This policy describes how we collect and process your data through the https://www.flowpoint.ai website (the "Website"). The terms "Flowpoint", "we", "us", and "our" refer to Flowpoint Analytics Ltd, a legal person registered under the laws of England and Wales.
We are committed to safeguarding the privacy of our users. We are not going to misuse your data.
Flowpoint Analytics Ltd
Registered address: Flat 41 Oslo Court, Prince Albert Road, London, England, NW8 7EN
Contact email address: email@example.com
I. Information we collect from you;
II. Our data processor obligations;
III. Retention of your information;
IV. Third-party Access to Information;
V. Your rights;
VI. Security of information;
VII. Changes to this Policy.
Account set up and provision of services
To access the services and start using our product, you will be required to create an account on our Website and provide us with some information. Specifically, we will ask you to provide us with the following categories of information:
full name of the person creating the account;
the name of the organisation you represent as well as your address;
your organisation's website domain.
The above-mentioned personal information will be processed in order to perform the contract between you and us (GDPR Art. 6.1.b).
Communication and customer support
We may receive your information when you leave a request for support on the Website, or when you inquire about our services. We will use the information given by you to provide you with the help you might need, fix and improve the Website, and analyse our efficiency in product efforts. Additionally, we may process other communications between us and you, for example, your inquiries regarding the services.
The applied legal basis for this is the performance of the contract between you and us (GDPR Art. 6.1.b) and our legitimate interest in improving the Website (GDPR Art. 6.1.f).
Website analytics and marketing activities
We analyse our Website in order to better understand your preferences and enhance your experience with Flowpoint. When we do so, we may collect the following categories of your information:
IP address, UID, email address;
activity on the Website (mouse clicks, page scrolls, page reloads, tabs switching, repeated clicks, and the timestamps of their actions);
details of the devices used (screen size, device type, other
Also, upon receiving consent from you, we will share with you our marketing and promotional materials via email. You can always opt out of this by clicking the appropriate button in our emails to you. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.
Please note that apart from being a data controller, we also take up the role of a data processor when we provide you with our services and analyse your organisation’s website. Specifically, where this is the case, we will process personal data in relation to analytics of the behaviour of your organisation’s website visitors. Such data will typically include:
user's IP address, approximate location, UID, browser details (configuration, fingerprint), email address (if made available);
their activity on your website (mouse clicks, page scrolls, page reloads, tabs switching, repeated clicks, and the timestamps of their actions);
the details of the devices used by them (screen size, device type, operating system, other details); and
custom data: information about user custom events, user custom attributes, other related data.
As a data processor of such information, we do not use it for our own purposes and only store it on behalf of our customers so they can use our user analytics software.
We will offer you a Data Processing Agreement to sign with us when we start to process the information provided by you as a data processor.
We will store your information and data of your website visitors for as long as you have an activated account with us. When you stop being our client, we will delete or anonymise the information collected from you and your website visitors after 6 months, unless you explicitly ask us to delete the information earlier.
However, we may need to retain some of your personal data for longer if there is a need for it, for example, in order to comply with our tax, accounting and legal requirements. In this case, the applied legal basis for the processing of your information will be the necessity to comply with a legal obligation.
Your personal information may be shared with the following third parties:
IT outsourcing service providers;
email service providers;
cloud hosting providers to store and process collected data;
customer communication solutions;
payment service providers;
online document storage solutions;
CRM software solutions;
project management solutions.
The providers listed above process your information based on our instructions only.
In case your personal data is provided to third parties outside the EEA, we will implement appropriate safeguards to protect your personal data, including Standard Contractual Clauses as adopted by the European Commission. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Google API Services
The Website’s use and transfer to any other website of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. Please make sure to familiarise yourself with this policy.
In addition to the disclosures for the purposes identified before, we may disclose information about you:
if we are required to do so by law, in connection with any legal proceedings or to establish, exercise or defend our legal rights; and
in case we sell, licence or otherwise assign our company, corporate rights, the Website or its separate parts or features to third parties.
We will not sell, share or rent your information to third parties.
You may exercise GDPR rights regarding your personal data. In particular, you have the right to:
You have the right to know what personal data we process. As such you can obtain the disclosure of the personal data involved in the processing and you can obtain a copy of the information undergoing processing.
If you find that we process inaccurate or out-of-date information, you can verify the accuracy of your information and/or ask for it to be updated or corrected.
If we are not under the obligation to keep your personal data for legal compliance and it is not needed in the scope of an active contract or claim, we will remove your information upon your request.
When you contest the accuracy of your information, believe we process it unlawfully or want to object to the processing, you have the right to temporarily stop the processing of your information to check if the processing was consistent. In this case, we will stop processing your personal data (other than storing it) until we are able to provide you with evidence of its lawful processing.
Where we process your personal data on the legal basis of consent you provided us or on the necessity to perform a contract, we can make, at your request, your personal data available to you or to an organisation of your choosing.
If we process your information for our legitimate interests (e.g., for direct marketing emails or for our marketing research purposes), you can object to it. Let us know what you object against and we will consider your request. If there are no compelling interests for us to refuse to perform your request, we will stop the processing for such purposes. If we believe our compelling interests outweigh your right to privacy, we will clarify this to you.
You can formulate such requests or channel further questions on data protection by contacting us directly at firstname.lastname@example.org or by contacting our Data Protection Officer at: email@example.com.
If you are a visitor of the website that uses our services, please send your personal data request to the data controller of your data, i.e., the website owner.
If you believe that our use of personal information violates your rights, or if you are dissatisfied with a response you received to a request you formulated to us, you have the right to lodge a complaint with the competent data protection authority of your choice.
We will take all necessary measures to protect your information from unauthorised or accidental access, destruction, modification, blocking, copying, and distribution, as well as from other illegal actions of third parties. As we use the services of third-party software providers across several countries outside of the European Union, we may transfer the collected information to those countries for further processing. In such cases, we will make sure that relevant safeguards are in place. More information on such safeguards can be provided upon request.
We also make sure that access to your information stored in our database is only possible via a secure and closed VPN connection. Additionally, all communications exposed to the internet are TLS encrypted to provide the highest level of communications security.
This Data Processing Agreement (the "Agreement") forms part of Processor's Terms and Conditions (the "Master Agreement") between Flowpoint Analytics Ltd (the "Processor") and the party that has accepted the Master Agreement (the "Controller").
(A) The Parties entered into the Master Agreement.
(B) Due to the scope and subject-matter of the Master Agreement, it is necessary for the Processor to Process the Personal Data on behalf of the Controller.
(C) This Agreement sets out the additional terms, requirements and conditions on which the Processor shall Process the Personal Data on behalf of the Controller under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) GDPR for contracts between data controllers and data processors.
(D) The date of execution of the Master Agreement shall constitute the date of execution of this Agreement.
Definitions and interpretation
1.1. The Parties acknowledge that, as per definitions in the Data Protection Legislation, the Controller is a controller and the Processor is a processor, unless otherwise explicitly stated in the Agreement.
1.2. Where the Agreement uses terms that are defined in the Master Agreement, the terms shall have the same meaning as in the Master Agreement.
1.3. The terms used in this Agreement have the following meaning:
"Data Protection Legislation" means all privacy and data protection laws applicable to the Processing, including the GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the Processing of the Personal Data and the privacy of electronic communications, as updated, amended or replaced from time to time.
"Data Subject" means an individual who is a subject of the Personal Data.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and its national implementing laws, including, but not limited to, the UK GDPR as defined in section 3 of the UK Data Protection Act 2018.
"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor as specified herein; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, identification number, location data, online identifier, or to one or more factors specific to the physical, the physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed.
"Processing", "Processes", "Process" and "Processed" mean either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define “processing”, “processes”, “process” or “processed”. The terms include any operation or set of operations performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as well as transferring the Personal Data to third parties.
"Regulation (EU) 2018/1725" means Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
"SCCs" means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
"IDTA" means International Data Transfer Agreement incorporating the Standard Data Protection Clauses issued by the Information Commissioner under S119A(1) Data Protection Act 2018 of the United Kingdom.
1.4. Any reference to “writing” or “written” includes faxes, email and electronic messaging services.
The Personal Data types and the Processing purposes
2.1. The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consent for the Processing instructions it gives to the Processor.
2.2. Subject-matter and nature of the Processing: Provision of services under the Master Agreement, such as analysing the behaviour of the users of the Controller's website. The nature of the Processing activities implies the set of operations, such as collection, recording, organisation, structuring, usage, storage, erasure or destruction of data.
2.3. Duration of the Processing: 6 months after the end of the Master Agreement or earlier if agreed by the Parties.
2.4. Purposes, the Data Subjects, and the Personal Data categories:
|Purposes and activities||Data Subjects||Personal Data categories|
|Website analytics||Users of the Controller's website||IP address, UID, email address; activity on the Controller's website (mouse clicks, page scrolls, page reloads, tabs switching, repeated clicks, and the timestamps of their actions); details of the devices used (screen size, device type, other details).|
2.5. Security measures:
Access to the database is only possible via a secure and closed VPN connection, with separate credentials;
All communications exposed to the internet are TLS encrypted;
Compulsory prior authentication of the Controller to access the personal data belonging to them and processed by the Processor.
2.6. Subprocessors involved:
|Intercom||Customer communications management||USA|
|Slack Technologies, LLC||Communication||USA|
|One Drive (Microsoft Corporation)||Document storage||USA|
|iCloud (Apple Inc.)||Document storage||USA|
|Namecheap||Domains and hosting||USA|
|Google Drive (Google LLC)||Document storage||USA|
|Notion Labs, Inc.||Task Management solution and document storage||USA|
|Trello, Inc.||Project Management solution||USA|
|IT contractors||IT development and support||Romania|
|Stripe, Inc.||Payment processing platform||USA|
|Mailchimp||Email marketing platform||USA|
The Processor's obligations
3.1. The Processor shall only Process the Personal Data in accordance with the Controller’s written instructions specified herein. The Processor shall not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Processor shall promptly notify the Controller if, in the Processor’s opinion, the Controller’s instructions would not comply with the Data Protection Legislation.
3.2. The Processor shall promptly comply with any of the Controller’s requests or instructions requiring the Processor to amend, transfer, delete or otherwise Process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
3.3. The Processor shall maintain the confidentiality of all the Personal Data and shall not disclose the Personal Data to third parties, unless the Controller or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Processor to Process or disclose the Personal Data, the Processor shall first inform the Controller of the legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4. The Processor shall reasonably assist the Controller with meeting the Controller’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor’s Processing and the information available to the Processor, including in relation to the Data Subject’s rights, data protection impact assessments and reporting to and consulting with the supervisory authorities under the Data Protection Legislation.
3.5. The Processor shall promptly notify the Controller of any changes to the Data Protection Legislation that may adversely affect the Processor’s performance of the Master Agreement.
3.6. The Processor shall ensure that all its employees with access to the Personal Data:
a. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
b. have undertaken training on the Data Protection Legislation relating to handling the Personal Data and how it applies to their particular duties; and
c. are aware of both the Processor’s obligations and their personal obligations under the Data Protection Legislation and this Agreement.
3.7. The Processor shall take reasonable steps to ensure the reliability, integrity and trustworthiness of the employees with access to the Personal Data and conduct their background checks consistent with applicable law.
4.1. The Processor shall at all times implement appropriate technical and organisational measures against the unauthorised or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data.
4.2. The Processor shall implement such measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk involved.
4.3. The Controller hereby confirms that technical and organisational measures specified herein are sufficient and appropriate under the Data Protection Legislation and this Agreement.
The Personal Data Breach
5.1. The Processor shall promptly and without undue delay notify the Controller if any Personal Data is lost or destroyed, or becomes damaged, corrupted, or unusable. The Processor shall restore such Personal Data at its own expense.
5.2. The Processor shall immediately and without undue delay notify the Controller if the Processor becomes aware of:
a. any accidental, unauthorised or unlawful Processing of the Personal Data; or
b. any Personal Data Breach.
5.3. Where the Processor becomes aware of (a) and/or (b) of Clause 5.2 hereof, the Processor shall, without undue delay, also provide the Controller with the following information:
a. description of the causes and nature of (a) and/or (b) of Clause 5.2 hereof, including the categories and approximate number of both the Data Subjects and the Personal Data records concerned;
b. the likely consequences; and
c. description of the measures taken or proposed to be taken to address (a) and/or (b) of Clause 5.2 hereof, including measures to mitigate the possible adverse effects.
5.4. Immediately following any unauthorised or unlawful Processing of the Personal Data or the Personal Data Breach, the Parties shall coordinate with each other to investigate the matter. The Processor shall reasonably cooperate with the Controller in the Controller's handling of the matter, including:
a. assisting with any investigation;
b. providing the Controller with physical access to any facilities and operations affected;
c. facilitating interviews with the Processor's employees, former employees and others involved in the matter;
d. making available all relevant records, logs, files, data reporting and other materials required to comply with all the Data Protection Legislation or as otherwise reasonably required by the Controller; and
e. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or the unlawful Processing of the Personal Data.
5.5. The Processor shall not inform any third party of any Personal Data Breach without first obtaining the Controller’s prior written consent, except when required to do so by law.
5.6. The Processor agrees that the Controller has the sole right to determine:
a. whether to provide a notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice; and
b. whether to offer any type of a remedy to the affected Data Subjects, including the nature and extent of such remedy.
5.7. The Processor shall cover all reasonable expenses associated with the performance of the obligations under Clauses 5.2 and 5.4 hereof, unless the matter arose from the Controller’s specific instructions, negligence, wilful default or breach of this Agreement, in which case the Controller shall cover all reasonable expenses.
Cross-border transfers of the Personal Data
6.1. The Controller hereby authorises the Processor to transfer or otherwise Process the Personal Data outside the European Economic Area (the "EEA") subject to conditions laid down in this Agreement.
6.2. The Processor may only Process, or permit the Processing of, the Personal Data outside the EEA under one of the following conditions:
a. the Processor Processes the Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals.
b. the Processor takes, where appropriate, one of the safeguards specified by the Data Protection Legislation, notably by Article 46 GDPR.
6.3. If any Personal Data transfer between the Controller and the Processor requires the execution of the SCCs or the IDTA in order to comply with the Data Protection Legislation, the Parties shall complete all relevant details and take all other actions required to legitimise the transfer.
7.1. The Processor may not authorise a third party (subprocessor) to Process the Personal Data, unless all of the following conditions are met:
a. the Controller has given a specific or general written authorisation to the engagement of the subprocessor(s);
b. the Processor shall enter into a written agreement with each of the authorised subprocessors, which shall contain terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures;
c. at the Controller's request, the Processor shall provide to the Controller a copy of such an agreement with the subprocessor and any subsequent amendments. To the extent necessary to protect a business secret or other confidential information, including Personal Data, the Processor may redact the text of the agreement prior to sharing the copy;
d. the Processor shall maintain control over all the Personal Data it entrusts to the subprocessor(s).
7.2. The Controller hereby gives a general authorisation to involve subprocessors to Process the Personal Data under this Agreement. In case the Processor intends to update the list of subprocessors engaged, the Processor shall inform the Controller in advance and provide the Controller with the information necessary to enable the Controller to exercise the right to object.
7.3. Where the subprocessor fails to fulfil its obligations under such a written agreement, the Processor remains fully liable to the Controller for the subprocessor's performance of its obligations.
7.4. Where the Processor fails to fulfil its guarantees under Clause 7.1 hereof, the Processor shall indemnify the Controller for all arising direct and indirect damages.
Complaints, the Data Subjects requests and third-party rights
8.1. The Processor shall, at no additional cost, take such technical and organisational measures as may be appropriate and promptly provide such information to the Controller, as the Controller may reasonably require, to enable the Controller to comply with:
a. the rights of the Data Subjects under the Data Protection Legislation, including the Data Subjects' access rights, the rights to rectify and erase the Personal Data, object to the Processing and automated Processing of the Personal Data, and restrict the Processing of the Personal Data; and
b. information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.
8.2. The Processor shall notify the Controller immediately and without undue delay if the Processor receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either Party's compliance with the Data Protection Legislation.
8.3. The Processor shall notify the Controller immediately and without undue delay when the Processor receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
8.4. The Processor shall provide the Controller with the Processor's full cooperation and assistance in responding to any complaint, notice, communication or the Data Subject's request in connection with the Personal Data Processed.
8.5. The Processor shall not disclose the Personal Data to any Data Subject or to a third party other than at the Controller's request or instructions, as provided for in this Agreement or as required by law.
This Agreement shall remain in full force and effect so long as:
a. the Master Agreement remains in effect, or
b. the Processor retains any Personal Data related to the Master Agreement in the Processor's possession or control (the "Term").
Non-compliance with the Agreement and termination
10.1. Without prejudice to any provisions of the GDPR and/or the Regulation (EU) 2018/1725, in the event that the Processor is in breach of its obligations under this Agreement, the Controller may instruct the Processor to suspend the Processing of the Personal Data until the Processor complies with its obligations under this Agreement or the Agreement is terminated.
10.2. The Controller shall be entitled to terminate the Agreement if:
a. the Processing of the Personal Data by the Processor has been suspended by the Controller pursuant to Clause 10.1 hereof and if compliance with the obligations under this Agreement is not restored within a reasonable time and in no event later than within 1 (one) month following suspension;
b. the Processor is in substantial or persistent breach of its obligations under this Agreement or its obligations under the GDPR and/or the Regulation (EU) 2018/1725;
c. the Processor fails to comply with a binding decision of a competent court or a competent supervisory authority regarding its obligations pursuant to this Agreement or the GDPR and/or the Regulation (EU) 2018/1725.
10.3. The Processor shall be entitled to terminate the Agreement where, after having informed the Controller that the Controller's instructions infringe applicable legal requirements in accordance with Clause 3.1 hereof, the Controller insists on compliance with the instructions.
10.4. Any provision of this Agreement, which expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data, shall remain in full force and effect.
10.5. If a change in any Data Protection Legislation prevents either Party from fulfilling all or part of its Master Agreement obligations, the Parties shall suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of the Personal Data into compliance with the Data Protection Legislation within 2 (two) months, a Party may terminate the Master Agreement on written notice to the other Party.
Data return and destruction
11.1. At the Controller's request, the Processor shall give the Controller a copy of or access to all or part of the Controller's Personal Data in the Processor's possession or control in the format and on the media reasonably specified by the Controller.
11.2. Upon termination of the Master Agreement for any reason or expiry of their term, the Processor shall securely delete or destroy or, if directed in writing by the Controller, return and not retain all or any Personal Data related to this Agreement in the Processor's possession or control.
11.3. If any law, regulation or governmental or regulatory body requires the Processor to retain any documents or materials that the Processor would otherwise be required to return or destroy, the Processor shall notify the Controller in writing of that retention requirement, giving details of the documents or materials that the Processor shall retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
11.4. Upon the request from the Controller, the Processor shall certify in writing that the Processor has destroyed the Personal Data.
12.1. If the Controller is required to show its compliance with the Data Protection Legislation, or the Controller reasonably believes that a Personal Data Breach occurred or is occurring, or the Processor is in breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor shall permit an assigned and eligible third-party representative of the Controller to audit the Processor's compliance with its obligations under this Agreement on at least 15 (fifteen) days' notice during the Term. The Processor shall give the third-party representative of the Controller all necessary assistance reasonably required to conduct such audits. The assistance may include, but is not limited to:
a. physical access to, remote electronic access to any information held at the Processor's premises or on systems storing the Personal Data;
b. access to and meetings with any of the Processor's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
c. necessary inspection of all infrastructure, electronic data or systems, facilities, equipment or application software used to store, Process or transfer the Personal Data.
12.2. If a Personal Data Breach occurred or is occurring, or the Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor shall:
a. promptly conduct its own audit to determine the cause;
b. produce a written report that includes a detailed plan to remedy any deficiencies identified by the audit;
c. provide the Controller with a copy of the written audit report; and
d. promptly remedy any deficiencies identified by the audit.
12.3. The Processor shall promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Processor's management.
12.4. The Controller shall cover all reasonable expenses incurred by the Processor in connection with performing its obligations under Clause 12.1 hereof.
This Agreement shall be governed by, construed and interpreted in accordance with the laws of England and Wales.