GDPR Compliance Statement

Regulation (EU) 2016/679 // Legal Documentation

We are committed to protecting personal data and complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This statement explains how we process personal data in connection with our Software-as-a-Service (SaaS) platform.

01

Roles and Scope

Depending on the context, we act as:

  • Data Controller for account management, billing, website operation, and marketing activities.
  • Data Processor when we process personal data on behalf of our customers within the SaaS platform.

Where we act as a processor, we process data strictly in accordance with our customers’ instructions and a Data Processing Agreement (DPA).

02

Categories of Data Processed

We may process:

  • Account Data: name, email address, company details, login credentials
  • Billing Data: billing address, payment information (processed via secure payment providers)
  • Usage Data: logs, device information, IP address, interactions with the platform
  • Customer Data: data uploaded or managed by customers within the platform
  • Support Data: communications and support requests

03

Lawful Bases for Processing

We rely on:

  • Contract performance (e.g., providing the SaaS service)
  • Legal obligations (e.g., tax and accounting requirements)
  • Legitimate interests (e.g., service improvement, fraud prevention)
  • Consent (e.g., marketing communications, cookies where required)

04

Data Subject Rights

Individuals have the right to:

  • Access, rectify, or erase personal data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time

If we process data as a processor, requests should be directed to the relevant customer (controller). We assist our customers in fulfilling these rights.

05

Data Security Measures

We implement appropriate technical and organizational measures, including:

  • Encryption in transit (TLS) and at rest where applicable
  • Access controls and authentication mechanisms
  • Regular security monitoring and vulnerability management
  • Staff training on data protection

06

Data Retention

We retain personal data only as long as necessary:

  • Account data: for the duration of the contract and a limited period thereafter
  • Billing data: as required by applicable tax laws
  • Customer data: as instructed by the customer or until account termination

07

Subprocessors and Third Parties

We use trusted subprocessors (e.g., cloud hosting, analytics, payment providers) under written agreements that include GDPR-compliant safeguards. A list of subprocessors is available upon request.

08

International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

09

Data Processing Agreement (DPA)

We offer a GDPR-compliant DPA governing our role as a processor, including obligations related to confidentiality, security, subprocessors, and data subject rights assistance.

10

Breach Notification

We maintain procedures to detect, investigate, and report personal data breaches. Where required, we notify customers and relevant authorities without undue delay.

11

Cookies and Tracking Technologies

Our website and platform may use cookies and similar technologies for functionality, analytics, and (where applicable) marketing, subject to user consent where required.

12

Contact Information

For GDPR-related inquiries, please contact our Data Protection Officer:

  • Company: TechFlow Solutions OÜ
  • Address: Tallinn, Estonia (Enterprise Registry: 12345678)
  • Email: support@techflowsolutions.eu

We continuously review our practices to ensure ongoing compliance with GDPR and related data protection laws.

End of Document

Last Updated: 2026