FLXY.io | Fluxy.One
Version 1.0 — 17 juin 2025
"The use of the websites https://flxy.io and http://fluxy.one are governed by a separate Agreement (Website Terms of Use), which the user accepts upon registration or payment for services."
SIA Fluxy One — Rupniecības iela 16‑14B, Riga, LV‑1010, Lettonie
Email: legal@fluxy.one
DPO: dpo@fluxy.one
Support: support@flxy.io
Note: This document is the official English version. In the event of any discrepancies between this version and translations into other languages, the English version shall prevail.
This Agreement ("Agreement") is entered into by and between SIA Fluxy One (Reg. No. LV40203559086, Latvia), hereinafter referred to as the "Operator," "We," or "Fluxy," and the legal entity or individual accepting these terms, hereinafter referred to as the "Client" or "You."
The Operator, acting in its capacity as a European DPP Operator and an Official Solution Partner of GS1 Belgium & Luxembourg, grants the Client access to the flxy.io platform ("Service") for the creation, management, and storage of Digital Product Passports (DPP).
(a) Acceptance: The Agreement is deemed concluded from the moment the Client performs the first of the following actions:
* Registration of an account on the Website;
* Payment of an invoice issued by the Operator or an Authorized Regional Representative;
* Commencement of API usage or data upload.
(b) Form of Agreement: This Agreement is concluded electronically. Upon written request by the Client sent to legal@fluxy.one, the Operator shall provide a PDF copy certified by a Qualified Electronic Signature (eIDAS) of an authorized representative.
If the Client purchases services through an Authorized Regional Representative (hereinafter "Reseller"):
(a) Financial terms (currency, payment deadlines) are governed by the agreement between the Client and the Reseller;
(b) This Agreement remains the sole document regulating the use of the Software, data rights, SLAs, and the Operator’s liability;
(c) The Reseller has no authority to modify the terms of this Agreement or make warranties on behalf of the Operator.
Under the subscription, the Client obtains the right to create DPPs, each of which includes:
(a) GS1 Digital Link: A unique product web address (URI) (e.g., `https://dpp.flxy.io/01/...`) that resolves to the product passport;
(b) QR Code: A graphic file (PNG/SVG) for packaging, compliant with ISO/IEC 18004 standards;
(c) Data Hosting: Product data storage in a structured format compliant with Regulation (EU) 2024/1781 (ESPR);
(d) API Access: Access to data for integration with corporate systems.
The Service operates based on international GS1 standards. To use the Service, the Client is required to assign valid GTINs (Global Trade Item Numbers) issued by a licensed GS1 member organization to its products. Local or internal codes not compliant with the GS1 standard are not supported.
(a) The Operator warrants that the technical architecture of the DPP complies with the requirements of the ESPR Regulation and applicable EU Delegated Acts.
(b) In the event of changes to requirements by the European Commission or Customs Authorities, the Operator undertakes to update the Service. If such changes require data updates by the Client, the Operator shall notify the Client within a reasonable timeframe.
The Client is prohibited from using the Service to create passports for counterfeit, illegal, or sanctioned products. The Operator reserves the right to remove any DPPs violating these rules.
The Client retains full and exclusive ownership of all data ("Client Data") uploaded to the Service. The Client bears sole responsibility for the accuracy, completeness, and legality of the content.
(a) The Service utilizes Generative AI (GenAI) technologies to assist in data entry.
(b) Verification Obligation: The Client acknowledges that AI is an assistive tool and may produce errors. The Client is obliged to verify all data prior to publication. The Operator shall not be liable for the publication of unverified data.
(c) Model Training: The Operator guarantees that Client Confidential Data is NOT used to train public AI models. Only anonymized meta-data may be used to improve internal algorithms.
The Client authorizes the Operator to transfer DPP data to:
(a) The European Commission’s central registry (Product Passport Registry);
(b) National customs authorities of EU Member States;
(c) Public access (for consumers) via QR code scanning.
Payment is made based on an Invoice via one of the following methods:
* Direct Bank Transfer (SEPA/SWIFT);
* Payment Systems (Stripe, PayPal, RevolutPay);
* Payment via an Authorized Regional Representative.
(a) EU Clients: Service fees include Latvian VAT (21%) unless the Reverse Charge mechanism applies to the Client.
(b) Non-EU Clients: Services are classified as export (B2B) and are not subject to Latvian VAT (0%). The Client is solely responsible for calculating and paying any local taxes (VAT, Withholding Tax/WHT) applicable in their jurisdiction.
Prices are fixed for the paid Subscription Period. Upon renewal, the Operator reserves the right to index prices, but by no more than the CPI (Eurozone) + 5% per annum.
The Operator has the right to suspend access in the event of: (a) Non-payment of services (exceeding 14 days); (b) Identification of material breaches (counterfeit certificates, IP infringement) following notification and a cure period (7 days).
Upon termination of the Agreement, the Operator ensures the preservation of published DPPs in a "Passive Archive" mode (read-only access for end-users/regulators, with no editing rights for the Client) for the duration established by the ESPR Regulation (up to 10-15 years).
(a) The Operator shall not be liable for customs clearance delays, fines, or return of goods caused by the inaccuracy or incompleteness of data provided by the Client.
(b) The Operator’s maximum aggregate liability for any claims arising out of this Agreement is limited to the amount actually paid by the Client during the 12 months preceding the incident.
The Parties are released from liability for non-performance of obligations due to circumstances of force majeure (war, sanctions, global internet outages).
"Confidential Information" includes any non-public information transferred by one party to the other, including Client Data, technical specifications of the Service, pricing, and contract terms.
The Receiving Party undertakes: (a) not to disclose Confidential Information to third parties (except to affiliates and consultants under NDA); (b) to use it solely for the performance of the Agreement.
The Client represents and warrants that neither the Client, nor its beneficial owners, directors, or affiliates are listed on any sanctions lists ("Sanctioned Persons") administered by:
(a) The European Union (EU Consolidated List);
(b) The US Office of Foreign Assets Control (OFAC SDN List);
(c) The United Nations (UN Security Council);
(d) The United Kingdom (HMT) or the Republic of Latvia.
The Client undertakes NOT to use the Service:
(a) For the benefit of Sanctioned Persons or to facilitate transactions with them;
(b) In territories subject to comprehensive embargoes;
(c) For the creation of DPPs for Dual-Use Goods without appropriate licenses.
In the event of a breach of this section or the future inclusion of the Client in sanctions lists, Fluxy One has the right to immediately block access to the Service and terminate the Agreement unilaterally without refund of prepaid funds and without any liability to the Client.
This Agreement is governed by the substantive law of the Republic of Latvia.
All disputes arising out of or in connection with this Agreement shall be finally settled by the Luxembourg Arbitration Association in accordance with its rules. The language of the arbitration shall be English.
1.1. Target: The Operator guarantees Platform availability (including API and QR code resolution) at a level of 99.5% per calendar month.
1.2. Exceptions: Downtime calculation excludes unavailability caused by: (a) Scheduled Maintenance (with 24-hour notice); (b) Force Majeure; (c) Client-side equipment or network issues.
2.1. In case of failure to meet the Availability Guarantee, the Client is entitled to request compensation (Service Credit):
• Availability 99.0% – 99.49%: Compensation equal to 5% of the monthly fee.
• Availability 95.0% – 98.99%: Compensation equal to 10% of the monthly fee.
• Availability Below 95.0%: Compensation equal to 20% of the monthly fee.
3.1. Support is provided via email (support@flxy.io) and ticketing system.
3.2. Target Response Times:
• P1 (Critical):
• Description: Platform completely unavailable or critical API failure.
• Response Time: 4 hours (24/7).
• P2 (High):
• Description: Core functions working with errors or significant degradation of performance.
• Response Time: 8 business hours.
• P3 (Normal):
• Description: General usage questions, minor UI bugs, or non-critical inquiries.
• Response Time: 24 hours.
In accordance with Art. 28 GDPR
1.1. Under this DPA, the Client acts as the Controller, and Fluxy One acts as the Processor.
1.2. The subject matter of processing involves personal data contained in the Client’s account (employee data) and DPP content (supplier contact persons), solely for the purpose of providing the Service.
The Operator implements the following measures:
* Encryption in transit (TLS 1.2+) and at rest (AES-256);
* Regular backups and recovery testing;
* Multi-Factor Authentication (MFA) for personnel access;
* Access logging.
3.1. The Client grants general written authorization for the engagement of Sub-processors.
3.2. Current Authorized Sub-processors:
* Google Cloud Platform (Google Ireland Ltd) — Hosting, Infrastructure, AI (Location: EU).
* Stripe Payments Europe Ltd — Payment Processing (Location: EU/USA).
* Zendesk / Intercom — Support System.
* OpenAI Ireland Ltd — Optional AI models (Location: EU).
3.3. The Operator shall notify the Client of new Sub-processors at least 30 days in advance.
4.1. Primary data storage location: European Economic Area (EEA).
4.2. Any transfer outside the EEA (to third countries without an adequacy decision) is conducted based on Standard Contractual Clauses (SCCs) approved by the European Commission, which are incorporated herein by reference.
Upon written request by the Client (no more than once per year), the Operator shall provide security reports (e.g., SOC 2 Type II or ISO 27001) to verify compliance with GDPR requirements.
