1. Introduction
Flowbooks is committed to protecting the privacy and security of your personal data. This Data Protection Notice explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
As a data controller and processor, we take our obligations under data protection law seriously. This notice applies to all users of our services, including customers, employees, contractors, and visitors to our website.
2. Data Controller Information
Flowbooks, Inc. is the data controller for personal data collected through our services. Our contact details are:
Flowbooks, Inc.
123 Business Avenue
Suite 456
San Francisco, CA 94103
United States
Email: dpo@flowbooks.com
Phone: (555) 123-4567
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Data Protection Notice. If you have any questions about this notice, including any requests to exercise your legal rights, please contact the DPO using the details above.
3. Your Rights Under GDPR
Under the GDPR, you have various rights in relation to your personal data. These include:
Right to Access
You have the right to request a copy of the personal data we hold about you and to check that we are lawfully processing it.
Right to Rectification
You have the right to request that we correct any incomplete or inaccurate personal data we hold about you.
Right to Erasure (Right to be Forgotten)
You have the right to request that we delete or remove personal data where there is no good reason for us continuing to process it. Please note that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
Right to Restrict Processing
You have the right to request that we suspend the processing of your personal data in certain scenarios.
Right to Data Portability
You have the right to request that we transfer your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
Right to Object
You have the right to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
Rights Related to Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To exercise any of these rights, please contact our Data Protection Officer using the contact details provided. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
4. Lawful Basis for Processing
We will only process your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Contract: Where we need to perform the contract we are about to enter into or have entered into with you.
- Legitimate Interest: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Legal Obligation: Where we need to comply with a legal or regulatory obligation.
- Consent: Where you have provided your consent to the processing of your personal data for one or more specific purposes.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
5. Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
6. International Transfers
We may transfer your personal data to countries outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (Standard Contractual Clauses).
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact our Data Protection Officer if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
7. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Our security measures include:
- Encryption of personal data
- Regular security assessments and penetration testing
- Secure access controls and authentication mechanisms
- Regular backups to prevent data loss
- Staff training on data protection and security
- Physical security measures for our premises and servers
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to you without undue delay, describing in clear and plain language:
- The nature of the personal data breach
- The name and contact details of the Data Protection Officer or other contact point
- The likely consequences of the personal data breach
- The measures taken or proposed to address the breach
9. Data Protection Impact Assessments
Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, we will, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A single assessment may address a set of similar processing operations that present similar high risks. We will consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by us to mitigate the risk.
10. Data Protection by Design and Default
We implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility.
We integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
11. Records of Processing Activities
We maintain records of our processing activities, including:
- The name and contact details of the controller and DPO
- The purposes of the processing
- A description of the categories of data subjects and personal data
- The categories of recipients to whom the personal data have been or will be disclosed
- Transfers of personal data to a third country or international organization
- The envisaged time limits for erasure of the different categories of data
- A general description of the technical and organizational security measures
12. Changes to This Data Protection Notice
We may update this Data Protection Notice from time to time. When we update this notice, we will notify you by updating the "Last Updated" date at the top of this notice and, where appropriate, by contacting you directly.
We encourage you to review this Data Protection Notice regularly to stay informed about how we are protecting your personal data.
13. Contact Us
If you have any questions about this Data Protection Notice or our data protection practices, please contact our Data Protection Officer:
Data Protection Officer
Flowbooks, Inc.
123 Business Avenue
Suite 456
San Francisco, CA 94103
United States
Email: dpo@flowbooks.com
Phone: (555) 123-4567