
Flows Forge Privacy Policy

PRIVACY POLICY FOR www.flowsforge.com
Current version effective as of 4 February 2025

§1. Data Controller

The controller of personal data processed in connection with the use of the website www.flowsforge.com (the “Site”) is:
Flows Forge – Tomasz Rogala, with its registered office at Sucha 2, Kraków.
Data protection contact: tomasz.rogala@flowsforge.com.
We process data in accordance with the GDPR (EU 2016/679), the Polish Personal Data Protection Act (10 May 2018), and the Act on the Provision of Electronic Services (18 July 2002).

If Flows Forge operates as a limited company, insert the company’s full details (including KRS) instead of sole-proprietor data.

§2. Definitions

  • User – any natural person using the Site.

  • Personal Data – information relating to an identified or identifiable natural person.

  • Newsletter – a service delivering commercial/marketing information after sign-up via form.

  • Services – consulting, implementations, and support in RPA/AI/integrations (Make, Power Automate, UiPath).

  • Client – an entity for whom we provide Services under a separate agreement.

§3. Data We Process

We process, in particular:

  1. Contact/Brief/“Book a call” – first name, email, phone (optional), company, role, message content, technical metadata (IP, HTTP headers).

  2. Newsletter – email, first name (optional), marketing consent preferences.

  3. Offers & contract delivery – identification and contact data, company/NIP, billing details, correspondence history.

  4. Cookies & similar identifiers – essential, analytics, marketing (as per consents).

  5. Recruitment (if applicable) – CV, cover letter, contact details, interview progress notes.

§4. Purposes & Legal Bases (Art. 6 GDPR)

  1. Responding to messages/forms – our legitimate interest (Art. 6(1)(f)) and steps prior to a contract (Art. 6(1)(b)).

  2. Newsletter/marketing communications – consent (Art. 6(1)(a)); you may withdraw at any time.

  3. Contract conclusion & performance (offers, implementations, support) – contract performance (Art. 6(1)(b)).

  4. Accounting & tax – legal obligation (Art. 6(1)(c)).

  5. Site analytics & statistics – consent for cookies/analytics (Art. 6(1)(a)) or our legitimate interest in anonymized form (Art. 6(1)(f)).

  6. Security & claims (fraud prevention, evidentiary archiving, defense against claims) – legitimate interest (Art. 6(1)(f)).

  7. Recruitment (if applicable) – candidate’s consent (Art. 6(1)(a)) and our legal obligations (Art. 6(1)(c)).

Profiling: we may segment newsletter audiences/analytics to tailor content; we do not take decisions producing legal effects solely by automated means.

§5. Sources of Data

We obtain data directly from you (forms, email, phone, meetings) and from cookies/similar technologies via the consent banner.

§6. Data Recipients (Processors & Partners)

We entrust data to third parties only as necessary:

  • Hosting/Website: Wix.com Ltd. (site hosting), and any CDN providers.

  • Email/Productivity: Microsoft 365 (Microsoft Ireland Operations Ltd.).

  • Form routing/automation: Make.com (Make s.r.o., Czech Republic) – if used for handling submissions.

  • Analytics: Google Analytics 4 (Google Ireland Ltd.) – if enabled and consented to.

  • Accounting/Billing: [accountancy firm / invoicing system].

  • CRM/Helpdesk/Marketing automation: [e.g., HubSpot / MailerLite / Brevo / Airtable – if actually used].

  • Legal/IT advisors – where necessary to protect our rights.

We maintain an up-to-date list of processors in our GDPR documentation and provide it on request.

§7. Transfers Outside the EEA

Some providers may process data outside the EEA. We ensure appropriate safeguards, including adequacy decisions, Standard Contractual Clauses (SCCs), and additional technical/organizational measures. Details are available on request.

§8. Retention Periods

  • Correspondence/briefs – up to 12 months from closing the thread or until claims become time-barred.

  • Newsletter – until consent is withdrawn or inactivity persists for 24 months.

  • Contract/billing data – for the contract term and thereafter per accounting/tax rules (as a rule, 5 years counted from the end of the year in which the tax became due).

  • Analytics/cookies data – per cookie lifetime or until consent is withdrawn in the banner.

  • Recruitment – for the recruitment process and, with consent for future roles, no longer than 12 months.

§9. Your Rights

You have the right to: access, rectification, erasure (“right to be forgotten”), restriction, data portability, objection (including to direct marketing), and to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).
You may lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).

§10. Cookies & Similar Technologies

  1. We use cookies and similar technologies (e.g., local storage) for:

    • essential purposes – Site functionality (forms, security, anti-CSRF),

    • analytics/statistics – with your consent (e.g., GA4),

    • marketing – only with your consent (remarketing, ad tags, if implemented).

  2. On first visit we present a consent banner where you can accept/decline categories. You can change preferences anytime via the “Cookie settings” link in the footer.

  3. You can also manage cookies in your browser (restrictions may affect Site functionality).

  4. We do not display third-party advertisements (e.g., no Google AdSense). If we implement new pixels/retargeting in the future, we will update this section and the consent banner accordingly.

§11. Security

We apply measures including TLS/SSL encryption, access control (principle of least privilege), multi-factor authentication where feasible, incident logging, and access reviews. We require appropriate security measures from our processors.

§12. Our Role as Processor for Client Data

In B2B projects (RPA/AI implementations, support, integrations) we typically act as a processor on behalf of the Client (controller). A Data Processing Agreement (Art. 28 GDPR) forms part of our cooperation. The scope, data categories, purposes, and security measures are described in the DPA and project documentation.

§13. Children’s Data

The Site and Services are not directed to persons under 16. We do not knowingly collect their data.

§14. Changes to this Policy

We may update this Policy, e.g., due to legal, technological, or service-provider changes. The new version will be published on the Site with its effective date.

§15. Contact

For data protection matters contact: tomasz.rogala@flowsforge.com, or write to our registered address.
We have not appointed a Data Protection Officer (DPO). If we do, we will publish DPO details on the Site.


ADDRESS

ul. Sucha 1

30-601 Kraków

Polska

NIP 6020042306
