Conflu.
a tordo.xyz product
Get started →

Privacy Policy

Last updated: 21 June 2026

This Privacy Policy explains how RT Consulting FZE ("Conflu", "we", "us") collects, uses, and protects personal data when you use Conflu at conflu.xyz.

Who we are

Conflu is operated by RT Consulting FZE, a Free Zone Establishment licensed by the Fujairah Creative City Free Zone Authority (Licence No. 6160/2015), registered at Twin Towers, P.O. Box 4422, Fujairah, United Arab Emirates. For questions about this policy, contact privacy@conflu.xyz.

Your data and our role

We are the controller for the data you give us to run your account (such as your email address, billing details, account metadata, and usage records). For the data inside the provider accounts you connect — your and your clients' emails, calendars, contacts, files, and tasks — you are the controller and Conflu acts as your processor, accessing it only to serve your MCP requests on your instructions.

What we do not store

We do not store email bodies, subjects, senders, recipients, calendar event titles or descriptions, contact details, task content, file or attachment content, or filenames from any connected provider. Conflu is a stateless pass-through: your AI client calls our MCP endpoint, we authenticate the request, retrieve OAuth tokens from secure secret storage, call the provider (such as Microsoft Graph or Google Workspace APIs) in real time, and stream the response back. We do not cache or index provider payloads.

What we do store

We store account metadata in Firestore (for example connected mailbox addresses, tenant identifiers, account status, and billing plan), usage counters and per-request metadata (timestamps, tool name, bytes transferred) for billing and support, and your billing details through our payment processor. OAuth refresh tokens are stored only in Google Cloud Secret Manager, encrypted at rest, and never in Firestore.

Legal bases

Where data protection law such as the EU GDPR applies, we process personal data on the basis of: performance of our contract with you (to provide the Service); our legitimate interests (to secure, support, and improve the Service); compliance with legal obligations; and your consent where required.

Sub-processors

We rely on a small set of providers to run the Service: Google Cloud Platform and Firebase (hosting, database, secret storage, in the EU), Stripe (payments), Mailgun (transactional email, EU instance). Each processes data on our behalf under appropriate data-processing terms.

International transfers

Service infrastructure is primarily located in the European Union. Where data is transferred internationally, we rely on appropriate safeguards such as standard contractual clauses.

Data retention

We retain account and usage data for as long as your account is active and as needed to provide the Service, then for a limited period as required for billing, legal, and security purposes. When you delete your account, we delete or anonymise associated data and revoke stored OAuth tokens, subject to legal retention requirements.

Your rights

Subject to applicable law, you may request access to, correction of, or deletion of your personal data, object to or restrict certain processing, and request portability. Contact privacy@conflu.xyz; we will respond within the timeframes required by law.

Cookies

We use only essential first-party cookies needed to sign you in and keep your session secure. We do not use advertising or third-party tracking cookies.

Security

We protect data with encryption in transit and at rest, least-privilege access, secret isolation in Google Cloud Secret Manager, and structured audit logging. No system is perfectly secure, but we work to protect your data and will notify you of any breach affecting your personal data as required by law.

Children

The Service is not directed to anyone under 18, and we do not knowingly collect data from children.

Changes

We may update this policy from time to time and will post the new version here with an updated date; material changes will be notified by email or in-product.

Contact

Privacy questions: privacy@conflu.xyz. RT Consulting FZE, Twin Towers, P.O. Box 4422, Fujairah, United Arab Emirates.