
Flowyer LegalTech LLC provides the following information regarding the personal data of business partners that comes into its possession.
Flowyer LegalTech LLC (registered office: Alíz Street 6. Building A, B staircase, 1st floor, door 6, 1117 Budapest, Hungary, tax number: 25556584-4-13; company registration number: 13-09-181128) processes personal data in accordance with this notice. Reading and acknowledging this notice is essential for finalising the order.
The Data Controller is Flowyer LegalTech LLC.
Flowyer LegalTech LLC has not appointed a Data Protection Officer, as it does not carry out any data processing activities that would necessitate such an appointment.
Description and purpose of data processing: Facilitating the business operations of contracting partners and fulfilling contractual rights and obligations, as well as statutory tax and accounting obligations (e.g. bookkeeping, taxation).
Additional purposes include identifying and differentiating business partners (both buyers and suppliers), establishing communication, generating user statistics, managing orders and purchases, fulfilling contractual obligations arising from purchases, and exercising associated rights.
The legal basis for data processing: Performance of a contract / legal obligation (if the name of the contracting party includes the name of a private individual) / legitimate interest (in all other cases).
Scope of data processed and their source: If the name of the contracting partner includes the name of a private individual, the processed data includes the name, address, tax number provided for invoicing, the number of licences ordered, and their expiration date.
Additionally, in all cases, the name, email address, phone number, and optionally the position of the private individual acting as a contact person.
Retention period: For accounting documents (primarily invoices and contracts), a minimum of 8 years (if the name of the contracting partner includes the name of a private individual) / 5 years resp. following the last transaction (in all other cases).
Data sharing: In the course of daily business operations, recorded personal data may only be accessed by the Data Controller and its subcontractors to the extent necessary for their activities. Personal data may be shared with authorities upon request or as required by law. To fulfil legal obligations, other third parties (e.g., accountants) may also access the data.
The Service Provider uses Google Analytics to measure the traffic of the www.flowyer.eu website. This programme places so-called cookies on the user's computer, which collect user data such as browser and operating system information, the user's IP address, as well as the URL of the entry and exit pages. The system automatically generates statistical data from this information. The Service Provider does not associate these data with other personal information and uses them solely to create traffic statistics.
The Software's servers are operated by Google LLC. Thanks to the Google Cloud Platform, the Software's databases are stored on highly secure and redundant servers in failover mode, physically located in Frankfurt, meeting the highest industry standards for security and availability. The system automatically creates daily backups of all databases, which are retained for 365 days. Prioritising security, the backups are geographically segmented and stored in Belgium. Beyond the high level of physical and software protection, we also ensure that our subscribers' case data are stored in a segmented manner, with each client's data kept in a separate database. For uploaded files, we use a version control system, which is also operated in Frankfurt. Deleted or accidentally overwritten files can be restored for up to 90 days.
7.1. Data subjects are entitled at any time to request information about the personal data we process as specified in this privacy notice, including the purpose, legal basis, and duration of the processing, as well as the recipients or categories of recipients who have received or will receive the data (for all legal bases).
7.2. Data subjects are entitled at any time to request the rectification or supplementation of inaccurate or incomplete personal data (for all legal bases).
7.3. Data subjects are entitled at any time to request that the personal data we hold and process electronically be transferred to them or another data controller in a commonly used format (only for processing based on contractual/legal obligations).
7.4. Data subjects are entitled at any time to request a restriction on the processing of personal data. In case of restriction, personal data, apart from storage, may only be processed with the data subject's consent, or for the establishment, exercise, or defence of legal claims, or to protect the rights of another person. Data subjects may request restriction of data processing if:
» they contest the accuracy of the personal data,
» the processing is unlawful but they oppose the erasure of the personal data,
» the Data Controller no longer needs the personal data for the purpose of processing, but they require it for the establishment, exercise, or defence of legal claims.
The Data Controller will inform the data subject before lifting any restriction on data processing (for all legal bases).
7.5. Data subjects are entitled at any time to request the erasure of personal data (for all legal bases). Personal data will be erased if:
» it is no longer necessary for the purpose for which it was collected or processed,
» the data was processed unlawfully, or
» the Data Controller is obliged to delete the personal data to comply with a legal obligation.
7.6. Data subjects are entitled at any time to object to the processing of their personal data (only for processing based on legitimate interests).
The Data Controller will investigate requests related to data processing within 30 days of receipt, make a decision on their validity, and inform the applicant of the decision in writing.
8.1. If you believe that your personal data has not been processed in accordance with this privacy notice, or if you feel that you have been unable to fully exercise your rights, please contact us at the following address:
» Email address: support@flowyer.eu (please include "Data Processing" in the subject line of your email).
8.2. If your rights regarding your personal data have been violated, you may lodge a complaint with the following authority:
The Software includes two independent AI services that are subject to different data processing rules.
A) Document Anonymizer – data processing
Data processing roles
With regard to the Document Anonymizer, the Client qualifies as the data controller. Flowyer LegalTech LLC acts as a data processor based on the Client's instructions.
Scope of processed data
The entire content of uploaded documents, as well as personal data contained in the documents, are processed temporarily, exclusively for the purpose of recognition and anonymization.
Data transfer
The Document Anonymizer runs exclusively on servers located within the European Union. No data transfer outside the European Union takes place.
Data retention period
Uploaded and processed documents are only present on the server for the duration of processing (typically from seconds to a few minutes). They are automatically and permanently deleted upon completion of processing. The Service Provider does not create or store copies of the documents.
Prohibition of data use
The Service Provider does not use data uploaded to the Document Anonymizer for the training or development of artificial intelligence models. The language model used is pre-trained and operates exclusively in inference mode.
Data processing related to the feedback function
a) The Client may submit feedback through the anonymizer interface regarding unrecognised (false negative) or incorrectly identified (false positive) elements.
b) Purpose of processing feedback: continuous improvement of service quality and enhancement of recognition accuracy.
c) Legal basis for processing feedback: the legitimate interest of the Service Provider (Article 6(1)(f) GDPR) in improving service quality.
d) Retention period for data contained in feedback: until the feedback is processed and the necessary improvements are completed, but no longer than 1 year.
e) The Service Provider anonymizes or generalizes any personal data potentially contained in feedback during the development process; original documents are not stored or used directly.
B) AI Assistant (ChatGPT Integration) – data processing
Data processing roles
With regard to the AI Assistant, the Client contracts directly with OpenAI in their own name (using their own OpenAI account and API key). Flowyer LegalTech LLC solely provides a technical interface for accessing the API and does not qualify as a sub-processor in relation to OpenAI.
The relationship between the Client and OpenAI
| Name | OpenAI, LLC |
|---|---|
| Registered office | San Francisco, United States of America |
| Activity | GPT language model API service |
| Contractual relationship | Directly with the Client |
| Privacy policy | https://openai.com/policies |
The Client's responsibilities:
• Reviewing and accepting OpenAI's terms of service and privacy policy
• Adequately informing their own clients about data transfers
Scope of processed data
The prompts (instructions, questions) provided by the Client, any personal data potentially contained therein, and the generated responses. Additionally, the content of prompt templates (quick buttons) created by the Client.
Data transfer to a third country
When using the AI Assistant, prompts are transferred to the United States to OpenAI's servers, through the Client's own API key. The Client is responsible for the legal basis of the data transfer and for the data protection agreement (DPA, SCCs) concluded with OpenAI as OpenAI's direct contracting partner.
By using the AI Assistant service, the Client acknowledges and accepts the transfer of data to the USA.
Data retention period
| Location | Retention period |
|---|---|
| Flowyer servers | No storage |
| OpenAI servers | Zero Data Retention |
Prohibition of data use
As of 1 March 2023, OpenAI officially does not use data sent through the API for the training or development of AI models (unless the user expressly consents to this). Verification and enforcement of this takes place within the legal relationship between the Client and OpenAI.
C) Common Provisions
Automated decision-making
Neither of the AI services (the Document Anonymizer and the AI Assistant) makes decisions based solely on automated data processing that produce legal effects concerning the Client or data subjects within the meaning of Article 22 of the GDPR. The AI services function exclusively as auxiliary tools; the final decision is always made by the Client.
Data security measures
With regard to the AI services, the Service Provider applies the following data security measures:
• Encrypted data transmission: TLS 1.2 or higher
• Role-based access control
• Security event logging
Summary table – Differences between the two services
| Aspect | Document Anonymizer | AI Assistant (ChatGPT) |
|---|---|---|
| Developer | Flowyer LegalTech LLC | OpenAI, LLC |
| Location of operation | EU (Germany) | USA (OpenAI servers) |
| Data transfer | None (EU only) | Transferred to the USA |
| Contractual relationship | Client ↔ Flowyer | Client ↔ OpenAI (direct) |
| Flowyer's role | Data processor | Technical interface only |
| Data storage | During processing, then deleted | Zero Data Retention |
| Use for training | No | No (OpenAI guarantee) |
| Accuracy guarantee | Near 100%, but not guaranteed | No guarantee |
| Verification obligation | Yes | Yes |
| Feedback option | Yes (false positive/negative) | No |
The following rules apply to data processing in connection with the Document Handover Share function of the Software.
1. Data protection nature of the function
The Document Handover Share function enables the Customer, or an attorney or authorised user acting on behalf of the Customer, to make documents or document folders relating to a matter available to external recipients with read-only access, in a controlled and logged manner.
When the function is used, personal data may be processed both within the content of the shared documents and in connection with the identification of the Recipient, the provision of access, the logging of access events, and the generation of access and download certificates.
2. Controller and processor roles
In relation to the creation of the Share, the determination of the scope of the shared documents, the designation of Recipients, the provision of the Recipients’ e-mail addresses and the determination of the duration of the Share, the Customer shall qualify as the controller.
Flowyer LegalTech Kft. shall act as processor on the basis of the Customer’s instructions in connection with the technical operation of the Share, including in particular the creation of the Share Link, the sending and verification of the Verification Code, the management of the access session, the display of the file list, the provision of download access, logging and the technical generation of certificates.
Flowyer LegalTech Kft. may act as an independent controller in respect of personal data where such processing is necessary for the fulfilment of its own legal obligations, the protection of its IT and service security interests, the prevention of misuse, or the establishment, exercise or defence of legal claims.
3. Categories of personal data processed
In connection with the use of the function, the following personal data may in particular be processed:
a) the Recipient’s e-mail address;
b) technical data relating to the Verification Code sent to the e-mail address provided by the Recipient, including the hashed form of the code, its expiry time, the number of failed attempts and any lockout data;
c) technical identifiers connected to the Share Link and token;
d) the technical identifier, expiry time and status of the Recipient’s access session;
e) data necessary to identify the matter affected by the Share, including in particular the matter number, the subject matter of the case, and the name, identifier and path of the shared file or folder;
f) personal data contained in the shared documents, where the relevant document contains such data;
g) access and security log data, including in particular the time of the event, the Recipient’s e-mail address, the type of event, the identifier and name of the affected file or folder, IP address, browser user-agent data and event identifier;
h) the fact and time of acceptance of the terms of use and privacy notice, and the related technical identifiers;
i) data appearing in download or access certificates, including the technical fingerprint generated from the event data.
4. Purposes of processing
The purposes of processing are:
a) the creation and operation of the Share;
b) the identification of the Recipient and the prevention of unauthorised access;
c) the sending and verification of the Verification Code, the handling of failed attempts and the prevention of misuse;
d) the provision of viewing and download access to the shared documents;
e) the documentation of access events relating to the Share;
f) the management of expiry, revocation and access sessions relating to the Share;
g) the generation of access and download certificates;
h) the prevention, detection and investigation of IT security incidents and misuse;
i) the establishment, exercise or defence of legal claims by the Customer, the Issuing Attorney, the Recipient or the Service Provider.
5. Legal bases of processing
The legal basis for the creation of the Share, the determination of the scope of the shared documents and the designation of the Recipient shall be determined by the Customer. Depending on the nature of the specific matter, such legal basis may in particular be:
a) the performance of a contract or the taking of steps prior to entering into a contract pursuant to Article 6(1)(b) of the GDPR;
b) compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR;
c) the legitimate interests of the Customer, the Issuing Attorney or a third party pursuant to Article 6(1)(f) of the GDPR, in particular for the secure handover of documents, the performance of an attorney’s mandate, or the establishment, exercise or defence of legal claims;
d) in exceptional cases, the consent of the data subject pursuant to Article 6(1)(a) of the GDPR, where the Customer considers this to be the appropriate legal basis for the specific processing.
The legal basis for the processor activities of Flowyer LegalTech Kft. is the contractual relationship with the Customer and the controller instructions of the Customer.
The legal basis for processing carried out by Flowyer LegalTech Kft. as an independent controller for IT security, misuse prevention, service protection and legal enforcement purposes is the legitimate interest under Article 6(1)(f) of the GDPR. Where the retention or disclosure of certain data is required by law, the legal basis for the processing shall be compliance with a legal obligation under Article 6(1)(c) of the GDPR.
6. Special categories of data and attorney-client privilege
Depending on the case file determined by the Customer, the content of the shared documents may contain special categories of personal data, criminal offence data, attorney-client privileged information, trade secrets or other confidential information.
Flowyer LegalTech Kft. does not analyse, classify or determine the legal nature of the content of the shared documents. The Customer, as controller, shall be responsible for the content of the shared documents, the lawfulness of the Share and the provision of appropriate information to the data subjects.
Where special categories of personal data are processed, the Customer shall determine the applicable exception under Article 9 of the GDPR. Where criminal offence data are processed, the Customer shall determine the applicable conditions under Article 10 of the GDPR.
7. Recipients and processors
Personal data relating to the Share may, by virtue of the nature of the Share, be accessed by:
a) the Recipient for whom the Share has been created;
b) the Customer and the Customer’s authorised users;
c) the Issuing Attorney;
d) those employees or contributors of Flowyer LegalTech Kft. whose access is necessary for the provision of the service, troubleshooting, investigation of security incidents or compliance with legal obligations;
e) hosting, infrastructure, e-mail delivery, logging, file storage or other technical service providers involved as processors or sub-processors in the operation of the Software;
f) authorities, courts or other bodies entitled to receive the data under applicable law.
Depending on the technical solution, file downloads may take place directly through the infrastructure of the file storage provider. The ZIP packaging process may involve a technical contributor or a separate processing environment. When engaging sub-processors, the Service Provider shall ensure that such sub-processors are subject to data protection obligations essentially equivalent to those undertaken towards the Customer.
8. Transfers to third countries
The primary data processing and data handling environment of the Software is based on infrastructure located within the European Union. Where the operation of the function involves a transfer of personal data to a third country, such transfer shall take place only if the conditions set out in Chapter V of the GDPR are met.
9. Data security measures
In operating the function, the Service Provider may apply, in particular, the following data security measures:
a) use of a unique, cryptographically random Share Link;
b) use of a one-time Verification Code linked to an e-mail address;
c) storage of the Verification Code in hashed form;
d) time-limited Verification Code and access session;
e) limitation of failed code entry attempts and temporary lockout;
f) HTTPS-based encrypted data transmission;
g) session cookies protected by HttpOnly and other security settings;
h) logging of access and security events;
i) expiry and revocation mechanisms;
j) use of download URLs with a short validity period;
k) role-based access control on the attorney-side interface of the Software.
10. Retention period
The retention period of data relating to the Share depends on the type of data and the purpose of processing.
The metadata of the Share, including the identifiers connected to the Share Link, the e-mail addresses of Recipients, the subject matter of the Share, its expiry date and status, may be retained for the duration of the Share and thereafter for as long as necessary for the establishment, exercise or defence of legal claims by the Customer or the Service Provider, for accountability obligations, or for IT security interests.
The Verification Code is stored only in hashed form and may be processed for the period necessary to complete the verification process, manage the expiry time and prevent misuse.
Access session data may be processed for the duration of the validity of the session and, for security reasons, for the logging period connected to such session.
Access log data and certificates generated on the basis thereof may be retained for the retention period determined by the Customer, or in the absence thereof for a period aligned with the limitation period for legal claims, attorney document retention obligations and IT security purposes.
The retention period of the shared documents shall be governed by the general document and file management rules of the Software and by the Customer’s own document management and attorney retention obligations.
11. Rights of data subjects
The data subject may exercise the rights provided for under the GDPR, including in particular the right to:
a) request information and access to the personal data relating to them;
b) request the rectification of inaccurate personal data;
c) request the erasure of personal data, where the statutory conditions are met;
d) request restriction of processing;
e) object to processing based on legitimate interests;
f) exercise the right to data portability, depending on the applicable legal basis;
g) withdraw consent at any time where processing is based on consent.
Since, as a general rule, the Customer qualifies as the controller in respect of the creation of the Share and the determination of the scope of the shared documents, data subject requests should primarily be submitted to the Customer or the Issuing Attorney.
Where the data subject submits a request directly to Flowyer LegalTech Kft., the Service Provider may, having regard to its processor role, forward the request to the Customer and cooperate in the fulfilment of the request in accordance with the Customer’s instructions. In respect of processing activities where Flowyer LegalTech Kft. acts as an independent controller, the Service Provider shall assess the request in its own capacity.
12. Complaints and remedies
The data subject may primarily address any data protection question or request to the Issuing Attorney or the Customer. Data protection enquiries addressed to Flowyer LegalTech Kft. may be submitted to support@flowyer.hu with the subject line "Data Protection".
The data subject shall be entitled to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information and shall also be entitled to bring proceedings before a court if they consider that the processing of their personal data infringes applicable data protection laws.
13. Data protection effect of expiry and revocation of the Share
The expiry or revocation of the Share shall result in the termination of the Recipient’s further access right. Expiry or revocation shall not automatically result in the immediate deletion of all personal data relating to the Share, as the retention of certain data, in particular access log data and data necessary for the generation of certificates, may remain necessary for the establishment, exercise or defence of legal claims, accountability, IT security or compliance with legal obligations.
On the basis of an expired or revoked Share, the Recipient shall not be able to perform any further document viewing or download, and active sessions may be invalidated.
Flowyer LegalTech LLC processes personal data solely in the capacity of a data processor (providing hosting services), with the exception of the data provided for the fulfilment of the order and for contact purposes as detailed above. All decisions related to data processing are exclusively made by the data controller business partner (hereinafter referred to as the "Client") who provides personal data in relation to their own clients. The Client assumes liability for any claims made by third parties against Flowyer LegalTech LLC regarding personal data processing or breaches of business confidentiality. Flowyer LegalTech LLC does not make substantive decisions concerning data processing, processes personal data solely according to the Client’s instructions, does not process data for its own purposes, and stores and retains personal data in compliance with the Client’s instructions. Both parties agree that the Client acknowledges and approves the data storage and retention system established by Flowyer LegalTech LLC, while retaining the right to inspect it. Flowyer LegalTech LLC declares that it takes into account the state of the art in determining and applying technical and organisational measures to ensure data security.
The Client may specify actions for Flowyer LegalTech LLC to execute decisions related to data processing to ensure the proper fulfilment of contractual tasks. However, the Client is responsible for the legality of such instructions. Flowyer LegalTech LLC must immediately inform the Client before executing an instruction if it is deemed impractical, unprofessional, or in violation of legal regulations. Flowyer LegalTech LLC may only deviate from the Client’s instructions if mandated by (domestic or EU) law.
Flowyer LegalTech LLC may engage additional data processors. Should it do so, the same data protection obligations will apply to the engaged processor as those stipulated between the Client and Flowyer LegalTech LLC. Flowyer LegalTech LLC ensures that contracts are established with its personnel or parties involved in data processing concerning the confidentiality of personal data.
Flowyer LegalTech LLC is obliged to prevent unauthorised access to the data and to notify the Client without undue delay about any data protection incident, providing detailed information.
If the Client decides not to renew their subscription after it expires, Flowyer LegalTech LLC will provide "read-only" access to the data, allowing the Client to access and copy the data in the same manner as during upload (certain features may include export functionality).
Any disputes arising in relation to the above should be resolved primarily through mutual negotiations. If the dispute cannot be resolved within 30 days of initiating written discussions, the matter may be brought before the competent court with general jurisdiction as determined by Act CXXX of 2016.