📋 What This Means in Plain English
  • ✅ We collect your email and name when you sign up — nothing more by default
  • ✅ We hash your IP address immediately — we never store the real one
  • ✅ We score leads to help marketers prioritise follow-up — this score has no effect on you legally or financially
  • ✅ We may collect on-screen interaction data (scroll, click position) — this is digital only, never physical location or GPS
  • ✅ We track UTM campaign data to understand which ads bring visitors to our site
  • ✅ Communications features (SMS, email, calling) are controlled by site operators, not NetroFlex CIP™
  • ✅ Our AI assistant (Frost) suggests and drafts messages — it never sends automatically. You always decide.
  • ✅ If you submitted a form on another website, that site's own privacy policy applies — we process data on their behalf
  • ✅ Our embedded forms use a routing identifier only — it does not track you across websites
  • 🚫 We do not sell your data — ever
  • 🚫 We do not use advertising cookies
  • 🚫 We do not make automated decisions that legally affect you
  • 🚫 We do not infer sensitive characteristics like race, religion, or health
  • 📧 You can delete your data anytime — email privacy@netroflex.com

Section 01

Introduction

NetroFlex CIP™ ("we," "us," or "our") is a Conversion Intelligence Platform developed and operated by NetroFlex, a US-based software company. We are committed to protecting your privacy and being transparent about the data we collect, how we use it, and your rights.

This Privacy Policy applies to our website at netroflex.com, the NetroFlex CIP™ WordPress plugin, our early access waitlist, and any future SaaS platform, Shopify integration, or Pro Add-On features we release (collectively, the "Services").

By using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Services.

We design our practices to align with applicable privacy laws, including GDPR and CCPA where relevant. We do not claim perfection — if you have concerns, contact us at privacy@netroflex.com.

Section 02

Who We Are

NetroFlex CIP™ is a performance optimization system based on engagement signals. Our platform helps marketers, creators, and agencies capture, score, and understand leads through intelligent tracking and automation.

All software, source code, platform architecture, and related intellectual property associated with NetroFlex CIP™ is proprietary and confidential.

NetroFlex CIP™ is designed solely as a marketing workflow and lead prioritisation tool. It is not a system for evaluating individuals in any legal, financial, employment, credit, housing, or eligibility context.

Section 03

Information We Collect

3.1 Information You Provide Directly

When you join our early access waitlist or create an account on our platform, we collect:

  • Email address (required) — used to send your waitlist confirmation and platform updates
  • Name (collected when provided) — used to personalise communications
  • Plan preference — used to assign you to the correct pricing tier and feature set
  • Phone number (if provided or enabled by site operator via Pro Add-On) — used for communication features where opted in
  • Scheduling and communication preferences — if you interact with scheduling or calling features via a site operator's implementation

3.2 Information Collected Automatically

When you interact with our Services, we automatically collect:

  • Hashed IP address — your IP address is immediately converted to a one-way SHA-256 cryptographic hash before storage. We never store your raw IP. While hashed IP addresses are not directly identifiable, we treat them as personal data where required under applicable law. Used solely for bot blocking and fraud detection.
  • UTM parameters (utm_source, utm_campaign, utm_medium, utm_content, utm_term) — collected when present in the URL to understand which marketing campaigns drive signups
  • Page source / referral — the page title or URL where a form was submitted
  • Engagement signals — form interaction data and session behaviour used by the CIP™ scoring engine to rank lead quality for site operators
  • System logs — we may maintain system logs for security, fraud prevention, and system integrity purposes. These are retained for up to 90 days.

3.3 CCPA Data Categories Breakdown

For California residents, here is a structured breakdown of the categories of personal information we collect:

  • Identifiers — email address, name, hashed IP address
  • Commercial information — plan preference, pricing tier selection
  • Internet or network activity — page views, form interactions, UTM parameters, engagement signals, session data
  • Inferences — CIP™ lead engagement score derived from interaction behaviour
  • Communication data — phone number and scheduling data where provided through Pro Add-On features

3.4 Cookies and Local Storage

Our website uses localStorage (not cookies) to remember your theme preference (light/dark mode). This does not track you and is stored only in your own browser.

Our WordPress plugin may set functional cookies to recognise returning visitors and prevent duplicate lead submissions. These are session-based functional cookies and are not used for advertising or cross-site tracking.

If you are an EU/EEA visitor, functional cookies strictly necessary for the service to operate do not require consent under GDPR. We do not use advertising or third-party tracking cookies. Where required by law, site operators must implement a cookie consent mechanism before enabling tracking features on their sites.

3.5 WordPress Plugin Data

If you are a site operator using the NetroFlex CIP™ WordPress plugin, your plugin collects lead data submitted through your forms — including email, name, UTM data, and engagement signals. This data is stored in your own database on your own server and remains entirely under your control. NetroFlex does not have access to your site's lead database.

3.6 What We Do NOT Collect

  • We do not collect raw IP addresses — only irreversible SHA-256 hashes
  • We do not collect payment card details — billing is handled by third-party processors
  • We do not collect sensitive personal data (race, religion, health, biometric data)
  • We do not attempt to infer sensitive personal characteristics such as race, religion, health status, or political affiliation
  • We do not collect data from children under 13
  • We do not use advertising cookies or sell data to advertisers
  • We do not share your data with any third party for their own marketing purposes

3.7 Future: Analytics

We may in the future integrate Google Analytics or a similar service to help us understand site traffic patterns. If and when this occurs, this Privacy Policy will be updated before implementation, and EU visitors will be presented with an appropriate consent mechanism.

3.8 Spatial Interaction Data

We may collect spatial interaction data related to how users engage with elements within a website or application interface. This may include cursor movement, click positioning, scroll depth, viewport visibility, and interaction with on-screen components.

This data is limited strictly to digital, on-screen interactions within a browser or application environment. NetroFlex CIP™ does not collect or process precise geographic location data, GPS data, or real-world physical location information.

Spatial interaction data is used solely to analyze engagement patterns, improve user experience, and enhance conversion performance for site operators.

We do not track users across unrelated websites, devices, or physical environments. All interaction data is limited to the specific implementation of the Services.

NetroFlex CIP™ does not use spatial interaction data to uniquely identify individuals, create biometric profiles, or infer sensitive personal characteristics.

3.9 Embedded Forms and External Data Collection

NetroFlex CIP™ allows site operators to deploy forms on external websites using embedded HTML code or platform integrations, including WordPress shortcodes. When a visitor submits information through one of these forms, the data is transmitted directly to NetroFlex servers for processing and storage on behalf of the site operator.

In these cases, the site operator is the data controller, and NetroFlex acts as a data processor providing infrastructure and processing services. NetroFlex does not control how these forms are presented, deployed, or disclosed on external websites.

3.10 System Tracking Identifiers

Each embedded form may include a unique system identifier that associates the submission with the corresponding NetroFlex CIP™ account. This identifier is used solely to route data correctly, attribute submissions to the appropriate user, and enable platform functionality such as lead tracking and reporting.

This identifier does not track individuals across websites, identify personal identities, or monitor user activity beyond the specific form submission context. It is a routing mechanism, not a cross-site tracking mechanism.

3.11 End User Transparency — Embedded Forms

If you are an end user submitting information through a form hosted on an external website, you should refer to the privacy policy of the website on which the form is hosted. The site operator is responsible for providing appropriate disclosures and obtaining any required consent before collecting your data through NetroFlex CIP™ forms.

Section 04

How We Use Your Information

  • To add you to our early access waitlist and send you a confirmation email, typically within minutes of signup
  • To assign you to the correct plan and lock in your founding pricing tier
  • To send platform updates, launch notifications, and early access invites
  • To detect and block bots, scrapers, and malicious actors targeting our system (via hashed IP)
  • To understand which marketing campaigns drive signups (via UTM data)
  • To calculate a CIP™ lead engagement score for site operators using our plugin — this score helps marketers prioritise follow-up and is not used to make any automated decision that legally affects you
  • To improve our platform, features, and user experience
  • To comply with legal obligations

Automated Processing

When you submit a form on a site using the NetroFlex CIP™ plugin, our system may automatically:

  • Calculate a CIP™ engagement score based on your interaction signals (e.g. time on page, form completion)
  • Classify your lead status as cold, warm, or hot to help the site operator prioritise outreach
  • Trigger a follow-up notification or email to the site operator alerting them of your signup
  • Block submissions identified as bots or security threats based on hashed IP reputation

These automated processes do not make any decision that legally or significantly affects you as an individual. They are tools for the site operator's internal marketing workflow only. You are never denied a service, charged differently, or discriminated against based on your CIP™ score.

NetroFlex CIP™ outputs — including engagement scores and lead classifications — are provided for informational purposes only. Site operators are solely responsible for any decisions, actions, or outcomes resulting from their use of these outputs.

Frost AI — Assisted Intelligence (Not Autonomous Action)

NetroFlex CIP™ may include Frost, an AI assistant that analyses engagement signals and generates suggested actions or draft communications based on lead activity — for example, suggesting a follow-up message when a lead engages with a specific piece of content.

Frost operates as a decision support system only. It suggests. It drafts. It does not act.

  • All communications suggested by Frost require manual review and explicit approval by the site operator before sending
  • NetroFlex CIP™ does not send messages automatically on behalf of any user
  • All communications are user-initiated and user-controlled — the platform never initiates contact with a lead independently
  • Frost-generated drafts are starting points for human review, not automated outputs
  • Generated communications are provided as optional drafts only and are never sent without explicit user action and approval
  • NetroFlex does not verify, validate, or assume responsibility for the accuracy or appropriateness of any AI-generated content
  • Users are solely responsible for reviewing and approving all generated content before it is sent

This architecture ensures that all outreach remains under the full control of the site operator, and that NetroFlex CIP™ cannot be characterised as an autonomous messaging or communication system.

Communication Action Logging

For platform integrity and dispute resolution purposes, NetroFlex CIP™ maintains logs of communication actions. These logs record the timestamp a draft was generated, the timestamp the user sent the communication, and whether the draft was edited before sending. This logging exists to establish a clear record that all communications were reviewed and sent by the user — not by NetroFlex CIP™. Logs are retained for a minimum of 24 months.

Our Commitment

We do not use your data for behavioural advertising, third-party profiling, or any purpose not described in this policy. We do not sell your data. CIP™ scoring is a marketing prioritisation tool for site operators — it has no legal or financial effect on you as a lead.

Section 05

IP Address Hashing — Our Approach

When you submit a form on our platform, we process your IP address through a SHA-256 cryptographic hash before it is ever stored. The raw IP address is discarded immediately and never written to our database.

Hashing vs. Truncation — Why Ours Is Stronger

Some services like Google Analytics anonymize IPs by truncating the last segment (e.g. 192.168.1.105 becomes 192.168.1.0). This still partially identifies a network. We go further — we apply SHA-256 hashing, which converts the entire IP into a fixed-length string that bears no resemblance to the original and cannot be reversed by any means. This is a stronger privacy protection.

  • Your raw IP address is never stored — it is hashed and discarded in the same operation
  • SHA-256 is a one-way cryptographic function — mathematically irreversible
  • The stored hash cannot be used to identify you, locate you, or reconstruct your IP
  • While hashed IP addresses are not directly identifiable, we treat them as personal data where required under applicable law
  • Used exclusively for bot detection and blocking malicious actors
  • Retained for up to 12 months then permanently deleted
  • Never shared with any third party
  • Never used to track your behaviour across websites

We design our IP handling practices to align with GDPR, CCPA, and general international privacy standards.
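
Added example, not NetroFlex's code: SHA-256 cannot be inverted, but IPv4 has only 2^32 possible inputs, so whether a stored digest can be matched back to an address depends on whether the hash is keyed. The policy does not say which form is used; the sketch below assumes the digest is taken over the address text, uses the policy's own 192.168.1.105 example, and compares truncation, a bare SHA-256, and a hypothetical HMAC-SHA-256 variant with a constructed key.

```python
import hashlib
import hmac
import ipaddress
import secrets


def canonical(ip: str) -> str:
    """Normalise textual forms so one address always yields one digest."""
    return str(ipaddress.ip_address(ip.strip()))


def truncate_ipv4(ip: str) -> str:
    """Truncation as in the policy's comparison: zero the last octet."""
    net = ipaddress.ip_network(f"{canonical(ip)}/24", strict=False)
    return str(net.network_address)


def bare_sha256(ip: str) -> str:
    """Unkeyed SHA-256 of the canonical address text (assumed scheme)."""
    return hashlib.sha256(canonical(ip).encode("ascii")).hexdigest()


def keyed_sha256(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a server-side secret (hypothetical hardening)."""
    return hmac.new(key, canonical(ip).encode("ascii"), hashlib.sha256).hexdigest()


def matches_in_range(stored: str, network: str, hash_fn):
    """Reviewer's check: re-hash each address in `network` and return the
    one whose digest equals `stored`, or None when nothing matches."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hash_fn(str(addr)), stored):
            return str(addr)
    return None


def review(ip="192.168.1.105", network="192.168.1.0/24", key=None):
    """Compare the three treatments for one address.

    `key` stands in for a secret kept outside the database (constructed
    here; in a deployment it would come from a secret store)."""
    key = key or secrets.token_bytes(32)
    rotated_key = secrets.token_bytes(32)  # the key after a rotation
    stored_bare = bare_sha256(ip)
    stored_keyed = keyed_sha256(ip, key)
    return {
        # Truncation keeps the /24 network visible.
        "truncated": truncate_ipv4(ip),
        # A bare digest is matched by re-hashing the candidate range.
        "bare_matched": matches_in_range(stored_bare, network, bare_sha256),
        # A keyed digest does not match without the key ...
        "keyed_matched_without_key": matches_in_range(
            stored_keyed, network, bare_sha256),
        # ... nor with a different key.
        "keyed_matched_wrong_key": matches_in_range(
            stored_keyed, network, lambda a: keyed_sha256(a, rotated_key)),
        # The key holder can still recognise a repeat visitor for bot blocking.
        "blocklist_lookup_still_works": hmac.compare_digest(
            keyed_sha256(ip, key), stored_keyed),
        # Digests made under different keys cannot be linked to each other.
        "linkable_after_key_rotation": hmac.compare_digest(
            keyed_sha256(ip, rotated_key), stored_keyed),
    }


if __name__ == "__main__":
    for name, value in review().items():
        print(f"{name}: {value}")
```

Rotating and destroying the key on the same schedule as the retention period makes older digests unmatchable even to the key holder.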

Section 06

Legal Basis for Processing — GDPR (EU Users)

For EU / EEA Residents

The General Data Protection Regulation (GDPR) grants you specific rights over your personal data.

We process your personal data under the following legal bases:

  • Consent — You voluntarily submit your email. You may withdraw at any time by unsubscribing.
  • Legitimate Interests — Fraud prevention, bot detection, traffic source understanding, and lead scoring for site operators.
  • Legal Obligation — Where required by applicable law.

Your GDPR Rights

  • Access — Request a copy of your personal data
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion ("right to be forgotten")
  • Restriction — Request limited processing of your data
  • Portability — Request your data in a portable format
  • Objection — Object to processing based on legitimate interests, including profiling

Profiling Disclosure — GDPR Article 22

Our CIP™ platform performs automated scoring of leads based on engagement signals. Under GDPR Article 4(4), this constitutes profiling and we are required to disclose it clearly:

  • CIP™ analyses engagement behaviour (time on page, form interaction) and on-screen spatial interaction patterns to assign a lead quality score
  • This scoring is an internal marketing tool for site operators only
  • It has no legal or similarly significant effect on you as an individual
  • It does not affect your access to services, your pricing, credit, employment, or any other right
  • It is not used for creditworthiness, employment decisions, insurance eligibility, housing, or any regulated decision-making process
  • Because it produces no legal effects, it falls under legitimate interests rather than requiring explicit consent under Article 22
  • You have the right to object to this profiling at any time — email privacy@netroflex.com

Contact privacy@netroflex.com to exercise any of these rights. We respond within 30 days.

Section 07

California Privacy Rights — CCPA

For California Residents

The California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information.

  • Right to Know — Request disclosure of categories and specific data collected about you. See Section 3.3 for a full category breakdown.
  • Right to Delete — Request deletion of your personal information, subject to certain exceptions
  • Right to Correct — Request correction of inaccurate personal information we hold about you
  • Right to Opt-Out — We do not sell your personal information. You do not need to opt out of a sale.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights

Submit a CCPA request to privacy@netroflex.com with subject line "CCPA Request".

Section 08

Data Retention

  • Waitlist email addresses — until you unsubscribe, request deletion, or the waitlist program ends
  • Name and plan preference — retained as long as your account or waitlist record is active
  • Hashed IP addresses — up to 12 months for fraud detection, then permanently deleted
  • UTM / source data — as long as your waitlist record is active
  • System logs — up to 90 days for security and integrity purposes
  • Communication data — retained as long as the site operator's account is active, subject to their own data policies

You may request deletion of your data at any time by emailing privacy@netroflex.com.

Section 09

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We do not currently share your data with any third-party services for their own purposes. We may disclose data only in these circumstances:

  • Legal compliance — if required by law, court order, or government authority
  • Business protection — to enforce our Terms of Service or protect rights, property, or safety
  • Business transfer — in a merger or acquisition, with prior notice to you before your data becomes subject to a different privacy policy
  • Third-party service providers — we may use third-party service providers, such as cloud communications platforms, email delivery services, and video conferencing providers, to enable certain features. These providers process data only as necessary to perform their functions and are not permitted to use it for their own purposes. NetroFlex CIP™ is not the infrastructure owner of these communication channels. These providers act as independent processors and are responsible for their own compliance with applicable laws.

Section 10

Data Security and Breach Notification

  • Database credentials stored as server environment variables — never in publicly accessible files
  • IP addresses stored only as one-way cryptographic hashes
  • Production system access restricted to authorised personnel only
  • HTTPS encryption for all data in transit
  • System logs maintained for security and integrity monitoring

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Breach Notification: In the event of a data breach affecting your personal data, we will notify affected users in accordance with applicable laws — including GDPR Article 33 (within 72 hours to the relevant supervisory authority where required) and applicable US state breach notification requirements.

Section 11

Communications Features — Pro Add-On

NetroFlex CIP™ Is a Tool Provider, Not a Sender

NetroFlex CIP™ provides communication tools. We do not initiate, send, or control communications between site operators and their leads. All outreach decisions are made solely by the site operator.

Certain communication features — including SMS, calling, video calls, voice memos, email outreach, and scheduling — are offered as optional Pro Add-On functionality controlled entirely by the site operator. These features are not active by default.

11.1 What NetroFlex CIP™ Provides

  • A Smart Panel interface enabling site operators to initiate communications with their leads
  • Communication may be initiated manually by the site operator or triggered automatically based on user-defined workflows
  • Video call and scheduling features may involve the processing of meeting metadata, calendar information, and communication logs
  • NetroFlex CIP™ does not determine when, how, or whether a site operator contacts a lead, and does not evaluate the legality of such communications

11.2 Operator Responsibilities — TCPA and Consent

Site operators are solely responsible for obtaining all required consent before contacting individuals via SMS, phone calls, email, or automated systems, in accordance with all applicable laws including:

  • The Telephone Consumer Protection Act (TCPA) for SMS and automated calls in the United States
  • The CAN-SPAM Act for commercial email
  • GDPR Article 6 for any communications involving EU residents
  • Any applicable local or national laws governing electronic communications in the operator's jurisdiction

Recipients must be provided with a clear method to opt out of communications, such as replying STOP for SMS where applicable. Site operators are responsible for honouring all opt-out requests promptly.

11.3 Anti-Spam and Misuse Prohibition

Users may not use NetroFlex CIP™ to send unsolicited, spam, or harassing communications. Users may not use NetroFlex CIP™ to make decisions that produce legal or similarly significant effects concerning individuals. Violation of these terms may result in immediate account termination.

11.4 Third-Party Communications Infrastructure

Certain communication features may rely on third-party service providers, including cloud communications platforms, email delivery systems, and video conferencing services. These providers process data only as necessary to perform their functions and are not permitted to use it for their own purposes. NetroFlex CIP™ is not the infrastructure owner of these communication channels and does not control the data practices of third-party providers.

11.5 No Agency Relationship

NetroFlex CIP™ does not act as an agent, representative, or intermediary for any site operator. No agency, partnership, joint venture, employment, or fiduciary relationship is created between NetroFlex and any site operator through the use of the platform's communication features or any other aspect of the Services.

Section 12

Data Controller vs. Data Processor

The distinction between data controller and data processor is a critical concept under GDPR and similar frameworks. For clarity:

  • For data collected directly by NetroFlex CIP™ (e.g. the early access waitlist at netroflex.com): NetroFlex acts as the data controller and this Privacy Policy governs how that data is handled.
  • For data collected through the NetroFlex CIP™ plugin on a site operator's website: the site operator acts as the data controller, and NetroFlex acts as a data processor where applicable. The site operator is responsible for their own privacy disclosures and compliance obligations toward their leads.

NetroFlex does not have access to lead data stored in a site operator's own database. That data remains entirely under the site operator's control and governance.

Section 13

Site Operator Responsibility

Site operators using NetroFlex CIP™ are responsible for ensuring their own compliance with applicable privacy laws in their jurisdiction. This includes but is not limited to:

  • Providing appropriate privacy disclosures to their own users and leads
  • Obtaining consent where required before tracking, scoring, or contacting individuals
  • Implementing a cookie consent mechanism before enabling tracking features
  • Complying with TCPA, CAN-SPAM, GDPR, CCPA, and any other applicable laws governing their use of the platform
  • Honouring data deletion and opt-out requests from their leads
  • Ensuring their own privacy policy reflects the use of NetroFlex CIP™ features on their site

NetroFlex provides infrastructure and tools. We do not control how site operators collect, interpret, or act on data collected through their implementation of the Services. Liability for misuse of the platform rests with the site operator.

Section 14

Scope of Responsibility

NetroFlex CIP™ provides infrastructure and tools for marketing workflow automation and lead intelligence. Our scope of responsibility is defined as follows:

  • We provide the platform — we do not make decisions on behalf of site operators or their leads
  • We do not control how site operators use data collected through their implementation
  • We do not evaluate the legality of communications initiated by site operators
  • We do not guarantee the accuracy, completeness, or reliability of any engagement score, lead classification, or inferred behaviour produced by the CIP™ system
  • NetroFlex CIP™ does not provide business, marketing, legal, or financial advice
  • Nothing in the platform or its outputs should be construed as professional advice of any kind

Our Services are intended for use by businesses and individuals operating in compliance with applicable laws in their jurisdiction.

NetroFlex has no obligation to monitor, review, or validate communications, user activity, data practices, or compliance with applicable laws by site operators or their end users. We may, but are not required to, investigate reported misuse of the platform.

Section 15

Liability, No Reliance, and No Guarantee

15.1 No Reliance

NetroFlex CIP™ outputs — including engagement scores, lead classifications, and behavioural inferences — are provided for informational and workflow purposes only. Site operators are solely responsible for any decisions, actions, or outcomes resulting from their use of these outputs. NetroFlex accepts no liability for business decisions made based on CIP™ data.

15.2 No Accuracy Guarantee

We do not guarantee the accuracy, completeness, or reliability of any engagement score, lead classification, or inferred behaviour generated by the CIP™ system. Scores are probabilistic signals, not definitive assessments of any individual.

15.3 No Professional Advice

NetroFlex CIP™ does not provide business, marketing, legal, financial, or any other form of professional advice. Nothing in the platform or its outputs should be construed as advice of any kind.

15.4 No Warranty — As Is / As Available

The Services are provided "as is" and "as available" without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not warrant that the Services will be uninterrupted, error-free, completely secure, or free of harmful components.

15.5 No Sensitive Inference

NetroFlex CIP™ does not attempt to infer sensitive personal characteristics such as race, religion, health status, political affiliation, sexual orientation, or any other protected characteristic. Any such inference drawn from CIP™ data would be unintended, unsupported by the system, and a misuse of the platform.

15.6 Limitation of Purpose

CIP™ is designed solely as a marketing workflow and lead prioritisation tool. It must not be used as a system for evaluating individuals in any legal, financial, employment, credit, insurance, housing, or eligibility context. CIP™ scoring is not used for and must not be applied to creditworthiness assessments, employment screening, insurance eligibility, housing applications, or any regulated decision-making process.

15.7 Regulatory Non-Classification

NetroFlex CIP™ is not a telecommunications provider, common carrier, financial institution, credit reporting agency, consumer reporting agency, data broker, or regulated entity under any applicable telecommunications, financial services, or consumer protection statute. The platform does not provide regulated services in any jurisdiction.

Section 16

International Data Transfers

NetroFlex CIP™ is based in the United States. If you are located outside the United States — including in the European Union, European Economic Area, or United Kingdom — your personal data may be transferred to and processed in the United States.

The United States may not provide the same level of data protection as your home jurisdiction. By using our Services, you acknowledge this transfer. We design our data handling practices to provide appropriate protections regardless of where data is processed, in alignment with GDPR Chapter V requirements where applicable.

If you have questions about international data transfers or wish to exercise your rights, contact privacy@netroflex.com.

Section 17

Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites. We currently do not respond to Do Not Track signals due to the lack of a consistent industry standard for how such signals should be interpreted and honoured. If a consistent standard is established, we will revisit this position.

You may opt out of non-essential data collection at any time by contacting us at privacy@netroflex.com.

Section 18

Proprietary Software Notice

All source code, algorithms, platform architecture, scoring logic, and software powering NetroFlex CIP™ are proprietary and confidential. No part of our software may be copied, reverse-engineered, decompiled, or distributed without express written permission from NetroFlex.

Data processed through our WordPress plugin remains stored in your own database infrastructure under your control as the site administrator. NetroFlex does not have access to plugin-collected lead data.

Section 19

Children's Privacy

Our Services are not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@netroflex.com and we will delete it promptly.

Section 20

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify affected users by email.

We encourage you to review this policy periodically. Continued use of our Services after changes are posted constitutes your acceptance of the revised policy.

Section 21

Contact Us

For questions, concerns, or data requests regarding this Privacy Policy:

📧 Email: privacy@netroflex.com

🌐 Website: https://netroflex.com

📝 Subject line: "Privacy Request" for all data-related inquiries

We respond within 5 business days, and within 30 days for formal GDPR/CCPA requests.