Dragonfl.ai ("we", "us", or "our") operates an enterprise AI platform that provides sales automation, lead management, voice AI, and knowledge management services to business organizations. This Privacy Policy explains what personal data we collect, how we use it, your rights, and how to contact us.
This policy applies to all users of the Dragonfl.ai platform and is designed to comply with applicable privacy regulations including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
HIPAA Notice
Dragonfl.ai is not designed or certified as a HIPAA-compliant platform. If your organization operates in a healthcare context and may process Protected Health Information (PHI), please contact us before use. We do not knowingly process PHI without appropriate data processing agreements.
Dragonfl.ai is the data controller for personal data processed through this platform. For questions about this policy or to exercise your rights, contact us at:
Where your organization is an enterprise customer using the platform (a "Business Customer"), your organization may act as a separate data controller or data processor for data it submits to the platform (e.g., lead contacts). Please consult your organization's privacy notice for those processing activities.
When you register and use the platform, we collect:
As part of CRM and sales automation features, your organization may store contact data about third parties ("leads"), including:
Note for lead contacts: If you are a third-party contact ("lead") whose data was entered into the platform by a Business Customer, you should contact that organization directly regarding your data rights. We process this data on behalf of the Business Customer as a data processor.
When automated phone calls are made via our voice AI integration (Vapi.ai):
Important: Phone calls may be recorded. Call participants are notified of recording by the AI agent at the start of each call as required by applicable law.
If your organization connects calendar integrations (MS Outlook, Cal.com, Calendly), we store:
We use the following cookies. No third-party tracking or advertising cookies are used.
| Name | Purpose | Duration | Type |
|---|---|---|---|
| __dragonflai_sid | User session management and authentication | 8 hours | Strictly necessary |
| csrf | Cross-site request forgery (CSRF) protection | 8 hours | Strictly necessary |
| sidebar_state | Remembers sidebar open/collapsed preference | 7 days | Functional |
| cookie_notice_dismissed | Records that you dismissed the cookie notice (localStorage) | Persistent | Functional |
The session and CSRF cookies are strictly necessary for the platform to function and cannot be disabled. The sidebar preference and cookie notice cookies can be cleared via your browser settings at any time without affecting platform functionality.
We process personal data for the following purposes and legal bases (GDPR Article 6):
| Purpose | Legal Basis | Description |
|---|---|---|
| Providing the platform services | Contract (Art. 6(1)(b) GDPR) | Authentication, session management, lead management, CRM features, demo provisioning, knowledge base access. |
| AI-powered features | Contract / Legitimate interest (Art. 6(1)(b) and (f) GDPR) | Research generation, note enhancement, meeting agendas, voice call transcription, and knowledge base chat, all of which require processing lead and content data via AI models. |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) | Session fingerprinting, CSRF protection, rate limiting, audit logging. |
| Email notifications | Contract / Legitimate interest | Account verification, password reset, demo status updates, lead sharing notifications. |
| Platform improvement and analytics | Legitimate interest | Credit usage tracking, error logging, performance monitoring. No behavioral or marketing analytics are performed. |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) | Retaining records as required by applicable laws. |
We share personal data with the following third-party service providers solely to deliver our services. All sub-processors are bound by data processing agreements:
| Provider | Purpose | Data Shared | Region |
|---|---|---|---|
| Auth0 | Authentication & identity management | Name, email, phone, password (hashed) | US (configurable) |
| Brevo | Transactional email delivery | Email, name, verification/reset links | EU |
| Vapi.ai | Voice AI and phone call automation | Phone number, call audio, transcript, agent config | US |
| OpenAI (via Mastra) | AI research generation, note enhancement, embeddings, chat | Lead/contact info, document content, conversation context | US |
| Deepgram (via Vapi) | Speech-to-text transcription | Call audio streams | US |
| Microsoft (Azure / Graph API) | Calendar integration (MS Outlook) | Calendar tokens, meeting scheduling requests | Configurable |
| Cal.com / Calendly | Alternative calendar integrations | Calendar API keys, scheduling requests | US/EU |
| HubSpot | CRM synchronization (optional) | Lead name, email, phone, company | US |
| MinIO / S3 | File and document storage | User profile pictures, knowledge base and case study files | Configurable |
We do not sell personal data to third parties. We do not use personal data for advertising or marketing profiling. We do not share data with third parties beyond those listed above.
Some of our sub-processors are located in the United States. When personal data is transferred from the European Economic Area (EEA), the UK, or Switzerland to the US, we rely on the following safeguards:
You may request a copy of the applicable transfer safeguards by contacting privacy@dragonfl.ai.
| Data Category | Retention Period |
|---|---|
| User account data | Until account deletion request or inactivity for 3 years |
| Session cookies | 8 hours (expire automatically) |
| Email verification tokens | 24 hours or until used |
| Lead / contact data | Until deleted by organization admin or platform deletion |
| Call recordings & transcripts | Until lead is deleted or on explicit request |
| AI research reports and notes | Until lead or organization is deleted |
| Chat conversation history | Until deleted by user or organization deletion |
| Credit transaction logs | 7 years (financial records requirement) |
| Encrypted API & calendar credentials | Until integration is disconnected or organization deleted |
We implement the following technical and organizational measures to protect your data:
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Right of access (Art. 15 GDPR) | Request a copy of personal data we hold about you. |
| Right to rectification (Art. 16 GDPR) | Update your name, email, and phone via the Settings page. For other corrections, contact us. |
| Right to erasure / 'right to be forgotten' (Art. 17 GDPR) | Delete your account via Settings → Danger Zone. This permanently removes your user profile, session data, conversations, and notification settings from our systems and from Auth0. |
| Right to data portability (Art. 20 GDPR) | Request an export of your personal data in a machine-readable format by emailing us. |
| Right to restriction of processing (Art. 18 GDPR) | Request that we restrict processing of your data in certain circumstances. |
| Right to object (Art. 21 GDPR) | Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds. |
| Right to withdraw consent | Where processing is based on consent, you may withdraw at any time without affecting prior processing. |
| CCPA rights (California residents) | Right to know, delete, opt-out of sale (we do not sell data), and non-discrimination. Submit requests to the email below. |
To exercise any right, email privacy@dragonfl.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, a member-state DPA in the EU).
The platform is intended for business use by adults. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable age of digital consent in their jurisdiction). If you believe a minor has submitted data through our platform, contact us at privacy@dragonfl.ai and we will promptly delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify active users by email or via an in-app notification before the changes take effect.
Continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.
For any privacy-related questions, data subject requests, or to report a concern:
Dragonfl.ai – Privacy Team
Email: privacy@dragonfl.ai
© 2026 Dragonfl.ai. All rights reserved.