Last updated February 2025
1. Introduction
ReFlow ApS (“ReFlow”, “we”, “our”, “us”) respects your privacy and is committed to protecting personal data processed in connection with our Platform and Consultancy Services. This Privacy Policy explains how we collect, use, share, and protect personal data.
By using our Platform or engaging our Consultancy Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller and Contact Information
ReFlow ApS
August Bournonvilles Passage 1
DK-1055 Copenhagen, Denmark
Company no. 39843870
Email: info@re-flow.io
For personal data uploaded by our customers to the Platform, the Customer acts as Data Controller and ReFlow acts as Data Processor.
3. Categories of Data We Process
Depending on the services used, ReFlow may process the following categories of data:
• Account information: name, email, phone, company details, billing information.
• User information: login credentials, role, activity logs.
• Uploaded content: data relating to environmental performance, product or process data, documents, certificates, lifecycle information, and related records.
• Consultancy-related information: correspondence, reports, project documentation.
• Technical information: IP address, device and browser type, access times, error logs.
ReFlow encourages customers to provide business contact details only, and not private/personal details.
4. Legal Basis for Processing
We process personal data based on:
• Performance of a contract (Article 6(1)(b) GDPR).
• Compliance with legal obligations (Article 6(1)(c) GDPR).
• Legitimate interests in operating, securing, and improving our services (Article 6(1)(f) GDPR).
• Consent, where applicable (Article 6(1)(a) GDPR).
5. How We Use Personal Data
ReFlow processes personal data for the following purposes:
• To register and manage accounts.
• To provide access to the Platform and deliver Consultancy Services.
• To issue invoices and manage payments.
• To maintain security, monitor performance, and perform auditing.
• To improve services and develop new features.
• To comply with legal obligations.
• To create anonymised and aggregated statistics for analytical and reporting purposes.
6. Sharing of Data
We may share personal data with:
• Sub-processors providing hosting, payment, marketing, or support services.
• Advisors and auditors where legally required.
• Authorities when required by law or binding order.
ReFlow ensures that sub-processors are bound by obligations consistent with GDPR.
7. International Transfers
Where data is transferred outside the EU/EEA, ReFlow applies recognised safeguards such as Standard Contractual Clauses approved by the European Commission.
8. Retention
• Account and user data is retained for as long as the Customer maintains an active subscription or engagement.
• Logs and audit records may be retained for up to five (5) years after closure of the relevant financial year.
• Data may be stored longer where required by law.
9. Data Subject Rights
Data subjects have the right to:
• Access personal data.
• Request rectification or erasure.
• Restrict or object to processing.
• Request portability of data.
• Withdraw consent, where processing is based on consent.
Requests must be directed to the Customer as Data Controller. ReFlow will provide reasonable assistance where required by law.
10. Security
ReFlow implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
11. Liability
The Customer is responsible for ensuring that any personal data provided to ReFlow has been collected lawfully and for the purposes intended. ReFlow accepts no liability for Customer’s unlawful processing or misuse of the Platform.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The latest version will always be available on our website.
However, if you are still looking for more information please contact us.