Version 1.0 — 17 June 2025
Last updated: 17 June 2025

1. Who we are

SIA Fluxy One (“Fluxy One”, “we”, “us”), Reg. No. 40203559086, Rupniecības iela 16‑14B, Riga, LV‑1010, Latvia, operates the website https://fluxy.one (“Site”) and the FLXY Digital Product Passport platform at https://flxy.io (“Platform”).

Contact for privacy matters: legal@fluxy.one

2. Personal data we collect

A. Website visitors — connection & analytics data

• IP address
• Browser user‑agent
• UTM parameters
• Cookies set by Google Analytics 4, HubSpot, skarbe.com

B. Platform accounts — identification & business data

• Name and job title
• Work e‑mail and phone number
• Company legal details and billing address
• Payment tokens (Stripe / Revolut Pay)
• Login IP address, user‑agent, cookies

C. DPP scans — device & usage logs

• Date and time of scan
• Approximate location derived from IP address
• Device / OS / browser details
• DPP identifier, cookies, UTM tags

We do not knowingly process data of individuals under 16; the Service is strictly B2B.

3. Why we process data & legal bases (GDPR Art 6)

• Provide, secure and troubleshoot the Platform — Contract (Art 6 b)

• Generate and host Digital Product Passports — Contract; Legal obligation under ESPR 2024/1781 Art 27

• Log DPP scans and analytics — Legitimate interest (Art 6 f) — measure usage & prevent fraud

• Process payments and invoices — Contract; Legal obligation (tax)

• Send product updates and marketing e‑mails — Consent (Art 6 a) via double opt‑in; opt‑out anytime

• Improve the Site via cookies and heat‑maps — Consent (Art 6 a)

4. Cookies & tracking

We use:

• Google Analytics 4 — analytics (retention 14 months)
• HubSpot — marketing automation (retention up to 13 months)
• skarbe.com — A/B testing (retention up to 6 months)
• First‑party session cookies — necessary, retained 24 hours

Details and opt‑out options appear in our separate Cookie Policy.

5. Sub‑processors

• Google Cloud EMEA — hosting & storage (EEA, no SCC needed)
• Stripe Payments Europe — card payments (EEA → US, SCC + BCRs)
• Revolut Pay — alternative payments (EEA, SCC)
• HubSpot Ireland — CRM & marketing (EEA → US, SCC)
• SendGrid / Twilio — transactional e‑mails (US, SCC)
• Intercom R&D Unlimited — in‑app support (EEA → US, SCC)
• Zendesk Ireland — ticketing (EEA → US, SCC)

An up‑to‑date list is available on request.

6. International transfers

Fluxy One does not host data outside the EEA. When a sub‑processor handles data in the United States, we rely on Standard Contractual Clauses 2021/914/EU and additional technical safeguards such as TLS 1.3, at‑rest encryption and strict access controls.

7. Retention periods

• Platform account & billing data — while the account is active plus 10 years for DPP history
• DPP content & scan logs — 10 years from the last paid billing period
• Marketing contacts — until unsubscribe or 3 years of inactivity
• Site analytics logs — 12 months
• Application logs — 24 months

8. Data‑subject rights

You may request access, rectification, erasure, restriction, objection or data portability (GDPR Art 15‑22). Send requests to legal@fluxy.one — we respond within 30 days.

9. Automated decisions

Stripe and Revolut perform automated fraud screening. These checks do not create legal or similarly significant effects on you.

10. Security measures

• ISO/IEC 27017‑certified data centres (Google Cloud EMEA)
• TLS 1.3 encryption in transit; AES‑256 at rest
• Multi‑factor authentication and role‑based access
• Daily encrypted backups (30‑day retention)
• 24 × 7 incident response
• Annual external penetration tests

Full technical and organisational measures are listed in Terms Annex B § II.

11. Supervisory authority

You may lodge a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcija) — https://www.dvi.gov.lv/.

12. Updates

We may modify this Privacy Policy; material changes will be announced 30 days in advance via e‑mail or platform banner.

Last reviewed: 17 June 2025

‍