Privacidad

Version 1.0 — 17 June 2025
Last updated: 17 June 2025

1. Who we are

SIA Fluxy One (“Fluxy One”, “we”, “us”), Reg. No. 40203559086, Rupniecības iela 16‑14B, Riga, LV‑1010, Latvia, operates the website https://fluxy.one (“Site”) and the FLXY Digital Product Passport platform at https://flxy.io (“Platform”).

Contact for privacy matters: legal@fluxy.one

2. Personal data we collect

A. Website visitors — connection & analytics data

  • IP address
  • Browser user‑agent
  • UTM parameters
  • Cookies set by Google Analytics 4, HubSpot, skarbe.com

B. Platform accounts — identification & business data

  • Name and job title
  • Work e‑mail and phone number
  • Company legal details and billing address
  • Payment tokens (Stripe / Revolut Pay)
  • Login IP address, user‑agent, cookies

C. DPP scans — device & usage logs

  • Date and time of scan
  • Approximate location derived from IP address
  • Device / OS / browser details
  • DPP identifier, cookies, UTM tags

We do not knowingly process data of individuals under 16; the Service is strictly B2B.

3. Why we process data & legal bases (GDPR Art 6)

• Provide, secure and troubleshoot the Platform — Contract (Art 6 b)

• Generate and host Digital Product Passports — Contract; Legal obligation under ESPR 2024/1781 Art 27

• Log DPP scans and analytics — Legitimate interest (Art 6 f) — measure usage & prevent fraud

• Process payments and invoices — Contract; Legal obligation (tax)

• Send product updates and marketing e‑mails — Consent (Art 6 a) via double opt‑in; opt‑out anytime

• Improve the Site via cookies and heat‑maps — Consent (Art 6 a)

4. Cookies & tracking

We use:

  • Google Analytics 4 — analytics (retention 14 months)
  • HubSpot — marketing automation (retention up to 13 months)
  • skarbe.com — A/B testing (retention up to 6 months)
  • First‑party session cookies — necessary, retained 24 hours

Details and opt‑out options appear in our separate Cookie Policy.

5. Sub‑processors

  • Google Cloud EMEA — hosting & storage (EEA, no SCC needed)
  • Stripe Payments Europe — card payments (EEA → US, SCC + BCRs)
  • Revolut Pay — alternative payments (EEA, SCC)
  • HubSpot Ireland — CRM & marketing (EEA → US, SCC)
  • SendGrid / Twilio — transactional e‑mails (US, SCC)
  • Intercom R&D Unlimited — in‑app support (EEA → US, SCC)
  • Zendesk Ireland — ticketing (EEA → US, SCC)

An up‑to‑date list is available on request.

6. International transfers

Fluxy One does not host data outside the EEA. When a sub‑processor handles data in the United States, we rely on Standard Contractual Clauses 2021/914/EU and additional technical safeguards such as TLS 1.3, at‑rest encryption and strict access controls.

7. Retention periods

  • Platform account & billing data — while the account is active plus 10 years for DPP history
  • DPP content & scan logs — 10 years from the last paid billing period
  • Marketing contacts — until unsubscribe or 3 years of inactivity
  • Site analytics logs — 12 months
  • Application logs — 24 months

8. Data‑subject rights

You may request access, rectification, erasure, restriction, objection or data portability (GDPR Art 15‑22). Send requests to legal@fluxy.one — we respond within 30 days.

9. Automated decisions

Stripe and Revolut perform automated fraud screening. These checks do not create legal or similarly significant effects on you.

10. Security measures

  • ISO/IEC 27017‑certified data centres (Google Cloud EMEA)
  • TLS 1.3 encryption in transit; AES‑256 at rest
  • Multi‑factor authentication and role‑based access
  • Daily encrypted backups (30‑day retention)
  • 24 × 7 incident response
  • Annual external penetration tests

Full technical and organisational measures are listed in Terms Annex B § II.

11. Supervisory authority

You may lodge a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcija) — https://www.dvi.gov.lv/.

12. Updates

We may modify this Privacy Policy; material changes will be announced 30 days in advance via e‑mail or platform banner.

Last reviewed: 17 June 2025