Privacy Policy

Introduction

NetroFlex CIP™ ("we," "us," or "our") is a Conversion Intelligence Platform developed and operated by NetroFlex, a US-based software company. We are committed to protecting your privacy and being transparent about the data we collect, how we use it, and your rights.

This Privacy Policy applies to our website at netroflex.com, the NetroFlex CIP™ account registration system, the NetroFlex CIP™ WordPress plugin, the base.netroflex.com user portal, our early access waitlist, and any future SaaS platform, Shopify integration, or Pro Add-On features we release (collectively, the "Services").

By using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Services.

We design our practices to align with applicable privacy laws, including GDPR and CCPA where relevant. We do not claim perfection — if you have concerns, contact us at privacy@netroflex.com.

Who We Are

NetroFlex CIP™ is a performance optimization system based on engagement signals. Our platform helps marketers, creators, and agencies capture, score, and understand leads through intelligent tracking and automation.

• Business Location: United States
• Contact Email: privacy@netroflex.com
• Website: https://netroflex.com

All software, source code, platform architecture, and related intellectual property associated with NetroFlex CIP™ is proprietary and confidential.

NetroFlex CIP™ is designed solely as a marketing workflow and lead prioritisation tool. It is not a system for evaluating individuals in any legal, financial, employment, credit, housing, or eligibility context.

Information We Collect

3.1 Information You Provide at Account Registration

When you create a NetroFlex CIP™ account, we collect the following:

• First name (required, maximum 100 characters) — used to personalise your account and communications. Last name is not collected at registration and may optionally be added after login.
• Email address (required) — used as your account identifier, for login, and to send platform notifications and updates. Validated server-side.
• Website domain (optional at signup) — used to associate your account with your site for plugin integration. Can be added or updated from account settings after registration.
• Password (required, minimum 8 characters) — immediately hashed using bcrypt at cost 12. The plaintext password is never stored, logged, or recoverable by NetroFlex or anyone else.
• Plan selection (required) — Starter (free, 500 leads) or Pro Founders ($49/mo, 10,000 leads). Used to configure your account features and billing tier.
• Consent acknowledgement (required) — you must explicitly check the consent checkbox to register. Consent is enforced server-side and cannot be bypassed through the browser or API.

3.2 Information You Provide to the Waitlist

If you join our early access waitlist before registering a full account, we collect:

• Email address (required) — used to send your waitlist confirmation and early access invite
• Name (collected when provided) — used to personalise communications
• Plan preference — used to assign you to the correct pricing tier and feature set
• Phone number (if provided or enabled by site operator via Pro Add-On) — used for communication features where opted in

3.3 Information Collected Automatically

When you interact with our Services, we automatically collect:

• Hashed IP address (form submissions) — your IP address is immediately converted to a one-way SHA-256 cryptographic hash before storage. The raw IP is discarded and never written to our database. Used solely for bot blocking and fraud detection.
• Raw IP address (account registration and consent audit) — when you create an account, your validated IP address is stored in your consent audit record as part of the legal paper trail proving you agreed to our Terms and Privacy Policy at the time of registration. This IP is stored in its original form specifically for legal compliance purposes and is treated as personal data.
• Browser user agent string — your browser type, version, and device information, capped at 512 characters. Stored in your consent audit record alongside your IP address to establish the technical context of your registration consent.
• UTM parameters (utm_source, utm_campaign, utm_medium, utm_content, utm_term) — collected when present in the URL to understand which marketing campaigns drive signups
• Page source / referral — the page title or URL where a form was submitted
• Engagement signals — form interaction data and session behaviour used by the CIP™ scoring engine to rank lead quality for site operators
• System logs — we may maintain system logs for security, fraud prevention, and system integrity purposes. These are retained for up to 90 days.

3.4 CCPA Data Categories Breakdown

For California residents, here is a structured breakdown of the categories of personal information we collect:

• Identifiers — email address, first name, hashed IP address (form submissions), raw IP address (consent audit records), browser user agent string
• Commercial information — plan preference, pricing tier selection, website domain
• Internet or network activity — page views, form interactions, UTM parameters, engagement signals, session data
• Inferences — CIP™ lead engagement score derived from interaction behaviour
• Communication data — phone number and scheduling data where provided through Pro Add-On features
• Consent records — policy version accepted, timestamp of acceptance, IP address, user agent at time of consent

3.5 Consent Audit Trail

Every account registration on the NetroFlex CIP™ platform writes a permanent consent audit record to our database. This record constitutes the legal proof that you agreed to our Terms of Service and Privacy Policy at the time of registration. Each consent audit record contains: Tenant ID, email address, IP address, user agent string, Terms version, Privacy Policy version, and a server-side UTC timestamp. This audit record is non-deletable under standard deletion requests as it constitutes a legal compliance record.

When we publish material updates to our Terms or Privacy Policy and increment the policy version, existing users will be required to review and re-accept the updated policies before accessing the platform. Each re-acceptance generates a new audit record with the updated version and timestamp.

3.6 Cookies, Sessions, and Local Storage

Our account registration and platform use session cookies to maintain your authenticated state. These are strictly necessary functional cookies required for the platform to operate and do not require consent under GDPR for EU/EEA users.

Our website uses localStorage (not cookies) to remember your theme preference (light/dark mode). This does not track you and is stored only in your own browser using a generic key name that does not identify our platform.

Our WordPress plugin may set functional cookies to recognise returning visitors and prevent duplicate lead submissions. These are session-based functional cookies and are not used for advertising or cross-site tracking.

We do not use advertising cookies or third-party tracking cookies on netroflex.com. The base.netroflex.com portal may in the future display third-party advertising that sets cookies — this will be disclosed in our Cookie Policy with 14 days notice before activation. See Section 23 and our Cookie Policy for full details.

3.7 WordPress Plugin Data

If you are a site operator using the NetroFlex CIP™ WordPress plugin, your plugin collects lead data submitted through your forms — including email, name, UTM data, and engagement signals. This data is stored in your own database on your own server and remains entirely under your control. NetroFlex does not have access to your site's lead database.

However, the plugin does contact our servers in two ways:

• License validation: On the 1st and 15th of each calendar month, the plugin sends a scheduled request to api.netroflex.com to verify that your license key and API key are active. This transmits your tenant ID, hashed license key, and plugin version. No visitor or lead data is included in this request.
• Smart Panel intelligence: When you open the Smart Panel for a lead, that lead's data is temporarily transmitted to api.netroflex.com to generate CIP scores, Dorothy AI responses, and intelligence outputs. This data is processed and returned to your dashboard — it is not permanently stored on our servers. See Section 22 for full details of Dorothy AI processing.

3.8 What We Do NOT Collect

• We do not collect last names at registration — first name only
• We do not store passwords in any recoverable form — passwords are bcrypt hashed at cost 12
• We do not store raw IP addresses for form submissions — only irreversible SHA-256 hashes (note: raw IPs are stored in consent audit records as described in Section 3.5)
• We do not collect payment card details — billing is handled by third-party processors
• We do not collect sensitive personal data (race, religion, health, biometric data)
• We do not attempt to infer sensitive personal characteristics
• We do not collect data from children under 13
• We do not use advertising cookies on netroflex.com
• We do not sell your data to advertisers
• We do not permanently store lead data that passes through our servers for Smart Panel processing — it is processed and discarded
• We do not have access to your site's lead database — it remains on your own server

3.9 Future: Analytics

We may in the future integrate Google Analytics or a privacy-focused alternative to help us understand site traffic patterns. If and when this occurs, this Privacy Policy will be updated before implementation, and EU visitors will be presented with an appropriate consent mechanism.

3.10 Spatial Interaction Data

We may collect spatial interaction data related to how users engage with elements within a website or application interface. This may include cursor movement, click positioning, scroll depth, viewport visibility, and interaction with on-screen components. This data is limited strictly to digital, on-screen interactions. NetroFlex CIP™ does not collect GPS data, precise geographic location, or any real-world physical location information. Spatial interaction data is used solely to analyse engagement patterns and enhance conversion performance for site operators.

3.11 Embedded Forms and External Data Collection

NetroFlex CIP™ allows site operators to deploy forms on external websites using embedded HTML code or platform integrations, including WordPress shortcodes. When a visitor submits information through one of these forms, the data is transmitted to NetroFlex servers for processing and storage on behalf of the site operator. The site operator is the data controller, and NetroFlex acts as a data processor. NetroFlex does not control how these forms are presented, deployed, or disclosed on external websites.

3.12 System Tracking Identifiers

Each embedded form may include a unique system identifier that associates the submission with the corresponding NetroFlex CIP™ account. This identifier is used solely to route data correctly, attribute submissions to the appropriate user, and enable platform functionality such as lead tracking and reporting. This identifier does not track individuals across websites, identify personal identities, or monitor user activity beyond the specific form submission context.

3.13 End User Transparency — Embedded Forms

If you are an end user submitting information through a form hosted on an external website, you should refer to the privacy policy of the website on which the form is hosted. The site operator is responsible for providing appropriate disclosures and obtaining any required consent before collecting your data through NetroFlex CIP™ forms.

How We Use Your Information

• To create and manage your NetroFlex CIP™ account and authenticate your identity at login
• To add you to our early access waitlist and send you a confirmation email
• To assign you to the correct plan and lock in your founding pricing tier
• To send platform updates, launch notifications, and early access invites
• To detect and block bots, scrapers, and malicious actors targeting our system (via hashed IP and honeypot detection)
• To understand which marketing campaigns drive signups (via UTM data)
• To calculate a CIP™ lead engagement score for site operators — this score helps marketers prioritise follow-up and is not used to make any automated decision that legally affects you
• To process Dorothy AI queries — when you ask Dorothy about a lead, that lead's data is temporarily transmitted to our servers to generate the response, then discarded
• To validate license and API key status for the WordPress plugin on a scheduled basis
• To maintain a consent audit trail establishing the legal record of your agreement to our Terms and Privacy Policy
• To improve our platform, features, and user experience
• To comply with legal obligations

Automated Processing

When you submit a form on a site using the NetroFlex CIP™ plugin, our system may automatically calculate a CIP™ engagement score, classify your lead status as cold, warm, or hot, trigger a follow-up notification to the site operator, and block submissions identified as bots. These automated processes do not make any decision that legally or significantly affects you as an individual.

Dorothy AI — Assisted Intelligence (Not Autonomous Action)

NetroFlex CIP™ includes Dorothy, an AI assistant that analyses engagement signals and generates suggested actions or draft communications based on lead activity. Dorothy operates as a decision support system only. It suggests. It drafts. It does not act. All communications suggested by Dorothy require manual review and explicit approval by the site operator before sending. NetroFlex CIP™ does not send messages automatically on behalf of any user.

When you ask Dorothy a question about a lead, the lead's data — including engagement signals, UTM data, temperature classification, and relevant history — is temporarily transmitted to api.netroflex.com to formulate the response. This processing is performed entirely on NetroFlex's own infrastructure. No lead data is sent to third-party AI providers. The data is discarded after the response is returned to your dashboard.

Communication Action Logging

For platform integrity and dispute resolution purposes, NetroFlex CIP™ maintains logs of communication actions. These logs record the timestamp a draft was generated, the timestamp the user sent the communication, and whether the draft was edited before sending. Logs are retained for a minimum of 24 months.

IP Address Handling — Our Approach

NetroFlex CIP™ handles IP addresses differently depending on the context. We are transparent about both approaches.

5.1 Form Submission IP Hashing

When you submit a lead capture form, your IP address is processed through a SHA-256 cryptographic hash before it is ever stored. The raw IP address is discarded immediately and never written to our database. SHA-256 is a one-way cryptographic function — mathematically irreversible. Used exclusively for bot detection. Retained for up to 12 months then permanently deleted. Never shared with any third party.

5.2 Account Registration IP Storage

When you create an account, your IP address is validated and stored in its original form within your consent audit record. This is a deliberate and necessary exception to our hashing practice — a hashed IP cannot fulfill the legal compliance function of proving who agreed to our policies at a specific moment in time. Registration IP is stored only in the consent audit table, treated as personal data, and retained for the lifetime of the account and a minimum of 5 years after account closure.

5.3 Hashing vs. Truncation

Legal Basis for Processing — GDPR (EU Users)

We process your personal data under the following legal bases: Consent — you voluntarily submit your email and check the consent checkbox at registration. Contract Performance — processing necessary to provide the Services you have registered for. Legitimate Interests — fraud prevention, bot detection, traffic source understanding, lead scoring for site operators, license validation, and maintenance of consent audit records. Legal Obligation — where required by applicable law.

Your GDPR Rights

• Access — Request a copy of your personal data
• Rectification — Request correction of inaccurate data
• Erasure — Request deletion. Note: consent audit records may be retained where required for legal compliance.
• Restriction — Request limited processing of your data
• Portability — Request your data in a portable format
• Objection — Object to processing based on legitimate interests, including profiling

Profiling Disclosure — GDPR Article 22

Our CIP™ platform performs automated scoring of leads based on engagement signals. This constitutes profiling under GDPR Article 4(4). CIP™ analyses engagement behaviour to assign a lead quality score. This scoring is an internal marketing tool for site operators only. It has no legal or similarly significant effect on you as an individual. You have the right to object to this profiling at any time — email privacy@netroflex.com.

Contact privacy@netroflex.com to exercise any of these rights. We respond within 30 days.

California Privacy Rights — CCPA

• Right to Know — Request disclosure of categories and specific data collected about you. See Section 3.4 for a full category breakdown.
• Right to Delete — Request deletion of your personal information, subject to certain exceptions. Note: consent audit records may be retained where required for legal compliance.
• Right to Correct — Request correction of inaccurate personal information we hold about you
• Right to Opt-Out — We do not sell your personal information. You do not need to opt out of a sale.
• Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights

Submit a CCPA request to privacy@netroflex.com with subject line "CCPA Request".

Data Retention

• Account data (name, email, domain) — retained for the life of your account. Upon account closure, retained for a minimum of 12 months then deleted unless legal obligation requires longer retention.
• Passwords — stored only as bcrypt hashes. Never recoverable. Deleted upon account closure.
• Waitlist email addresses — until you unsubscribe, request deletion, or the waitlist program ends
• Hashed IP addresses (form submissions) — up to 12 months for fraud detection, then permanently deleted
• Raw IP addresses (consent audit records) — retained for the lifetime of the account and a minimum of 5 years after account closure, as a legal compliance record
• User agent strings (consent audit records) — same retention as raw IP addresses above
• Consent audit records — permanent records. Each row represents a legally binding consent event and cannot be deleted under standard deletion requests.
• UTM / source data — as long as your account or waitlist record is active
• System logs — up to 90 days for security and integrity purposes
• Communication action logs — minimum 24 months from the date of the communication action
• Dorothy AI query data — not retained. Lead data transmitted for Dorothy processing is discarded after the response is returned.
• License validation ping data — logged for a maximum of 30 days for audit purposes, then deleted.

You may request deletion of your data at any time by emailing privacy@netroflex.com. We will honour deletion requests to the fullest extent permitted by applicable law.

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We do not currently share your data with any third-party services for their own purposes. We may disclose data only in these circumstances:

• Legal compliance — if required by law, court order, or government authority
• Business protection — to enforce our Terms of Service or protect rights, property, or safety
• Business transfer — in a merger or acquisition, with prior notice to you before your data becomes subject to a different privacy policy
• Third-party service providers — we may use third-party service providers such as cloud hosting, email delivery services, video conferencing providers, and payment processors to enable certain features. These providers process data only as necessary to perform their functions and are not permitted to use it for their own purposes.

Dorothy AI processing is performed entirely on NetroFlex's own infrastructure. No lead data is transmitted to third-party AI providers at any time.

Data Security and Breach Notification

10.1 Access and Credential Security

• Database credentials stored as server environment variables — never in publicly accessible files or source code
• Passwords hashed using bcrypt at cost 12 — the plaintext password is never written to any storage medium
• API keys stored as SHA-256 hashes only — the plaintext key is shown once at generation and never stored
• Production system access restricted to authorised personnel only

10.2 Transmission and Storage Security

• HTTPS encryption for all data transmitted to and from our Services, including API license pings and Smart Panel data flows
• IP addresses from form submissions stored only as one-way SHA-256 cryptographic hashes
• All Dorothy AI query data is transmitted over encrypted connections and discarded after processing

10.3 Application Security

• CSRF protection — every form submission is validated using a per-session CSRF token checked with timing-safe hash_equals()
• Bot and honeypot protection — registration and form submissions use a honeypot field that is invisible to real users but filled by bots
• Input sanitisation — all user inputs are processed through strip_tags(), trim(), filter_input(), and field-level maxlength limits before any database operation
• SQL injection prevention — all database queries use PDO prepared statements. No raw string interpolation is used in any query.
• Session security — session_regenerate_id(true) is called on successful login to prevent session fixation attacks
• HTTP security headers — all responses include X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, and a Content Security Policy header
• Error suppression — error_reporting(0) is set in production. No PHP error details or stack traces are exposed to the browser under any circumstances

10.4 Breach Notification

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal data, we will notify affected users in accordance with applicable laws — including GDPR Article 33 (within 72 hours to the relevant supervisory authority where required) and applicable US state breach notification requirements.

Communications Features — Pro Add-On

Certain communication features — including SMS, calling, video calls, voice memos, email outreach, and scheduling — are offered as optional Pro Add-On functionality controlled entirely by the site operator. These features are not active by default.

11.1 What NetroFlex CIP™ Provides

• A Smart Panel interface enabling site operators to initiate communications with their leads
• Communication may be initiated manually by the site operator or triggered automatically based on user-defined workflows
• Video call and scheduling features may involve the processing of meeting metadata, calendar information, and communication logs
• NetroFlex CIP™ does not determine when, how, or whether a site operator contacts a lead

11.2 Operator Responsibilities — TCPA and Consent

Site operators are solely responsible for obtaining all required consent before contacting individuals via SMS, phone calls, email, or automated systems, in accordance with all applicable laws including the TCPA, CAN-SPAM Act, GDPR Article 6, and any applicable local laws.

11.3 Anti-Spam and Misuse Prohibition

Users may not use NetroFlex CIP™ to send unsolicited, spam, or harassing communications, or to make decisions that produce legal or similarly significant effects concerning individuals. Violation of these terms may result in immediate account termination.

11.4 Third-Party Communications Infrastructure

Certain communication features may rely on third-party service providers, including cloud communications platforms, email delivery systems, and video conferencing services. These providers process data only as necessary to perform their functions and are not permitted to use it for their own purposes.

11.5 No Agency Relationship

NetroFlex CIP™ does not act as an agent, representative, or intermediary for any site operator. No agency, partnership, joint venture, employment, or fiduciary relationship is created between NetroFlex and any site operator through the use of the platform's communication features.

Data Controller vs. Data Processor

• For data collected directly by NetroFlex CIP™ (e.g. account registrations, the early access waitlist, consent audit records): NetroFlex acts as the data controller and this Privacy Policy governs how that data is handled.
• For data collected through the NetroFlex CIP™ plugin or embedded forms on a site operator's website: the site operator acts as the data controller, and NetroFlex acts as a data processor. The site operator is responsible for their own privacy disclosures and compliance obligations toward their leads.
• For Dorothy AI processing: when lead data is temporarily transmitted to our servers to generate intelligence responses, NetroFlex acts as a data processor on behalf of the site operator (data controller). The data is processed for the sole purpose of generating the intelligence response and is not retained.

NetroFlex does not have access to lead data stored in a site operator's own database. That data remains entirely under the site operator's control and governance. Our multi-tenant platform architecture ensures that each operator's account and associated data is logically isolated.

Site Operator Responsibility

Site operators using NetroFlex CIP™ are responsible for ensuring their own compliance with applicable privacy laws in their jurisdiction. This includes but is not limited to:

• Providing appropriate privacy disclosures to their own users and leads, including disclosure of NetroFlex CIP™ as a data processor
• Disclosing to their visitors that the NetroFlex CIP™ plugin contacts api.netroflex.com for license validation and Smart Panel intelligence
• Obtaining consent where required before tracking, scoring, or contacting individuals
• Implementing a cookie consent mechanism before enabling tracking features
• Complying with TCPA, CAN-SPAM, GDPR, CCPA, and any other applicable laws governing their use of the platform
• Honouring data deletion and opt-out requests from their leads
• Ensuring their own privacy policy reflects the use of NetroFlex CIP™ features on their site
• Keeping their account credentials and API keys secure and not sharing them with unauthorised persons

NetroFlex provides infrastructure and tools. Liability for misuse of the platform rests with the site operator.

Scope of Responsibility

NetroFlex CIP™ provides infrastructure and tools for marketing workflow automation and lead intelligence. Our scope of responsibility is defined as follows:

• We provide the platform — we do not make decisions on behalf of site operators or their leads
• We do not control how site operators use data collected through their implementation
• We do not evaluate the legality of communications initiated by site operators
• We do not guarantee the accuracy, completeness, or reliability of any engagement score, lead classification, or inferred behaviour produced by the CIP™ system
• NetroFlex CIP™ does not provide business, marketing, legal, or financial advice
• Nothing in the platform or its outputs should be construed as professional advice of any kind

Liability, No Reliance, and No Guarantee

15.1 No Reliance

NetroFlex CIP™ outputs — including engagement scores, lead classifications, and behavioural inferences — are provided for informational and workflow purposes only. Site operators are solely responsible for any decisions, actions, or outcomes resulting from their use of these outputs.

15.2 No Accuracy Guarantee

We do not guarantee the accuracy, completeness, or reliability of any engagement score, lead classification, or inferred behaviour generated by the CIP™ system. Dorothy AI responses are informational suggestions only and should not be relied upon as definitive assessments.

15.3 No Professional Advice

NetroFlex CIP™ does not provide business, marketing, legal, financial, or any other form of professional advice.

15.4 No Warranty — As Is / As Available

The Services are provided "as is" and "as available" without warranties of any kind, whether express or implied.

15.5 No Sensitive Inference

NetroFlex CIP™ does not attempt to infer sensitive personal characteristics such as race, religion, health status, political affiliation, sexual orientation, or any other protected characteristic.

15.6 Limitation of Purpose

CIP™ is designed solely as a marketing workflow and lead prioritisation tool. It must not be used as a system for evaluating individuals in any legal, financial, employment, credit, insurance, housing, or eligibility context.

15.7 Regulatory Non-Classification

NetroFlex CIP™ is not a telecommunications provider, common carrier, financial institution, credit reporting agency, consumer reporting agency, data broker, or regulated entity under any applicable statute.

International Data Transfers

NetroFlex CIP™ is based in the United States. If you are located outside the United States — including in the European Union, European Economic Area, or United Kingdom — your personal data may be transferred to and processed in the United States. The United States may not provide the same level of data protection as your home jurisdiction. By using our Services, you acknowledge this transfer. We design our data handling practices to provide appropriate protections regardless of where data is processed, in alignment with GDPR Chapter V requirements where applicable.

This applies equally to data flows that occur during WordPress plugin license validation and Smart Panel intelligence processing — all such flows are between your server and our US-based infrastructure.

If you have questions about international data transfers, contact privacy@netroflex.com.

Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites. We currently do not respond to Do Not Track signals due to the lack of a consistent industry standard for how such signals should be interpreted and honoured. If a consistent standard is established, we will revisit this position. You may opt out of non-essential data collection at any time by contacting us at privacy@netroflex.com.

Proprietary Software Notice

All source code, algorithms, platform architecture, scoring logic, registration systems, consent enforcement engine, policy version control system, Dorothy AI engine, and software powering NetroFlex CIP™ are proprietary and confidential. No part of our software may be copied, reverse-engineered, decompiled, or distributed without express written permission from NetroFlex.

Data processed through our WordPress plugin remains stored in your own database infrastructure under your control as the site administrator. NetroFlex does not have access to plugin-collected lead data.

Children's Privacy

Our Services are not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@netroflex.com and we will delete it promptly.

Changes to This Privacy Policy and Re-Consent

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify affected users by email.

When we publish a material update that increments our Privacy Policy version number, existing platform users will be required to review and re-accept the updated policy before they can access the platform dashboard. This re-consent flow is enforced by our global policy engine and cannot be bypassed. Each re-acceptance is logged as a new record in our consent audit trail.

We encourage you to review this policy periodically. Continued use of our Services after changes are posted constitutes your acceptance of the revised policy for Services that do not require active re-consent.

WordPress Plugin — API and License Data Flows

This section provides a complete technical disclosure of all data flows between the NetroFlex CIP™ WordPress plugin and our servers. Site operators are responsible for disclosing these data flows to their own visitors in their privacy policy.

21.1 License and API Key Validation

The NetroFlex CIP™ WordPress plugin performs scheduled license validation on the 1st and 15th of each calendar month by sending a server-to-server request to api.netroflex.com. This request transmits:

• Your tenant ID — to identify your account
• Your hashed license key and API key — to authenticate the request
• Plugin version number — to ensure compatibility
• Your server's IP address — as a byproduct of any outbound HTTP request

No visitor data, lead data, or personal information belonging to your site's visitors is transmitted during license validation. This is a server-to-server authentication check only. If a license or API key is found to be invalid, inactive, or suspended, the plugin's protected features will be disabled until the issue is resolved.

21.2 Smart Panel Intelligence Data Flow

When a site operator opens the Smart Panel for a specific lead, the plugin sends a request to api.netroflex.com containing the lead's stored data to generate intelligence outputs. This is an on-demand request, not a scheduled one. The data transmitted includes:

• A short-lived session token (not the raw API key) — generated per Smart Panel session
• The lead's engagement signals, UTM data, temperature classification, and relevant history — to enable CIP scoring and Dorothy AI responses
• Your tenant ID — to authenticate the request and isolate your data from other tenants

Our server processes this data to generate the intelligence response (CIP score, Dorothy insights, behavioral analysis) and returns it to your WordPress dashboard. This data is not permanently stored on our servers after the response is returned. Lead records remain in your own database on your own server.

21.3 Plugin Update Checks

If the plugin is distributed through the WordPress.org repository, update checks are handled by WordPress.org infrastructure, not by NetroFlex. WordPress.org's own privacy policy governs those requests.

21.4 Operator Disclosure Obligation

As a site operator deploying the NetroFlex CIP™ plugin, you must disclose in your own privacy policy that your site uses NetroFlex CIP™, that the plugin contacts api.netroflex.com for license validation and intelligence processing, and that lead data may be temporarily transmitted to NetroFlex servers when the Smart Panel is used. See our Plugin Data Policy for a template disclosure you can adapt.

Dorothy AI — Processing and Data Handling

Dorothy is the NetroFlex CIP™ AI assistant. This section discloses exactly how Dorothy processes data and what happens to that data.

22.1 How Dorothy Works

When a site operator asks Dorothy a question about a lead — for example, "What should I do next with this lead?" or "Is this lead ready to buy?" — Dorothy formulates a response based on that lead's data. To do this, the following data is temporarily transmitted from the operator's plugin or dashboard to api.netroflex.com:

• The lead's CIP engagement score and temperature classification
• UTM source, medium, campaign, and content data
• Behavioral signals — scroll depth, time on page, form interaction data
• Bot risk assessment
• Any notes the operator has added to the lead record
• Timeline and activity history for that lead

22.2 What We Do NOT Do

• We do not send lead data to any third-party AI provider — Dorothy runs entirely on NetroFlex's own infrastructure
• We do not permanently store the lead data transmitted for Dorothy queries
• We do not use Dorothy query data to train models or improve our systems in ways that retain identifiable lead data
• We do not share Dorothy query data with any other tenant or third party

22.3 Dorothy as a Decision Support Tool

Dorothy's responses are informational suggestions only. Dorothy suggests. It does not send communications, take actions, or make binding decisions. All communications require explicit review and approval by the site operator. The site operator is solely responsible for any actions taken based on Dorothy's suggestions.

22.4 Data Retention for Dorothy Queries

Lead data transmitted for Dorothy processing is held in memory for the duration of the query processing only and is not written to any persistent storage on NetroFlex servers. Dorothy query logs (recording that a query was made, the account that made it, and the timestamp) may be retained for up to 30 days for system monitoring and abuse prevention, without retaining the lead's personal data.

base.netroflex.com Portal — Future Advertising

The NetroFlex CIP™ user portal at base.netroflex.com may in the future display third-party advertising, including video and display ad formats. This section documents our commitment to transparency when that occurs.

No advertising is currently active on any NetroFlex domain. When third-party advertising is introduced to the portal, we commit to:

• Updating this Privacy Policy and our Cookie Policy at least 14 days in advance with full details of the advertising network, cookie types, and data flows involved
• Implementing a consent mechanism inside the portal for EU/EEA users before any advertising cookies are activated
• Disclosing the specific third-party ad networks used and linking to their own privacy policies
• Providing a clear mechanism for portal users to opt out of advertising cookies at any time
• Ensuring Pro plan users are offered an ad-free experience where commercially feasible

Third-party advertising networks typically set their own cookies for purposes including viewability tracking, frequency capping, and audience targeting. When any such advertising is introduced, full disclosure will appear in both this policy and our Cookie Policy before activation. Portal advertising, if and when introduced, will apply only to base.netroflex.com and will not affect the netroflex.com marketing site.

The WordPress plugin lite version of the portal may also carry advertising in future. The same 14-day advance notice and consent mechanism commitments apply.

Contact Us

For questions, concerns, or data requests regarding this Privacy Policy: