Privacy Policy
Last updated: May 25, 2026
BallotFlow is a voting platform at ballotflow.io. This page covers what we collect, what we do with it, and how to get in touch.
Two kinds of users
Account holders create and administer elections. We have your email address (for sign-in) and the elections and organizations you manage.
Voters cast ballots. If an administrator invited you by email, we have your address from them and the ballot you submitted. If you voted through an open link without signing in, we have neither your email nor any way to connect the ballot to you.
What we collect
Account holders: email address, organization membership, role, and server logs (IP, user-agent, timestamp).
Email-invitation voters: email address (from the administrator) and the ballot.
Open-link voters: a random browser cookie called bf_open_voter that blocks the same browser from voting twice in one election. No personal data in it. Your IP is kept briefly for rate limiting and never attached to the ballot.
Marketing site and playground visitors: server logs. The playground runs entirely in memory and writes nothing to our database.
What we use it for
Authenticating you, sending invitations, displaying your elections, counting ballots, investigating abuse. That is the full list.
Sub-processors
Three services see your data because we need them to operate. Postmark sends transactional email and receives the recipient address and message contents. DigitalOcean hosts the servers and database. Cloudflare provides DNS and CDN.
We do not sell, rent, or share data with anyone else. We disclose only under legal compulsion or to prevent harm.
Cookies
A session cookie for signed-in account holders, and bf_open_voter for open-link voters. Both are HttpOnly, Secure, SameSite=Lax. That is the full list.
Retention and anonymization
During voting, ballots are connected to the voter record that cast them so administrators can see who has voted. When an election closes, we remove that connection so the post-close record no longer ties ballots back to individual voters.
Audit logs persist after close so election results remain verifiable. They do not contain voter identifiers. We keep audit logs indefinitely for the lifetime of the platform.
Deleted organizations are soft-deleted and hard-purged after 90 days. Server logs are kept for 30 days.
Your rights
Email [email protected] to access, correct, export, or delete your data. We respond within the deadlines GDPR, UK GDPR, and CCPA require where they apply.
Security
TLS in transit, encryption at rest. Magic-link tokens are short-lived and single-use. Sessions invalidate on sign-out. If we have a security incident, we notify affected users without undue delay.
Children
Not for users under 13 (under 16 in the EEA and UK). If a child has signed up, email us and we will delete the account.
Changes
We update this page when our practices change and notify account holders by email for material changes.