Privacy Policy

Flow Factory AB

At Flowfactory, customer privacy is a top priority. We manage the personal data you provide when interacting with us, whether through our website, meetings, seminars, email or chat.With “personal information”, we mean data that can identify you as an individual, such as your name, email, phone number or other identifiable data.

What personal data we collect

The personal data we collect depends on how you interact with Flowfactory - whether you are a client, an end-user, a website visitor, or someone in contact with our sales or marketing teams. We only collect personal data that is relevant and necessary for the purposes described in this policy.

1. In the Flowfactory Platform (Product Usage)

If you use our platform as a client or end-user, we may collect the following information:

  • Name
  • Email address
  • Username
  • Profile picture (optional)
  • IP address
  • Login timestamps and attempts
  • Platform activity logs (e.g., create/read/update/delete actions)
  • System-generated logs for operational integrity and security purposes

This data is typically provided by you directly or generated through your use of the platform.

2. In Our CRM and Marketing Systems (e.g., HubSpot)

If you interact with our website, marketing materials, or sales team, we may collect:

  • Contact details (name, email, phone, job title, company)
  • Communication history with our team
  • Information you submit via web forms (e.g., demo requests, whitepaper downloads)
  • Marketing engagement data (e.g., pages visited, email opens/clicks)
  • Publicly available professional information (e.g., from LinkedIn or company websites)

Some of this information is collected automatically using tracking technologies (e.g.,cookies or web beacons), while other data is either provided by you or sourced from third-party providers who confirm they have a lawful basis to share it.

Because HubSpot and other marketing tools may process a broad and evolving set of metadata, we do not list every data point here. However, we commit to only using this data for clearly defined business purposes and in accordance with applicable data protection laws. You can read more about HubSpot’s datahandling practices in HubSpot’s privacy policy and data processing terms.

Source of Personal Data

Most of the personal information we process is provided to us directly by you. However, in some instances, particularly when identifying potential business customers, we may collect limited professional contact information (such as name, company, job title, business email) from publicly available sources (e.g., company websites, professional networking platforms like LinkedIn) or through third-party B2B contact providers who confirm they have a lawful basis to share such data. We do this based on our legitimate interest in business development.

Our Lawful Basis for Processing Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Performance of a Contract: Where we need to process your data to perform the contract we are about to enter into or have entered into with you (e.g., to provide you with FlowFactory services, manage your user account, process payments).
  • Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes:
    • Providing and improving our products and services.
    • Managing our relationship with you, including follow-up communications to solve your problems or discuss our products if you have shown interest.
    • For marketing and business development, such as contacting you if you have shown interest in our products or if you are an existing customer (you can opt-out of marketing communications at any time).
    • Ensuring the security and integrity of our platform and systems.
    • For internal administrative or operational purposes.
  • Consent: Where you have given us explicit consent to do so (e.g., for sending marketing communications to you if you are not yet a customer and have not otherwise engaged with us, or for processing any sensitive personal data if explicitly agreed). You have the right to withdraw consent at any time by contacting us.
  • Legal Obligation: Where we need to comply with a legal or regulatory obligation (e.g., retaining audit logs for legal reasons, tax obligations).

How We Process Data in Our Internal CRM (Hubspot)

The data we process in our internal CRM system (HubSpot) is stored by HubSpot, Inc. in the United States of America. When we transfer your personal data to HubSpot in the USA, which is outside the European Economic Area (EEA), we ensure a similar degree of protection is afforded to it by ensuring that appropriate safeguards are implemented. For our engagement with HubSpot, we rely on You can obtain more information about these safeguards by contacting us or by reviewing HubSpot's data processing terms.

Data Retention Periods

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Specific retention periods or criteria include:

  • Data within the FlowFactory product (Client/End-User controlled): Retained as long as the client or end-user desires, or until migration/deletion by the client. Backups are retained for an additional 30 days post-deletion.
  • User account information (End-User): Retained as long as the client wishes or until the client requests deletion.
  • Audit Logs: Retained for at least 5 years for legal and security reasons, or as determined by client agreement and legal obligations.
  • System Logs (FlowFactory owned): Retained for at least 5 years for security and operational integrity.
  • CRM Data (Contacts and communications with clients/prospects):
    • For active clients: Retained for the duration of the business relationship and thereafter for 5 years as required by law for accounting purposes.
    • For prospective customers or leads (who have shown interest): Retained for5 yearsafter the last meaningful contact, or until you request deletion, unless a business relationship is formed. We periodically review this data.
    • Website interaction data (for visitors not yet customers): Data from website forms or inquiries may be kept for5 years to allow for follow-up, unless you become a customer or request earlier deletion.

Sensitive Personal Data

We do not intentionally collect 'sensitive personal data' (this includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation) for our own direct purposes (e.g., via our website or for general CRM purposes). Our product allows clients to build any type of application and populate it with any type of data. If you, as a client or end-user, choose to store sensitive personal data within applications built on the FlowFactory platform, you are the data controller for that data and are responsible for ensuring you have a valid lawful basis, including explicit consent where required under Article 9 of the GDPR, for processing such data. FlowFactory acts as a data processor in such instances. If, in a rare and specific circumstance, Flow Factory AB itself needs to process sensitive personal data for its own purposes, we will only do so with your explicit prior consent or where otherwise permitted by law, and we will provide you with full details of why and how the information will be used.

Your Data Protection Rights

‍You have several rights in relation to your personal data. These include:

  • The right to be informed: To receive clear, transparent, and easily understandable information about how we use your personal data and your rights. This is why we are providing you with this privacy policy.
  • The right of access: To request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Theright to rectification: To request that we correct any incomplete or inaccurate personal data we hold about you.
  • The right to erasure (right to be forgotten): To request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This right is not absolute and only applies in certain circumstances.
  • The right to restrict processing: To request the suspension of the processing of your personal data in certain scenarios, for example, if you want us to establish its accuracy or the reason for processing it.
  • The right to data portability: To request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • The right to object: To object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the absolute right to object where we are processing your personal data for direct marketing purposes.
  • The right to withdraw consent: If we are relying on your consent to process your personal data, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
  • Rights related to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (we currently do not engage in such activities, but if we do, we will update this policy).

Exercising Your Rights: If you wish to exercise any of the rights set out above, please contact us at privacy@flowfactory.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We will try to respond to all legitimate requests within one month.

Automated Decision-Making and Profiling

We do not currently use your personal data for decisions based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. If our practices change, we will update this policy and provide you with the necessary information.

Consequences of Not Providing Data

Where we need to collect personal data by law, or under the terms of a contract we have with you (e.g., to provide you access to the FlowFactory platform), and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

The Right to Lodge a Complaint

You have the right to lodge a complaint at any time with a supervisory authority if you believe that our processing of your personal data infringes GDPR or other applicable data protection laws. The lead supervisory authority for Flow Factory AB is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY). Contact details for IMY can be found on their website (www.imy.se).

We would, however, appreciate the chance to deal with your concerns before you approach the IMY, so please contact us in the first instance at privacy@flowfactory.com.

Details of the Data Controller

The data controller responsible for your personal data is Flow FactoryABcompany registration number 556594-4971, with its registered address at Riddargatan 13a, 11451 Stockholm, Sweden.

Data Protection Officer(DPO) Contact Details

We have appointed a Data Protection Officer (DPO) who is responsible foroverseeing questions in relation to this privacy notice. If you have anyquestions about this privacy notice, including any requests to exerciseyour legal rights, please contact our DPO using the email: privacy@flowfactory.com