Privacy Policy

Effective date: 17 April 2026. Last updated: 17 April 2026.

UrgentFlow is a countdown timer plugin for Framer, operated as a small independent software service. This policy describes the personal data we collect, why we collect it, who processes it on our behalf, and the choices you have. It applies to the plugin, the Portal at portal.urgentflow.rnui.dev, and the API at urgentflow.rnui.dev.

1. Who we are

"UrgentFlow", "we", "us" refers to the operator of this service, reachable at mrpmohiburrahman@gmail.com. We are the data controller for the personal data described below, except where Freemius (our billing processor) acts as the merchant of record for your purchase — in that relationship Freemius is the controller for payment data.

2. What we collect

a) From Google sign-in. When you sign in with Google we use the openid, email, and profile scopes only. Google provides us with your email address, your display name, and your profile picture URL. We do not request access to your Gmail, Drive, contacts, calendar, or any other Google service. We never see your Google password.

b) Account data. When you sign in we create an account record in Firebase Firestore containing:

• Your user id (Firebase uid) and email
• Your plan (free or Pro) and, if Pro, your Freemius license key and license status
• Any Framer sites you register with UrgentFlow (site id, domain, public key)
• Timer configurations you save (duration, timer type, etc.)
• Account timestamps (created, last login)

c) Evergreen deadline data. For the Pro per-visitor deadline feature, when a visitor loads a Framer site running an UrgentFlow timer we store:

• A visitor fingerprint — a hash derived from non-identifying browser characteristics (for example, user agent, language, screen size). It is not a government id, phone number, or name. It is used only to recognise the same visitor returning to the same site so their deadline stays consistent.
• A cookie id — a random opaque identifier stored in the visitor's browser for the same purpose.
• The siteId, timerId, and the computed deadline timestamp.

We do not collect IP addresses for fingerprinting. We do not track visitors across different sites.

d) Billing data. When you upgrade to Pro, payment is processed by Freemius as merchant of record. Freemius collects and holds your payment method and billing address. We receive from Freemius only the license key, subscription status, and the email you used at checkout — we never see your card details.

e) Server logs. Our hosting providers (Firebase and our VPS host) keep short-term request logs containing IP address and timestamps for security, abuse prevention, and debugging. These logs are not joined with account data for marketing or profiling purposes.

3. How we use it

• To authenticate you and keep you signed in to the Portal.
• To render the countdown timer correctly on your Framer sites, including remembering per-visitor deadlines.
• To enforce the free / Pro plan entitlement.
• To send transactional emails related to your account and subscription (billing receipts via Freemius, account security notices). We do not send marketing email.
• To detect abuse and protect the service.

We do not sell your personal data. We do not use your personal data to train AI models. We do not serve advertising.

4. Sub-processors

We rely on the following providers to run the service. Each acts as our processor (or, for Freemius, as the controller for payment data):

• Google (Firebase Authentication, Cloud Firestore, Cloud Functions, Hosting) — authentication, database, serverless functions, and hosting for the API and Portal. See Firebase privacy and security.
• Freemius — merchant of record for Pro subscriptions, handles payment processing, tax, and invoicing. See Freemius privacy policy.
• AlexHost (VPS host) — hosts the Portal and admin dashboards via Docker containers, behind Let's Encrypt TLS.
• Sentry — error monitoring for the plugin and backend. Errors may include stack traces and a transient user id to correlate reports.

5. Cookies

On the Portal (portal.urgentflow.rnui.dev) we set three first-party cookies after you sign in:

• urgentflow_token — your short-lived session token.
• urgentflow_refresh — your refresh token, used to renew the session without making you sign in again.
• urgentflow_uid — your user id, used to look up your account on the server.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies on the Portal, the apex, or the plugin. Published Framer sites using UrgentFlow may set the evergreen deadline cookie described in section 2(c) on the site owner's own domain.

6. Data retention

• Account data — retained while your account is active and for 90 days after you cancel or request deletion, after which it is permanently deleted from Firestore.
• Evergreen deadline records — automatically purged after the deadline has expired (the data is no longer useful once the timer is over).
• Server logs — retained for up to 30 days unless required longer for abuse investigation.
• Billing records — retained by Freemius for the period required by tax law in your jurisdiction (typically 7 years). We do not override Freemius's retention of invoices.

7. Your rights

Subject to applicable law (including the GDPR in the EU/UK and the CCPA/CPRA in California), you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate personal data.
• Request deletion of your personal data ("right to be forgotten").
• Export your personal data in a portable format.
• Object to or restrict processing.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email mrpmohiburrahman@gmail.com. We respond within 30 days.

8. International transfers

Your data is stored in Google Cloud regions in the United States (Firebase default) and on our VPS in Europe. By using the service you acknowledge that your data may be transferred to and processed in these jurisdictions. Where required, we rely on the Standard Contractual Clauses and Google's built-in safeguards.

9. Children

UrgentFlow is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we will delete the account.

10. Security

We use TLS in transit, Firebase Authentication for identity, scoped service accounts, and the principle of least privilege for Firestore security rules. No system is perfectly secure — if you notice a vulnerability, please report it responsibly to mrpmohiburrahman@gmail.com.

11. Changes to this policy

If we change this policy we will update the "Last updated" date above and, for material changes, notify you by email or an in-Portal banner before the change takes effect.

12. Contact

Questions or requests: mrpmohiburrahman@gmail.com.