audit requests through documentation, certifications, or written responses.
12. Governing Terms
This DPA is governed by the same law and jurisdiction as the Tidyflow Terms of Service.
In the event of conflict between this DPA and the Terms of Service, this DPA shall control with respect to data protection matters.
13. Changes to This DPA
Tidyflow may update this DPA from time to time. Where a change is material — for example, a change to security measures, sub-processor categories, transfer mechanisms, or breach notification commitments — Tidyflow will provide at least 30 days’ prior notice by email or in-product notification before the change takes effect.