Legal

Privacy
Policy

What we collect, why we collect it, who we share it with, and how long we keep it. Written in plain English so your legal + security teams don't have to translate.

Last updated: April 17, 2026

Apr 17, 2026Last updated
7 yearsTransaction retention
30 daysRights response SLA
No saleof personal data
On this page

1. Who we are

multiflow is operated by Welcomelane, Inc. ("multiflow"). We are a payment-orchestration platform for multi-entity operators. For most operator-facing relationships, multiflow acts as a data processor on behalf of the Operator ("you"), who is the data controller for their customers' personal data. For our own corporate relationships (leads, applicants, employees, vendors), we act as the data controller.

2. What we collect

From operators and applicants

Business name, legal entity, corporate structure, EIN, contact name + email + phone, brand/descriptor list, expected volume, processor history, underwriting documents you upload (bank statements, IDs, voided checks), signed agreements. When you interact with our portal, we log IP, user agent, authentication events, and audit events for every data access.

From operator customers (via the payment flow)

Card network tokens, transaction timestamps, amounts, descriptors, order references, masked PANs (last 4 / BIN), billing postal code, and processor response codes. We do not store full PANs, CVVs, or full magnetic-stripe data. All card data transits tokenized via PCI-DSS-compliant processors.

From website visitors

Pages viewed, referrer, approximate geolocation (country + region from IP), device type, browser. We use a minimal set of first-party analytics; we do not load third-party ad trackers on multi-flow.pro marketing pages by default.

3. Why we collect it

  • To deliver the Service: route transactions, reconcile ledgers, produce reports, surface data in the operator portal.
  • To comply with law: KYC/KYB on operators, AML / BSA obligations of our acquiring bank, 1099-K issuance, tax reporting, responses to lawful requests.
  • To secure the Service: detect fraud, monitor for account takeover, audit access, respond to incidents.
  • To communicate with you: product updates, security advisories, invoices, contract correspondence.

4. Who we share it with

  • Acquiring bank + processor: the bank that holds your merchant account and the processor that moves money between networks.
  • Card networks: Visa, Mastercard, Amex, Discover — they receive transaction data under network operating rules.
  • Sub-processors: cloud infrastructure (AWS), identity + MFA services, email/SMS delivery, analytics, customer support. Current sub-processor list is maintained on our Security page; material changes are notified with 30 days' notice.
  • Legal + regulatory: in response to valid subpoenas, court orders, or regulatory requests. We notify you unless legally prohibited.

We do not sell your personal information. We do not share operator or customer data with advertisers or marketing networks.

5. How we secure it

TLS 1.3 end-to-end, AES-256 encryption at rest, Row-Level Security policies on all operator data, service role keys never in frontend bundles, JWT-derived client_id on every data fetch, 15-minute session expiry, audit log on every data access, WebAuthn support for privileged roles. Full details on our Security page.

6. How long we keep it

  • Transaction data: 7 years (US financial record-retention rules).
  • Operator audit logs: 7 years.
  • Chargeback + dispute records: 2 years after resolution.
  • Marketing website logs: 90 days.
  • Applicant data (denied / withdrawn): 2 years, then deleted.

7. Your rights

Depending on your jurisdiction (GDPR, UK-GDPR, CCPA, CPRA, VCDPA, etc.), you may have rights to access, correct, delete, port, or restrict processing of your personal data. To exercise these rights, email privacy@multi-flow.pro. We respond within 30 days (or sooner where required). For requests about your customers' data where multiflow is a processor, contact the Operator directly — they are the controller.

8. International transfers

multiflow operates primarily in the United States. If you are located in the EEA, UK, or Switzerland, your data is transferred to the US under Standard Contractual Clauses (2021 EU SCCs) or an equivalent lawful transfer mechanism. Our DPA details the transfer safeguards.

9. Cookies + similar technologies

On multi-flow.pro: essential cookies only (session, CSRF). On the operator portal: authentication cookies and session storage. No third-party ad / tracking cookies are set by default. A full cookie list is available on request.

10. Children's privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, email privacy@multi-flow.pro and we will delete it.

11. Changes to this Policy

Material changes are emailed to the Operator's primary contact 30 days before they take effect. Minor clarifications may be published without notice; the "Last updated" date at the top reflects any change.

12. Contact

Privacy questions + data subject requests: privacy@multi-flow.pro
Security incidents: security@multi-flow.pro
Data Protection Officer (for GDPR inquiries): dpo@multi-flow.pro

Need the DPA or sub-processor list?

Both live in our Trust Center and are bundled with the MSA. Email privacy@multi-flow.pro and we'll send them.

The Operator Briefing

Twice-monthly. No fluff.

Processor shutdowns, reserve-hold playbooks, reconciliation lessons, and the merchant-account decisions that save operators six-figure years. Delivered to your inbox — never spam.

No spam. Unsubscribe in one click.

We use essential cookies · Privacy