Usherfly

Privacy Policy — Usherfly

Last updated: June 14, 2026

California residents have additional rights under CCPA — see Section 10.

1. Introduction

Usherfly takes the privacy of your personal data seriously. This Privacy Policy explains what personal data we collect when you use the Usherfly platform, how we process it, how long we retain it, and how you can exercise your rights. This policy is prepared under the Turkish Personal Data Protection Law No. 6698 (KVKK). It also covers your rights under the California Consumer Privacy Act (CCPA) (see Section 10).

Contact: privacy@usherfly.io

1.1 Controller and Processor Roles

Usherfly acts in different roles depending on the type of data it processes:

  • For account data (email, name, organization name, password hash), Usherfly is the data controller.
  • For onboarding flow data (uploaded documents, form responses, e-signature data), the Organization (Organization Admin) is the controller and Usherfly is the processor. Usherfly processes this data only on the Organization's instructions.

For Onboardees: To exercise your rights (access, rectification, erasure) over documents, form responses, and e-signature data you share within an onboarding flow, contact the Organization that invited you first. As the Organization's processor, Usherfly supports such requests on the Organization's behalf. The detail of these roles is defined in the Data Processing Agreement.

The legal entity acting as data controller is Truemium OÜ (Estonian Business Register code 17381638), registered at Paavli tn 5a/1, Põhja-Tallinna linnaosa, 10412 Tallinn, Estonia. Contact: privacy@usherfly.io

2. Data We Collect

CategoryExamplesFor Whom
Identity and contactFirst name, last name, email addressAll users
Account informationPassword (hashed), organization nameOrganization Admin
Onboarding contentUploaded documents, form submissions, e-signature dataOnboardee
Payment informationBilling address (card data not stored by Usherfly)Paid plan users
Session and log dataIP address, browser type, page visits, timestampsAll users

2.3 Demo and Sales Lead Data

When a visitor submits a demo request or contact form on the Usherfly website, we process their name, email address, company name, and message solely to respond to the request. This data is processed by Truemium OÜ (Estonian Business Register code 17381638), registered at Paavli tn 5a/1, Põhja-Tallinna linnaosa, 10412 Tallinn, Estonia, acting as data controller, under consent (GDPR Art.6(1)(a); KVKK Art.5/1), given by ticking the consent checkbox on the demo form, and is not shared with third parties. Retention: up to 12 months after the request is responded to. To request deletion: privacy@usherfly.io.

3. Purposes and Legal Bases for Processing

Account creation and service delivery (contract performance); security and fraud prevention (legitimate interest); product improvement and analytics (legitimate interest); email notifications (contract performance); marketing emails (explicit consent); compliance with legal obligations; anonymous analytics (KVKK Art. 28).

Product telemetry is processed in two layers: browser-side analytics and session replay run only with your explicit cookie consent; server-side product events such as signup, activation, limit, and upgrade events are processed pseudonymously, without cookies, under legitimate interest / contract performance (D-165).

4. Retention Periods

User profile and document data is retained for the duration of the active account and permanently deleted upon deletion request (D-024). Event logs are retained for 3 years after user identifier anonymization. Security logs are retained for a maximum of 1 year.

5. Data Recipients

AWS (eu-central-1, Frankfurt) — storage and processing; Paddle Billing — payment processing; transactional email provider — notifications; PostHog (EU data region — eu.i.posthog.com) — product analytics and consent-gated, masked session recordings; Sentry — error tracking; Anthropic (Claude), OpenAI — AI onboarding flow generation (admins are instructed not to include onboardee personal data in these fields; the description and context are sent transiently and not stored persistently by Usherfly, while the optional role may be retained in flow-generation audit logs) — United States, transferred under Standard Contractual Clauses (SCCs) (execution confirmation pending); Google (OAuth / Workspace) — sign-in identity authentication (name, email, Google account id) — United States; SMS providers (Twilio, İletimerkezi) — delivery of transactional onboarding messages and opt-in marketing messages by SMS (phone number, message content) — region / transfer mechanism to be finalized before go-live, a GDPR-adequate safeguard will be in place; WhatsApp provider (planned) — delivery of transactional onboarding messages and opt-in marketing messages over WhatsApp (phone number, message content) — provider selection to be finalized before go-live. We do not sell, rent, or share personal data for advertising purposes. Current sub-processor list: Sub-Processor List.

6. Data Security

We apply encryption in transit and at rest, access controls, and regular security reviews. In the event of a breach, we will notify you and relevant authorities as required by applicable law.

7. Your Rights Under KVKK

You have the right to be informed, access your data, request rectification, request erasure, restrict processing, object to processing, claim compensation for unlawful processing, and obtain information on data transfers. Submit requests to privacy@usherfly.io or via account settings (responded to within 30 days). Supervisory authority: KVKK — kvkk.gov.tr.

8. Cookies

Analytics cookies and session replay are enabled only with the explicit consent you give in the cookie banner; choosing "necessary only" means no analytics cookies are used. For details, see Cookie Policy.

9. International Data Transfers

Primary storage and processing take place in AWS eu-central-1 (Frankfurt) (D-116), which meets GDPR-equivalent adequacy standards. There are two categories of US transfers: AI flow generation (Anthropic, OpenAI) — the admin-provided flow description, role, and context text is transferred transiently; admins are instructed not to include onboardee personal data in these fields; the description and context are sent transiently and not stored persistently by Usherfly, while the optional role may be retained in flow-generation audit logs — and Google OAuth sign-in (based on the user's consent at sign-in). Both transfers are made under Standard Contractual Clauses (SCCs) (execution confirmation pending). For details, see the sub-processor list and Section 5.

10. Additional Rights for California Residents (CCPA)

California residents have the right to know, access, delete, and opt out of sale of personal data. Usherfly does not sell personal data. Submit requests to privacy@usherfly.io (responded to within 45 days). Supervisory authority: CPPA — cppa.ca.gov.

11. Changes to This Policy

For material changes, we will notify you by email in advance.

12. Contact

Privacy questions: privacy@usherfly.io