Effective date: 18 July, 2021
Flow is the entity deciding for what purpose your data is being processed. If you reside in the USA, your data controller is Flow OS, Inc., while if you reside in the EU your data controller is Trencadis and other Flow entities in the EU. See more about who we are at https://flowos.com/.
For this purpose, we collect only that personal data absolutely necessary for the specified purposes, on a best efforts basis. We do not sell your data. For the collected information and data, we strive to apply adequate solutions to anonymize it, or to pseudonymize it.
Flow cares about protecting your right to privacy in all the regions where we operate and while complying with local laws, we are committed to implementing the personal data protection standard imposed by the General Data Protection Regulation adopted by the European Parliament and the European Council on 27 April 2016 (hereinafter referred to as the "GDPR") across all Flow entities.
Our Data Protection Officer can be found at the following email address: firstname.lastname@example.org.
The following definitions of terms used in this Policy are drawn from and coordinated with Article 4 of the GDPR and are presented for informational purposes:
- Personal Data: Any information relating to an identified or identifiable natural person (the “Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
- Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
- Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified.
- Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
C. How and why we use information we collect
How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you.
- to provide the Services. In order to provide the Services, and for you to fully enjoy the benefits of our Platform, we need to process the information you provide within the Platform, according to this Policy.
- to ensure network and information security by assuring correct and efficient operation of our products and services, according to the technical specifications, and for their improvement, including analysing the reported IT security issues, delivering and customizing the related services to the Customers' needs and developing new technologies. We are always looking for ways to make our Services smarter, faster, secure, integrated, and useful. We use information and collective learnings (including feedback) about how people use our Services to troubleshoot, to identify trends, usage, activity patterns, and areas for integration and to improve our Services and to develop new products, features and technologies that benefit our Customers and the public.
- to support or communicate with the Customers about the Services. We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze your feedback and crash information, and to repair and improve the Services. we might share information with a third party expert for the purpose of responding to support-related requests. We use your contact information to send transactional communications via email and within the Services, including confirming your purchases, reminding you of subscription expirations, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages.
- to make statistical analysis and market studies/for marketing purposes . We use your contact information and information on how you use the Services to send promotional communications that may be of specific interest to you, including by email. These communications may be informed by audits of interactions (like counting ad impressions), and are aimed at driving engagement and maximizing what you get out of the Services, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you about our Services and any updates or new Services provided, product offers, promotions, and contests, as follows:
- Promotional Emails
- Survey Emails
- Sessions news emails
- Sessions tips emails
You may opt out of receiving promotional communications from us by updating your email notification preferences within your Service account settings menu .
- to protect our legitimate business interests and legal rights . Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions.
- in certain cases, with your consent . We use personal data where you have given us consent to do so for a specific purpose not listed above, e.g. we may publish testimonials or featured customer stories to promote the Services, with your permission.
D. Basic principles regarding personal data processing
The data protection principles outline the basic responsibilities for organizations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
- Storage period limitation: Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure. Appropriate technical or organizational measures are to be taken in order to comply with this requirement: such data security measures can include the use of encryption and authentication and authorisation mechanisms.
- Accountability: Data Controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
E. Legal Basis for processing (for EEA Users)
If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have a legal basis for doing so under applicable EU laws. The legal basis depends on the Services you use and how you use them. This means we collect and use your information only where:
- We need that information as to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
- It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
- You give us consent to do so for a specific purpose; or
- We need to process your data to comply with a legal obligation.
If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.
F. Personal data collection
Flow collects information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below.
- Personal data directly provided by a Customer or a business partner
We collect information about you when you input it into the Services or otherwise provide it directly to us.
- Account and Profile Information
We collect information about you when you register for an account, create or modify your profile, set preferences, sign-up for or make purchases through the Services. For example, you provide your contact information (name, surname, email address, job title) and, in some cases, billing information, when you register for the Services. You also have the option of adding a display name, profile photo, job title/name of employer, and other details to your profile information to be displayed in our Services. We keep track of your preferences when you select your settings for the Services.
If you decide to log in with Google, Facebook, LinkedIn or other social media account, you consent for Flow to have access to your respective profile data on such a social media account.
Please note that the authentication process is being handled through flowos.com. Flowos.com is also owned by Flow and therefore any information collected within the registration process shall be processed in accordance with this Policy.
- Content you provide through our products
The Services include Sessions, where we collect and store content that you post, send, receive and share. This content includes any information about you that you may choose to include. Content also includes the files and links you upload to the Services. We collect feedback you provide directly to us through the product and; we collect content using analytics techniques that hash, filter or otherwise scrub the information to exclude information that might identify you or your organization; and we collect clickstream data about how you interact with and use features of the Services.
- Content you provide through our websites
The Services also include our websites owned or operated by us. We collect other content that you submit to these websites, which include social media or social networking websites operated by us. For example, you provide content to us when you provide feedback or when you participate in any interactive features, surveys, contests, promotions, sweepstakes, activities or events.
- Information you provide through our support channels
The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service or just to send us valuable feedback. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.
Also, when submitting feedback via our designated channels, some account and system information will be shared with us. So keep in mind not to share sensitive or personal information. In order to solve the technical problems you reported via our feedback channel, we may need to process (analyze) information regarding the way you used our product in the context that generated the issue, such as: account information, browser information, operating system, device and other technical information about the system, the artefacts you used within our Product and the way you used them. These information will be used only for improving our services and for solving the technical issues you reported. ,
- Information regarding Guests in Sessions
A guest (or „Attendee”) is a person invited by a User (or „Owner”) to attend a session without having to register for an account. Information regarding the role of the Attendee can be found in the Help Section . In order to participate in a Session, a guest will receive an invitation at the email address provided by the User or an access link via other channels. If an Attendee doesn't have an account yet, they will have to fill their name and email address in order to join the session. In order to provide the Services we will also collect the information provided by the Guest (name, email address, content they provide through our products ).
We will not use Guest information for marketing purposes. The Guest may opt out of receiving any kind of communication from us by choosing to Unsubscribe from our email. Please note that if you choose to unsubscribe from our mailing list you will not be able to receive any kind of emails from us, including meeting invitations, takeaways or notes. In case you change your mind, you can always choose to subscribe back, by taking the same steps you took in order to unsubscribe.
2. Information we collect automatically when you use the Services
We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.
- Your use of the Services
We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use; the links you click on; the type, size and filenames of attachments you upload to the Services; frequently used search terms; and how you interact with others on the Services.
We also collect information about the teams and people you work with and how you work with them, such as with whom you collaborate with and communicate with most frequently.
- Device and Connection Information
We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update, or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.
Server and data center Service administrators can disable collection of this information via the administrator settings or prevent this information from being shared with us by blocking transmission at the local network level.
- Cookies and Other Tracking Technologies
3. Collecting Data from publicly available information and other sources (e.g. from other platforms such as Google, Facebook, LinkedIn)
We receive information about you from other Service Customers, from third-party services, from our related companies, social media platforms, public databases, and from our business and channel partners. We may combine this information with information we collect through other means described above. This helps us to update and improve our records, identify new customers, create more personalized advertising and suggest services that may be of interest to you.
- Other Customers of the Services
Other Customers of our Services may provide information about you when they submit content through the Services. We also receive your email address from other Service Customers when they provide it in order to invite you to the Services. Similarly, an organization may provide your contact information when they designate you as the billing or technical contact on your company's account or when they designate you as an administrator.
- Other services you link to your account
We receive information about you when you or your organization integrate third-party apps (Google Sign-in, LinkedIn Sign-in) or link a third-party service with our Services. For example, if you create an account or log into the Services using your Google credentials, we receive your name and email address as permitted by your Google profile settings in order to authenticate you.
You may also integrate our Services with other services you use, such as to allow you to access, store, share and edit certain content from a third-party through our Services. For example, you may authorize our Services to access, display and store files from a third-party document-sharing service within the Services interface. Or you may authorize our Services to connect with a third-party calendaring service or to sync a contact list or address book so that your meetings and connections are available to you through the Services, so you can invite others to collaborate with you on our Services or so your organization can limit access to certain Customers.
- Other Flow companies and/or partners
We may receive information about you from companies that are owned, operated or mandated by Flow, in accordance with their terms and policies.
We receive information about you and your activities on and off the Services from third-party partners, such as advertising and market research partners who provide us with information about your interest in and engagement with our Services and online advertisements.
- Third Party Providers
We may receive information about you from third party providers of business information and publicly available sources (like social media platforms), including physical mail addresses, job titles, email addresses, phone numbers, intent data (or user behaviour data), IP addresses and social media profiles, for the purposes of targeted advertising of products that may interest you, delivering personalized communications, event promotion, and profiling.
G. What analytics tools we use
In order to understand the navigational trends related to our Services, we use third-party analytics tools which collect information which your browser sends when you visit our web page. Here are tools which we use and information about their privacy policies:
- Cookies - we are using cookies, a small software file stored temporarily or placed on the hard drive of your device in order to allow a web server to identify your device and the web browser you use, in order to recognize you when you are visiting the site again. Cookies may also store preferences or other information about you. For more information please visit our Cookies Policy.
H. How we share information we collect and who has access to personal data.
- With other Service Customers
When you use the Services, we share certain information about you with other Service Customers.
2. For collaboration
You can create content, which may contain information about you, and grant permission to others to see, share, edit, copy and download that content based on settings you or your organization (if applicable) select. Some of the collaboration features of the Services display some or all of your profile information to other Service Customers when you share or interact with specific content. For example, when you comment in a session, we display your profile picture and name next to your comments so that other Customers with access to the page or issue understand who made the comment.
You can confirm whether certain Service properties are publicly visible from within the Services or by contacting the relevant administrator.
3. Internally & with affiliated companies
4. Managed accounts and administrators
If you register or access the Services using an email address with a domain that is owned by your employer or organization or associate that email address with your existing account, and such organization wishes to establish an account or site, certain information about you including your name, profile picture, contact info, content and past use of your account may become accessible to that organization’s administrator and other Service Customers sharing the same domain. If you are an administrator for a particular site or group of Customers within the Services, we may share your contact information with current or past Service Customers, for the purpose of facilitating Service-related requests.
5. With third parties service providers
We work with third-party service providers (e.g. advertising, market research, conferencing ) to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis and other services for us, which may require them to access or use information about you.
6. With third parties products
We work with third parties who provide consulting, sales, support, and technical services (e.g. Hubspot, Webflow, CookieBot, Hotjar, Miro) to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to assist with billing and collections, to provide localized support, and to provide customizations. We may also share information with these third parties where you have agreed to that sharing of information.
7. With third Party Widgets
Some of our Services may contain widgets and social media features, such as the Facebook "like" button or the LinkedIn "applause" button. These widgets and features may collect your IP address, which page you are visiting on the Services, and may set a cookie to enable the feature to function properly. Widgets and social media features are either hosted by a third-party or hosted directly on our Services. You should always check the privacy settings and notices in these third-party services to understand how those third-parties may use your information.
8. With your consent
We share information about you with third parties when you give us consent to do so. For example, we can display personal testimonials of satisfied customers on our public websites. With your consent, we may post your name alongside the testimonial.
9. Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights
In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Flow, our customers or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
I. How we store and secure personal data
- Storage and security
We use industry standard technical and organizational measures to secure the information we store. While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, is safe from intrusion by others.
If you use your server or data center, responsibility for securing storage and access to the information you put into the Services rests with you and not with Flow. We strongly recommend that server or data center users configure SSL to prevent interception of information transmitted over networks and to restrict access to the databases and other storage points used.
2. Duration of storage
How long we keep information we collect about you depends on the type of information, as described in further detail below.
- We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.
- If your account is deactivated or disabled, some of your information and the content you have provided will remain in order to allow your team members or other Customers to make full use of the Services.
- If the Services are made available to you through an organization (e.g., your employer), we retain your information as long as required by the administrator of your account.
- For marketing purposes, if you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
- For solving technical problems you reported: we store the information until we solve the issue you reported and we close the ticket within our support department.
After such time, we will either delete or de-identify your information or, if this is not possible, then we will securely store your information and isolate it from any further use until deletion is possible.
J. How we transfer information we collect
We collect information globally and may transfer, process and store your information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you the Services or have the servers located. Whenever we transfer your information, we take steps to respect the legal requirements laid down by the GDPR.
We make enquiries and require third parties to respect the security of your personal data and to treat it in accordance with the applicable laws and regulation. Third-party service providers might use your personal data for their own purposes but only by respecting their Privacy Policies and the GDPR related principles. We will ensure our best efforts to permit them to process your personal data only for specified purposes and in accordance with our instructions.
Some of our external third parties or contractors are based outside the European Economic Area (EEA) so the processing of your data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- Adequacy decisions
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission through adequacy decisions – the official list of countries that have been recognized to grant a standard of personal data protection compliant to that of the GDPR can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
In addition, UK will also be subject to an adequacy decision to replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021.
- Standard Contractual Clauses (SCCs)
Where we use certain service providers, we may use standard contractual data protection clauses which may have been approved by the European Commission which give personal data the same protection it has in Europe.
Flow offers European Union Model Clauses, also known as SCCs, to meet the adequacy and security requirements for our Consumers that operate in the European Union and the United Kingdom, and other international transfers of data.
- Participation in the EU – US and Swiss – US Privacy Shield Framework
Under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, we are responsible for the processing of information about you that we receive from the EU, the UK, and Switzerland and onward transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for such onward transfers and remain liable in accordance with the Privacy Shield Principles if third-party agents that we engage to process such information about you on our behalf do so in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.
To learn more about the Privacy Shield Program, please see www.privacyshield.gov.
Independent dispute resolution - If Flow has not managed to handle your complaint addressed at email@example.com in a satisfactory manner, you can raise a concern to the attention of your data protection authorities or the Swiss Federal Data Protection and Information Commissioner, which will establish a panel in order to investigate and resolve complaints raised under the Privacy Shield.
Binding arbitration - If you have exhausted all other means to resolve your complaint regarding a potential breach of Flow’s obligations under the Privacy Shield Framework and if you are located in the EEA, the UK or Switzerland, you may invoke binding arbitration.
Liability - Flow is liable for third parties processing personal data on its behalf. However, Flow reserves the right to prove that the non-compliance was not a result of Flow’s actions or was not in Flow’s control.
K. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
L. Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
M. Personal data rights
According to the GDPR, the Data Subjects shall have the right to access to data, rectification, erasure, restriction on processing, objection to processing and right to data portability, as follows:
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
- Request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Object to processing of your personal data. You may object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
- Right to withdraw consent. Where we are relying on consent to process your personal data, you may withdraw that consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
For exercising these rights, you may send a written request, dated and signed and send it to the above mentioned Trencadis headquarters or via email to the data protection officer at firstname.lastname@example.org.
You also have the right to lodge a complaint with a competent supervisory authority on data protection.
N. Fair processing guidelines
- Notices to data subjects
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, the Company is responsible to inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. All such information is provided through this Policy.
2. Obtaining consents
Whenever personal data processing is based on the Customer’s consent, the Company is responsible for retaining a record of such consent. The Company is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
When requests to correct, amend or destroy personal data records are received, the Company must ensure that these requests are handled within a reasonable time frame. The Company must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s).
O. Guidelines for establishing the lead supervisory authority
Whether acting as a controller or as a processor, will have as a lead supervisory authority the Romanian Data Processing Authority (email@example.com) or any other relevant data protection agency in a state where Flow operates (including but not limited to the US or other EU country).
P. Response to personal data breach incidents
When the Company learns of a suspected or actual personal data breach, it must perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the Romanian Data Processing Authority or for that matter, any other relevant data protection agency without undue delay and, when possible, within 72 hours after having become aware of the personal data breach.
Q. Conflicts of law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which the Company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
R. Contact details
The Customers can raise their questions in relation to their rights or to address any questions in relation to this Policy by:
Directly at the address: Romania, Baia Mare, 3D Margeanului Street, Maramures County
Each request will be reviewed as soon as possible, but no later than 30 days since its submission.
S. Disclaimers. Publications date