Last updated 10 July 2026
StaffFlow is timesheet-to-invoice automation software for staffing firms. This policy explains what data we handle, where it goes, and who else can see it. It is written to describe what the software actually does, rather than to reserve rights we do not use.
StaffFlow is operated by Saichandra Bandi, Hyderabad, Telangana, India. For any question about this policy, or to exercise a right described below, write to hello@staffflowpro.com.
Where StaffFlow processes data on behalf of a customer, that customer is the data controller and StaffFlow is a processor acting on their instructions.
StaffFlow does not request or store payment card details, bank account numbers, social security numbers, or payroll records.
StaffFlow does not become a second system of record. Timesheet documents are filed into the customer's own OneDrive. Invoices are created in the customer's own QuickBooks company. StaffFlow's database holds the configuration, the hours billed, the invoice references, and the operational logs described above.
Reading a timesheet requires sending its contents to services that can interpret a document. We name each one, and what it receives:
| Processor | What it receives | Purpose |
|---|---|---|
| Microsoft Azure (Document Intelligence) | Timesheet document contents | Reads text and tables from images and PDFs |
| OpenAI | Timesheet text and tables | Extracts hours, dates, and labels |
| Microsoft Graph | Mailbox and OneDrive access, as authorised by the customer | Receives timesheets, files documents |
| Intuit QuickBooks Online | Invoice data, as authorised by the customer | Creates invoices and attaches proof |
| Railway | Application hosting and database | Runs StaffFlow |
| Cloudflare | Dashboard hosting | Serves the web application |
| Resend | Operational alert emails | Notifies the operator of failures |
These processors act on our instructions under their own terms. We do not sell personal data, we do not share it for advertising, and we do not permit our processors to use customer content to train their models.
StaffFlow accesses a customer's QuickBooks company only after an authorised user of that company grants access through Intuit's consent screen. We request the minimum scope needed to read customers and create invoices. Access can be revoked at any time from within QuickBooks, or by writing to us. StaffFlow does not read bank feeds, payroll, or transactions unrelated to the invoices it creates.
No system is perfectly secure. If a breach affects your data, we will tell you without undue delay and describe what happened.
Configuration, hours, and invoice records are retained for as long as the customer's account is active, because they are the audit trail behind invoices already issued. Operational logs are retained while they remain useful for investigation. On written request, and where no legal or accounting obligation requires otherwise, we will delete a customer's data.
Depending on where you live, you may have the right to access, correct, export, or delete personal data we hold about you, and to object to or restrict its processing. Where StaffFlow acts as a processor for a customer, please direct such a request to that customer; we will assist them in answering it. Otherwise, write to hello@staffflowpro.com.
StaffFlow is operated from India. Its processors operate infrastructure in the United States and elsewhere. Data handled by StaffFlow may therefore be processed outside the country in which it was collected.
StaffFlow is business software. It is not directed at children and we do not knowingly collect data from anyone under 18.
If this policy changes materially, we will update the date above and, where the change affects an active customer, tell them directly.