Privacy Policy

FlowHunt's Privacy Policy outlines data processing for users, managed by QualityUnit. It covers purposes, legal bases, user rights, data transfers, and security. Consent is required for service use, with data stored on Stripe and shared with OpenAI and Google.

1. General

This Privacy Policy describes how FlowHunt processes the Users personal information to perform the Services offered in the Website, under the domain flowhunt.io (“Services”).

Users must read and expressly consent to the data treatment referred by this Privacy Policy, before using the Services.

2. Data Controller

The Controller of the data collected through this Website is QualityUnit, sro.

Flowhunt will process the personal data of the User of this Website for the following purposes:

  • Enable the maintenance, development and management of the Services, business relationship formalized by contracting products and/or services through this Website, which includes carrying out operations that relate to the management of customers concerning the contracts, orders, deliveries and invoices, and manage the unpaid invoices and possible disputes about the use of our products and services. The data processed for this purpose will be kept as long as said business relationship is maintained and, once it ends, during the periods of conservation and prescription of responsibilities legally established. The legal basis of the treatment is the execution of a contract in which the User is a party.
  • Respond to requests for information and/or queries made by the User. The data processed for this purpose will be kept until the request for information and/or consultation has been answered and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the legitimate interest of FlowHunt in responding to the User.
  • Keep the User informed, including by electronic means, about FlowHunt products, services and news. The data processed for this purpose will be kept until the moment the User withdraws his consent given to receive said communications and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the consent of the User.
  • If the User does not consent to the processing of your data for this purpose, please inform FlowHunt with email to support@flowhunt.io.

Failure to accept this Privacy Policy will imply that all the Services rendered and Website content offered by FlowHunt shall not be made available, and that the system subscription process shall be interrupted or terminated.

4. Categories of data

‍The data relating to bank cards and all personal data are stored in Stripe, under the rules and policies of Stripe. https://stripe.com/en-sk/privacy.

5. Automated Decision-Making

FlowHunt informs the Users that by using the Services they will be subject to automated decision-making, including profiling.

6. Recipients and Personal Data Transfers

The data may be communicated to the following third party recipients: OpenAI, Google.

7. Rights of the Users

Users are, at any time, entitled to exercise their rights of access, rectification, erasure, restriction of processing, data portability, not to be object to a decision based solely on automated processing, including profiling, and object, by contacting FlowHunt and sending a written notification to support@flowhunt.io, attaching a copy of their National Identity Document or another equivalent identity document identifying them as a User.

Users have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The Users also have the right to lodge a complaint with a supervisory authority.

8. FlowHunt as data processor

In the event that the User purchases a license to use the Services, FlowHunt will need to process certain personal data on behalf of the licensee (whether the licensee is the User itself or a legal entity represented by the User). For these purposes, the User shall be considered the Data Controller and FlowHunt shall be considered the Data Processor.

The following clauses constitute the regulation of the relationship between the Controller and the Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “GDPR2) and Article 33 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter, “LOPDGDD”).

8.1. Processing of data to be carried out by the Data Processor

The Data Processor shall process the personal data necessary to carry out the Services on behalf of the Controller. The aforementioned processing shall have a duration equal to that of the provision of the Services, in such a way that once the provision of the Services has been completed, the processing shall be deemed to have been completed.

8.2. Obligations of the Processor

The Data Processor undertakes to:

a. Use the personal data undergoing processing, or that it collects for the purpose of their inclusion, only for the strict provision of the Services. Under no circumstances may it use the data for its own purposes.

b. Process the data in accordance with the instructions of the Controller. If the Processor considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions, the Processor shall immediately inform the Controller thereof.

c. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.

d. Not to communicate the data to third parties, except with the express authorisation of the Data Controller, in the legally admissible cases.

e. Not to subcontract any of the services that form part of the Services and involve the processing of personal data.If it is necessary to subcontract any processing, the Controller must be given prior written notice of this fact, at least 20 calendar days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may be carried out if the Controller does not express its opposition, in writing, within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established herein for the Data Processor and the instructions issued by the Data Controller. It is the responsibility of the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the initial processor, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subcontractor, the initial Processor shall remain fully liable to the Controller for compliance with the obligations.The Controller authorizes the Processor to carry out the following subcontracting necessary to provide the Services: see list of suprocessors.

f. Maintain the duty of secrecy with respect to the personal data to which it has access by virtue of the provision of the Services, even after the provision of the Services has ended.

g. To ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

h. Keep at the disposal of the Data Controller the documentation accrediting compliance with the obligation established in the previous section.

i. Guarantee the necessary training in the protection of personal data for the persons authorized to process personal data.

j. Assist the Controller in responding to the exercise of the rights of:

  • Access, rectification, erasure and object;
  • Limitation of processing;
  • Data portability;
  • Not to be subject to automated individualized decisions (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and object, restriction of processing, data portability and the right not to be subject to automated individualized decisions before the Data Controller, the latter must communicate this by e-mail to the Data Controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.

k. Notify the Controller without undue delay and, in any event, no later than 48 hours by e-mail of any breach of security of the personal data under their responsibility of which they become aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, at least the following information shall be provided:

  • A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned.
  • The name and contact details of the data protection officer or other point of contact from whom further information may be obtained.
  • A description of the possible consequences of the personal data breach.
  • Description of the measures taken or proposed to be taken to remedy the personal data breach including, where appropriate, measures taken to mitigate the possible negative effects.

If it is not possible to provide the information simultaneously, to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a gradual manner without undue delay.

l. Support the Controller in carrying out data protection impact assessments, where appropriate.

m. Support the Controller in carrying out prior consultations with the supervisory authority, where appropriate.

n. Make available to the Controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Controller or any other auditor authorized by it.

o. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons. In any case, it shall put in place mechanisms to:

Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.

  • Restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
  • Pseudonymized and encrypt personal data, where appropriate.

p. Appoint a Data Protection Officer and communicate his or her identity and contact details to the Controller, where appropriate.

q. Comply with the other obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Processor.

8.4. Obligations of the Data Controller

The Data Controller has the following obligations:

a. To provide or allow access to the data specified above by the Data Controller.

b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Controller, where applicable.

c. Conduct prior consultation as appropriate.

d. Ensure, prior to and throughout the processing, compliance with the GDPR, the LOPDGDD and its implementing regulations by the Data Processor.

e. Supervise the processing, including carrying out inspections and audits.

f. Facilitate the right to information at the time of data collection.

g. Comply with the rest of the obligations that the RGPD, the LOPDGDD and its implementing regulations establish for the Data Controller.

9. Security and Protection of Data

FlowHunt has adopted the Data protection security legally required, and strives to adapt additional technical measures and means within its scope to avoid the loss, misuse, alteration, unauthorized access to and theft of the personal details provided. FlowHunt agrees to use all of the details sent by registered Users with the utmost confidentiality and resilience.

FlowHunt use and transfer to any other app of information received from ApenAI APIs will adhere to OpenAI API Services User Data Policy, including the Limited Use requirements.

10. Changes to this Privacy Policy

FlowHunt reserves the right to amend this policy in order to adapt it to new regulations, case laws and industrial and/or commercial practice.

‍If FlowHunt decides to change its Privacy Policy, it will post those changes on this page. This Privacy Policy was last modified on 17/07/2024.

Our website uses cookies. By continuing we assume your permission to deploy cookies as detailed in our privacy and cookies policy.