At Flowbox we take privacy very seriously and strive to use personal data in a secure and transparent way. We are continuously developing our services and privacy practices to ensure a high level of protection for personal data processed by us.

This privacy guide serves to provide a pedagogical description of processing of personal data carried out on behalf of our customers, i.e. processing for which we are the data processor. For the purposes of this guide, we will use the term “client” or “you” when referring to our customer, the data controller, and the term “customer” when referring to the client’s customers, website visitors and brand ambassadors.

Detailed information on the processing we carry out on behalf of our clients is set out in the data processing agreements executed with our clients. If details are not what you are looking for, please see a summary of the most important parts below.

We process personal data made publicly available on social media by users who have interacted with your brand, and visitors of your website. Such data often includes:

The personal data we collect is processed for the purposes of providing the Flowbox services and platform, e.g. to enable you to use the data in content feeds (“Flows”) on your website, measure performance of Flows, and provide you with insights in relation to customers’ behavior on your website, e.g. if they click on or purchase a product.

We only process personal data as long as necessary to fulfil the purposes of processing such personal data after which the personal data is deleted or anonymized. For instance, this means that transaction identifiers collected through the use of cookies are deleted 30 days after a customer has left your website.

Access to personal data is limited to such Flowbox employees or consultants who need access for the purposes of providing our services, and our hosting partner Amazon.

We do not sell personal data.

All personal data processed on behalf of the client is stored with Amazon in Flowbox databases located in the AWS virtual private cloud. If we need to transfer personal data outside EU/EEA we will do so based on an appropriate transfer mechanism, such as standard contractual clauses.

We have implemented security measures and a disaster recovery plan. A description of our security measures is available here: https://help.getflowbox.com/en/articles/4967183-flowbox-system-architecture-and-security.

Flowbox’s services are designed to enable the client to allow customers to exercise their rights under the GDPR, including but not limited to rights to access, rectify and delete personal data.

Access:

Customer data processed by Flowbox can be accessed on request by the client and will be made available in accordance with Flowbox’s routines for data retrieval and the client’s reasonable instructions.

Rectification:

All Flows provide customers the opportunity to report a post uploaded on behalf of the client. If a post is reported, the client will receive a message in their Flowbox account and will be able to review the reporting cause and be able to take appropriate action.

Erasure:

Customers can also report an image to have it deleted, using the same reporting process as described above.

All clients are controllers and hence responsible towards customers for the data processing carried out by Flowbox on behalf of the controller. We encourage clients to create terms and conditions, including a privacy policy, relevant for the collection of user generated content. For inspiration, see this list of example t&cs.

Flowbox system architecture and security

Flowbox full Privacy Policy

Flowbox GDPR - frequently asked questions