Version 2.0 — 17 June 2025
Last updated: 02 December 2025

1. Who we are

SIA Fluxy One (“Fluxy One”, “we”, “us”), Reg. No. 40203559086, Rupniecības iela 16‑14B, Riga, LV‑1010, Latvia, operates the website https://fluxy.one (“Site”) and the FLXY Digital Product Passport platform https://fluxy.one, https://flxy.io (“Platform”).

Contact for privacy matters (Data Protection Officer/DPO):
Email: legal@fluxy.one
You can also reach our DPO at dpo@fluxy.one for any privacy-related requests.

‍

2. Personal data we collect

A. Website visitors — connection & analytics data

• IP address
• Browser user‑agent
• UTM parameters
• Cookies set by Google Analytics 4, HubSpot, skarbe.com
• IP address (from reCAPTCHA verification)
• reCAPTCHA tokens

A.1 Contact Form Submissions (https://fluxy.one/contact)

• First name and last name
• Work email address
• Business Classification:
  - Category from "What best describes you?" dropdown:
   * I'm a European producer of finished products
   * I'm a European producer of raw materials
   * I'm a Small business (up to 25 products)
   * I'm an Importer of finished products
   * I'm an Importer of raw materials
   * I want to become a Partner
  (This classification helps us tailor DPP solutions to your business type)
• Company name
• Сountry
• Message ("Tell us more" field)
• Cookies set by Google Analytics 4, HubSpot, skarbe.com
• IP address (from reCAPTCHA verification)
• reCAPTCHA tokens

B. Platform accounts — identification & business data

• Name and job title
• Work e‑mail and phone number
• Company legal details and billing address
• Payment tokens (Stripe / Revolut Pay)
• Login IP address, user‑agent, cookies

C. DPP scans — device & usage logs

• Date and time of scan
• Approximate location derived from IP address
• Device / OS / browser details
• DPP identifier, cookies, UTM tags

We do not knowingly process data of individuals under 16; the Service is strictly B2B.

3. Why we process data & legal bases (GDPR Art 6)

• Provide, secure and troubleshoot the Platform — Contract (Art 6 b)

• Generate and host Digital Product Passports — Contract; Legal obligation under ESPR 2024/1781 Art 27

• Log DPP scans and analytics — Legitimate interest (Art 6 f) — measure usage & prevent fraud

• Process payments and invoices — Contract; Legal obligation (tax)

• Send product updates and marketing e‑mails — Consent (Art 6 a) via double opt‑in; opt‑out anytime

• Improve the Site via cookies and heat‑maps — Consent (Art 6 a)

• Respond to contact form inquiries — Contract (Art 6(b))

• Send DPP solutions and relevant offers — Legitimate Interest (Art 6(f)) or Consent (Art 6(a))

4. Cookies & tracking

We use:

• Google Analytics 4 — analytics (retention 14 months)
• HubSpot — marketing automation (retention up to 13 months)
• skarbe.com — A/B testing (retention up to 6 months)
• First‑party session cookies — necessary, retained 24 hours

See our separate Cookie Policy for details and opt-out options. All non-essential cookies require prior consent via our cookie banner.

5. Sub‑processors

• Google Cloud EMEA — hosting & storage (EEA, no SCC needed)
• Stripe Payments Europe — card payments (EEA → US, SCC + BCRs)
• Revolut Pay — alternative payments (EEA, SCC)
• HubSpot Ireland — CRM & marketing (EEA → US, SCC)
• SendGrid / Twilio — transactional e‑mails (US, SCC)
• Intercom R&D Unlimited — in‑app support (EEA → US, SCC)
• Zendesk Ireland — ticketing (EEA → US, SCC)

Up-to-date list of processors is available upon request.

6. International transfers

Fluxy One does not host personal data outside the EEA. When sub-processors (such as Stripe or Twilio) process data in the US, we rely on Standard Contractual Clauses 2021/914/EU and apply technical safeguards, including TLS 1.3, at-rest encryption, and strict access controls.

7. Retention periods

• Platform account & billing data — while the account is active plus 10 years for DPP history
• DPP content & scan logs — 10 years from the last paid billing period
• Marketing contacts — until unsubscribe or 3 years of inactivity
• Site analytics logs — 12 months
• Application logs — 24 months
• Contact form submissions - 12 months from last interaction

8. Data‑subject rights

You have the right to request:
• Access to your data (Art. 15)
• Rectification and correction of data (Art. 16)
• Erasure (“Right to be forgotten”) (Art. 17)
• Restriction of processing (Art. 18)
• Objection to processing (Art. 21)
• Data portability (Art. 20)

Send requests to legal@fluxy.one or dpo@fluxy.one — we respond within 30 days. We may require identity verification.

9. Automated decisions

Stripe and Revolut perform automated fraud screening. These checks do not create legal or similarly significant effects on you.

10. Security measures

• ISO/IEC 27017-certified data centers (Google Cloud EMEA)
• TLS 1.3 encryption in transit; AES-256 encryption at rest
• Multi-factor authentication; role-based access
• Daily encrypted backups (retention: 30 days)
• 24×7 incident response
• Annual external penetration tests
• Full technical and organizational measures are listed in Terms Annex B § II

11. Supervisory authority

You may lodge a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcija): https://www.dvi.gov.lv/
For EU users outside Latvia: Find your national authority here.

12. Updates

We may update this Privacy Policy to reflect material changes to our practices or legal obligations. Material changes will be announced at least 30 days in advance via email or platform notification.
Last reviewed: 19 November 2025
‍

By using our Site and Platform, you acknowledge you have read and understood this Privacy Policy.