MyAgentFlow · a product of dun4u Services LLC · EIN 42-2166983
Effective Date: April 14, 2026 · Last Updated: May 29, 2026
This Privacy Policy describes how dun4u Services LLC ("dun4u," "we," "us," or "our"), a Maryland limited liability company, collects, uses, discloses, and safeguards your information when you use MyAgentFlow ("MyAgentFlow," "the Service," or "the Platform") at https://myagentflow.app.
By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service. This Privacy Policy is incorporated into our Terms of Service by reference.
2.1 Information you provide directly. When you create an account, subscribe, contact support, book a demo, or enter information into the Platform, we collect:
2.2 Information collected automatically. When you use the Service, we automatically collect:
2.3 Information from third parties. When you connect external accounts to the Service:
2.4 AI interaction data. When you use AI features inside the Platform, we may collect:
2.5 Referral data. The Platform includes a referral program ("Refer & Earn" — see Terms § 4.10). When you participate as a referrer or referee, we store: (a) your unique referral code (auto-generated on account creation), (b) a link between your account and the account of any agent who referred you (so we know who to credit when your subscription begins), and (c) a ledger row for each referral indicating its status (signed up / converted / rewarded / blocked / reversed) and the number of free days earned. Referral data is processed only to operate the referral program; we do not share referrer-referee relationships externally and they are not visible to other users.
We use the information we collect to:
We do not sell your personal information. We do not use your data, your leads' data, or your connected mailbox data to train or fine-tune general-purpose AI models without your explicit consent.
Where applicable under laws such as the GDPR or CPRA, we process your personal data based on:
Lead data captured through your MyAgentFlow landing pages, home page, chatbot, or imports belongs to you. We process this data solely to provide the Service to you — including running campaigns, scoring leads, sending automated emails, and surfacing replies. We do not share, sell, or use your leads' data for any purpose other than delivering the Service to you.
You are responsible for ensuring that your collection and use of lead data complies with applicable privacy laws — including GDPR, CPRA / CCPA, CAN-SPAM, CASL, and TCPA — and for obtaining any necessary consents from your leads before contacting them through the Service.
5.1 Activity logs and personal-touch notes. The Service includes relationship-management features that let you record manual touches (phone calls, text messages, in-person meetings) and attach free-form notes to each contact. These activity logs and notes are stored privately, scoped to your individual user account — never shared across team members, never visible to other users, and never used to train any AI model. They are visible only to you and to MyAgentFlow staff acting under the confidentiality terms described in this policy. You can delete any activity entry at any time from the contact's record.
6.1 Service providers. We share information with trusted third-party vendors who help us operate the Service, only to the extent necessary to deliver it:
These providers are contractually obligated to protect your data and may only use it to provide services on our behalf.
6.2 AI platform partners. AI generation in the Service is powered by third-party AI infrastructure (currently OpenAI). When you use an AI feature, the prompt and inputs you submit are transmitted to the AI provider over an encrypted connection in order to produce the requested output. We have data-processing agreements with these providers and select providers whose terms prohibit using our prompt data to train general-purpose models.
6.3 Business transfers. In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice in the Service if such a transfer occurs.
6.4 Legal requirements. We may disclose information if required to do so by law, court order, subpoena, or governmental authority, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights or property, or protect the safety of our users or the public.
6.5 We do not sell your data. dun4u Services LLC does not sell, rent, or trade your personal information, your leads' personal information, or your connected mailbox data to third parties for their own marketing purposes.
MyAgentFlow lets you connect a Google (Gmail / Google Workspace) or Microsoft (Outlook / Microsoft 365) mailbox so the Service can send campaign and transactional emails on your behalf, from your own address. The OAuth grant is send-only — we do not request, hold, or use any scope that reads, lists, modifies, or otherwise accesses the contents of your inbox. Replies are tracked through a separate mechanism described in 7.2 below that does not depend on mailbox-read permissions. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
7.1 Scopes we request and why
https://www.googleapis.com/auth/gmail.send: Google-classified sensitive scope. Used exclusively to send campaign and transactional emails that you have authored or approved in the Service, from your own Gmail address, so that deliverability reflects your sender reputation. This scope cannot be used to read, list, search, or modify any message in your mailbox.https://www.googleapis.com/auth/userinfo.email: Google-classified non-sensitive scope. Used solely to identify the connected account so you can see which mailbox is linked.https://graph.microsoft.com/Mail.Send: send-only equivalent for Outlook / Microsoft 365.User.Read, offline_access: identify the connected account and keep the send-only grant alive across sessions. Neither grants any mailbox-read capability.We do not request gmail.readonly, Mail.Read, or any other mailbox-read scope from either provider. A previous version of this policy described limited mailbox-read scopes for reply tracking; that capability has been replaced by the Inbound Parse mechanism described below, and the read scopes were dropped on 2026-05-18.
7.2 How replies are captured (without reading your inbox)
When the Service sends an email on your behalf, the Reply-To header is set to a unique per-lead address that we control (e.g. lead-<id>@reply.myagentflow.app). When the lead clicks Reply, their mail client sends the reply to that address — not back into your mailbox — and our email-receiving provider (SendGrid Inbound Parse) forwards the parsed message to a MyAgentFlow webhook. We use the reply to:
Because replies flow through MyAgentFlow's receiving address rather than into your mailbox, MyAgentFlow can see the reply text — limited to messages where the lead chose to reply to our per-lead Reply-To address. We never see any other message in your mailbox, and we never see any reply your lead sends to a different address.
7.3 How your email data is used
7.4 How your email data is NOT used
7.5 Storage, retention, and security of OAuth tokens
7.6 Your controls
We implement industry-standard technical and organizational security measures to protect your data, including:
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8.1 Photos and uploaded media — important note. Photos you upload or generate (profile photo, home page hero, gallery photos, lead-magnet preview images, email header banners, landing-page images, and any photo saved to your Photo Library) are stored in publicly readable cloud storage so they can be displayed on your published landing pages, embedded in emails sent to your contacts, and rendered in social-media link previews. Anyone with the direct image URL can view the file, even if you later remove it from a page. The URLs themselves are long and not guessable, but they are not secret — once an image has been embedded in an email, posted to social media, or rendered on a public page, assume the image is public. Do not upload photos that contain sensitive personal information, identification documents, financial information, or anything you would not be comfortable having publicly accessible. If you remove a photo from your account, the underlying file is deleted from our storage on a rolling schedule, but third-party caches (email clients, search engines, social media link previews) may retain copies indefinitely.
We retain account data and content for as long as your account is active or as needed to provide the Service. Email-send metadata (recipient, subject, timestamps, open/click events) is retained for the lifetime of your account so you can audit campaign performance; message body content passed through the send pipeline is not retained beyond what is required for delivery and logging.
9.1 Subscription freeze. When your subscription ends — whether by cancellation, an unconverted trial, or extended non-payment — your account enters a 30-day freeze. During the freeze:
captured_during_freeze and you won't be notified until you reactivate.9.2 Reminder & deletion timeline. If you do not reactivate, we will email reminders at days 7, 20, and 25 of the freeze. On day 30, your personal data, contacts, and content are scheduled for permanent deletion. Final deletion completes on day 45.
9.3 What is preserved after deletion. Some records are retained for legal, security, and operational reasons:
9.4 Self-serve account deletion. You may request deletion of your account at any time — whether you are actively subscribed, in trial, or in the post-cancellation freeze window — from Settings → Security → Delete account while signed in. The flow:
auth.users record, profile, contacts, landing pages, lead magnets, campaigns, social posts, and uploaded media are permanently removed by an automated job. OAuth tokens for connected mailboxes are revoked from our database in the same pass (we recommend you also revoke the grant at Google or Microsoft per Section 7.5 for complete revocation).9.5 Email-based deletion request. If you cannot access the in-app form for any reason, you may also request deletion by emailing privacy@myagentflow.app. We will complete deletion within 30 days of the request, subject to the same legal-retention exceptions.
Depending on your location, you may have the following rights regarding your personal data:
To exercise these rights, email privacy@myagentflow.app. We will respond within the timeframe required by applicable law (typically 30 days).
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect, use, and share; the right to delete your personal information; the right to correct inaccurate information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising your privacy rights.
We do not sell personal information. To submit a verifiable consumer request, contact us at privacy@myagentflow.app.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal basis for processing your data is described in Section 4. You have the rights outlined in Section 10 above, plus the right to lodge a complaint with your local data-protection authority. To make a request or ask questions about cross-border data transfers, contact privacy@myagentflow.app.
Data Processing Agreement (DPA) available on request. If you process personal data of EEA / UK / Swiss residents through MyAgentFlow and require a DPA to comply with Article 28 GDPR (or the equivalent under the UK GDPR / Swiss FADP), email privacy@myagentflow.app with your business name and we will send a countersigned DPA within 5 business days. The DPA supplements this Privacy Policy and the Terms of Service; no additional fee.
We use essential cookies to maintain your session and authentication state. We do not use third-party advertising cookies or cross-site tracking pixels. We may use first-party analytics cookies to understand how visitors use our marketing site, with appropriate consent where required by law.
You can disable cookies in your browser settings, but doing so may affect the functionality of the Service.
The Service may contain links to third-party websites, integrations, or platforms that are not operated by dun4u Services LLC. We have no control over, and assume no responsibility for, the privacy practices of any third-party sites. We encourage you to review the privacy policies of any third-party sites you visit through links from the Service.
The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@myagentflow.app and we will promptly delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, where appropriate, by sending notice to your registered email address or showing an in-app notice. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
Each December, dun4u Services LLC donates 5% of annual net profits to one non-profit organization selected at our sole discretion for that year. No subscriber, lead, or mailbox data is shared with the recipient organization as part of this program. For full details, see Terms of Service Section 20.
This section describes how SMS (text message) communications work on MyAgentFlow, what consumer data is collected as part of the SMS program, and the rights and protections that apply to recipients of SMS messages sent through our platform. This section exists so MyAgentFlow agents and the consumers who receive messages from those agents can understand the SMS program before any text message is sent or received.
18.1 Program description. MyAgentFlow provides a managed SMS sending capability to licensed real estate agents who subscribe to the Service. Agents use the SMS feature to send appointment confirmations, listing updates, follow-up messages, holiday and birthday greetings, lead-nurturing messages, and other real-estate-related communications to leads and contacts who have explicitly opted in to receive SMS from the agent. SMS messages are delivered through our messaging carrier partner, Twilio, Inc. (the “Carrier”). Each agent on the Service is assigned a dedicated US phone number from which their messages originate; that number is the visible sender on the recipient's phone.
18.2 Information collected from SMS recipients. When a person (a “Recipient”) opts in to receive SMS from an agent on the Service, the following information is collected and stored:
18.3 How SMS information is used. SMS data is used to deliver messages from the agent to the Recipient, to enforce opt-out requests, to provide the agent with delivery confirmation, to provide our compliance team with audit records, and to defend the agent and MyAgentFlow against any consumer complaint or regulatory inquiry. We do not use SMS content to train any AI model. We do not sell SMS phone numbers to third parties. We do not share SMS content with any third party other than the Carrier (for delivery) and law enforcement when compelled by a valid legal process.
18.4 Opt-in is required before any SMS is sent. No agent may send an SMS message through the Service to any Recipient who has not explicitly opted in to receive SMS from that agent. Opt-in is collected through one of the following methods:
No web form on MyAgentFlow is permitted to pre-check the SMS opt-in checkbox or condition any download or other benefit on the Recipient checking the box. Opt-in is logged with a timestamp on the lead record as sms_opt_in_at. The platform's send pipeline (the sendSms edge function) hard-fails any attempted send to a Recipient whose sms_opt_in_at is null.
18.5 Opt-out is immediate and permanent. A Recipient can stop receiving SMS from the agent at any time by replying with any of the standard opt-out keywords: STOP, UNSUBSCRIBE, CANCEL, END, or QUIT. Capitalization, punctuation, and surrounding text are ignored. Our inbound webhook (the twilioInboundSms edge function) sets sms_opt_out_at on the lead record within seconds of the keyword being received. Once that timestamp is set, no agent or automated path can send another SMS to that phone number through the Service. Restoring opt-in after a STOP requires direct database intervention by MyAgentFlow staff and is granted only on receipt of fresh, documented written consent from the Recipient.
18.6 HELP keyword response. A Recipient who replies HELP will receive an automated response identifying the agent, providing the agent's contact information, and disclosing how to opt out. This response is sent at no cost to the Recipient beyond what their mobile carrier charges for receiving an SMS.
18.7 Message frequency. Message frequency varies by agent and by the campaigns the agent has configured. MyAgentFlow does not impose a fixed message-per-month cap, but agents are required by our Acceptable Use Policy (Terms of Service Section 7) to send at a frequency consistent with the consent the Recipient gave. A typical real-estate use case results in fewer than 10 messages per Recipient per month.
18.8 Message and data rates. Standard message and data rates from the Recipient's mobile carrier may apply to every message sent and received. MyAgentFlow does not charge Recipients for SMS messages. Mobile carriers are not liable for delayed or undelivered messages.
18.9 Quiet hours. SMS marketing messages are not sent between 9:00 PM and 8:00 AM local time per the federal Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227). Transactional messages (delivery of a lead-magnet PDF the Recipient just requested, appointment confirmations, two-factor authentication codes) are exempt from the quiet-hours restriction. Local time is determined from the Recipient's phone-number area code when known and from the agent's configured timezone otherwise.
18.10 Audit trail. Every outbound and inbound SMS is logged in the sms_logs table with the message body, the Twilio message SID, the Recipient phone number, the agent who sent it, the campaign or template the message came from (if applicable), the delivery status, the delivery error code (if any), and the timestamp. These logs are retained for the lifetime of the agent's account and remain available to the agent and to MyAgentFlow staff for compliance review. Recipients may request a copy of all SMS records associated with their phone number by contacting privacy@myagentflow.app.
18.11 Carrier disclosure. MyAgentFlow is registered with US carriers under the A2P 10DLC (Application-to-Person 10-Digit Long Code) compliance framework administered by The Campaign Registry. Our brand is registered as Dun4u Services LLC. Each campaign use case is independently vetted before any message is sent. Carriers may filter, throttle, or block messages at their discretion; carriers are not liable for delayed or undelivered messages.
18.12 Children. Consistent with the broader Children's Privacy section above (Section 15), the Service is not directed at children under 18. We do not knowingly accept SMS opt-in from any individual we know to be under 18, and we will purge any phone number we discover is associated with a minor under 18 from our records on request.
18.13 Changes to the SMS program. Any material change to the SMS program (new message types, increased frequency, new use cases) will be disclosed in this section and, where appropriate, communicated to Recipients via a one-time SMS notification before the new program goes live. Continued participation after such notification constitutes acceptance of the change.
18.14 Questions or complaints. Recipients with questions about a specific message should contact the agent who sent it (the agent's name and contact information appear in every message). Recipients with questions about the SMS program itself, or who wish to file a privacy complaint, should contact privacy@myagentflow.app.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We are committed to working with you to resolve any concerns about your privacy.