Privacy

What the public site and GoalFlow intake keep.

New Avenues Federal keeps the public site separate from case work. This page covers what information comes in, where it is stored, how it is used, and what should stay out of public channels.

What we collect

We receive basic request metadata through Cloudflare plus the information you choose to send through contact email, GoalFlow intake, uploads, portal access, and related follow-up.

Case and file records

GoalFlow stores structured case metadata, workflow state, approvals, access grants, and audit logs in Cloudflare D1. Uploaded documents and raw inbound email artifacts are stored in Cloudflare R2.

How records are used

We use submitted information to open cases, screen uploads, route work, issue approved client access, support review, and maintain an audit trail. Public intake is not a general-purpose document drop.

Security controls

Traffic reaches GoalFlow over HTTPS. Internal operations routes are protected by Cloudflare Access, and major workflow and access events are logged for review. Data currently relies on Cloudflare-managed encryption at rest rather than customer-managed keys or field-level application encryption.

Restricted material boundary

Do not send CUI, CDI, ITAR, export-controlled, or unknown-sensitive material through public intake. If a file is declared or detected as restricted, GoalFlow blocks it before storage and asks you to contact New Avenues Federal first.

Retention

A formal public retention schedule is not finalized yet. During the current pre-pilot phase, records may be retained for case operations, audit review, backup, and recovery unless a narrower rule is published.

Privacy questions

Use the firm inbox for data-handling questions.
