Flowtag logo

Data Processing Agreement

Last updated: Mar 23, 2026

1. Parties

This Data Processing Agreement (“Agreement”, “DPA”) is entered into between:

(1) The Customer (“Controller”) The entity subscribing to or using the Flowtag service.

(2) Flowtag (“Processor”) Pruszcz Gdański, Poland (“Flowtag”)

The Controller and the Processor are jointly referred to as the Parties.

This DPA forms an integral part of the Flowtag Terms of Service.

2. Subject of the Agreement

  1. The Processor shall process personal data on behalf of the Controller for the sole purpose of providing the Flowtag analytics service ("Service").
  2. This DPA governs the scope, nature, and purpose of processing in accordance with Article 28 GDPR.
  3. Processing begins when the Controller starts using the Service and ends when the Controller account is deleted or terminated.

3. Definitions

  • “Personal Data”: any information relating to an identified or identifiable natural person.
  • “Processing”: as defined in Article 4(2) GDPR.
  • “Sub-processor”: third-party service provider engaged by the Processor.
  • “TOMs”: Technical and Organizational Measures implemented by the Processor.

4. Nature, Purpose and Categories of Processing

4.1 Nature of processing

The Processor collects and processes interaction data generated by visitors and users on digital properties connected to Flowtag.

4.2 Purpose of processing

Flowtag processes personal data solely for providing analytics, including:

  • click tracking
  • event measurement
  • campaign performance analysis
  • session and traffic data
  • organization-level usage reporting

No data is processed for advertising, profiling, resale or unrelated business purposes.

4.3 Categories of personal data

Depending on configuration:

  • Pseudonymous identifiers (UUID, session ID)
  • IP address (optional/always truncated or hashed if enabled)
  • User agent metadata
  • Device, browser, language information
  • Referrer, UTM parameters
  • Page views, click data, events
  • Organization account metadata (team members)

No special categories of data are intentionally processed.

4.4 Categories of data subjects

  • Visitors/end-users of the Controller’s website or application
  • Members of the Controller’s organization using Flowtag

5. Obligations of the Processor

The Processor shall:

  1. Process data only on documented instructions from the Controller.

  2. Ensure that persons authorized to process the data are bound by confidentiality.

  3. Implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:

    • encryption in transit and at rest
    • access control
    • audit logging
    • least-privilege access
    • network isolation and firewalling

  4. Assist the Controller in responding to data subject requests.

  5. Assist the Controller with GDPR obligations regarding:

    • security
    • breach notifications
    • data protection impact assessments

  6. Delete or return all personal data after the end of the Service.

  7. Make available all information necessary to demonstrate compliance with GDPR.

6. Obligations of the Controller

The Controller shall:

  1. Ensure a valid legal basis for processing end-user data.
  2. Provide proper privacy notices to its users.
  3. Configure Flowtag in accordance with its own GDPR responsibilities (e.g., cookie/no-cookie mode).
  4. Not use the Service to process unlawful or sensitive data unless legally permitted.
  5. Ensure transmission of data to the Processor is lawful.

7. International Transfers

Where Personal Data is transferred outside the EU/EEA:

  • the Processor uses Standard Contractual Clauses (SCCs),
  • or ensures adequacy decisions,
  • or equivalent GDPR-compliant safeguards.

8. Confidentiality

The Processor shall ensure:

  • data confidentiality,
  • restricted access policies,
  • non-disclosure obligations for all personnel,
  • protection of trade secrets and business data.

9. Data Retention and Deletion

  1. Data is retained according to the Controller’s selected retention plan:

    • 1 month
    • 4 months
    • 8 months
    • 12 months
    • 24 months
    • 36 months

  2. After retention expires, data is automatically deleted.

  3. Upon termination of the Service, all personal data will be deleted within 30 days, unless otherwise requested by the Controller.

10. Security and Breach Notification

  1. The Processor implements industry-best-practice security measures (TOMs).

  2. The Processor shall notify the Controller without undue delay after becoming aware of a data breach.

  3. Notifications will include:

    • nature of incident
    • likely consequences
    • steps taken or proposed
    • recommended mitigation measures

11. Audits

  1. The Controller may request documentation demonstrating compliance.

  2. On-site audits are permitted only if:

    • required by law, or
    • a serious security incident occurs

  3. Audits must be reasonable, scheduled, and non-disruptive.

12. Liability

Liability is governed by the main Flowtag Terms of Service. Nothing in this DPA extends liability beyond what is stated in the Terms.

13. Termination

Upon termination:

  • The DPA automatically ends.
  • Processor deletes all personal data within 30 days.
  • Controller may export remaining data before deletion.

14. Contact

For questions regarding data protection:

Flowtag – Data Protection Office Email: hello-flowtag@qwerty.ovh Pruszcz Gdański, Poland

15. Final Provisions

  1. In case of conflict between this DPA and the Terms, this DPA prevails.
  2. Changes to this DPA must be made in writing.
  3. The DPA is governed by EU law, unless otherwise required.

Signed electronically

This DPA is deemed accepted by both Parties upon acceptance of Flowtag Terms of Service.

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our privacy policy.