---
title: "Privacy Policy"
url: https://flexie.io/privacy-policy
description: "How Flexie processes personal data as controller and as processor, your GDPR rights, EU/EEA hosting, and AI data controls. Operated by Flexie CRM e.U."
---

# Privacy Policy

Effective date: 10 May 2026

## 1\. Scope

The controller for this Privacy Policy is Flexie CRM e.U., operated by Eriol Gjergji, Fritz-Konzert-Strasse 7, Top 1/3, 6020 Innsbruck, Austria, UID/VAT: ATU81616707, Firmenbuchnummer: FN 679939 k, Firmenbuchgericht: Landesgericht Innsbruck ("Flexie").

This Privacy Policy explains how Flexie processes personal data when Flexie acts as controller under the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz, DSG). It covers data collected through the flexie.io website, account creation, billing and payment administration, identity verification (KYC), support communications, security operations, marketing communications, and business correspondence.

## 2\. What This Policy Does Not Cover

This Privacy Policy does **not** apply to personal data that a Flexie customer stores or processes inside its own Flexie CRM deployment. When a customer uses Flexie CRM to manage data about its own leads, contacts, employees, end users, or other persons, the customer is the controller for that data and Flexie acts as processor on the customer's documented instructions. That processing is governed by the Flexie [Data Processing Agreement (PDF)](https://flexie.io/documents/flexie-dpa-de-en-ai-act.pdf), not this Policy.

If you are a data subject whose personal data is stored or processed inside a Flexie customer's deployment (for example, you are a contact, lead, employee, or end user of a business that uses Flexie CRM), please contact that business directly to exercise your rights. Flexie cannot act on requests relating to a customer's controller data without the customer's instruction or a binding legal obligation to do so.

## 3\. Contact

For privacy questions about Flexie's own controller processing, contact: [support@flexie.io](mailto:support@flexie.io). Data protection matters are handled internally by the management of Flexie CRM e.U.

## 4\. No Data Protection Officer (DPO)

Flexie has not appointed a designated Data Protection Officer (Datenschutzbeauftragter, DPO). This Section sets out the legal reasons why a DPO appointment is not required for Flexie under applicable law.

Article 37(1) GDPR makes the appointment of a DPO mandatory only in the three cases listed below. Flexie does not meet any of them:

1. **Public authority or body (Article 37(1)(a) GDPR).** Flexie CRM e.U. is a privately owned, registered sole proprietorship (Unternehmer within the meaning of § 1 UGB), entered in the Austrian commercial register (Firmenbuchnummer FN 679939 k), and is not a public authority or public body.
2. **Regular and systematic monitoring of data subjects on a large scale (Article 37(1)(b) GDPR).** Flexie's core activity is the provision of a business-to-business CRM and workflow automation platform to registered businesses (see Section 2 of the Terms of Service). Flexie does not conduct behavioral profiling, online tracking, location monitoring, large-scale advertising targeting, or other regular and systematic monitoring of data subjects as a core activity. The processing of account, billing, and KYC data described in Section 5 of this Policy concerns Flexie's business customers and their authorized representatives, in volumes typical of a small business, and is not large-scale monitoring of data subjects.
3. **Large-scale processing of special-category or criminal-conviction data (Article 37(1)(c) GDPR).** Flexie does not, as part of its core activities, process special categories of personal data within the meaning of Article 9 GDPR (such as data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, sex life, or sexual orientation), or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR. Flexie does not target, market to, or specifically support customers in healthcare, banking, insurance, financial services, or other regulated sectors whose ordinary business operations require the large-scale processing of special-category or criminal-conviction data. The Service is offered as a general business CRM and workflow platform for ordinary commercial customers. Where a customer nonetheless chooses to process such data inside its own Flexie CRM deployment, that customer is the controller for that processing and is responsible for assessing whether the customer's own DPO obligation is triggered (see Section 2 of this Policy).

For the avoidance of doubt regarding Flexie's role as processor: when Flexie processes personal data on behalf of a customer inside that customer's Flexie CRM deployment, Flexie's role is to host the software and the data, not to monitor, profile, or otherwise determine the purposes of that processing. The volume of personal data that a customer chooses to process inside its own deployment does not, by itself, convert Flexie's processor activity into "regular and systematic monitoring of data subjects on a large scale" within the meaning of Article 37(1)(b) GDPR, and does not by itself convert Flexie's processor activity into "large-scale processing of special categories of personal data" within the meaning of Article 37(1)(c) GDPR. Each customer remains responsible for assessing whether its own processing triggers a DPO appointment obligation for that customer under Article 37 GDPR.

§ 5 of the Austrian Data Protection Act (Datenschutzgesetz, DSG) reproduces and complements Article 37 GDPR for Austrian public bodies and does not extend the mandatory-appointment criteria beyond Article 37 GDPR for private controllers such as Flexie.

This assessment is consistent with the Article 29 Working Party Guidelines on Data Protection Officers (WP 243 rev. 01, endorsed by the European Data Protection Board) and with the published practice of the Austrian Data Protection Authority (Datenschutzbehörde).

Independently of the GDPR threshold above, an appointment of the sole proprietor of Flexie CRM e.U. as DPO would not be permissible: under Article 38(3) and (6) GDPR, a DPO must act independently, must not receive instructions regarding the performance of DPO tasks, and must not hold a role that decides the purposes and means of processing. The sole proprietor is the controller and decides those purposes and means, which creates a structural conflict of interest expressly identified in WP 243.

Even though Flexie is not required to appoint a DPO, Flexie maintains the following measures for data protection governance:

* a single privacy contact, [support@flexie.io](mailto:support@flexie.io), for all data subject requests, complaints, and supervisory authority correspondence;
* an internal Verzeichnis von Verarbeitungstätigkeiten (Records of Processing Activities) under Article 30 GDPR;
* documented data protection policies, including this Privacy Policy, the Cookie Policy, the Data Retention Policy, and the Data Processing Agreement applicable to processor processing;
* incident-response procedures for personal data breaches, including the supervisory authority notification timeline required by Article 33 GDPR.

Flexie will reassess this position if and when its processing activities materially change. If appointment becomes mandatory, or if Flexie elects to appoint a DPO voluntarily, this Policy will be updated to identify the DPO and the relevant contact details.

## 5\. Personal Data We Process as Controller

As controller, Flexie processes the following categories of personal data in connection with the website, account administration, billing, identity verification, support, security, and marketing communications. This list does not cover personal data that customers process inside their own Flexie CRM deployments, which is governed by the Data Processing Agreement (see Section 2).

* Account and business contact data: name, company, email, phone, role, account identifiers.
* Billing and payment administration data: invoices, billing address, VAT number, payment status, payment-channel identifiers (for example PayPro Global or Stripe references), bank transfer details, and related records.
* Identity verification and Know Your Customer (KYC) data: company registration extract details, legal-entity identifiers, authorized representative and beneficial ownership information, identity documents supplied for verification, sanctions and anti-money-laundering / counter-terrorism financing check results, and related records. The Service is offered to businesses only and is not sold to consumers; KYC checks apply to business customers and their representatives.
* Support and communication data: emails, support messages, call notes, issue details, attachments supplied to support, and related metadata.
* Website and usage data: IP address, browser, device data, pages visited, cookie identifiers, referral data, timestamps, and log information.
* Security data: authentication events, access logs, abuse-prevention records, audit logs, and incident records.
* Marketing communication data where you subscribe to or request communications from Flexie, including opt-in records and unsubscribe history.

## 6\. Special-Category Data

Flexie does not invite, request, or intentionally process special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, data concerning health, or data concerning sex life or sexual orientation), or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, through the controller channels covered by this Policy.

You should not submit special-category or criminal-conviction data to Flexie through the website, contact forms, support communications, or account registration. If such data is nonetheless received, Flexie will delete it as soon as reasonably practicable unless a legal obligation requires retention.

Where a customer chooses to process special-category or criminal-conviction data inside its own Flexie CRM deployment, that processing is governed by the Data Processing Agreement and is the customer's responsibility as controller (see Section 2).

## 7\. Sources of Personal Data

Flexie collects personal data primarily from you directly when you visit the website, create an account, contact support, sign a contract, or correspond with Flexie. Flexie may also receive personal data from:

* public registers and lists used for KYC, including commercial register extracts, beneficial ownership registers, sanctions and politically-exposed-person lists, and equivalent sources;
* payment processors and infrastructure providers, where they share data necessary to provide their service, such as payment status or fraud signals;
* your colleagues or your organization, where someone else on your team creates the account or invites you as a user;
* publicly available business sources, where Flexie reasonably uses such information for business-to-business outreach permitted under applicable Austrian and EU law.

## 8\. Purposes and Legal Bases

| Purpose                                                                                                        | Legal basis                                                                                                                                                                                                                            |
| -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Accounts, administration, billing, support, and customer communication                                         | Contract performance or pre-contractual steps (Art. 6(1)(b) GDPR)                                                                                                                                                                      |
| Service security, abuse prevention, logging, troubleshooting                                                   | Legitimate interests under Art. 6(1)(f) GDPR (protecting the Service, Flexie's customers, and third parties from fraud, abuse, unauthorized access, and operational failures), and legal obligations where applicable.                 |
| Accounting, tax, statutory recordkeeping                                                                       | Legal obligation (Art. 6(1)(c) GDPR)                                                                                                                                                                                                   |
| Customer identity verification, KYC, anti-money-laundering and sanctions screening, fraud and abuse prevention | Legal obligation and legitimate interests under Art. 6(1)(c) and (f) GDPR, including complying with AML/CTF, sanctions, and tax obligations, preventing financial crime, and protecting Flexie from contractual and reputational risk. |
| Service notices and product communications to existing customers                                               | Contract performance or legitimate interests under Art. 6(1)(b) or (f) GDPR, namely keeping customers informed about the Service they use and changes relevant to them.                                                                |
| Marketing communications                                                                                       | Consent (Art. 6(1)(a) GDPR; § 174 TKG 2021; § 7 ECG) or, where legally permitted, legitimate interests in B2B prospecting, with an unsubscribe option in every electronic marketing message.                                           |
| Non-essential cookies and analytics                                                                            | Consent (Art. 6(1)(a) GDPR; § 165 TKG 2021)                                                                                                                                                                                            |

## 9\. Whether Provision of Personal Data Is Required

Provision of account, billing, and KYC data is required to enter into and perform the contract with Flexie. If you do not provide that data, Flexie cannot open an account, issue invoices, process payments, complete KYC, or provide the Service. Provision of marketing preferences and optional support details is voluntary; refusal does not affect Flexie's ability to provide the Service.

## 10\. Automated Decision-Making and Profiling

Flexie does not use automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR for the controller processing covered by this Policy. Automated checks within KYC, such as comparing inputs against sanctions and PEP lists, inform human review and are not by themselves used as the sole basis for a decision with legal effect.

If a customer configures automated decision-making or profiling inside its own Flexie CRM deployment, that processing is the customer's responsibility as controller and is not governed by this Policy.

## 11\. Marketing Communications

Flexie sends electronic marketing communications, such as email newsletters or product announcements, only with prior consent where consent is required under § 174 TKG 2021 and § 7 ECG, or where the recipient is an existing business customer receiving information about similar products or services as permitted by Austrian law. You can withdraw consent or opt out of marketing at any time by using the unsubscribe link in any marketing email or by contacting [support@flexie.io](mailto:support@flexie.io). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Marketing emails may include open and click tracking technologies, such as tracking pixels and tracked links, that record whether you opened a message and which links you followed, together with related technical metadata. Flexie uses this information to measure campaign performance, improve content relevance, and segment future communications. You can disable image loading in your email client to limit open tracking. Unsubscribing from marketing communications ends both the messages and the associated tracking.

## 12\. Children

The Service is offered to businesses only and is not directed at children. Flexie does not knowingly collect personal data from persons under the age of 14, which is the Austrian digital consent threshold under § 4 (4) DSG. If you believe a child has provided personal data to Flexie, contact [support@flexie.io](mailto:support@flexie.io) and the data will be deleted.

## 13\. Customer-Configured Integrations

Customers may configure integrations with external systems such as email, SMS, telephony, webhooks, APIs, databases, payment systems, analytics endpoints, or AI/API services. These are selected and controlled by the customer. Where Customer configures such an integration, Flexie processes or transmits data according to Customer's configuration and instructions.

Customer-selected integration providers are not Flexie sub-processors merely because the Service provides integration tooling. Customers are responsible for assessing those providers, entering into required contracts, configuring payloads, and complying with legal requirements.

## 14\. AI and Automation

Flexie does not train, fine-tune, own, operate, or run general-purpose AI models or third-party AI models for Customer's use of the Service unless separately agreed in writing. Where Customer configures AI/API endpoints or AI-related workflows, Customer controls the provider, endpoint, prompts, payloads, fields, and output use.

Within the meaning of Regulation (EU) 2024/1689 (EU AI Act), Flexie is not a provider, a deployer, or a general-purpose AI model provider in respect of Customer's use of the Service. Customer is the deployer of any AI system that Customer configures through the Service and is responsible for the deployer obligations under Articles 4 and 26 of the EU AI Act, the transparency obligations under Article 50 where applicable, and the prohibitions in Article 5. The Terms of Service include Customer's substantive obligations in this area; this Policy describes the related personal-data implications.

Flexie provides field-level permission and exclusion tools where available so Customers can exclude fields such as phone numbers, email addresses, identifiers, sensitive notes, or other selected data from AI-related workflows or payloads. Customer is responsible for configuring and maintaining those controls.

Flexie does not, as controller, use AI to process personal data in a manner that produces legal effects or similarly significantly affects data subjects within the meaning of Article 22 GDPR. See also Section 10 (Automated Decision-Making and Profiling).

## 15\. Recipients and Sub-Processors

Flexie may share personal data with the following categories of recipients, only as necessary for the purposes set out in this Policy:

* Infrastructure providers for hosting, compute, storage, networking, and backups. Current authorized providers are OVH SAS, Hetzner Online GmbH, and Amazon Web Services EMEA SARL, using European data centers / EU/EEA regions for core hosting unless otherwise agreed or configured by Customer.
* Payment processors (PayPro Global and Stripe) for processing payments and managing related billing data, and banks for SEPA and equivalent transfers.
* KYC and compliance data sources, including providers of commercial register data, sanctions screening, and PEP screening, as needed to perform required checks.
* Professional advisers such as accountants, auditors, tax advisers, and lawyers, where required for legal, accounting, or tax reasons.
* Authorities and courts, where required by law, court order, or to establish, exercise, or defend legal claims.
* Successors in the context of a corporate transaction such as merger, acquisition, or asset sale, subject to confidentiality and applicable law.

Sub-processors that process Customer Personal Data on Flexie's behalf for the Service are governed by the Data Processing Agreement, which sets out the sub-processor regime and notice mechanism for personal data.

## 16\. International Transfers

Flexie aims to process core Customer Personal Data within the EU/EEA for the Service. If a transfer outside the EU/EEA is required for Flexie-controlled processing, Flexie will use a valid transfer mechanism where required, such as the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, where applicable, additional supplementary measures. If Customer configures an integration to an external or non-EEA endpoint, that transfer is made on Customer's instruction and Customer is responsible for assessing and implementing the required transfer mechanism.

## 17\. Retention

Personal data is retained only for as long as necessary for the purposes described in this Policy, the Data Retention Policy, the applicable agreement, legal obligations, dispute resolution, security, and legitimate business needs. KYC and accounting records are retained for the periods required by Austrian AML/CTF and tax law. See [Data Retention Policy](https://flexie.io/data-retention-policy).

## 18\. Your Rights

Where applicable, you have rights under the GDPR and the DSG to:

* access your personal data (Art. 15 GDPR);
* request rectification of inaccurate data (Art. 16 GDPR);
* request erasure (Art. 17 GDPR);
* request restriction of processing (Art. 18 GDPR);
* object to processing based on legitimate interests, including direct marketing (Art. 21 GDPR);
* data portability for data processed by automated means under contract or consent (Art. 20 GDPR);
* withdraw consent where processing is based on consent (Art. 7(3) GDPR);
* lodge a complaint with a supervisory authority (Art. 77 GDPR).

Requests relating to Flexie's own controller processing may be sent to [support@flexie.io](mailto:support@flexie.io). Requests relating to Customer CRM data should be sent to the relevant Flexie customer acting as controller; see Section 2.

## 19\. Supervisory Authority

You may contact the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria, or another competent supervisory authority in your Member State, if you believe your rights have been infringed.

## 20\. Security

Flexie applies reasonable technical and organizational security measures to protect personal data, as further described on the [Security & Infrastructure](https://flexie.io/security-infrastructure) page. No system is completely secure; Customers remain responsible for account security, user permissions, integration credentials, workflow configuration, and field-level controls.

## 21\. Personal Data Breaches

Flexie maintains documented procedures for identifying, assessing, containing, and reporting personal data breaches in accordance with Articles 33 and 34 GDPR.

Where a personal data breach for which Flexie acts as controller occurs, Flexie will notify the Austrian Data Protection Authority (Datenschutzbehörde) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a breach is likely to result in a high risk to those rights and freedoms, Flexie will also communicate the breach to the affected data subjects without undue delay, in accordance with Article 34 GDPR.

Where a breach occurs in respect of Customer Personal Data for which Flexie acts as processor on behalf of a customer, Flexie will notify the customer in accordance with the Data Processing Agreement so that the customer can fulfil its own Article 33 and 34 GDPR obligations as controller.

Internal breach handling, including investigation, root-cause analysis, mitigation, and record keeping under Article 33(5) GDPR, follows Flexie's incident-response procedures.

## 22\. Cookies and Web Analytics

The Flexie website uses **no cookies** and stores nothing on your device for tracking; see the [Cookie Policy](https://flexie.io/cookie-policy). For aggregate website statistics we use **Umami** (Umami Cloud, umami.is) as our analytics processor. Umami is **cookieless**: it stores no cookies or identifiers on your device and does not identify you. It processes only anonymous, aggregated usage data, namely pages viewed, the referring website, approximate country (derived from your IP address, which is not stored), and browser or device type. It does not build a personal profile and does not track you across other websites. Legal basis: our legitimate interest in understanding and improving the website (Art. 6(1)(f) GDPR). Where Umami processes data outside the EEA, appropriate safeguards apply. We do not use it for advertising. Cookies in the separate Flexie CRM application are addressed in the [Cookie Policy](https://flexie.io/cookie-policy).

## 23\. Changes

Flexie may update this Privacy Policy from time to time. The updated version will be published on the website with a new effective date. Where changes materially affect how Flexie processes your personal data, Flexie will notify you by reasonable means in advance of the effective date.
