Privacy Policy

Version: 2.0.0

Last Updated: February 18, 2026

Effective Date: February 18, 2026

This Privacy Policy informs you about the processing of personal data when you use our Flowbit AI platform. It complies with the requirements of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller (Art. 4(7) GDPR)

Flowbit Technologies GmbH

Goethestraße 25, 74076 Heilbronn, Germany

Email: privacy@flowbitai.com

2. Data Protection Officer (DPO)

Interim contact: privacy@flowbitai.com

Note: Formal DPO appointment is pending based on company size thresholds (cf. Art. 37 GDPR, Sec. 38 BDSG).

3. Data We Collect

(a) Account Information

  • Name, email address, password hash, system role

(b) Automatically Collected Data

  • IP address, browser type, usage data, cookies

(c) Third-Party Data

  • OAuth profile data from Microsoft (with consent)
  • Email metadata from Outlook integration (with explicit consent)

4. Legal Basis for Processing (Art. 6 GDPR)

User Registration and Authentication

To create and manage user accounts for accessing the platform

Legal Basis: Performance of contract (Art. 6(1)(b) GDPR)

Document Processing and Analysis

To provide document analysis and data extraction services

Legal Basis: Performance of contract (Art. 6(1)(b) GDPR)

Outlook Integration

To automatically process documents from email attachments

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Usage Analytics

To analyze platform usage and improve services

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Security and Fraud Prevention

To ensure platform security and prevent fraud

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)

5. Purposes of Processing

  • Provision and operation of our document processing services
  • AI-powered document processing and data extraction
  • Account management and customer support
  • Security and fraud prevention
  • Analytics for platform improvement (with consent)
  • Compliance with legal obligations

6. Sub-Processors (Art. 28 GDPR)

We engage sub-processors in the following categories:

  • Cloud infrastructure provider (EU) — document storage
  • Database provider (EU) — account data and metadata
  • Application hosting provider (EU) — platform operation
  • Email integration service (EU) — Outlook integration (with consent)

A detailed list of our sub-processors is available to registered users in their privacy settings, or upon request at privacy@flowbitai.com.

7. International Data Transfers

Your data may be transferred to countries outside the EEA. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • Adequacy decisions by the European Commission (Art. 45 GDPR)
  • EU-US Data Privacy Framework (DPF) for US recipients with DPF certification

8. Data Retention

We retain your data only as long as necessary:

  • Account data: 2 years after last activity
  • Documents: 1 year (customizable)
  • Audit logs: 3 years (compliance)
  • Activity logs: 90 days
  • Consent records: 6 years (legal requirement)
  • Security logs: 2 years
  • Deleted user data: 30 days before permanent deletion

9. Your Rights (Art. 15-22 GDPR)

Under the GDPR, you have the following rights:

Right of Access (Art. 15)

You have the right to request a copy of your personal data.

Right to Rectification (Art. 16)

You can request the correction of inaccurate data or the completion of incomplete data.

Right to Erasure (Art. 17)

You have the right to request deletion of your data ("right to be forgotten").

Right to Restriction of Processing (Art. 18)

You can request the restriction of processing of your data.

Right to Data Portability (Art. 20)

You have the right to receive your data in a structured, commonly used, and machine-readable format.

Right to Object (Art. 21)

You can object to the processing of your data when it is based on legitimate interests.

Right to Lodge a Complaint (Art. 77)

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence.

To exercise your rights, contact us at: privacy@flowbitai.com

10. Automated Decision-Making (Art. 22 GDPR)

We use AI technologies for document extraction and analysis. The following applies:

  • AI is used for automated extraction of data from documents.
  • All AI results can be reviewed and corrected by users.
  • No solely automated decisions are made that produce legal effects or similarly significantly affect you.

11. Cookies

We use cookies as described in our Cookie Policy. You can manage your cookie preferences through our consent banner.

12. Data Security (Art. 32 GDPR)

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at rest and in transit (AES-256)
  • Access controls and authentication mechanisms
  • Regular security reviews and audits
  • Incident response procedures

13. Data Breach Notification (Art. 33/34 GDPR)

In the event of a data breach:

  • Notification to the competent supervisory authority within 72 hours (Art. 33 GDPR).
  • Notification to affected individuals without undue delay when there is a high risk to their rights and freedoms (Art. 34 GDPR).

14. Changes to This Privacy Policy

We will notify you of material changes to this Privacy Policy at least 30 days in advance via email or platform notification. Continued use of the platform after the changes take effect constitutes acceptance.

15. Contact

For privacy-related questions or to exercise your rights:

Email: privacy@flowbitai.com

You also have the right to lodge a complaint with your local data protection supervisory authority.