Privacy Policy
Last updated March 26, 2026
Introduction
We at Underflow, Inc. ("Underflow", "we" or "us"), doing business as Proof of Review, are committed to respecting your privacy and keeping secure any information you share with us. This privacy policy explains how we collect, use, disclose, and process your personal data when you use our software, platform, and related services at proofofreview.ai.
Proof of Review is a service operated by Underflow, Inc. that provides AI compliance review software that helps teams document human review of AI decisions and maintain audit-ready compliance records. This policy describes how we handle the data involved in that process.
This Privacy Policy describes how we handle your information. It does not constitute a contract or create consent-based obligations beyond what is required by applicable law.
Where Underflow processes data on behalf of commercial customers (for example, decision records, reviewer records, or consumer request records), that processing is governed by our customer agreements and, where applicable, a Data Processing Agreement (DPA). This Privacy Policy does not apply to data we process solely on behalf of our customers.
1. Data we collect
Data you provide directly
- Account Information: Your name and email address when you sign up.
- Payment Information: Payment details if you access paid services.
- Communications: Your name, contact information, and message contents when you contact us.
Service data you provide or connect
When you use Proof of Review, we may access and process:
- Review and decision records: Recommendations, reviewer activity, decision rationales, timestamps, and related audit metadata.
- Documents and supporting materials: Files, records, policies, and other materials you submit to the Service.
- Communications: Messages and related context you provide when using the Service or contacting us.
Data we collect automatically
- Device Information: Device type, browser, operating system.
- Log Information: IP address, browser settings, error logs.
- Usage Data: How you use the Service, features used, actions taken.
- Cookies and similar technologies: See Section 12 ("Cookies and tracking technologies") for details.
Sensitive data
Proof of Review may process sensitive personal information contained in decision records, review materials, consumer appeals, notices, or supporting documents you provide to the Service. Depending on your use case, this may include financial information, employment records, education records, health-related information, government identifiers, or other data used in regulated decisions. We process this data solely to provide the Service on behalf of our customers and apply access controls, encryption, and retention limits to protect it. We do not use sensitive data for advertising or for any purpose outside the agreed scope of the Service.
We do not direct the Service to children under 18. If you are a customer, you are responsible for ensuring you have the rights and permissions necessary to provide any personal information, sensitive personal information, or regulated data to the Service.
2. Product data and integrations
Proof of Review may connect to or receive data from systems you use to manage AI recommendations, human review, notices, opt-outs, appeals, risk assessments, and audit records. Depending on your configuration, this may include:
- Decision records: AI recommendations, reviewer actions, final outcomes, rationales, timestamps, and related audit metadata.
- Review materials: Documents, evidence, policies, criteria, and supporting materials reviewed by human decision-makers.
- Reviewer records: Reviewer identities, authorization scope, credential status, training or qualification records, and review history.
- Consumer request records: Pre-use notice delivery, opt-out requests, access requests, appeals, responses, and status updates.
- System metadata: Configuration settings, integration logs, event logs, and security records needed to operate the Service.
3. How we use your data
We use your data to:
- Provide, maintain, and improve the Service
- Create and maintain proof of review records
- Document human review of AI-supported decisions
- Generate notices, opt-out workflows, access responses, appeal records, and related artifacts
- Support risk assessments, audit trails, and compliance reporting
- Manage accounts, authentication, permissions, and support requests
- Monitor, secure, and troubleshoot the Service
- Communicate with you about the Service
- Comply with legal obligations
AI and machine learning
Proof of Review may use artificial intelligence to assist with document review, workflow classification, risk assessment support, and generation of compliance artifacts. AI-assisted processing is performed with access controls, encryption, and audit logging appropriate to the sensitivity of the data.
Underflow will not use customer Content to train, or allow any third party to train, general-purpose AI models unless you have explicitly agreed to such use.
We may use anonymized and aggregated data to improve the Service, but only in a way that cannot identify you, your customers, reviewers, applicants, consumers, employees, or other individuals.
4. How we share your data
We may share your data with:
- Service Providers: Third parties who help us operate the Service, including cloud hosting, AI model providers, payment processors, and analytics services. These parties process data only as necessary to perform services on our behalf.
- Business Transfers: In connection with a merger, acquisition, restructuring, or sale of assets, your data may be transferred as part of that transaction.
- With Your Consent: When you give us permission to share, including through features designed to share information with other users or third parties.
5. Compelled disclosure
We may disclose your data if required:
- Under applicable law or to respond to a legal process, such as a search warrant, court order, or subpoena
- To protect our safety, your safety, or the safety of others, or in the legitimate interest of any party in the context of national security, law enforcement, litigation, or criminal investigation
- If required in connection with legal proceedings brought against Underflow, its officers, employees, affiliates, customers, or vendors
- To establish, exercise, protect, defend, and enforce our legal rights
6. Do Not Sell or Share My Personal Information
Underflow does not sell your personal information. We do not sell, rent, or trade personal data to third parties for monetary or other valuable consideration.
Underflow does not share your personal information for cross-context behavioral advertising. We do not share personal data with third parties for targeted advertising purposes.
Because we do not sell or share personal information, there is no need to opt out. However, if you believe your data has been sold or shared in error, or if you wish to exercise your right to opt out, please contact us at legal@useunderflow.com.
Underflow honors Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we will treat it as a valid opt-out request under applicable state privacy laws.
7. International transfers
Underflow is based in the United States. When you use our Service, your data may be transferred to and processed in the United States or other countries where our service providers operate.
If you are located in the European Economic Area (EEA) or UK, we will ensure appropriate safeguards are in place for any transfer of your data outside these regions, including Standard Contractual Clauses or other legally valid transfer mechanisms.
Your rights and protections will not be diminished by any international transfer of your data.
8. Retention
We retain your data only as long as necessary to operate the Service and meet our legal obligations. The specific retention periods depend on the category of data:
| Data category | Retention period |
|---|---|
| Account information (name, email) | Duration of your account plus 30 days after deletion |
| Decision and review records | Retained according to customer-configured retention periods or customer agreement. Deleted within 30 days of account termination unless a longer period is agreed or legally required. |
| Compliance artifacts | Retained according to customer-configured retention periods or customer agreement. Deleted within 30 days of account termination unless a longer period is agreed or legally required. |
| Payment information | As required by tax and financial regulations (typically 7 years) |
| Server logs (IP address, error logs) | 90 days |
| Analytics data | 26 months (aggregated; not tied to identifiable individuals) |
| Communications (support emails) | 2 years after last contact, unless needed for legal purposes |
| Cookies | See Section 12 for cookie-specific retention |
When you terminate your use of the Service, we delete data from our servers within 30 days, unless a longer retention period is specified in your customer agreement or required by law. Customers requiring multi-year retention for regulatory or audit purposes should specify retention terms in their agreement.
When data is no longer needed, we delete, de-identify, or anonymize it in compliance with applicable laws.
9. Security
We implement industry-standard technical and organizational measures to protect your data from unauthorized access, loss, or disclosure.
- Access Control: Access to personal data is granted only to authorized personnel on a need-to-know basis, and access is logged and monitored.
- Encryption: Data is encrypted in transit (TLS) and at rest (AES-256).
- Network Security: We employ secure network architecture, including firewalls and intrusion detection systems.
- Regular Audits: We conduct regular security audits to identify and address vulnerabilities.
- Incident Response: We have established protocols for managing and responding to security incidents.
10. Your rights
Depending on where you live, you may have certain rights regarding your personal data. The rights below apply to residents of all applicable jurisdictions, including under the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other U.S. state privacy laws.
- Right to Know / Access: You have the right to know what personal data we collect, use, and disclose about you, and to request a copy of that data.
- Right to Correction: Request we correct inaccurate personal data.
- Right to Deletion: Request we delete your personal data, subject to certain legal exceptions.
- Right to Portability: Request your data in a structured, commonly used, machine-readable format.
- Right to Opt Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. As stated in Section 6, Proof of Review does not sell or share your personal information.
- Right to Limit Use of Sensitive Data: You have the right to limit the use and disclosure of your sensitive personal information. Underflow only uses sensitive data as necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
- Right to Objection: Object to certain types of processing, including direct marketing.
- Right to Restriction: Request we temporarily or permanently stop processing some or all of your data.
- Right to Withdraw Consent: Withdraw consent where processing is based on consent.
- Rights Related to Automated Decisions: Depending on your jurisdiction, you may have rights to access information about automated decision-making, opt out of automated processing, or appeal automated decisions. See the applicable ADMT, CCPA, or other local regulations for details.
How to exercise your rights
To exercise any of these rights, you may:
- Email us at legal@useunderflow.com
- Mail us at Underflow, Inc., 1 Brady Street, A614, San Francisco, CA 94103
We will verify your identity before processing your request. We may ask you to confirm details associated with your account. You may also designate an authorized agent to make a request on your behalf; we may require the agent to provide proof of authorization.
We will respond to your request within 45 days. If we need more time, we will notify you of the extension (up to an additional 45 days) and the reason for it.
Right to appeal
If we decline your request, we will inform you of the reason. You may appeal our decision by contacting us at legal@useunderflow.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within 60 days.
If you believe we have not adequately addressed your concerns, you may lodge a complaint with your state attorney general or local data protection authority.
11. Policy changes
We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date at the top of this page. If you are a customer or user, we will notify you of material changes by email or through the Service. Your continued use of the Service after any change constitutes acceptance of the updated policy.
12. Cookies and tracking technologies
We use cookies and similar technologies to operate our website and understand how visitors interact with it.
What are cookies?
Cookies are small text files stored on your browser or device when you visit a website. They help the site remember your preferences and understand usage patterns.
Cookies we use
| Cookie type | Purpose | Examples | Retention |
|---|---|---|---|
| Strictly necessary | Required for the website to function (e.g., session management, security) | Session cookies, CSRF tokens | Session or up to 24 hours |
| Analytics | Help us understand how visitors use our site so we can improve it | Google Analytics (_ga, _ga_*) | Up to 26 months |
What we do not use
We do not use advertising cookies, retargeting pixels, or any third-party cookies for targeted advertising purposes. We do not build behavioral profiles for cross-site tracking.
Google Analytics
We use Google Analytics to collect aggregated usage data such as pages visited, time on site, and referral sources. Google Analytics uses first-party cookies to distinguish unique visitors. We have configured Google Analytics to reduce collection of identifying information where available. Google's use of this data is governed by Google's Privacy Policy.
Managing cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking strictly necessary cookies may affect the functionality of our website.
You may also send a Global Privacy Control (GPC) signal through your browser, which we honor as a valid opt-out request under applicable state privacy laws.
13. Contact us
If you have any questions about this Privacy Policy, contact us at legal@useunderflow.com.