Controller Information

SIA Fluxy One

Registration No.: LV40203559086

Address: Rupniecības iela 16-14B, Riga, LV-1010, Latvia

Email: legal@fluxy.one

Data Protection Officer (DPO): dpo@fluxy.one

Support: support@flxy.io

Scope of This Policy

This Privacy Policy applies to all personal data collected and processed by SIA Fluxy One ("we," "us," "Fluxy One," "the Company") across the following digital properties and services:

Websites and Applications:

• https://fluxy.one — Main website and product information portal
• https://app.flxy.io — Fluxy.One DPP Platform (B2B dashboard)
• https://zero.flxy.io — Zero Box Dashboard (SME solution)
• https://flxy.io — Platform infrastructure and API
• https://dpp.flxy.io — GS1 Digital Link resolver for Digital Product Passports

Services:

• Fluxy.One Platform — Enterprise Digital Product Passport (DPP) solution for manufacturers
• Zero Box — SME solution for GS1-compliant product QR codes
• API Services — Data integration and partner APIs
• Customer Support — Via email, chat, and AI-powered assistance

1. TYPES OF DATA WE COLLECT

We collect and process different types of personal data depending on how you interact with our services.

1.1 Data You Provide Directly

(a) Account and Registration Data:
When you create an account on our platforms (Fluxy.One Platform or Zero Box), we collect:

• Full name (individual or business representative)
• Email address
• Company name, registration number, VAT ID (for business accounts)
• Billing address
• Phone number (optional)
• Password (hashed and encrypted, never stored in plain text)

(b) Payment Information:
When you subscribe to paid services, we collect:

• Billing name and address
• Payment method details (processed by Stripe, PayPal, or Revolut Pay — we do NOT store full credit card numbers)
• Transaction history (invoices, payment dates, amounts)

(c) Product Data (Digital Product Passports):
When you create Digital Product Passports (DPPs) or product pages, you may provide:

• Product names, descriptions, images, videos
• GTINs (Global Trade Item Numbers)
• Responsible Person information (name, email, address — required for EU GPSR compliance)
• Supplier and manufacturer contact details
• Materials, certifications, sustainability data
• Uploaded documents (test reports, manuals, certificates)

(d) Communications Data:
When you contact us via email, chat, or support forms, we collect:

• Name and email address
• Message content
• Attachments (screenshots, documents)
• Support ticket history

(e) Marketing Preferences:
If you subscribe to our newsletter or marketing communications:

• Email address
• Consent for marketing emails
• Opt-out preferences

1.2 Data We Collect Automatically

(a) Website Usage Data (Analytics):
When you visit our websites, we automatically collect:

• IP address (anonymized after processing)
• Browser type and version (e.g., Chrome 120, Safari 17)
• Device type (desktop, mobile, tablet)
• Operating system (Windows, macOS, iOS, Android)
• Pages viewed, time spent on pages
• Referral source (e.g., Google search, direct visit)
• Geographic location (country and city level, derived from IP address)

Tools used:

• Google Analytics 4 (GA4) — Web analytics
• Google Tag Manager — Tag management
• Proprietary analytics (for dashboard usage)

(b) QR Code Scan Data (Consumer Interactions):
When a consumer scans a QR code linked to a Digital Product Passport, we collect:

• Scan timestamp (date and time)
• Country of scan (derived from IP address)
• Device type (iOS/Android)
• Number of scans per product

What we do NOT collect:

• Consumer names, email addresses, or phone numbers
• Exact GPS location
• Browser history or personal identifiers

Purpose: Scan data is used to:

• Provide scan analytics to DPP creators (you)
• Improve service performance and user experience
• Comply with EU DPP regulations (ESPR tracking requirements)

(c) Cookies and Similar Technologies:
We use cookies and similar tracking technologies. See Cookie Policy for details.

1.3 Data from Third Parties

(a) Payment Processors:
We receive payment confirmation data from:

• Stripe Payments Europe Ltd (transaction success/failure, payment method type)
• PayPal (transaction ID, payer email)
• Revolut Ltd (transaction status)

(b) CRM and Communication Tools:
We use third-party services to manage customer relationships:

• Odoo S.A. (CRM) — Contact details, sales pipeline data
• Crisp IM (customer chat) — Chat transcripts, email, name
• Hugo.ai (AI support assistant) — Support ticket content
• SendPulse, Mailchimp, Mailerlite (email marketing) — Email addresses, open rates, click rates

(c) API Partners:
If you integrate with our API via partnerships (e.g., Avery), we may receive:

• Company name and contact details
• API usage logs (requests per second, endpoints accessed)
• Error logs

2. PURPOSES AND LEGAL BASIS FOR PROCESSING

We process personal data for the following purposes, based on the specified legal grounds under GDPR:

3. HOW WE USE YOUR DATA

3.1 Service Delivery

• Create and manage your account
• Generate GS1 Digital Link QR codes and Digital Product Passports
• Process payments and subscriptions
• Provide dashboard access to your product data
• Enable API integrations

3.2 Customer Support

• Respond to inquiries via email, chat, and support tickets
• Troubleshoot technical issues
• Provide onboarding assistance

3.3 Analytics and Improvement

• Analyze website and dashboard usage patterns
• Identify bugs and performance issues
• Improve user interface and features
• Develop new products and services

3.4 Marketing and Communications

• Send service announcements (account updates, security alerts) — no consent required (transactional emails)
• Send newsletters about new features, industry news, EU regulatory changes — consent required
• Conduct customer satisfaction surveys

3.5 Compliance and Legal Obligations

• Comply with GDPR, ESPR, and Latvian laws
• Respond to legal requests (court orders, regulator inquiries)
• Maintain records for tax and accounting purposes (7 years)
• Archive published DPPs for 10-15 years (ESPR legal requirement)

3.6 AI and Machine Learning

AI Services Used:
The Service uses the following AI technologies to assist with data entry, translation, and content processing:

(a) Google Cloud AI Services:

• Google Cloud Translation API — Multilingual translation of DPP content (24+ languages)
• Google Vertex AI — Data extraction from uploaded documents (OCR), auto-completion of product fields
• Google Gemini models — Advanced AI features for compliance suggestions and data structuring

Data Processing Location: All AI processing occurs in EU data centers (Belgium, Netherlands)

(b) Proprietary AI Models:

• Internal algorithms trained on anonymized metadata to improve user experience
• Support ticket analysis to enhance chatbot responses
• Product category metadata (e.g., "textile products often have care instructions")

What we use AI for:

• Auto-suggesting product descriptions
• Extracting data from uploaded documents (test reports, certificates)
• Translating content into multiple languages (see Platform/Zero Box ToS for full AI translation disclosure)
• Compliance field suggestions based on product category

What we do NOT do:

• Train public AI models (OpenAI, Google) with your confidential product data
• Share specific business secrets with third-party AI providers
• Use customer emails or names for AI training

User Verification Required:
All AI-generated content must be reviewed and verified by users before publication. Fluxy is not liable for errors in unverified AI outputs (see applicable Terms of Service).

4. DATA SHARING AND DISCLOSURES

4.1 When We Share Your Data

We may share personal data with third parties in the following circumstances:

(a) Service Providers (Data Processors):
We use trusted third-party companies to help us deliver our services. These companies are contractually obligated to: Process data only on our instructions, Implement appropriate security measures, Comply with GDPR, Delete or return data upon termination.

Current Service Providers:

(b) Public Disclosure (Digital Product Passports):
When you publish a Digital Product Passport via QR code: Product data becomes publicly accessible to anyone who scans the QR code. This includes product names, descriptions, images, responsible person contact details (as required by EU GPSR). Purpose: Compliance with ESPR regulations and consumer transparency.

(c) Regulatory Authorities:
We may share data with: European Commission (central DPP registry, if required), EU Customs Authorities (for customs clearance and ESPR compliance), National Data Protection Authorities (upon legal request), Tax Authorities (Latvia, EU) — For VAT and accounting compliance.

(d) Legal Obligations:
We may disclose data if required by law: Court orders, subpoenas, search warrants, Anti-money laundering (AML) investigations, Sanctions compliance checks (EU, OFAC, UN).

(e) Business Transfers:
If SIA Fluxy One is acquired, merges with another company, or sells assets: Personal data may be transferred to the successor entity. You will be notified 30 days in advance. Data protection standards will remain equivalent to this Policy.

4.2 When We Do NOT Share Your Data

We will NEVER:

• Sell personal data to third parties for marketing purposes
• Share data with data brokers or advertisers (except anonymized analytics)
• Disclose confidential business information without your consent

5. INTERNATIONAL DATA TRANSFERS

5.1 Primary Data Location

All personal data is stored in the European Economic Area (EEA):

• Primary data center: Google Cloud Europe (Belgium, Netherlands, Finland)
• Backup data center: EU-West (Frankfurt, Germany)

Google Cloud Platform Certifications:
Our hosting provider (Google Cloud Platform) maintains the following security and privacy certifications:

• ISO 27001 — Information Security Management System
• ISO 27017 — Cloud Security
• ISO 27018 — Cloud Privacy and Protection of Personally Identifiable Information
• SOC 2 Type II — Security, Availability, Confidentiality

These certifications ensure that our infrastructure meets the highest international standards for data security and GDPR compliance.

5.2 Transfers Outside the EEA

Some service providers process data in the United States or other non-EEA countries. These transfers are conducted using:

(a) Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021/914) for all non-EEA transfers. SCCs are legally binding contracts that ensure GDPR-equivalent data protection.

(b) Supplementary Measures: In addition to SCCs, we implement: Encryption in transit (TLS 1.3+), Encryption at rest (AES-256), Pseudonymization (where feasible), Data minimization (transfer only necessary data).

(c) Data Protection Impact Assessment (DPIA): We have conducted DPIAs for high-risk transfers (e.g., to the USA). Available upon request at dpo@fluxy.one.

5.3 No Transfers to High-Risk Countries

We do NOT transfer personal data to countries without GDPR adequacy decisions (e.g., China, Russia) unless: Explicitly required by law (e.g., customs data for international shipments) or You instruct us to do so (at your own risk).

6. DATA RETENTION

6.1 How Long We Keep Your Data

6.2 Deletion After Retention Period

After the retention period expires: Data is permanently deleted from active systems within 30 days. Backup data is deleted within 90 days (next backup rotation cycle). Encrypted data is securely destroyed (keys deleted, data unrecoverable).

6.3 Exception: ESPR Archive Obligation

For published Digital Product Passports: Even after account termination, we are legally required to maintain read-only access to published DPPs for 10-15 years (as per ESPR Regulation 2024/1781). This ensures compliance with EU customs and environmental regulations. Archived DPPs are accessible by regulators and consumers (QR codes remain scannable). You will have NO editing rights after termination, but data remains public.

7. YOUR RIGHTS UNDER GDPR

You have the following rights regarding your personal data:

7.1 Right of Access (Art. 15 GDPR)

What it means: You can request a copy of all personal data we hold about you.
How to exercise: Email dpo@fluxy.one with subject line "Data Access Request."
Response time: 30 days (may be extended to 60 days for complex requests).
What we provide: Copy of your personal data (JSON/CSV export), Categories of data processed, Purposes of processing, Recipients of data (list of service providers), Retention periods.
Cost: Free (first request). Subsequent requests within 6 months may incur a reasonable fee (€15-50).

7.2 Right to Rectification (Art. 16 GDPR)

What it means: You can correct inaccurate or incomplete data.
How to exercise: For account data: Edit directly in your dashboard settings. For other data: Email dpo@fluxy.one.
Response time: 72 hours for critical corrections (e.g., billing address), 30 days for others.

7.3 Right to Erasure ("Right to Be Forgotten") (Art. 17 GDPR)

What it means: You can request deletion of your personal data.
How to exercise: Email dpo@fluxy.one with subject line "Data Deletion Request."
Limitations: We may NOT delete data if: Required by law (e.g., accounting records, ESPR archive), Necessary for legal claims or disputes, Overriding legitimate interests (e.g., fraud prevention).
What we delete: Account data (name, email, password), Unpublished product data, Marketing preferences.
What we CANNOT delete: Published DPPs (ESPR legal obligation — remain in archive for 10-15 years), Invoices and payment records (7-year accounting obligation).

7.4 Right to Restriction of Processing (Art. 18 GDPR)

What it means: You can request that we limit how we use your data (e.g., store it but not process it).
When to use: You dispute the accuracy of data (until we verify), Processing is unlawful, but you don't want deletion, We no longer need the data, but you need it for legal claims.
How to exercise: Email dpo@fluxy.one.

7.5 Right to Data Portability (Art. 20 GDPR)

What it means: You can receive your data in a machine-readable format (JSON, CSV) and transfer it to another service provider.
How to exercise: Dashboard: Export data via "Settings → Export Data". Email: Request at dpo@fluxy.one.
What we provide: Product data (GTINs, descriptions, images), Account information, Support ticket history.
Format: JSON or CSV (your choice).

7.6 Right to Object (Art. 21 GDPR)

What it means: You can object to processing based on "legitimate interest."
Examples: Object to marketing emails (click "Unsubscribe"), Object to profiling or automated decision-making.
How to exercise: Email dpo@fluxy.one.
Note: We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

7.7 Right to Withdraw Consent (Art. 7(3) GDPR)

What it means: If we process data based on your consent (e.g., marketing emails), you can withdraw consent at any time.
How to exercise: Marketing emails: Click "Unsubscribe" link. Other consent: Email dpo@fluxy.one.
Effect: We will stop processing immediately, but withdrawal does not affect the lawfulness of past processing.

7.8 Right to Lodge a Complaint

What it means: If you believe we violated GDPR, you can file a complaint with your national data protection authority.
Latvia (our supervisory authority): Data State Inspectorate (Datu valsts inspekcija)
Address: Blaumaņa iela 11/13-15, Riga, LV-1011, Latvia
Email: pasts@dvi.gov.lv
Website: https://www.dvi.gov.lv
EU Online Complaint Portal: https://edpb.europa.eu/about-edpb/about-edpb/members_en (find your country's authority)

8. DATA SECURITY

8.1 Technical Measures

We implement the following security measures to protect your data:

(a) Encryption: In transit: TLS 1.3+ for all HTTPS connections. At rest: AES-256 encryption for stored data (databases, backups). Passwords: Hashed using bcrypt (never stored in plain text).

(b) Access Controls: Multi-Factor Authentication (MFA) required for all staff accessing production systems. Role-Based Access Control (RBAC) — Employees access only data necessary for their role. IP whitelisting for administrative access.

(c) Monitoring and Logging: Real-time intrusion detection (Google Cloud Security Command Center). Audit logs for all data access, modifications, and deletions. Automated alerts for suspicious activity (failed login attempts, unusual API usage).

(d) Backup and Recovery: Daily automated backups (stored in separate EU data center). Quarterly disaster recovery tests to ensure data can be restored.

(e) Vulnerability Management: Monthly security scans for software vulnerabilities. Patch management — Critical security updates applied within 48 hours.

8.2 Organizational Measures

(a) Staff Training: All employees receive annual GDPR and data security training. Confidentiality agreements (NDAs) for all personnel.

(b) Data Breach Response Plan: Incident detection: Within 24 hours. Notification to DPO: Within 48 hours. Notification to data subjects: Within 72 hours (if high risk). Notification to authorities: Within 72 hours (GDPR Art. 33).

8.3 Third-Party Security

All service providers (subprocessors) are contractually required to: Implement equivalent security measures; Notify us of breaches within 24 hours; Submit to security audits (SOC 2, ISO 27001).

8.4 Data Breach Notification

In the event of a personal data breach: We will notify you within 72 hours via email to your registered account email. We will notify the Data State Inspectorate (Latvia) within 72 hours (if required under GDPR Art. 33). We will notify affected individuals within 72 hours if the breach poses a high risk (GDPR Art. 34).

What we will tell you: Nature of the breach (what data was affected); Likely consequences; Measures taken to mitigate harm; Contact point for further information (dpo@fluxy.one).

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies to: Remember your login session; Analyze website usage (Google Analytics); Enable marketing campaigns (Facebook Pixel, LinkedIn Insight Tag). For full details, see our Cookie Policy.
Your choices: Accept all cookies (recommended for best experience); Reject non-essential cookies (via cookie banner); Manage preferences at any time: Cookie Settings.

10. CHILDREN'S PRIVACY

Our services are not directed at children under 16 (or under 13 in some jurisdictions). We do NOT knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us immediately at dpo@fluxy.one. We will delete the data within 48 hours.

11. AUTOMATED DECISION-MAKING AND PROFILING

11.1 AI-Assisted Features

We use AI to assist with: Product description suggestions (based on GTIN or product category); Data extraction from documents (OCR on uploaded certificates); Support chatbot responses (Hugo.ai, Crisp AI).
Human oversight: All AI suggestions are reviewed by you before publishing. You have final control over all data. No automated decisions affect legal rights (e.g., account termination, payment refusal).

11.2 No Profiling for Marketing

We do NOT use automated profiling to: Make credit decisions; Determine pricing (same prices for all users in the same tier); Deny service based on behavioral patterns.

11.3 Your Rights

You have the right to: Object to automated decision-making (Art. 22 GDPR); Request human review of AI-generated content; Opt out of AI-assisted features (contact support@flxy.io).

12. CHANGES TO THIS PRIVACY POLICY

12.1 Updates

We may update this Privacy Policy from time to time to reflect: Changes in laws (GDPR amendments, new ESPR regulations); New services or features; Changes in data processing practices.

12.2 Notification

For significant changes: We will notify you via email 30 days in advance. We will display a banner on the website. You may object to changes by terminating your account before the effective date.
For minor changes: We will update the "Last Updated" date at the top of this Policy. We recommend checking this page periodically.

12.3 Version History

• v3.0 (February 15, 2026): Added Zero Box services, updated subprocessors (Hugo.ai, SendPulse), clarified AI data usage
• v2.0 (December 2, 2025): Updated for ESPR compliance, added QR scan data disclosure
• v1.0 (January 1, 2024): Initial release

13. CONTACT US

13.1 General Privacy Questions

Email: legal@fluxy.one
Subject line: "Privacy Inquiry"

13.2 Data Protection Officer (DPO)

Email: dpo@fluxy.one
Phone: +371 26125210
Address: Data Protection Officer, SIA Fluxy One, Rupniecības iela 16-14B, Riga, LV-1010, Latvia

13.3 Exercising Your Rights

Email: dpo@fluxy.one
Subject line: Use specific keywords: "Data Access Request" (Art. 15 GDPR), "Data Deletion Request" (Art. 17 GDPR), "Data Correction Request" (Art. 16 GDPR), "Data Portability Request" (Art. 20 GDPR), "Object to Processing" (Art. 21 GDPR).
Response time: 30 days (may be extended to 60 days for complex requests).

13.4 Supervisory Authority

Data State Inspectorate (Latvia)
Blaumaņa iela 11/13-15, Riga, LV-1011, Latvia
Email: pasts@dvi.gov.lv
Website: https://www.dvi.gov.lv

14. JURISDICTION-SPECIFIC INFORMATION

14.1 European Union (EU/EEA)

This Privacy Policy complies with: GDPR (Regulation 2016/679); ePrivacy Directive (Directive 2002/58/EC); ESPR (Regulation 2024/1781 — Digital Product Passports); Latvian Data Protection Law.

14.2 United Kingdom

For UK users, this Policy also complies with: UK GDPR (as amended by the Data Protection Act 2018). UK supervisory authority: Information Commissioner's Office (ICO) — https://ico.org.uk

14.3 United States

We do NOT operate under: CCPA (California) — Our services are not directed at California residents; COPPA (Children's Online Privacy Protection Act) — We do not target children. If you are a US user, your rights are limited to those under GDPR (if applicable) and our contractual Terms of Service.

14.4 Other Jurisdictions

If you are located outside the EU/EEA: Data transfers are governed by Standard Contractual Clauses (SCCs). You retain GDPR-equivalent rights (access, deletion, correction). Contact dpo@fluxy.one for jurisdiction-specific questions.

END OF PRIVACY POLICY