SIA Fluxy One
Version 3.1 — February 13, 2026
Last Updated: February 13, 2026
Effective Date: February 13, 2026
Changes in v3.1: Added specific AI model disclosure (Google Translation API, Vertex AI, Gemini), Google Cloud ISO certifications (27001, 27017, 27018, SOC 2 Type II)
SIA Fluxy One
Registration No.: LV40203559086
Address: Rupniecības iela 16-14B, Riga, LV-1010, Latvia
Email: legal@fluxy.one
Data Protection Officer (DPO): dpo@fluxy.one
Support: support@flxy.io
This Privacy Policy applies to all personal data collected and processed by SIA Fluxy One ("we," "us," "Fluxy One," "the Company") across the following digital properties and services:
Websites and Applications:
Services:
We collect and process different types of personal data depending on how you interact with our services.
(a) Account and Registration Data:
When you create an account on our platforms (Fluxy.One Platform or Zero Box), we collect:
(b) Payment Information:
When you subscribe to paid services, we collect:
(c) Product Data (Digital Product Passports):
When you create Digital Product Passports (DPPs) or product pages, you may provide:
(d) Communications Data:
When you contact us via email, chat, or support forms, we collect:
(e) Marketing Preferences:
If you subscribe to our newsletter or marketing communications:
(a) Website Usage Data (Analytics):
When you visit our websites, we automatically collect:
Tools used:
(b) QR Code Scan Data (Consumer Interactions):
When a consumer scans a QR code linked to a Digital Product Passport, we collect:
What we do NOT collect:
Purpose: Scan data is used to:
(c) Cookies and Similar Technologies:
We use cookies and similar tracking technologies. See Cookie Policy for details.
(a) Payment Processors:
We receive payment confirmation data from:
(b) CRM and Communication Tools:
We use third-party services to manage customer relationships:
(c) API Partners:
If you integrate with our API via partnerships (e.g., Avery), we may receive:
We process personal data for the following purposes, based on the specified legal grounds under GDPR:
| Purpose | Legal Basis | Data Types |
|---|---|---|
| Provide Fluxy.One Platform and Zero Box services | Contract performance (Art. 6(1)(b) GDPR) | Account data, product data, payment info |
| Process payments and issue invoices | Contract performance, Legal obligation (accounting) | Billing details, transaction history |
| Customer support and communication | Legitimate interest (Art. 6(1)(f) GDPR) | Email, support tickets, chat logs |
| Website analytics and performance monitoring | Legitimate interest (service improvement) | IP address, browser data, page views |
| Marketing emails and newsletters | Consent (Art. 6(1)(a) GDPR) | Email address, marketing preferences |
| Compliance with EU DPP regulations (ESPR) | Legal obligation (Art. 6(1)(c) GDPR) | Published DPP data, scan analytics |
| Security and fraud prevention | Legitimate interest (security) | Login attempts, IP addresses, payment fraud checks |
| AI model training (internal) | Legitimate interest (service improvement) | Anonymized support tickets, aggregated product metadata |
AI Services Used:
The Service uses the following AI technologies to assist with data entry, translation, and content processing:
(a) Google Cloud AI Services:
Data Processing Location: All AI processing occurs in EU data centers (Belgium, Netherlands)
(b) Proprietary AI Models:
What we use AI for:
What we do NOT do:
User Verification Required:
All AI-generated content must be reviewed and verified by users before publication. Fluxy is not liable for errors in unverified AI outputs (see applicable Terms of Service).
We may share personal data with third parties in the following circumstances:
(a) Service Providers (Data Processors):
We use trusted third-party companies to help us deliver our services. These companies are contractually obligated to: Process data only on our instructions, Implement appropriate security measures, Comply with GDPR, Delete or return data upon termination.
Current Service Providers:
| Provider | Service | Location | Data Shared |
|---|---|---|---|
| Google Cloud Platform (Google Ireland Ltd) | Hosting (Belgium), AI (Translation API, Vertex AI, Gemini) | EU (Belgium, Netherlands) | All platform data |
| Stripe Payments Europe Ltd | Payment processing | EU (Ireland) | Billing details, transaction data |
| PayPal (Europe) S.à r.l. et Cie | Payment processing | EU (Luxembourg) | Billing details, transaction data |
| Revolut Ltd | Payment processing | EU (Lithuania) | Billing details, transaction data |
| Odoo S.A. | CRM and customer management | EU (Belgium) | Contact details, sales data |
| Crisp IM SARL | Customer support chat | EU (France) | Name, email, chat transcripts |
| Hugo.ai | AI-powered support assistant | EU/USA | Support tickets, email |
| SendPulse | Email marketing | EU/USA | Email addresses, open rates |
| Mailchimp (Intuit Inc.) | Email marketing | USA | Email addresses, campaign stats |
| Mailerlite | Email marketing | EU (Lithuania) | Email addresses, click rates |
| OpenAI Ireland Ltd (optional) | AI models (premium features) | EU (Ireland) | Anonymized prompts (no personal data) |
(b) Public Disclosure (Digital Product Passports):
When you publish a Digital Product Passport via QR code: Product data becomes publicly accessible to anyone who scans the QR code. This includes product names, descriptions, images, responsible person contact details (as required by EU GPSR). Purpose: Compliance with ESPR regulations and consumer transparency.
(c) Regulatory Authorities:
We may share data with: European Commission (central DPP registry, if required), EU Customs Authorities (for customs clearance and ESPR compliance), National Data Protection Authorities (upon legal request), Tax Authorities (Latvia, EU) — For VAT and accounting compliance.
(d) Legal Obligations:
We may disclose data if required by law: Court orders, subpoenas, search warrants, Anti-money laundering (AML) investigations, Sanctions compliance checks (EU, OFAC, UN).
(e) Business Transfers:
If SIA Fluxy One is acquired, merges with another company, or sells assets: Personal data may be transferred to the successor entity. You will be notified 30 days in advance. Data protection standards will remain equivalent to this Policy.
We will NEVER:
All personal data is stored in the European Economic Area (EEA):
Google Cloud Platform Certifications:
Our hosting provider (Google Cloud Platform) maintains the following security and privacy certifications:
These certifications ensure that our infrastructure meets the highest international standards for data security and GDPR compliance.
Some service providers process data in the United States or other non-EEA countries. These transfers are conducted using:
(a) Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021/914) for all non-EEA transfers. SCCs are legally binding contracts that ensure GDPR-equivalent data protection.
(b) Supplementary Measures: In addition to SCCs, we implement: Encryption in transit (TLS 1.3+), Encryption at rest (AES-256), Pseudonymization (where feasible), Data minimization (transfer only necessary data).
(c) Data Protection Impact Assessment (DPIA): We have conducted DPIAs for high-risk transfers (e.g., to the USA). Available upon request at dpo@fluxy.one.
We do NOT transfer personal data to countries without GDPR adequacy decisions (e.g., China, Russia) unless: Explicitly required by law (e.g., customs data for international shipments) or You instruct us to do so (at your own risk).
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (name, email) | Duration of subscription + 12 months | Contract performance, customer support |
| Payment records (invoices, transactions) | 7 years | Legal obligation (accounting laws) |
| Product data (unpublished DPPs) | Duration of subscription + 12 months | Service delivery |
| Published DPPs (public QR codes) | 10-15 years (ESPR archive) | Legal obligation (ESPR Regulation 2024/1781) |
| Support tickets | 3 years | Legitimate interest (service improvement) |
| Marketing consent | Until you withdraw consent | Consent-based processing |
| Website analytics (Google Analytics) | 26 months (GA4 default) | Legitimate interest (analytics) |
| QR scan data (anonymized) | 5 years | Legal obligation (ESPR tracking) |
After the retention period expires: Data is permanently deleted from active systems within 30 days. Backup data is deleted within 90 days (next backup rotation cycle). Encrypted data is securely destroyed (keys deleted, data unrecoverable).
For published Digital Product Passports: Even after account termination, we are legally required to maintain read-only access to published DPPs for 10-15 years (as per ESPR Regulation 2024/1781). This ensures compliance with EU customs and environmental regulations. Archived DPPs are accessible by regulators and consumers (QR codes remain scannable). You will have NO editing rights after termination, but data remains public.
You have the following rights regarding your personal data:
What it means: You can request a copy of all personal data we hold about you.
How to exercise: Email dpo@fluxy.one with subject line "Data Access Request."
Response time: 30 days (may be extended to 60 days for complex requests).
What we provide: Copy of your personal data (JSON/CSV export), Categories of data processed, Purposes of processing, Recipients of data (list of service providers), Retention periods.
Cost: Free (first request). Subsequent requests within 6 months may incur a reasonable fee (€15-50).
What it means: You can correct inaccurate or incomplete data.
How to exercise: For account data: Edit directly in your dashboard settings. For other data: Email dpo@fluxy.one.
Response time: 72 hours for critical corrections (e.g., billing address), 30 days for others.
What it means: You can request deletion of your personal data.
How to exercise: Email dpo@fluxy.one with subject line "Data Deletion Request."
Limitations: We may NOT delete data if: Required by law (e.g., accounting records, ESPR archive), Necessary for legal claims or disputes, Overriding legitimate interests (e.g., fraud prevention).
What we delete: Account data (name, email, password), Unpublished product data, Marketing preferences.
What we CANNOT delete: Published DPPs (ESPR legal obligation — remain in archive for 10-15 years), Invoices and payment records (7-year accounting obligation).
What it means: You can request that we limit how we use your data (e.g., store it but not process it).
When to use: You dispute the accuracy of data (until we verify), Processing is unlawful, but you don't want deletion, We no longer need the data, but you need it for legal claims.
How to exercise: Email dpo@fluxy.one.
What it means: You can receive your data in a machine-readable format (JSON, CSV) and transfer it to another service provider.
How to exercise: Dashboard: Export data via "Settings → Export Data". Email: Request at dpo@fluxy.one.
What we provide: Product data (GTINs, descriptions, images), Account information, Support ticket history.
Format: JSON or CSV (your choice).
What it means: You can object to processing based on "legitimate interest."
Examples: Object to marketing emails (click "Unsubscribe"), Object to profiling or automated decision-making.
How to exercise: Email dpo@fluxy.one.
Note: We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
What it means: If we process data based on your consent (e.g., marketing emails), you can withdraw consent at any time.
How to exercise: Marketing emails: Click "Unsubscribe" link. Other consent: Email dpo@fluxy.one.
Effect: We will stop processing immediately, but withdrawal does not affect the lawfulness of past processing.
What it means: If you believe we violated GDPR, you can file a complaint with your national data protection authority.
Latvia (our supervisory authority): Data State Inspectorate (Datu valsts inspekcija)
Address: Blaumaņa iela 11/13-15, Riga, LV-1011, Latvia
Email: pasts@dvi.gov.lv
Website: https://www.dvi.gov.lv
EU Online Complaint Portal: https://edpb.europa.eu/about-edpb/about-edpb/members_en (find your country's authority)
We implement the following security measures to protect your data:
(a) Encryption: In transit: TLS 1.3+ for all HTTPS connections. At rest: AES-256 encryption for stored data (databases, backups). Passwords: Hashed using bcrypt (never stored in plain text).
(b) Access Controls: Multi-Factor Authentication (MFA) required for all staff accessing production systems. Role-Based Access Control (RBAC) — Employees access only data necessary for their role. IP whitelisting for administrative access.
(c) Monitoring and Logging: Real-time intrusion detection (Google Cloud Security Command Center). Audit logs for all data access, modifications, and deletions. Automated alerts for suspicious activity (failed login attempts, unusual API usage).
(d) Backup and Recovery: Daily automated backups (stored in separate EU data center). Quarterly disaster recovery tests to ensure data can be restored.
(e) Vulnerability Management: Monthly security scans for software vulnerabilities. Patch management — Critical security updates applied within 48 hours.
(a) Staff Training: All employees receive annual GDPR and data security training. Confidentiality agreements (NDAs) for all personnel.
(b) Data Breach Response Plan: Incident detection: Within 24 hours. Notification to DPO: Within 48 hours. Notification to data subjects: Within 72 hours (if high risk). Notification to authorities: Within 72 hours (GDPR Art. 33).
All service providers (subprocessors) are contractually required to: Implement equivalent security measures; Notify us of breaches within 24 hours; Submit to security audits (SOC 2, ISO 27001).
In the event of a personal data breach: We will notify you within 72 hours via email to your registered account email. We will notify the Data State Inspectorate (Latvia) within 72 hours (if required under GDPR Art. 33). We will notify affected individuals within 72 hours if the breach poses a high risk (GDPR Art. 34).
What we will tell you: Nature of the breach (what data was affected); Likely consequences; Measures taken to mitigate harm; Contact point for further information (dpo@fluxy.one).
We use cookies and similar technologies to: Remember your login session; Analyze website usage (Google Analytics); Enable marketing campaigns (Facebook Pixel, LinkedIn Insight Tag). For full details, see our Cookie Policy.
Your choices: Accept all cookies (recommended for best experience); Reject non-essential cookies (via cookie banner); Manage preferences at any time: Cookie Settings.
Our services are not directed at children under 16 (or under 13 in some jurisdictions). We do NOT knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us immediately at dpo@fluxy.one. We will delete the data within 48 hours.
We use AI to assist with: Product description suggestions (based on GTIN or product category); Data extraction from documents (OCR on uploaded certificates); Support chatbot responses (Hugo.ai, Crisp AI).
Human oversight: All AI suggestions are reviewed by you before publishing. You have final control over all data. No automated decisions affect legal rights (e.g., account termination, payment refusal).
We do NOT use automated profiling to: Make credit decisions; Determine pricing (same prices for all users in the same tier); Deny service based on behavioral patterns.
You have the right to: Object to automated decision-making (Art. 22 GDPR); Request human review of AI-generated content; Opt out of AI-assisted features (contact support@flxy.io).
We may update this Privacy Policy from time to time to reflect: Changes in laws (GDPR amendments, new ESPR regulations); New services or features; Changes in data processing practices.
For significant changes: We will notify you via email 30 days in advance. We will display a banner on the website. You may object to changes by terminating your account before the effective date.
For minor changes: We will update the "Last Updated" date at the top of this Policy. We recommend checking this page periodically.
Email: legal@fluxy.one
Subject line: "Privacy Inquiry"
Email: dpo@fluxy.one
Phone: +371 26125210
Address: Data Protection Officer, SIA Fluxy One, Rupniecības iela 16-14B, Riga, LV-1010, Latvia
Email: dpo@fluxy.one
Subject line: Use specific keywords: "Data Access Request" (Art. 15 GDPR), "Data Deletion Request" (Art. 17 GDPR), "Data Correction Request" (Art. 16 GDPR), "Data Portability Request" (Art. 20 GDPR), "Object to Processing" (Art. 21 GDPR).
Response time: 30 days (may be extended to 60 days for complex requests).
Data State Inspectorate (Latvia)
Blaumaņa iela 11/13-15, Riga, LV-1011, Latvia
Email: pasts@dvi.gov.lv
Website: https://www.dvi.gov.lv
This Privacy Policy complies with: GDPR (Regulation 2016/679); ePrivacy Directive (Directive 2002/58/EC); ESPR (Regulation 2024/1781 — Digital Product Passports); Latvian Data Protection Law.
For UK users, this Policy also complies with: UK GDPR (as amended by the Data Protection Act 2018). UK supervisory authority: Information Commissioner's Office (ICO) — https://ico.org.uk
We do NOT operate under: CCPA (California) — Our services are not directed at California residents; COPPA (Children's Online Privacy Protection Act) — We do not target children. If you are a US user, your rights are limited to those under GDPR (if applicable) and our contractual Terms of Service.
If you are located outside the EU/EEA: Data transfers are governed by Standard Contractual Clauses (SCCs). You retain GDPR-equivalent rights (access, deletion, correction). Contact dpo@fluxy.one for jurisdiction-specific questions.
END OF PRIVACY POLICY
