Flow Commerce Inc. Privacy Policy

Effective Date: May 29, 2020  Prior Privacy Policy found here.

This privacy policy is for Flow Commerce Inc. and its subsidiaries (together, “Flow”) (“Privacy Policy”). Flow understands that your privacy is very important to you. Rest assured that your privacy and trust are also very important to us.

NOTE TO CONSUMERS OUTSIDE OF THE UNITED STATES: Please be aware that Flow hosts data in the United States and by providing your information to Flow you are personally transferring your data to the United States.

This Privacy Policy details the personal information we collect about you, the means through which we collect that information, with whom we share it, and how you can change your preferences regarding how we collect and use your information when you provide it to us at our home site, www.flow.io (our “Site”), or at our retail partners’ websites or mobile applications (either hosted by Flow or otherwise) where you may purchase such retail partners’ goods and services from Flow (together, the “Flow Digital Properties”). BY (i) CLICKING THE TICK BOX TO ACCEPT THIS PRIVACY POLICY, (ii) USING THE FLOW WEBSITES, AND/OR (iii) MAKING A PURCHASE ON A FLOW WEBSITE, YOU ARE ACCEPTING THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY.  

If you purchase goods from Flow via a Flow Digital Property, these goods are provided to Flow by our retail partners (the “Retail Partners”) and you are subject to the privacy policy of the applicable Retail Partner.

NOTES TO USERS IN CALIFORNIA: For additional information for California residents, please see https://www.flow.io/policies/CA-privacy/ ^[a]

NOTES TO USERS IN EUROPE:

• Because we provide our offerings to individuals who are based in the European Economic Area (“Europe”), European data protection legislation known as the General Data Protection Regulation (“GDPR”) applies to us and our use of your Personal Data.
• This Privacy Policy is intended to meet our duties of transparency under the GDPR and, more specifically, to make it clear to you what rights our European Users have and how they can exercise them.
• For more information, please see the provisions under the heading “Provisions Specific to European Users”, below.

What Types of Personal Information Does Flow Collect?

We collect, store, and use information that you provide directly to us and information we acquire in other ways, each as detailed below:

• Information You Provide to Us Directly. We acquire information from you when you (a) provide information via any of the Flow Digital Properties, including any user accounts or other accounts, (b) when you apply for a job at Flow, (c) purchase goods and/or services from Flow, (d) communicate or interact with Flow customer service (via email, mail, courier, fax, web form, and/or phone), (e) download any whitepaper, article, research paper, infographic or other downloadable, (f) request or otherwise sign up to receive our newsletter(s) and/or watch any webinar, video or other online content, and/or (g) engage in any other electronic or oral conversation with an employee, contractor, agent or retail partner of Flow.

Through these channels, you might provide us with information about you, information about the recipient of any merchandise you are ordering and/or having shipped, including but not necessarily limited to, in either case, names, email addresses, postal addresses, phone numbers, genders, birthdays, marketing preferences, personal interests, credit card information, and other information, such as driver’s license numbers, CPF numbers or other national identifiers, and passport information.  

To the extent that you provide us information that is retained as a user account or user profile through a Flow Digital Property, you may log into that profile to update, edit or delete any information contained therein.  Information that is retained as a record of an order placed, item shipped, return request, customer service provided, or similar transaction is, by its nature, not editable.

• Information We Acquire in Other Ways. We also acquire other information about you when you interact with emails you receive from us, ads for Flow that you may interact with, or with any of the Flow Digital Properties and certain of their features, including user accounts and other accounts, checkouts, questionnaires, panels, and social media features, such as signing into a Flow Digital Property account using your social media sign-in credentials or otherwise interacting with third party social media features that are enabled on the Flow Digital Properties.

This information may be collected by us or our third party partners through tracking pixels, lead form extension, or through log files and may include your city and country location, your IP address, your browser, the type of device you have used to access the Flow Digital Property, URLs that refer you to a Flow Digital Property, date and times of your visits to Flow Digital Properties, information on actions taken while at Flow Digital Properties (such as page views, duration of page views, and site navigation patterns), a unique identifier for your browser or device and details of your usage such as your preferences, “pins”, “likes” and “dislikes.”

Another example would include confirmations that we receive when you open an email from us or our partners, if your computer or other device supports that function. We also acquire information about you from our subsidiary companies, Retail Partners (directly or through their service providers), business partners, other third parties and publicly available information and combine that information (or compare that information) with the information otherwise detailed throughout this Privacy Policy.

What Cookies and Other Technologies Does Flow Use?

A cookie is a small file downloaded on to a device when a user accesses certain websites or mobile apps. When you interact with Flow or its partners, cookies and other technologies may be used for storing information, and accessing information stored on your devices, such as your computer, mobile device or other device. These cookies and other technologies may include first party cookies (i.e., those placed by the website being visited) and third party cookies (i.e., those placed by a website other than the one being visited), local shared objects (“LSO,” and commonly referred to as “Flash Cookies” or “HTML 5 Cookies”) and tracking pixels (including transparent or clear gifs also known as “web beacons”). For purposes of this Privacy Policy, we use “Cookies” generically to include all of these technologies.

Cookies can either expire at the end of a session (“Session Cookies”) or be persistent and last through multiple sessions (“Persistent Cookies”). Session Cookies can be helpful for remembering items you put in your shopping cart as you browse a site, or for security reasons when you are providing financial information. Persistent Cookies are stored on your device in between sessions, which allows for your preferences or actions to be remembered and used on a website or mobile app (or in some cases across different websites and/or mobile apps). Persistent Cookies may be helpful in remembering your preferences and choices when using a website or to ensure advertising messages are more relevant to you. Cookies are useful because they allow us to recognize your device and provide you with a high level of service and relevant offers.

The Flow Digital Properties may include Social Media Features, such as the Facebook “Like” button and widgets such as the “Share” button or interactive mini-programs that run on the Flow Digital Properties. These Social Media Features may collect your IP address, which page you are visiting on a Flow Digital Property, and may set a Cookie to enable the feature to function properly. Social Media Features and widgets are either hosted by a third party or hosted directly on the Flow Digital Properties. Your interactions with these Social Media Features are governed by the privacy policy of the company providing the Social Media Feature.

Broadly speaking, Cookies placed on your computer or device fall into two categories:

1. First Party Cookies – these are served directly by us to your computer or device and are used only by us to recognize your computer or mobile device when it revisits our website; and
2. Third Party Cookies – these are served by our service providers, Retail Partners, and other partners on our website, and can be used by such parties to recognize your computer or mobile device when you use it to visit other websites.

The Flow Digital Properties may use the following types of Cookies for the purposes set out below:

How Can I Disable Cookies?

To limit disclosures and use of personal data - you can typically remove or reject Cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings”, “help” “tools” or “edit” facility).  Many browsers are set to accept Cookies until you change your settings.  You can take additional steps to disable or delete similar data, such as Flash Cookies, by modifying the “add-on” settings on your browser. Various browsers may offer their own management tools for access to HTML5 LSOs. However, please note that certain Cookies are required for you to be able to take advantage of some of Flow’s important functions. For example, if you do not allow our cookies, you may not be able to purchase items from one of our checkouts. You may find specific instructions for disabling cookies in some of the popular browsers via the following links: Google Chrome, Safari, Mozilla Firefox, Microsoft Internet Explorer.

Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including turning off cookies as described above, or opting out of receiving marketing from us as described in this Privacy Policy.

See also “Does Flow Participate in Online Behavioral Advertising” Section below.

Use of Cookies on Flow Digital Properties.

In addition to any Cookies that may be set via our Site, with their permission, we may also set Cookies via our partners’ Flow Digital Properties to assist both them and you in our provision of the Flow Services.

Where Else Does Flow Obtain Data? 

We also obtain information about you from other third party sources. To the extent we combine such third party sourced information with information we have collected about you on the Service, we will treat the combined information in accordance with the practices described under this Privacy Policy, plus any additional restrictions imposed by the source of the data. These third party sources vary over time, but have included or may include:

• Our Retail Partners
• Other partners with which we offer co-branded services, sell or distribute our products, or engage in joint marketing activities.
• Publicly-available sources such as open government databases or other data in the public domain.
• Social networks when you reference our Flow or one of our hashtags.
• Lead generation services.
• Advertising networks (as described below).

We are not responsible for the accuracy of any information provided by third parties or third party policies or practices. You are subject to these third parties’ privacy policies. If you would like to opt-out of the collection and sharing of your information, such as remembering your contact information, you need to opt-out on these third party sites.

How Does Flow Use Your Information? 

The type or identity of third parties to which Flow discloses personal information and the purpose is addressed herein. We use and retain your information as needed to provide you services, ship and track your order, maintain a record of your purchases and returns, for fraud detection, comply with our legal obligations, resolve disputes, to offer our services to your company, to review your job application and background as part of the recruitment process, and for other legitimate business reasons. By way of example, and not limitation, we analyze transactional data for the purpose of identifying trends, statistics and measurements that could contribute to the enhancement of Flow services. Such use could include identifying market sensitivities, and relative market interest in specific product categories. Another example would be if you place an order with us through a Flow Digital Property, we (directly or through our merchant supplier or other entity on our behalf) may contact you if there is an issue with the order (e.g., to find an alternative to a restricted item). If you are a client or potential client of the Flow Commerce Saas solution, we may use your information to send you newsletters, surveys, feature updates, invitations, and marketing messages about Flow or our partners.

You may opt-out of receiving our newsletters, feature updates and the like by clicking the “unsubscribe” link on the particular communication you receive from us. You may also request that we remove you from our marketing communications by sending an email to privacy@flow.io.

How Does Flow Share Your Information? 

We do not sell your information to others and do not share your information with third parties other than as outlined in this Privacy Policy. However, there are certain situations where we may provide your information to third parties.

• Marketplaces and Partners Involved in Your Transactions. Depending on how you interact with Flow, you may make purchases that involve third parties, including but not limited to our Retail Partners. For example, you may make a purchase that involves a third-party website or marketplace. In such a situation, you may initially view products on that website or marketplace and Flow is facilitating the order or otherwise involved. If this is the case, it will be very clear to you that a third party is involved in your transaction. And, if so, we will share your personal information with that third party.
• Service Provider. Flow may provide your personal information to certain service providers in connection with the fulfillment of your purchase instructions either directly or through the use of cookies, including but not limited to payment service providers, delivery agents, transliteration or translation service providers, email service providers to send you emails on our behalf, customer support providers to process your feedback, customs brokers, international tax and/or revenue authorities and fraud management parties. For example, in the case of fraud management service providers, they may use and retain information relating to your transaction and browsing activity to analyze and detect fraudulent transactions as compare to your transaction. We may provide your information to service providers, such as employment agencies or applicant tracking services, that are assisting us in filling open roles. Additionally, we may provide your personal information to certain service providers in connection with marketing activities you have signed up for (like newsletters) and related items, such as emailing services. Other service providers track analytics on the Flow Digital Properties, such as Google Analytics, or to provide marketing services, such lead generation services or agencies who assist with online behavioral advertising (as further described below).
• Flow’s Protection. We will disclose your personal information as required by law, when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process, to enforce or apply our Terms & Conditions and other agreements and to protect the rights of Flow.
• Business Transition. In the event Flow goes through a business transition, such as a merger with or acquisition by another company, sale of all or a portion of our assets or brands, your personal information will likely be among the assets transferred.
• You Otherwise Consent. We may, of course, share your information in other ways that you specifically consent to.
• Other Disclosures. We may disclose your personal information to law enforcement, government officials, public authorities or other third parties if: (i) we are compelled to do so by subpoena, court order or other legal process, (ii) we must do so to comply with laws, statutes, rules or regulations, including credit card rules, (iii) we believe in good faith that the disclosure is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of any rules, regulations, laws or this Privacy Policy.
• Aggregated Content. We may also share “aggregated/blinded” information with our merchant partners, PR agencies, advertising agencies, and other third parties. By “aggregated/blinded” information we mean, information from multiple users that contains only zip codes, purchasing amounts, products, brands, categories, merchants involved, timing of transactions/usage and frequency of usage – with no other private information or personally identifying information included.

In addition, in the event of a merger, acquisition, reorganization, bankruptcy, or other similar events, certain information in our possession may be transferred to our successor or assign.

Does Flow Participate in Online Behavioral Advertising?

Flow does not deliver third party online advertisements on the owned and operated Flow Digital Properties but we advertise our services on other websites. We may use the analytics information from the Flow Digital Properties for retargeting and remarketing campaigns. Please familiarize yourself with those website operators' or network advertisers' privacy policies to understand their practices relating to advertising, including what type of information they may collect about your Internet usage. Some advertising networks we may use may be members of the Network Advertising Initiative (NAI) or the European Interactive Digital Advertising Alliance (EDAA). Individuals may opt-out of targeted advertising delivered by NAI or EDAA member ad networks by using tools provided visiting http://www.networkadvertising.org/ and http://www.youronlinechoices.eu/ respectively. If you wish to opt-out of receiving ads targeted to you based on your preferences, you may do so by clicking here. Please note that this does not opt you out of being served non-targeted advertising. You will continue to receive generic, non-targeted ads.

How Does Flow Handle, Store and Secure Your Information?

We take the security of your data very seriously at Flow. We use a variety of current technologies and processes to protect your data, including encryption at both the storage and transport level. However, please note that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.

The security of your password is key to the security of your data. We recommend that you do not share, reuse, or store any of the passwords you may have set up with any of Flow’s Retail Partners with anyone else.

What You Should Understand About Third-Party Advertisers and Links to Other Digital Properties?

The Flow Digital Properties may include links to partner websites or other third-party websites. We are not responsible for the content displayed or the practices of any such websites. We recommend that you review the privacy policy and terms and conditions of those websites.

Does Flow Transfer Your Data Cross Border?

Flow adheres to applicable laws and regulations regarding your personal information moving across geographical and jurisdictional borders. This includes the use of data transfer agreements and model contractual clauses, where available, between our corporate entities, our partners and our clients where required.

Information submitted by you may be transferred by us to our other offices and/or to the third parties mentioned in the circumstances described above (see How Does Flow Use and Share Your Information?), which may be situated in, or employ staff in, places other than your home jurisdiction, the U.S., the U.K. and/or Europe.  The countries concerned may not have similar data protection laws to your home jurisdiction, the U.S., the U.K. and Europe.  Where we transfer your information we will take all reasonable steps to ensure that your privacy continue to be protected.  By submitting information via the Flow Digital Property, you agree to this storing, processing and/or transfer.

We are responsible for all personal information in our possession, including information transferred to a third party service provider or agent, so that we can provide you with a product or service. In some instances our employees, service providers, agents, and any of their service providers, may be located in other provinces or jurisdictions outside Canada, and your personal information may be subject to the laws of those foreign jurisdictions, which may be different than Canada’s.

Flow complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and/or the United Kingdom to the United States.  Flow has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, the Privacy Shield Principles and to view our certification, please visit www.privacyshield.gov.

Flow’s participation in the Privacy Shield applies to all personal data that is subject to the Privacy Policy and is received from the European Union, European Economic Area, the United Kingdom and Switzerland.  Flow will comply with the Privacy Shield Principles in respect of such personal data for which Flow’s participation has been registered separately.

Flow’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Flow remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Flow proves that it is not responsible for the event giving rise to the damage.

We encourage you to contact us should you have a Privacy Shield-related (or general privacy-related) complaint. For any complaints that cannot be resolved with Flow directly, and you continue to have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim.

As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Flow is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).  

European and UK Users should see the final section of this Privacy Policy below for more information on the specific provisions and practices that apply to them.

Are Children Allowed to Use Flow?

Flow does not allow anyone under the age of 18 to take part in any of its services. If you are under the age of 18, you must stop using the Flow Digital Properties and taking part in its services now. To be clear, but not to limit what you are not allowed to do, if you are under 18, you may not make purchases from Flow or any of its partners, you may not click through to any of our partners’ websites, and you may not take part in any surveys, panels or the like.

What Should I Know About Changes to This Privacy Policy?

If we decide to change this Privacy Policy, we will post the updated policy at https://link.flow.io/policies/privacy. We reserve the right to modify this Privacy Policy at any time, so please come to this link to review it frequently. If we make significantly material changes to this Privacy Policy, we will notify you by means of a notice on www.Flow.io prior to the change becoming effective.

What are the Terms & Conditions and Dispute Resolution?

If you choose to visit Flow and/or use any of Flow’s services, your visits and actions, and any disputes over privacy shall be governed exclusively by this Privacy Policy and the Terms & Conditions at www.Flow.io, including limitations on liability and exclusive application of the laws of and jurisdiction of the state of New York.

How to Contact Us:

If you’d like us to update, correct, delete, or deactivate any personal information that you have provided to us via our Site or elsewhere, or would like to restrict certain uses of your personal information, please send your request to us at privacy@flow.io and we will review and process your request within 30 days of receiving it.

If you have questions or concerns regarding this Privacy Policy, including any questions or complaints related to the EU-U.S. Privacy Shield Framework, please contact us at privacy@flow.io or by calling us directly at +1 888-475-3569.

Flow Commerce Inc.

2 Hudson Place

Hoboken, NJ 07030

United States

PROVISIONS SPECIFIC TO EUROPEAN USERS

The following provisions apply to our European Users only.  These European User-specific provisions are intended to supplement and, where relevant, supersede the foregoing provisions of this Privacy Policy in respect of such European Users.

Who is the Controller of your Personal Data?

A “Controller” is the person who determines the purposes and means of processing Personal Data.

When will Flow be the Controller? In many cases, Flow is the Controller. For data we collect on Flow.io or on checkout pages of Flow Digital Properties, Flow is the Controller. For the purchase of goods that Flow receives from its Retail Partners, Flow and its service providers, administer all matters relating to your – this includes providing the checkout page, payment processing facilities, communicating with you about your purchase, facilitating delivery and providing customer support etc.

When will the Retail Partner whose goods you purchase be the Controller? For data collected when you browse our Retail Partner’s websites or collected from pixels placed on the checkout pages of the Flow Digital Property related to that particular Retail Partner, or data that you provide to the Retail Partner directly, Flow commits to process your Personal Data only under the instructions of its Retail Partners. In these circumstances, Flow will be the Processor of your Personal Data and the relevant Retail Partner will be the Controller.

Please contact us using the details in the “How to Contact Us” section above if you want to find out whether Flow or the Retail Partner whose goods you purchase is the Controller of your Personal Data Flow processes in connection with your purchase.

What is Personal Data?

The GDPR definition of ‘personal data’ can be found here. Essentially, it boils down to: information about an individual, from which that individual is either directly identified or can be indirectly identified.  

It does not include anonymous information (i.e., information where the identity of individual has been permanently removed).

However, it does include ‘indirect identifiers’ or ‘pseudonymous data’ (i.e., information which alone doesn’t identify an individual but, when combined with certain additional and reasonably accessible information, could be attributed to a particular individual).

To the extent it meets the definition in GDPR, and unless superseded by these European User-specific provisions, each reference to how we deal with your Personal Information in this Privacy Policy should, for users based in Europe (“European Users”), be read as a reference to Personal Data.

What Personal Data do these “Provisions Specific to European Users” apply to?

They apply to any European User’s Personal Data that we process as a Controller (see the “When will Flow be the Controller?” subsection above). This is because, where we process Personal Data as a Processor of our Retail Partners we are bound by both the GDPR and our agreements with those Retail Partners to process your Personal Data only under their instructions.    

What Personal Data do we collect?

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together follows:

1. Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, driver’s license numbers, CPF numbers or other national identifiers, and passport information.

1. Contact Data includes billing address, shipping address, email address and telephone numbers.

1. Financial Data includes payment card details.

1. Transaction Data includes details about payments you make in respect of your purchases of Retail Partners’ goods.

1. Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site.

1. Usage Data includes information about how you use our Site and offerings.

1. Marketing and Communications Data includes your preferences in receiving marketing from us, our Retail Partners, and other third parties and your general communication preferences.

Our Purposes and “legal bases” for processing your Personal Data?

Where we act as a Controller of Personal Data, the GDPR requires us to ensure that we have a “legal basis” for that use. We typically rely on one of the following legal bases in respect of our processing of your Personal Data:

• Where we need to perform the contract we are about to enter into or have entered into with you (“Contractual Necessity”).
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“Legitimate Interests”).
• Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).

Generally we do not rely on “consent” as a legal basis for using your Personal Data.  

Please note that where we act as a Processor of a Retail Partner, it is that Retail Partner’s responsibility to ensure that they have a valid legal basis for their processing of your Personal Data (including any processing we carry out on their behalf).  

We have set out below, in a table format which of the legal bases we rely on in respect of the relevant Purposes for which we use your Personal Data, as well as what those purposes are.

Where more than one legal basis is listed in the below, if you want details about the specific legal basis we are relying on to process your Personal Data in a specific circumstance, please contact us using the details in the “How to Contact Us” section above.

Data Security

We have put in place what we consider to be appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business “need to know”. They will only use or access your Personal Data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected ‘personal data breach’ and will notify you and any applicable regulator of a breach affecting your Personal Data where we are legally required to do so.

Your Legal Rights  

Under certain circumstances, you have rights under the GDPR in relation to your Personal Data. These rights are described below:  

• Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

• Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).

• Object to processing of your Personal Data. This right exists where we are relying on a Legitimate Interest and there is something about your particular situation, which makes you want to object to processing on this ground. Additionally you have the absolute right to object to the processing of your personal data if it is for direct marketing purposes.

• Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.

• Request the transfer of your Personal Data.  We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information that we process based on your consent or Contractual Necessity.

Please note that where we act as a Processor of a Retail Partner if you make a request in respect of any of the above directly to Flow, we will: (a) let the relevant Retail Partner (i.e., the one whose goods you purchased and who is the Controller of your Personal Data) know that you have made this request; (b) pass on your details to that Retail Partner; and (c) send you the necessary contact information for that Retail Partner so that you can make that request to them directly. Where we can, and where the law permits, we will also assist that Retail Partner in complying with any request you make to them.

No Fee Usually Required.

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What We May Need From You.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time Limit to Respond.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaints.

In addition to your right to complain to us directly at the details in the “How to Contact Us” section above, if you feel your complaint has not been adequately resolved, please note that the GDPR gives you the right to contact your local data protection supervisory authority, which for the UK, is the Information Commissioner’s Office.

Special Categories of Personal Data

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Please do not provide us with any such information.

What happens if you fail to provide any necessary Personal Data?

Where we need to collect Personal Data for the purposes of Compliance with Law, or due to Contractual Necessity, if you fail to provide that Personal Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example: (1) we may not be able to fulfil your order without the required Personal Data; or (2) attempting to process your order without your Personal Data may put us in breach of our legal obligations).

How do we deal with Anonymous Information of our European Users?

When we refer to “Anonymous Information” we mean information that does not (either directly or indirectly) enable identification of any individual person. We may create Anonymous Information from your Personal Data – we do this by permanently removing any information that could enable us, or any third party that is reasonably likely to access that information, from identifying the individual to whom it previously related.

For example, we might create Anonymous Information from Usage Data and Technical Data to analyze trends, administer and improve the Flow Solution, prepare general usage reports and trends for current and potential Retail Partners and/or, to gather demographic information about our user base as a whole.

However, please note that if we or any third party combine or connect Anonymous Information with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.

How do we share your Personal Data?

For more information on how, and with whom, we may share your Personal Data with third parties, please see the “How Does Flow Share Your Information?” above.  

Retention  

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it (see the “Our Purposes and “legal bases” for processing your Personal Data?” section above) for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider:

• the amount, nature, and sensitivity of the Personal Data we hold;
• the potential risk of harm from unauthorized use or disclosure of your Personal Data;
• the purposes for which we process your Personal Data and whether we can achieve those purposes through other means; and
• any applicable legal or regulatory requirements.

Data Transfers

Flow complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.  

For more information on this framework and how it applies to, and protects you, please see the section titled “Does Flow Transfer Your Data Cross Border? above.

Third party sources

For more information on the third party sources from which we may collect your Personal Data, please see the “Information We Acquire in Other Ways” subsection above. Please note that none of these third party sources of your Personal Data are publicly available.