FlowerSynk

Privacy Policy

Last updated: March 2025

1. Controller

The operator of Flowersynk (“we”, “us”) is the data controller for the personal data processed through this Service. Contact details and company information can be found in the imprint or on our website.

2. What Data We Collect

Account data

  • Email address – for account creation, login (magic links), and notifications
  • First and last name – for display and communication
  • Password (hashed) – stored securely if you use password login
  • Locale – your language preference (e.g. German, English)

Organization and business data

  • Company details – registration name, number, VAT, addresses, contact information
  • Profile and cover images – stored on our servers
  • Files and documents – uploaded for audits, invoices, offers, and other business purposes

Communication and collaboration

  • Chat messages – between organizations
  • Invitation emails – when you invite users to your organization

Payment data

  • Payment records – billing address, subscription plan, transaction status (processed by Stripe; we do not store full card numbers)

Technical data

  • Session cookies – to keep you logged in (_flowersynk_key, _flowersynk_web_user_remember_me)
  • Audit trail – changes to records for compliance and support (e.g. who changed what and when)

3. Legal Basis and Purposes

We process your data based on:

  • Contract performance – to provide the Service, manage your account, process orders, and handle payments
  • Legitimate interest – to improve the Service, ensure security, and maintain records for legal compliance
  • Consent – where we ask for explicit consent (e.g. optional features)

4. Third-Party Services

We use the following services:

Service         | Purpose                    | Data shared
Stripe          | Payments and subscriptions | Organization ID, user ID, plan, billing address
Amazon SES      | Transactional email        | Recipient email, name, subject, body
AWS S3          | File storage               | Files, images, PDFs
DeepL           | Translation                | Text to be translated
Frankfurter API | Exchange rates             | Currency codes only

These providers may process data outside the EU. Where applicable, we rely on standard contractual clauses or other safeguards to ensure adequate protection.

5. Retention

  • Account data – retained while your account is active and for a reasonable period after closure for legal and support purposes
  • Session tokens – removed when you log out or when they expire (e.g. 60 days for “remember me”)
  • Audit trail – retained as required for legal and compliance obligations
  • Payment records – retained as required by tax and accounting regulations

6. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access – obtain a copy of your personal data
  • Rectification – correct inaccurate data
  • Erasure – request deletion in certain circumstances
  • Data portability – receive your data in a structured format
  • Restriction – limit processing in certain cases
  • Object – object to processing based on legitimate interest
  • Withdraw consent – where processing is based on consent
  • Complain – lodge a complaint with your data protection authority

To exercise these rights, contact us using the details below. We will respond within one month.

7. Security

We use industry-standard measures to protect your data, including:

  • Encrypted connections (HTTPS)
  • Hashed passwords (bcrypt)
  • Signed session cookies
  • Access controls and secure hosting

8. Cookies

We use essential cookies for:

  • Session management – to keep you logged in
  • Remember me – to persist login across sessions (up to 60 days)

We do not use third-party analytics or advertising cookies on the Service.

9. Changes

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Last updated” date at the top indicates when this policy was last revised.

10. Contact

For questions about this Privacy Policy or to exercise your rights, contact us at:

  • Email: privacy@flowersynk.com (or the contact address on our website)
  • Address: [Your company address – update in config or runtime]