Privacy
New Avenues Federal keeps the public site separate from GoalFlow request work. This page covers what information comes in, where it is stored, how it is used, and what should stay out of public channels.
We receive basic request metadata through Cloudflare plus the information you choose to send through contact email, GoalFlow request forms, uploads, portal access, and related follow-up.
GoalFlow stores structured request metadata, workflow state, approvals, access grants, and audit logs in Cloudflare D1. Uploaded documents and raw inbound email artifacts are stored in Cloudflare R2.
We use submitted information to start requests, screen uploads, route work, issue approved client access, support review, and maintain an audit trail. Public request forms are not a general-purpose document drop.
Traffic reaches GoalFlow over HTTPS. Operations routes are protected by Cloudflare Access, and major workflow and access events are logged for review. Data currently relies on Cloudflare-managed encryption at rest rather than customer-managed keys or field-level application encryption.
Do not send CUI, CDI, ITAR, export-controlled, or unknown-sensitive material through public request forms. If a file is declared or detected as restricted, GoalFlow blocks it before storage and asks you to contact New Avenues Federal first.
A formal public retention schedule is not finalized yet. During the current pilot phase, records may be retained for request operations, audit review, backup, and recovery unless a narrower rule is published.
Privacy questions
