Potaflow
Get Started Sign In

Privacy Policy

Effective Date: April 11, 2026
Last Updated: April 11, 2026

Potaflow, LLC ("Potaflow," "we," "us," or "our"), a New York limited liability company, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at potaflow.com and our web application (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

Information You Provide

When you register for an account, submit test reports, or use our Service, we may collect:

  • Account Information: Name, email address, phone number, company name, and password credentials
  • Tester Credentials: NYS DOH license numbers, certification types, license expiration dates, and test kit information (manufacturer, model, serial number, calibration dates)
  • Test Report Data: Backflow device test readings, device information (type, manufacturer, model, serial number, size, location), pass/fail results, and inspection dates
  • Customer Information: Customer names, service addresses, property details, and contact information entered by testers for backflow device owners
  • Digital Signatures: Electronic signatures captured from testers and customers during the DOH-1013 form completion process
  • Photos: Images attached to test reports by testers (e.g., device photos, installation documentation)
  • Water District Information: District name, contact information, submission preferences, and compliance rules configured by district administrators

Information Collected Automatically

When you access the Service, we automatically collect:

  • Device and Browser Information: Browser type, operating system, device type, and screen resolution
  • Usage Data: Pages visited, features used, timestamps, and interaction patterns
  • IP Address: Used for security purposes including rate limiting and fraud prevention
  • Error Data: Application errors and performance data used to improve the Service

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Generate DOH-1013 PDF forms from test report data
  • Submit completed test reports to water districts via email or through their review portal
  • Verify tester license credentials against the NYS Department of Health database
  • Calculate device compliance status and upcoming test due dates
  • Send transactional emails (account verification, password resets, submission confirmations, rejection notifications)
  • Monitor and improve the performance, security, and reliability of the Service
  • Respond to your inquiries and provide customer support
  • Comply with legal obligations

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following circumstances:

With Water Districts

When a tester submits a DOH-1013 test report, the report data (including tester information, device details, test readings, customer information, digital signatures, and the generated PDF) is delivered to the applicable water district via email or through their review portal on the Service. This sharing is the core function of the Service and is initiated by the tester upon submission.

With Service Providers

We use the following third-party services to operate the Service. These providers process data on our behalf and are contractually obligated to protect your information:

  • Amazon Web Services (AWS): Cloud hosting, database, and file storage (S3) — US East region
  • Cloudflare: Content delivery network, DNS, and DDoS protection
  • Resend: Transactional email delivery (account verification, submission notifications)
  • Sentry: Application error monitoring and performance tracking
  • Google Maps Platform: Address autocomplete and geocoding for service locations
  • Google Fonts: Web font delivery

For Legal Reasons

We may disclose your information if required to do so by law, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to prevent fraud.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will provide notice of any such change in ownership or control of your personal information.

4. Data Retention

  • Test reports and compliance records: Retained for up to five (5) years from the date of submission to support regulatory compliance requirements. After five years, records may be permanently deleted.
  • Account information: Retained as long as your account is active. If you request account deletion, we will delete your personal information within thirty (30) days, except where retention is required for compliance purposes.
  • Archived PDFs: Stored in AWS S3 for up to five (5) years. After one (1) year, archived files may be moved to lower-cost storage tiers but remain accessible upon request.
  • Error and performance logs: Retained for up to ninety (90) days.

5. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your information, including:

  • All data is encrypted in transit using TLS/SSL
  • Data at rest is encrypted using AWS-managed encryption
  • Passwords are hashed using Argon2, a memory-hard hashing algorithm
  • Authentication tokens are generated using 256-bit random values and stored as SHA-256 hashes
  • Login attempts are rate-limited with progressive lockout to prevent brute force attacks
  • Multi-tenant data isolation ensures each organization's data is logically separated at the database level
  • Security headers (Content Security Policy, HSTS, X-Frame-Options) are configured on all responses

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Your Rights

You have the following rights regarding your personal information:

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete information in your account.
  • Deletion: You may request that we delete your personal information, subject to our data retention requirements for compliance records.
  • Data Export: You may export your test reports and device records from the Service at any time through the built-in export functionality.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within thirty (30) days.

7. Cookies

The Service uses only essential cookies required to maintain your authenticated session. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. Cloudflare may set a security cookie (__cf_bm) to identify trusted web traffic and mitigate bot activity.

8. Children's Privacy

The Service is not intended for anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

9. State-Specific Rights

California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at [email protected].

Other U.S. States

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and others) may have similar rights. Contact us at [email protected] to exercise any applicable rights under your state's law.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this page. For material changes, we will notify you by email or through a notice within the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, contact us at:

Potaflow, LLC
418 Broadway, Ste N, Albany, NY 12207
Email: [email protected]

© 2026 Potaflow, LLC. All rights reserved.