Privacy Policy

This Privacy Policy explains the nature, scope, and purpose of the processing of personal data in connection with the use of the software-as-a-service platform Product Flow (“Service”).

  1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Yevgen Yeshchenko
Founder – SaaS Product Flow
Im Egerten 7/1
74391 Erligheim
Germany
Phone: +49 1575 765 86 22
Email: [email protected]

  2. Scope of Application (B2B Only)

The Service is provided exclusively to business customers (B2B).

The processing of personal data of consumers within the meaning of applicable consumer protection laws is not intended.

The Customer is responsible for ensuring that only business-related personal data is processed when using the Service.

  3. Categories of Processed Data

In the course of using the Service, the following categories of personal data may be processed:

3.1 Customer Data

  • Company name
  • Contact person name
  • Business address
  • Email address
  • Telephone number

3.2 User Data

  • Username
  • Email address
  • Roles and permission information

3.3 Contract and Billing Data

  • Subscription and plan information
  • Subscription status
  • Billing address
  • Tax or VAT identification number
  • Payment status (no plain-text payment data)

3.4 Usage and System Data

  • Log data (e.g. login timestamps)
  • Technical metadata for system security
  • Error and debug information

  4. Purposes of Data Processing

Personal data is processed for the following purposes:

  • Provision and operation of the Service
  • User and access management
  • Contract execution and billing
  • Communication with Customers
  • Ensuring system security and stability
  • Further development of the Service, in particular within an Early Access / Beta environment

  5. Legal Bases

Personal data is processed on the basis of the following legal grounds under GDPR:

  • Art. 6(1)(b) GDPR (performance of a contract)
  • Art. 6(1)(f) GDPR (legitimate interests in operating, securing, and improving the Service)
  • Art. 6(1)(c) GDPR (compliance with legal obligations, e.g. tax and accounting requirements)

  6. Payment Processing via Stripe

Payments are processed using Stripe, an external payment service provider.

Stripe independently processes personal data such as:

  • billing information
  • payment status
  • tax and invoice-related data

The Provider does not store or process payment card data.

Stripe acts as an independent data controller within the meaning of the GDPR.
Stripe’s own privacy policies apply in addition.

  7. Data Processing on Behalf of the Customer

Where the Provider processes personal data on behalf of the Customer, this is carried out on the basis of a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.

In such cases, the Customer remains the sole data controller with respect to the lawfulness of the processed content.

  8. Data Disclosure to Third Parties

Personal data is disclosed to third parties only insofar as this is necessary for:

  • payment processing (Stripe),
  • compliance with legal obligations,
  • technical service providers (hosting and infrastructure).

No further disclosure takes place.

  9. International Data Transfers

Where service providers process data outside the EU/EEA (e.g. Stripe), such transfers are carried out in accordance with Art. 44 et seq. GDPR, in particular on the basis of Standard Contractual Clauses (SCCs).
Technical service providers are used for hosting and infrastructure, including cloud services such as Supabase (https://supabase.com/) and Vercel (https://vercel.com/).

The Provider reserves the right to change such providers at any time.

  10. Data Retention

Personal data is stored only for as long as necessary for:

  • performance of contractual obligations,
  • compliance with statutory retention requirements,
  • the Provider’s legitimate interests.

Once the purpose ceases to apply, the data is deleted or anonymized.

  11. Data Security

The Provider implements appropriate technical and organizational measures to protect personal data.

However, complete protection against unauthorized access cannot be guaranteed, especially in the context of an Early Access / Beta Service.

  12. Rights of Data Subjects

Data subjects have the following rights under GDPR, subject to statutory requirements:

  • right of access
  • right to rectification
  • right to erasure
  • right to restriction of processing
  • right to data portability
  • right to object

Requests may be addressed to the contact details listed in Section 1.

  13. No Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

  14. Changes to This Privacy Policy

The Provider reserves the right to amend this Privacy Policy at any time.

The current version is available on the website.

  15. Contact

For questions regarding data protection, please contact:

[email protected]