Privacy Policy
Last updated: June 24, 2026
1. Introduction
StatFlow is a metrics ingestion and monitoring service operated by DoubleU Labs, LLC ("DoubleU Labs", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use StatFlow ("the Service"). By using the Service, you agree to the terms of this Privacy Policy. Our Terms of Service govern your use of the Service.
If you have questions, contact us at support@doubleulabs.com.
2. Information We Collect
2.1 Account Information
When you register, we collect your email address and a hashed password. We never store your password in plain text. We use industry-standard bcrypt hashing. If you use Google single sign-on, we also store a Google account identifier and receive your email address (and display name when provided by Google) to authenticate you.
You may set an optional display name in your profile. Team plans store member emails, invite status, and assigned roles for users you invite to your account.
2.2 Metric Data
The core purpose of StatFlow is to store metric data you send us: stat names, numeric values, timestamps, optional metadata labels on individual data points, and annotations you attach to stats or time ranges. This data belongs to you and is used to provide charts, dashboards, alerts, exports, and related Service features.
2.3 Usage and Technical Data
We collect standard server logs including IP addresses, HTTP request paths, user agent strings, timestamps, and response codes. We maintain security audit logs for certain authentication and account events. This data is used for security monitoring, debugging, rate limiting, and service reliability. Server logs are retained for 30 days unless a longer period is required for an active investigation.
2.4 Billing and Plan Data
Payment processing is handled entirely by our third-party payment processor. We do not store your full credit card number, CVV, or full payment details on our servers. We store subscription plan, usage counters (such as data points and AI invocations this month), customer identifiers, and subscription status to manage your plan and enforce limits.
2.5 Communications
If you contact us by email, we retain that correspondence to respond to your inquiry and improve our support. We may send transactional emails (account verification, billing receipts, alert notifications, critical service announcements). We do not send marketing emails without your explicit opt-in.
2.6 AI Feature Data
If you enable AI features (available on certain paid plans), we process additional information to generate AI outputs. This may include stat names, numeric values, timestamps, metadata, alert configurations, natural-language rule text, anomaly events, dashboard context, and summaries of account activity.
The scope of data sent depends on the feature: some AI features analyze a single stat or alert, while others may evaluate a broader set of your metric data—including potentially most or all Customer Data in your account—to produce digests, cross-stat insights, or similar outcomes. AI features are opt-in and disabled by default; no Customer Data is sent to AI providers until you enable them in Settings → AI (and your plan includes AI).
2.7 Dashboards, Alerts, and Public Sharing
We store dashboard layouts, tile configurations, and alert rules you create. If you enable public dashboards, the metrics displayed on those dashboards are accessible to anyone who has the public URL (without signing in). Alert configurations may include webhook URLs and routing keys for services you integrate (Slack, Discord, PagerDuty, etc.); we transmit alert payloads to those destinations when alerts fire.
2.8 Product Feedback
If you submit in-app feedback, we collect the message you provide, an optional sentiment rating, and basic technical context (such as the page URL) to improve the Service. Do not include secrets, credentials, or sensitive personal data in feedback submissions.
3. How We Use Your Information
- To provide, operate, and maintain the Service
- To process transactions, enforce plan limits, and send billing confirmations
- To send alert and digest notifications you have configured
- To authenticate you, including via Google SSO where enabled
- To manage team invites, roles, and shared account access
- To verify your email address and secure your account
- To detect, investigate, and prevent fraudulent or abusive activity
- To diagnose technical problems and improve the Service
- To comply with legal obligations
- To power optional AI features you enable (for example, anomaly detection, watchdog alerts, natural-language alert rules, forecasting, insight digests, and root-cause analysis)
- To serve public dashboards and embeds you explicitly choose to publish
We do not use your metric data for advertising or sell it. We do not train our own general-purpose machine learning models on your Customer Data for unrelated purposes.
When AI features are enabled, we transmit relevant Customer Data to third-party AI inference providers (such as large language model API services) solely to produce the AI functionality you request. Those providers process data on our behalf and are contractually required to use it only to deliver the Service. Their own privacy and data-use terms may also apply. You can disable account-level AI at any time in Settings → AI.
4. How We Share Your Information
We do not sell your personal data. We may share information in the following limited circumstances:
4.1 Service Providers
We use a small number of trusted third-party service providers to operate the Service. Each provider receives only the minimum data necessary to perform their function and is contractually prohibited from using your data for any other purpose. The categories of providers we use include:
- Payment processing — handles billing and subscription management. We do not receive or store your full payment details.
- Transactional email delivery — sends account verification, team invites, billing, alert, and digest emails. Receives recipient email addresses and message content necessary for delivery.
- Identity providers — when you use Google SSO, Google processes your sign-in according to Google's privacy policy; we receive tokens/profile data needed to authenticate your account.
- Cloud infrastructure & hosting — servers on which the Service runs and your data is stored. Subject to appropriate data processing agreements.
- Performance & error monitoring — anonymized, aggregated data used to measure and improve Service reliability. No personal data is shared.
- AI inference providers— when you enable AI features, we send relevant Customer Data (which may range from a single stat to a substantial portion of your account's metrics) to third-party AI services for analysis and output generation. Data is transmitted only while AI features are enabled and your plan includes them.
4.2 User-Directed Sharing
We do not sell your metric data. However, you may cause data to be shared with third parties when you:
- publish a dashboard with public access enabled
- embed charts on external sites using our SDK
- configure alert webhooks or third-party notification endpoints
- invite team members who can view account data according to their role
You are responsible for reviewing these choices and the privacy practices of any third-party services you connect.
4.3 Legal Requirements
We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
If DoubleU Labs is acquired, merges with another company, or transfers all or part of its assets, your information may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on the Service prior to any such transfer.
5. Data Retention
We retain your account and metric data for as long as your account is active or as needed to provide the Service. Metric data is subject to a rolling retention window that depends on your plan (for example, 7 days on Hobby, 2 years on Pro, 5 years on Team). Data older than your window is not returned in queries and may be permanently deleted. Soft-deleted stats may remain in trash for a limited period before permanent removal.
Account data is retained until you request deletion. Usage counters (such as monthly data points and AI calls) reset according to billing periods.
You may request deletion of your account and all associated data at any time by contacting support@doubleulabs.com. We will process deletion requests within 30 days, subject to legal obligations to retain certain records (e.g., billing records for tax purposes).
6. Data Security
We implement reasonable security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These include:
- TLS/HTTPS encryption for all data in transit
- Passwords hashed with bcrypt
- API keys stored as SHA-256 hashes, never in plain text; keys may be scoped to read or write
- JWTs with short expiry signed with a secret key
- Rate limiting and brute-force protection on authentication and API endpoints
- Security audit logging for certain account events
- Infrastructure access restricted to authorized personnel
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable security practices, we cannot guarantee absolute security.
7. Cookies and Tracking
We do not use advertising cookies or third-party tracking pixels. The Service uses:
- Authentication tokens stored in browser local storage for dashboard sessions
- Anonymized, aggregated performance analytics — used to measure page load times and Service reliability. No personal data is collected or transmitted.
When you sign in with Google, Google may set cookies or use similar technologies under Google's own policies during the OAuth flow.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and data
- Portability — request your metric data in machine-readable format (CSV/JSON export available in the dashboard)
- Objection — object to certain processing activities, including AI processing (you may disable AI features in account settings)
To exercise any of these rights, email support@doubleulabs.com with your request. We will respond within 30 days.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email and/or by posting a prominent notice on the Service at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or requests:
DoubleU Labs, LLC
Email: support@doubleulabs.com