Contents
1 Information we collect
We collect only the minimum information necessary to operate the service.
Information you provide directly:
- Name and email address when you sign in via Google OAuth.
- Workflow data and process instances you create in the live demo.
Information collected automatically:
- Standard server access logs (IP address, browser type, pages visited, timestamps).
- Session identifiers stored in a browser cookie.
We do not collect payment information, precise geolocation, or sensitive personal data.
2 How we use your information
We use the information we collect to:
- Authenticate you and maintain your session.
- Associate workflow instances with your account in the live demo.
- Diagnose errors and improve the service.
- Comply with legal obligations.
We do not sell, rent, or share your personal information with third parties for marketing purposes.
3 Google OAuth & sign-in
The live demo at bpmn.omniworkflow.com offers sign-in with Google. When you choose this option:
- You are redirected to Google's authentication service.
- We receive only your name, email address, and profile picture from Google — no passwords are ever transmitted to us.
- Your use of Google sign-in is also governed by Google's Privacy Policy.
You may also create a local account with a username and password. Passwords are stored as salted hashes and are never stored in plaintext.
4 Cookies & sessions
We use a single session cookie to keep you signed in. This cookie:
- Is set only after you sign in.
- Contains a random session identifier — no personal data.
- Expires when you close your browser or sign out.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
5 Data storage & security
Workflow instance data created in the live demo is stored in a MongoDB database hosted on a private server. We apply standard security measures including encrypted connections (TLS), access controls, and regular backups.
The live demo is a demonstration environment. Do not store confidential or sensitive personal data in process instances. Demo data may be periodically cleared without notice.
If you self-host bpmn-server (open-source), you are fully responsible for the security of your own deployment.
6 Third-party services
This website and demo use the following third-party services:
- Google OAuth — authentication (see Section 3).
- GitHub — source code hosting; linked from this site but no data is sent to GitHub during normal use.
- MongoDB Atlas (or equivalent) — database hosting for the demo environment.
We do not integrate Google Analytics, Facebook Pixel, or any advertising network.
7 Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data.
- Object to or restrict processing of your data.
- Withdraw consent at any time (including revoking Google access via your Google account settings).
To exercise any of these rights, contact us at the address in Section 10. We will respond within 30 days.
8 Children's privacy
This service is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9 Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the service after any changes constitutes acceptance of the updated policy.
For material changes, we will make reasonable efforts to provide notice (for example, by posting a notice on the site before the change takes effect).
10 Contact us
If you have questions or requests regarding this Privacy Policy, please reach out: