Legal

Data Retention Policy

Effective date: 10 May 2026

1. Scope

This policy describes how Flexie retains and deletes data in connection with the Flexie CRM website, accounts, support, billing, security operations, and the CRM Service.

2. Customer CRM Data

Customer CRM data is retained during the active subscription term unless Customer deletes it earlier using available Service functionality or instructs Flexie otherwise. Customer controls the data it enters into the Service and is responsible for configuring its own retention, deletion, export, and workflow rules where available.

3. Termination and Export

After termination or expiry of the Service, Flexie may make Customer CRM data available for export for a reasonable period, unless otherwise agreed. After that period, production data may be deleted, disabled, or made inaccessible, subject to backup rotation, legal obligations, dispute resolution, security, or abuse-prevention needs.

4. Backups

Backup copies may remain for a limited period until overwritten or deleted through normal backup rotation. Backup data is protected and is not restored into production except for disaster recovery, security, legal compliance, or operational continuity purposes.

5. Logs and Security Records

Application logs, audit logs, access logs, security logs, workflow execution logs, and diagnostic records may be retained for security, troubleshooting, abuse prevention, compliance evidence, and service reliability. Retention periods may vary depending on the type of log, customer configuration, legal requirements, and operational needs.

6. Account, Billing, Business, and KYC Records

Account administration, invoices, accounting records, tax records, business correspondence, contract records, and identity verification / Know Your Customer (KYC) records may be retained for the period required by applicable law, including Austrian accounting, tax, and AML/CTF retention rules, and for the establishment, exercise, or defence of legal claims.

7. Support Data

Support tickets, support emails, attachments, troubleshooting details, and related communications are retained as necessary to provide support, maintain service history, resolve disputes, improve security, and comply with legal obligations. Customers should avoid sending unnecessary sensitive data to support channels.

8. Website and Cookie Data

Website logs and cookie data are retained according to their purpose, the cookie settings selected by the visitor, legal requirements, and operational needs. Non-essential cookies should not be retained longer than necessary for their stated purpose.

9. Customer-Configured Integrations

Data transmitted to external systems through Customer-configured integrations is controlled by Customer and the external service selected by Customer. Flexie does not control retention by those external systems unless Flexie has separately contracted them for the core Service.

10. AI-Related Data

Where Customer configures AI/API integrations or AI-related workflows, Customer is responsible for determining what data is sent, which fields are excluded, and how long the external AI provider or endpoint retains data. Flexie does not use Customer Personal Data to train general-purpose AI models or third-party AI models unless separately agreed in writing.

Where Customer's use of the Service involves a high-risk AI system under Regulation (EU) 2024/1689 (EU AI Act), Customer is responsible for the record-keeping, logging, and retention obligations imposed on deployers and other operators of high-risk AI systems under Article 19 and related provisions of the EU AI Act. Flexie's standard retention of platform logs is not a substitute for those obligations.

11. Deletion Requests

Requests relating to Customer CRM data should normally be handled by the Customer as controller. Where Flexie acts as controller, deletion requests may be sent to support@flexie.io. Flexie may refuse or limit deletion where retention is required by law, contract, security, backup integrity, dispute resolution, or legitimate business needs.

12. Legal Holds

Flexie may retain data beyond standard periods where necessary for legal claims, regulatory requests, investigations, fraud prevention, security incidents, or to comply with applicable law.