All legal documents
Legal & Compliance
GDPR Compliance Statement
Version1.0UpdatedJun 15, 2026Reading time6 min read
1. Introduction
This GDPR Compliance Statement explains how FLOW FN PTE. LTD. (UEN 202617303Z), a company incorporated in Singapore ("we", "us", or "our"), complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 when processing personal data of individuals located in the European Economic Area (EEA). This statement supplements our Privacy Policy and Data Processing Agreement.
2. Our Commitment to GDPR
We are committed to full compliance with GDPR and respect the privacy rights of EEA residents. We process personal data lawfully, fairly, and transparently, and implement appropriate technical and organizational measures to protect personal data.
3. Legal Basis for Processing
We process personal data based on the following legal bases: (a) Contract Performance: Processing necessary to provide FlowFn services under our Terms of Service; (b) Legitimate Interests: Processing for service improvement, security, fraud prevention, and business operations; (c) Consent: Where you have given explicit consent (e.g., marketing communications); (d) Legal Obligations: Processing required by applicable laws; and (e) Vital Interests: Processing necessary to protect vital interests of individuals.
4. Data Subject Rights Under GDPR
If you are located in the EEA, you have the following rights: (a) Right of Access: Request access to your personal data and information about processing; (b) Right to Rectification: Request correction of inaccurate or incomplete data; (c) Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances; (d) Right to Restrict Processing: Request limitation of processing in certain circumstances; (e) Right to Data Portability: Receive your data in a structured, machine-readable format; (f) Right to Object: Object to processing based on legitimate interests; and (g) Rights Related to Automated Decision-Making: Rights regarding automated processing and profiling.
5. Exercising Your GDPR Rights
To exercise your GDPR rights, the primary intake channel is the public Data Subject Request form at https://www.flowfn.com/legal/data-request, or you may email our Data Protection Officer at legal@flowfn.com. We will respond to your request within one month (may be extended by two months for complex requests). We may request verification of your identity before processing requests. You have the right to lodge a complaint with your supervisory authority if you believe we have violated your rights.
6. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance. You can contact our DPO at legal@flowfn.com for questions about data protection, to exercise your rights, or to report concerns. Our DPO is independent and reports directly to management.
7. International Data Transfers
Our production infrastructure is located in the United States East Coast (AWS US East / N. Virginia, us-east-1, DigitalOcean New York 3 (NYC3) for managed MongoDB, and Redis Cloud running on AWS us-east-1 for in-memory cache and background-job queue), and most of our sub-processors (including DigitalOcean, Redis Ltd., Stripe, OpenAI and AWS Simple Email Service for transactional email) operate primarily in the United States. Personal data of EEA, UK and Swiss data subjects is therefore routinely transferred from those regions to the United States. We rely on the following safeguards: (a) the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) — Module 2 (Controller-to-Processor) between FlowFn and each customer-controller, and Module 3 (Processor-to-Processor) between FlowFn and our sub-processors; (b) the UK Information Commissioner's International Data Transfer Addendum to the SCCs for UK GDPR transfers, and the Swiss FDPIC's amendments where applicable; (c) the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US DPF, where the relevant recipient is self-certified (this includes AWS); (d) adequacy decisions where applicable; and (e) other mechanisms recognised under GDPR / UK GDPR. We have completed and document an internal Transfer Impact Assessment (TIA) for the United States East Coast transfer (covering AWS us-east-1, DigitalOcean NYC3 and Redis Cloud) that addresses the matters required by Schrems II — recipient-jurisdiction surveillance laws, the contractual and technical supplementary measures we apply (TLS 1.2+ in transit, AES-256 at rest, role-based access controls, audit logging, pseudonymisation where feasible), and the practical likelihood of access by US public authorities to the categories of data we transfer. The TIA is refreshed on material change. A copy of the relevant SCC modules and a TIA summary can be requested from legal@flowfn.com.
8. Data Processing Records
We maintain records of processing activities as required by GDPR Article 30, including: (a) purposes of processing; (b) categories of data subjects and personal data; (c) categories of recipients; (d) international transfers; (e) retention periods; and (f) security measures. These records are available to supervisory authorities upon request.
9. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including: (a) systematic evaluation of personal aspects; (b) large-scale processing of special categories of data; (c) systematic monitoring of public areas; and (d) other high-risk activities. We consult with supervisory authorities when required.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach in accordance with Article 33 GDPR; (b) where the breach is a notifiable data breach under section 26B of the Singapore Personal Data Protection Act, notify the Personal Data Protection Commission (PDPC) no later than 3 calendar days after we have assessed the breach to be notifiable; (c) notify affected data subjects without undue delay where the breach poses a high risk to their rights and freedoms or is likely to result in significant harm under the PDPA; (d) provide information about the nature of the breach, likely consequences, and measures taken; and (e) document all breaches for supervisory authority and regulatory review.
11. Privacy by Design and Default
We implement privacy by design and default principles, including: (a) data minimization (collecting only necessary data); (b) purpose limitation (processing only for specified purposes); (c) storage limitation (retaining data only as long as necessary); (d) security measures (appropriate technical and organizational measures); (e) transparency (clear information about processing); and (f) user control (easy exercise of rights).
12. Sub-Processors and Third Parties
We use sub-processors (AWS including SES, DigitalOcean for managed MongoDB, Redis Ltd. for Redis Cloud, Stripe, OpenAI) to provide services. All sub-processors are bound by data protection obligations equivalent to GDPR requirements. We maintain a list of sub-processors and notify you of changes. You have the right to object to new sub-processors. Current sub-processors are listed in our Data Processing Agreement. Transferring an app or an individual item to another team is a controller-to-controller disclosure made on your instruction — not sub-processing and not a change of sub-processor; the destination team becomes the controller for the transferred data. This is described in our Data Processing Agreement, Section 11 (Cross-Team Transfers).
13. Supervisory Authority
If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority if you believe we have violated GDPR. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en. You may contact the supervisory authority in your Member State; see the EDPB list linked above for contact details.
14. Children's Data
Our Service is restricted to users aged 18 or older. Because of this minimum-age rule, the Service is out of scope for Article 8 of the GDPR / UK GDPR (which governs information-society services offered directly to children). We do not knowingly collect personal data from anyone under 18. If you become aware that someone under 18 has created an account, please contact legal@flowfn.com and we will delete the account and associated personal data.
15. Updates to This Statement
We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. Material changes will be notified via email or through the Service. The "updated_at" date indicates when this statement was last revised.
16. Contact Information
For all GDPR-related inquiries — including DPO correspondence, data-subject requests, and supervisory-authority cooperation — contact legal@flowfn.com. The public intake form is at https://www.flowfn.com/legal/data-request. If we appoint an EU representative under Article 27 GDPR, contact details will be published in our Privacy Policy.