Privacy Policy

Flownally spółka z ograniczoną odpowiedzialnością, ul. Kard. Stefana Wyszyńskiego 138/6, 50-307 Wrocław, Poland, KRS 0001222080, NIP 8982329940 (hereinafter the "Provider", "we" or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share personal data in connection with our business messaging integration services (hereinafter the "Services"), delivered via our software-as-a-service platform. Our Services are offered exclusively on a B2B basis and are not intended for consumers. All capitalized terms not defined here have the meanings given in our General Terms and Special Terms. By using our Services, you acknowledge that you have read and understood this Policy. For clarity, in this Privacy Policy "you" refers to the Client and its authorized Users, unless the context clearly indicates otherwise.

1. Client — an Entrepreneur concluding the Contract with the Provider.
2. User — a natural person who use the Account and access the Services as the Client, being an Entrepreneur or acting on behalf of the Entrepreneur as his representative, employee or associate.
3. End Customer — an individual who interacts with the Client via our Services. End Customers are typically the Client's own customers or prospects.
4. Provider — we, Flownally sp. z o.o., the service provider operating the platform.
5. Services — the services enabling the User real-time conversation with a designated person, consisting in particular, but not limited to, the transmission of vision and sound, carried out based on the General Terms and Special Terms.
6. Data — any information processed by the Provider in connection with the Services, including in particular personal data within the meaning of Article 4(1) GDPR, Client and User data, End Customer data, and technical or operational data related to the use of the Account, Website and/or Application.

Controller vs. Processor:

Depending on the data in question, we may act either as a Data Controller or a Data Processor under GDPR:

7. For Client and User's Data, the Provider acts as the Data Controller. We determine the purposes and means of processing this data and ensure its protection in line with this Policy.
8. For End Customer's Data that the Client submits to our platform, the Client is the Data Controller and the Provider acts as a Data Processor on the Client's behalf. This means we process the End Customer's personal data solely for providing the Services to the Client and only on the Client's instructions, as required by Article 28 GDPR. We have appropriate data processing agreements in place with our Clients to ensure GDPR compliance. If you are an End Customer of one of our Clients, please refer to the Client's privacy notice. We will assist our Clients in fulfilling their data protection obligations toward End Customers.

We process the following categories of personal data:

1. Account Registration Data (Client/User Data): When a Client signs up or enters a contract with us, we collect information such as the Client's company name, business contact details, tax identification number (NIP), billing address, as well as the names, emails, phone numbers or other contact details of the Client's authorized Users. This is necessary to create and maintain the Account, authenticate Users, provide access to the platform, and communicate with you about the Services. If a User's personal data was provided to us by the Client, the Client is responsible for informing the User and ensuring there is a valid legal basis for us to process that User's data. We may obtain User data either directly from Users (e.g. when they log in, communicate with us or update their profile) or from the Client (e.g. when the Client creates or manages User accounts). Where we obtain User personal data from the Client, the source of such data is the Client (e.g. the User's employer or contracting party) and the data typically includes identification and contact details (such as name, business email address and phone number) and role/position information; in such cases the Client should provide the User with the information required under Article 14 GDPR.
2. Communication and Support Data: If you contact us via our website chat, support email, or other channels, we collect the information you provide. Our chat support system may identify you and link to your account to provide customized service. We record support tickets and communications to address your requests and improve our customer service. If you have agreed to receive our newsletter or marketing communications, we collect your name, email, and marketing preferences to send you updates.
3. Service Usage Data: When Users utilize our application, we process data about that usage such as log-in credentials, log-in timestamps, IP addresses, device information, and actions taken on the platform. This data helps us operate and secure the Service, monitor performance, prevent fraud, and provide technical support. We may also collect telemetry or crash reports to debug issues.
4. Billing and Payment Data: To process subscription fees for different Plans, we collect billing contact details and transactional information. Payment card information is generally handled by the third-party Payment Institutions — we do not store your full card details on our systems. We receive from the payment provider a confirmation of payment and limited details needed for invoicing. All financial terms are governed by our Price List and Special Terms for the chosen Plan. We use billing data to issue invoices and comply with accounting and tax laws.
5. End Customer Data (Message Content): Our Service enables Clients to add End Customers and communicate with them via messaging channels like WhatsApp, EasyBot, or chatbots. The data processed may include End Customers' identifiers, the content of messages (e.g., text, images, audio, or other media that the End Customer sends), and conversation metadata. We store and transmit this data as needed to deliver the messaging service. Important: Clients are responsible for collecting any necessary consent from End Customers and ensuring that adding their data to our platform is lawful. For example, when uploading contact lists or when initiating conversations, the Client must have an appropriate legal basis for processing such data under the GDPR. Our Terms require that End Customers self-initiate the conversation or otherwise consent before being contacted. If an End Customer withdraws their consent, the Client must cease using our Service to contact them. We will facilitate such removal by the Client as needed. We do not use End Customer's data for our own purposes; we only process it to provide the Service to the Client, following the Data Processor role as described above.
6. Automatically Collected Data (Cookies & Analytics): When you visit our website or use the application, we use cookies and similar technologies to collect information. For details, see Cookies and Tracking below.
7. Special Categories of Data: Our Services are not intended to process any sensitive personal data. We ask our Clients and Users not to enter such data into the platform. We do not collect data from children, and our Services are not directed to minors under 18.

We process personal data for the following purposes, in compliance with the lawful bases under Article 6 of the GDPR:

1. To Provide the Services (Performance of the Contract): We use registration and account data to set up Client's Account, authenticate Users, and provide the features of the subscribed Plan. We process message data to transmit and store those messages as you direct, and to integrate with third-party messaging platforms, as part of the Services you have contracted for. Processing the Client's personal data is necessary for the performance of our contract with the Client (GDPR Art. 6(1)(b)). As for User data, while Users are not parties to that contract, we process their personal data in our legitimate interest to enable the Services for the Client (GDPR Art. 6(1)(f)).
2. Customer Support and Communications: We process personal data when we communicate with you, to answer your inquiries, provide technical support, or send important service notifications. This is in our legitimate interest to provide an effective service and maintain customer satisfaction (GDPR Art. 6(1)(f)). In some cases, support communications may also be part of contract performance (helping the Client to use the service, GDPR Art. 6(1)(b)).
3. Service Improvement and Security: We analyze usage data — primarily regarding how Clients and Users interact with our platform — to understand performance and improve our Services. We may deploy updates or new features and see how they are used, which helps us optimize the user experience. We also process data as needed for IT security, fraud prevention, and to prevent misuse of our platform. For example, we may monitor login patterns to detect suspicious access, or scan content to block malware or illegal material. These activities are based on our legitimate interests in running a reliable, safe service (GDPR Art. 6(1)(f)). We ensure that such processing is not overridden by Users' data protection rights by using the data in a limited and proportionate manner.
4. Billing and Legal Compliance: We use relevant Client's data to process payments and comply with legal obligations related to finances and accounting. For instance, issuing invoices and keeping financial records for tax purposes are legal obligations for us (GDPR Art. 6(1)(c)). Polish tax law requires us to retain invoice data for a certain period. We may also process data to comply with other laws or regulations. Additionally, if we need to enforce our contract or protect our legal rights, we may process relevant personal data for our legitimate interest in establishing or defending legal claims (Art. 6(1)(f)). Under the Polish Civil Code, contract claims can generally be pursued for up to 3 years, so we may retain data accordingly to protect our rights (see Data Retention below).
5. Marketing Communications: If you are a Client or a prospective Client who has explicitly consented to receive marketing or newsletter communications from us, we will use your contact details to send you promotional content, such as product updates, offers, or industry news. We abide by Polish laws requiring opt-in consent for commercial e-mails and for SMS/phone marketing. The legal basis for sending marketing emails or SMS is your consent (GDPR Art. 6(1)(a)). You are free to withdraw this consent at any time — every marketing email will include an unsubscribe link, or you can contact us at any time to opt out. Withdrawing consent will stop future marketing messages; this will not affect the lawfulness of processing before the withdrawal.

Use of AI Features: As part of our Service functionality, we may use Artificial Intelligence (AI) or machine learning tools to enhance your experience (for example, to generate conversation summaries). When you or your Users use such features, the relevant conversation content may be processed by our AI tools and/or third-party AI service providers. We implement this carefully: only the data necessary for the feature is used, and we apply appropriate safeguards to protect the data. The legal basis for processing Client and User personal data in connection with AI features is our legitimate interest in providing and improving the Services (GDPR Art. 6(1)(f)). No AI-based processing we conduct produces legal or similarly significant effects on individuals. For End Customer data, we act as a data processor on behalf of the Client and process such data for AI features only on the Client's documented instructions (GDPR Art. 28); the Client (as data controller) is responsible for providing the required notices and ensuring an appropriate legal basis for such processing of End Customer data (e.g. legitimate interests or consent, as applicable). If any person objects to the use of AI features in relation to their conversation, they should contact the relevant Client; the Client may disable such features or instruct us accordingly.

Our website and application use cookies and similar tracking technologies to distinguish you from other users, improve your experience, and gather information about how our Services are used.

1. Essential Cookies: These cookies are necessary for the website and app to function properly, such as keeping you logged in to your Account, navigating the platform, or remembering your language preferences. We set these cookies to fulfill the service you request, and they do not require consent. The legal basis for processing data from essential cookies is our legitimate interest in providing a functional service, or contractual necessity when cookies are needed to provide the features you explicitly use. Without these, the Service may not work correctly.
2. Analytics and Performance Cookies: If we use any analytics tools, these cookies collect information about how visitors interact with our site. This helps us improve functionality and user experience. We only use such cookies with your consent, in compliance with applicable ePrivacy laws. On your first visit, we will request your consent via a cookie banner for any non-essential cookies. The legal basis for analytics cookies is consent, and you can refuse or revoke consent at any time. We honor "opt-in" requirements for cookies as mandated by Polish and EU law.
3. Marketing and Third-Party Cookies: We do not currently serve third-party ads on our site. If that changes in the future, we will update this Policy and obtain consent before enabling such cookies.

Cookie Choices: You can manage or delete cookies in your browser settings at any time. You can also adjust preferences in our cookie consent tool on the website. Note that blocking certain cookies may impact your ability to use the Services. For more details on cookies, you may refer to our Cookie Policy or contact us.

ePrivacy Compliance: We abide by the Polish regulations implementing the EU ePrivacy Directive regarding storing information on user devices. This means we do not place non-essential cookies without your prior consent, and we provide clear information about cookie use. Our practices align with the requirements of telecommunications/electronic communications law for cookie consent and spam prevention.

We treat your personal data with care and do not sell it to anyone. However, in order to run our business and provide the Services, we share data with certain third parties in the following circumstances:

1. Subcontractors and Service Providers: We utilize trusted third-party service providers to support our operations.
2. Hosting and Infrastructure: We host our application and data on secure cloud servers or data centers. For example, we may use reputable cloud providers to store databases and ensure high availability. These providers only process data under our instructions.
3. Messaging Integration Partners: To deliver messages via external platforms, we integrate with those platforms' services. For WhatsApp messaging, we rely on WhatsApp's infrastructure to send and receive messages. In practice, when an End Customer communicates with a Client via WhatsApp through our Service, the content is transmitted through WhatsApp's systems as well — meaning WhatsApp will process that data as an independent controller according to its own terms. We ensure that our use of the WhatsApp Business API complies with WhatsApp's terms and data protection requirements. Similarly, if our Service connects to other platforms or bots, data might be shared with those systems at the Client's direction. We only share the data necessary for the integration and as instructed by the Client.

   For WhatsApp data processing practices and privacy information, see the official WhatsApp Privacy Policy at https://www.whatsapp.com/legal/privacy-policy?lang=pl and WhatsApp Business App Privacy Policy at https://www.whatsapp.com/legal/business-app-privacy-policy?lang=en.

4. Payment Processors: We work with Payment Institutions for processing subscription fees. These payment providers will handle your payment details on their secure systems. They act as independent controllers for your payment data, but will only share with us the information we need for verification. We recommend reviewing the privacy policy of the payment provider you use.
5. E-mail and Communication Tools: We may use third-party email delivery services to send out transactional emails or newsletters. Those services process your email address and content of the email under our instructions.
6. Analytics or Monitoring Services: If we employ analytics or error tracking services, those providers may receive pseudonymous data to provide aggregate insights. We configure these services to respect privacy and only use them with consent as noted in Cookies above.
7. AI Service Providers: For our AI features, we might use external AI APIs or platforms. For example, we could send conversation text to an AI engine. Any such provider is bound by confidentiality and data processing terms, and we only transmit data as needed for the AI function. We will disclose in our documentation which AI tools are used and ensure compliance with transfer rules.

All our subprocessors are subject to strict data protection obligations by contract -- they can only use the data to render services to us and not for their own purposes. We perform due diligence and choose providers who provide sufficient guarantees to implement appropriate technical and organizational measures to meet GDPR's requirements (per Art. 28 GDPR).

8. Business Transfers: In the event of a merger, acquisition, investment, or sale of all or part of our business, personal data may be transferred to the relevant third party as part of the transaction. We will ensure the recipient agrees to handle your data with standards equivalent to this Policy. You will be notified of any change of ownership or uses of your personal data, as required by law, and your choices regarding your data will be respected in any such transfer.
9. Legal Compliance and Protection: We may disclose personal data to outside parties if required by law or legal process, or if we have a good-faith belief that such disclosure is necessary to (i) comply with a legal obligation, (ii) protect our rights, property, or safety, or that of our Clients, Users, or others, or (iii) investigate fraud or security issues. In doing so, we will limit the data disclosed to what is legally necessary and will object to overbroad or invalid requests as appropriate. For instance, if authorities request End Customer data, we will typically redirect them to the Client unless we are legally compelled to provide it.
10. With Consent or Instruction: We may share data with third parties if you explicitly ask or consent us to do so. For example, if you use a feature to export data or integrate your Account with a third-party service, we will send data to the third party at your direction. Those third parties' use of the data is governed by their own policies.

We do not share personal data with any third parties for their own marketing or advertising purposes without your consent.

We are based in Poland, and our primary data storage and processing generally occur within the European Economic Area (EEA). However, some of our subcontractors or integration partners are located outside the EEA, or may process data outside the EEA. For example:

1. Using global cloud or service providers might involve servers in the United States or other countries.
2. WhatsApp data exchange could route through servers outside the EU.
3. If we utilize an AI service like OpenAI, the processing might occur in the United States where that provider is based.

Whenever we transfer personal data to a third country or an international organization, we ensure that appropriate safeguards are in place, as required by GDPR Chapter V. Our measures include:

4. European Commission Adequacy Decisions: If the country has an EU Commission adequacy decision, we rely on that.
5. Standard Contractual Clauses (SCCs): For most transfers to non-EEA service providers, we have Standard Data Protection Contractual Clauses in place. These are the clauses approved by the European Commission to ensure that the recipient of the data is contractually bound to protect it to EU standards. We have signed SCCs with our relevant subprocessors and partners when required. In addition, where necessary, we implement supplementary measures to further protect data, taking into account the guidance of the European Data Protection Board.

You can request a copy of the relevant transfer safeguards by contacting us. We will be happy to provide additional information regarding data transfers and the measures in place. By using our Services, you understand that your personal data may be transferred to and processed in countries outside your country of residence, which may have different data protection laws. However, we assure you that no matter where your data is processed, we protect it as described in this Policy and in accordance with the GDPR.

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. The exact duration depends on the type of data and the purposes of processing. Here are our general retention practices:

1. Account Data: We keep your Client and User account information for the duration of the contract. After your subscription ends or your account is deleted, we will generally archive or delete your personal data within a reasonable time frame, typically no later than 3 years after the contract termination, unless we need to keep it longer for legal reasons. If you simply stop using the Service without formally closing the account, we may contact you and/or retain the account data for a period in case you reactivate, but after an extended period of inactivity we may delete or anonymize the data. You can also contact us to request deletion of your account data sooner — we will accommodate such requests provided that there are no overriding legal obligations.
2. End Customer Data (Messages): As a Data Processor, we primarily retain End Customer message content and related data as instructed by the Client. Generally, message histories are stored in the platform so that the Client can view past conversations and maintain context with their customers. The retention may vary based on the Client's Plan and settings. By default, we will retain chat transcripts and contact details until the Client deletes them or requests their deletion, or until the Client's account is closed. Upon termination of the contract with the Client, we will either return the End Customer data to the Client and/or securely delete it from our systems. Any remaining data in backups or archives will be deleted in the normal course of our backup retention cycle.
3. Support and Communications: Communications you send us are retained as long as necessary to address your query and maintain records of our correspondence. Typically, we keep support emails and tickets for up to 3 years after resolution, in case you have follow-up issues and to ensure quality assurance and internal process improvement of our customer support, with personal data limited to what is strictly necessary or anonymised where feasible. Chat logs from our website's live chat with you may be stored for a similar period. Where possible, we will minimize personal data in these records.
4. Billing and Financial Records: As required by Polish law, we retain invoicing and accounting records for 5 full years after the end of the financial year to which they pertain. For example, an invoice from 2025 must be kept until the end of 2030. This retention is to comply with tax and accounting obligations. After that period, such records will be securely destroyed or anonymized. Any payment-related personal data not required for tax, accounting, or the establishment, exercise or defence of legal claims will be deleted or anonymised as soon as it is no longer necessary, in accordance with applicable law.
5. Marketing Data: If you have consented to receive marketing emails, we will retain your contact details on our marketing list until you unsubscribe or withdraw consent. Upon unsubscribe, we will remove you from the mailing list immediately and will only retain whatever minimal information is needed to ensure we honor your opt-out. If you never confirmed a marketing opt-in, we may purge your contact from our tentative list after a short period.
6. Logs and Analytics: Our system logs are generally kept for troubleshooting and security monitoring purposes. These logs are usually rotated and deleted regularly, typically within 6 to 12 months. Aggregated analytics data that does not identify individuals may be retained longer for historical analysis.
7. Legal Holds: In the event of a dispute, investigation, or legal claim, we may need to retain certain data beyond the standard retention period. For example, if we are involved in litigation or receive a lawful order to preserve data, we will retain the data for as long as needed to comply with those requirements. We also note that under the Polish Civil Code, certain contract-related claims may be brought within up to 6 years, so we may preserve relevant contract information and communication logs for that period to protect our legal interests.

After the applicable retention period has elapsed, we will either delete your personal data or anonymize it. We will carry out deletion in a secure manner to prevent any unauthorized access to the information during the process.

Under the GDPR, individuals have a range of rights regarding their personal data. We are committed to honoring these rights.

Your rights include:

1. Right of Access (Art. 15 GDPR): You have the right to obtain confirmation whether we are processing your personal data, and if so, to request a copy of the data and information about how we process it. This includes information on the purposes, categories of data, recipients to whom the data have been disclosed, retention period, and the source of the data, among other details.
2. Right to Rectification (Art. 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete data completed. If any of your information we hold is outdated or incorrect, please inform us and we will update it. Users can also correct some information by logging into their Account settings.
3. Right to Erasure (Art. 17 GDPR): Also known as the "right to be forgotten." You may request that we delete your personal data, and we will comply provided that there is no lawful reason for us to retain it. This right is not absolute -- for instance, if we must keep certain data to comply with a legal obligation or to establish or defend a legal claim, we may refuse deletion of that specific data. But we will explain our reasoning in such cases. Typical scenarios where you can ask for erasure include: the data is no longer necessary for the original purpose, you withdraw consent, you object to processing and we have no overriding grounds, or we processed data unlawfully.
4. Right to Restriction of Processing (Art. 18 GDPR): You can request that we restrict processing of your data in certain circumstances — for example, while you contest the accuracy of the data or object to processing, or if our use is unlawful and you prefer restriction over deletion. During restriction, we will store the data but not use it. We will notify you before lifting any restriction.
5. Right to Data Portability (Art. 20 GDPR): For personal data that you provided to us, and which we process by automated means based on your consent or a contract with you, you have the right to receive that data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible. In practice, this might include things like your account data or message history that you gave us. We will provide the export in a reasonable format. Note that this right applies to data you actively provided or data generated by your use of the service, but not to data we derived or inferred.
6. Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, to any processing of your personal data that we conduct on the basis of legitimate interests. If you object, we will evaluate your request and will stop or adjust the processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. You also have an absolute right to object to direct marketing uses of your data, which means if you object or opt-out of marketing, we will cease marketing communications to you without question.
7. Right not to be subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not make any such automated decisions about Clients, Users, or End Customers. There is no profiling that would negatively affect your rights. The AI features we use do not make decisions about individuals — they simply transform content for user convenience. If that ever changes, we will inform you and ensure necessary safeguards in accordance with the GDPR. In any case, you would have the right to human intervention and to contest the decision if fully automated decision-making were involved.
8. Right to Withdraw Consent: Wherever we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal. If you withdraw consent, we will stop the processing that was based on consent.

These rights can be exercised free of charge for most cases. If requests are manifestly unfounded or excessive, we may either refuse or charge a reasonable fee as permitted by GDPR, but we have not had to do so to date. We will respond to your request as soon as possible, and in any event within one month of receipt. If needed, we can extend the response time by an additional two months for complex or numerous requests, but if so, we will inform you of the extension and the reasons for it.

How to Exercise Your Rights: If you are a Client or User, you can make a request directly to us. Please send your request to our contact point listed in Contact Us below. Include your name, contact information, and specify which right you wish to exercise and what personal data it relates to. We may need to verify your identity to ensure we do not disclose data to an unauthorized person. If you are an End Customer of one of our Clients, it is usually best to send your request to the Client, because they control your data and can confirm your identity in their context. We will assist the Client as needed to ensure your request is addressed. As a processor, we cannot typically erase or provide access to End Customer data on our own without the controller's instruction, but we will facilitate the request with the controller's cooperation.

Right to Lodge a Complaint: In addition to the above rights, if you believe that our processing of your personal data violates the GDPR or other data protection laws, you have the right to file a complaint with a Supervisory Authority (Data Protection Authority). You may do so in the EU Member State where you reside, where you work, or where the alleged infringement occurred. Our lead supervisory authority in the EU is the Polish Supervisory Authority — the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, address: ul. Moniuszki 1a, 00-014 Warsaw, Poland, website: https://uodo.gov.pl).

We take the security of personal data very seriously. We have implemented appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, for example: encryption of data in transit and at rest where applicable, access controls limiting who within our organization can access personal data, the use of firewalls and intrusion detection systems, regular security updates and patching of our software, and employee training on data protection. We also require our service providers to implement adequate security standards.

However, please note that no internet or email transmission is ever fully secure or error-free. Users are responsible for keeping their login credentials confidential and for following good security practices. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

We may update this Privacy Policy from time to time, for example to reflect changes in our Services, legal requirements, or data processing practices. If we make material changes, we will notify Clients by email or via the platform, and update the "Last updated" date at the top of this Policy. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Continued use of the Services after a policy update signifies acceptance of the revised terms, to the extent permitted by applicable law. If you do not agree with any changes, you may discontinue use of the Services in accordance with the General Terms. Any requests regarding deletion of personal data will be handled in accordance with applicable data protection laws and statutory retention obligations.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us:

For the quickest response, we recommend reaching out via email. We will happily respond to inquiries about privacy and data protection.