Flowtly – Privacy Policy

1. General provisions

This Privacy Policy explains how Flowtly Prosta Spółka Akcyjna (“Flowtly”, “we”, “our”, “us”) collects, processes, and protects personal data, as well as what rights users have in relation to their data.

The Policy complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “GDPR”) and other applicable data protection laws. This Policy applies to all users of the Flowtly Platform and to individuals whose personal data are processed in connection with its operation.

2. Data controller

The data controller is Flowtly Prosta Spółka Akcyjna (Flowtly PSA), with its registered office at ul. Młynarska 8/12, 01-194 Warsaw, Poland, entered in the Register of Entrepreneurs under KRS 0001188143, NIP 5273180297, REGON 542625051, with a share capital of PLN 15,800.

You can contact us:

• by post at the above address,
• by e-mail: business.support@flowtly.com, or
• via the contact form available on the Platform.

3. Categories of data processed

We process the following categories of personal data:

• Registration and subscription data: name, surname, e-mail address, password, organization name, position, billing data (address, tax ID), and the scope of the selected subscription plan.
• Employment and HR data: names, PESEL or national identification numbers, e-mail addresses, employment data, remuneration, working time, qualifications, and leave records.
• Contractor and invoicing data: business name, address, tax ID, payment terms, bank account numbers, invoice identifiers, and tax information.
• Sensitive data: only when voluntarily provided and necessary for the performance of the contract (e.g. health information in the context of sick leave, trade union membership for contribution purposes, or demographic data for equality reporting).
• Technical data and integrations: data obtained via Kontomatik (bank account history) used for reconciliation and reporting, error logs from Sentry (Functional Software Inc.), server logs, IP addresses, and cookies.
• Publicly available data: data from KRS, REGON, CEIDG, and other public registers used for verifying contractors.
• Other data provided by users: profile photos, avatars, uploaded files (e.g. invoices or payment confirmations), and content of correspondence with our support team.

4. Purposes and legal basis of processing

Flowtly processes data for the following purposes:

• Provision of services and account management: registering organizations, managing permissions, tracking working time, leave management, invoicing, project budgeting, and reporting.
• Contract performance: issuing invoices, collecting subscription fees, providing technical support, and ensuring service availability.
• Communication with users: responding to inquiries, providing updates, and notifying of service changes.
• Legal obligations: accounting, tax settlements, and document archiving.
• Legitimate interests of Flowtly: ensuring security, preventing fraud, improving services, and pursuing or defending legal claims.

Personal data are not processed for any purposes other than those listed above without prior notification and, where required, the user’s consent.

5. Automated processing and profiling

Flowtly does not make decisions producing legal effects on users or significantly affecting them based solely on automated data processing or profiling.

Some algorithms may support internal features such as workload analysis, resource allocation, or budget prediction, but the final decisions are always made by authorized persons. We may use aggregated, anonymized data for analytical and statistical purposes to improve our services.

6. Data recipients

Personal data may be disclosed to:

• Flowtly employees and authorized collaborators, bound by confidentiality obligations,
• Stripe (payment processing),
• Kontomatik (bank account data integration),
• Functional Software Inc. (Sentry) for monitoring system errors,
• external accountants, lawyers, and IT service providers, to the extent necessary to perform services, and
• public authorities, when required by law.

All third-party providers process data under written data processing agreements and according to Flowtly’s instructions. We do not sell personal data. We may publish only aggregated, anonymized statistics.

Partner privacy policies:

• Stripe
• Kontomatik
• Sentry

7. Transfer of data outside the EEA

Flowtly’s servers are located within the European Economic Area. In some cases, data may be transferred to service providers outside the EEA (e.g. the United States, in the case of Stripe or Sentry). In such situations, we ensure appropriate safeguards are applied, such as Standard Contractual Clauses or adequacy decisions under GDPR.

8. Data retention periods

We store personal data only for as long as necessary to fulfill the purposes for which they were collected, including legal or contractual obligations. After this period, data are deleted or anonymized unless further retention is required by law or to protect Flowtly’s legitimate interests.

9. User rights

Users have the following rights under the GDPR:

• Access to their personal data.
• Rectification of inaccurate data.
• Erasure of data (“right to be forgotten”).
• Restriction of processing.
• Data portability to another controller.
• Objection to processing based on legitimate interest.
• Withdrawal of consent (where processing is based on consent).
• Lodging a complaint with the President of the Personal Data Protection Office (UODO).

To exercise any of these rights, please contact us at business.support@flowtly.com or in writing at the address of our registered office.

10. Data security

We apply organizational and technical measures to protect data against unauthorized access, loss, alteration, or disclosure. We use encrypted connections (HTTPS), regular backups, access control mechanisms, and up-to-date security procedures. Only authorized employees or contractors have access to data, within the scope necessary to perform their duties.

11. Cookies

The Platform uses essential cookies necessary for proper functioning. Analytical cookies are set only if the user agrees via the cookie bar; they help us understand behaviour and improve our services. We do not use cookies for marketing or advertising purposes. Users can manage their choices in the cookie bar at any time or block cookies in their browser; disabling certain cookies may limit some functionalities of the Platform.

12. Final provisions

This Privacy Policy is an integral part of the Flowtly Terms and Conditions. It may be updated periodically; users will be informed of material changes in advance. In the event of discrepancies between language versions, the Polish version shall prevail. This Policy is effective as of 2 September 2025.