This Privacy Policy describes how Performance Flow Metrics collects, uses, discloses, and protects personal information and institutional accounting data in connection with the Service. The Service is offered to businesses, institutions and their authorized users (collectively, “Customers” or “you”). By using the Service, you agree to the collection and use of information in accordance with this Policy.
Effective date: 02/20/2026
Provider: Performance Flow Metrics, LLC (“Performance Flow Metrics”, “we”, “us”, “our”)
Service: Upstream Reporting (the “Service”)
1. Controller / Roles
Performance Flow Metrics is the controller for personal data we collect directly from users and for our own operational purposes as described below.
When we process Customer Data on behalf of a Customer (e.g., accounting, LOS inputs, owner contact info), the Customer is the data controller and Performance Flow Metrics acts as a processor. In such cases, our processing is governed by a Data Processing Addendum (DPA) or the terms of your contract.
If you are an individual end-user, your first point of contact for data requests is your employer/Customer. If you need help contacting your Customer or making a request, see Contact Us below.
2. Information We Collect
We collect information from three high-level sources:
A. Customer Data (Institutional accounting & LOS data)
- Content you or your organization upload to the Service, including but not limited to:
  - Well-level production data, accounting ledgers, lease operating statement inputs, revenue distributions, royalty and owner data, transaction records, mappings and associated metadata.
- Records and reports generated by the Service (e.g., LOS PDFs, spreadsheets).
Note: Customer Data may contain personal data (names, addresses, email, phone numbers) of individuals (e.g., owners, employees). Such personal data is treated as Customer Data under this Policy.
B. Account & Contact Data
Organization name, billing and contact information, Authorized User names, emails, phone numbers, job titles, and role information.
C. Usage, Technical & Security Data
Log and event data, IP addresses, device/browser information, authentication logs, audit trails, performance metrics and cookies (if accepted at login).
D. Payment & Billing Data
Billing details, invoices and payment confirmation. We use PCI-compliant payment processors for card transactions and do not store full card numbers unless explicitly authorized.
3. How We Use Information
We use information for these purposes:
- Provide and operate the Service. Hosting, processing, rendering reports, data imports/exports, integrations and support.
- Billing and account management. Invoicing, payment processing, fraud prevention.
- Security and integrity. Detecting and responding to threats, vulnerability management, and enforcing policies.
- Support & operations. Troubleshooting, onboarding, documentation, uptime and disaster recovery.
- Improvement & analytics. Aggregate and anonymized analytics to measure and improve the Service and build features. We do not identify Customers in anonymized datasets.
- Legal & compliance. Responding to lawful requests, audits, compliance obligations and to protect rights, property or safety.
- Optional communications. Service notices, updates and marketing (only with consent where required by law).
Legal bases (EU/EEA): performance of contract, legitimate interests (security, product improvement), consent for marketing where required, and legal obligations.
4. Data Sharing & Subprocessors
We do not sell Customer Data.
We may share Customer Data as follows:
- Subprocessors / vendors. We use trusted subprocessors to host, operate and support the Service (e.g., cloud hosts, payment processors, analytics and monitoring providers, escrow agents). We enter written agreements and data protection terms with subprocessors and require them to implement appropriate safeguards. A current list of subprocessors is available on request.
- Customer-authorized parties. At Customer’s instruction we may share data with banks, auditors, service providers, integrators or other parties authorized by Customer.
- Legal requirements. We may disclose data to comply with law, a court order, or to respond to government or regulatory requests.
- Business transfers. In connection with a merger, acquisition, sale or financing, Customer Data may be transferred; we will notify Customers and require the transferee to honor this Policy or obtain Customer consent.
5. International Transfers
Customer Data and other personal data may be processed or stored in jurisdictions outside your country, including the United States. Where data is transferred from the EU/EEA/UK, we rely on appropriate safeguards such as EU Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms. Contact support@performanceflowmetrics.com for details.
6. Security
We implement commercially reasonable technical and organizational measures, such as:
- TLS encryption in transit and encryption at rest where appropriate;
- Role-based access controls and least-privilege principles;
- Multi-factor authentication support;
- Logging and monitoring, vulnerability scanning and patch management;
- Regular backups and disaster recovery procedures; and
- Periodic independent assessments.
While we work to protect Customer Data, no system is 100% secure. We maintain an incident response plan and will notify impacted Customers in accordance with applicable law and contractual obligations. You’ll find details in our Security and Privacy statement.
7. Retention
We retain Customer Data for the period necessary to provide the Service and for business/operational needs, or as required by law. Upon termination of your account we will, upon Customer’s instruction, return a Transition Package (data export and documentation) and securely delete Customer Data from production systems in accordance with the DPA and Order, subject to reasonable archival/back-up retention windows and legal obligations.
8. Data Subject Rights
Where applicable, data subjects (or Customers acting on their behalf) have rights including:
- Access, correction, deletion, portability (subject to contractual and legal limits);
- Restriction / objection to certain processing; and
- Withdrawal of consent where consent was the basis for processing.
For Customer Data processed on Customer’s behalf, Customer is the controller and is responsible for addressing data subject requests. Provider will assist as needed under the DPA. To make requests to Provider (e.g., for Provider-collected account data), contact support@performanceflowmetrics.com.
For EU/UK data subjects, we will respond in accordance with GDPR timelines; for California residents, see the CCPA/CPRA rights and process below.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have additional rights including:
- Right to know categories of personal information collected and shared;
- Right to deletion of personal information;
- Right to opt-out of the sale of personal information (we do not sell Customer Data); and
- Right to non-discrimination for exercising privacy rights.
To make a request, please email support@performanceflowmetrics.com.
We may verify your identity before responding. For requests from California consumers served through a Customer, we will cooperate with the Customer to respond.
10. Children
The Service is a business tool and is not directed to children under 13. We do not knowingly collect personal data from children under applicable age thresholds.
11. Third-Party Integrations
The Service may integrate with third-party accounting platforms, data feeds and tools. Those integrations are controlled by Customers; Provider is not responsible for the privacy practices of third-party applications. Before enabling an integration, review the third party’s privacy policy and ensure you are authorized to share data.
12. Changes to This Policy
We may update this Policy from time to time. For material changes, we will notify Customers by email or via the Service. Continued use after changes indicates acceptance.
13. Contact Us
- Email: support@performanceflowmetrics.com
- Mail: Performance Flow Metrics, LLC, 13150 Coit Road, Dallas, TX 75240
If you have privacy questions, need assistance with a rights request, or want a list of our subprocessors, contact us at the email above.
14. Effective Date and Miscellaneous
This Policy is effective as of the date above. This Policy is incorporated into the Agreement between Provider and Customer and is subject to the Agreement’s terms.





