Privacy policy

(A) This Privacy Policy was last modified on 21.11.2022 and may be sporadically updated to reflect changes in legislation, so please review it now and then. You can always find the most recent version on our Website at http://wflow.com/en/privacy-policy. If we make substantial changes, we will try to provide at least a 30-day notice prior to any changes taking effect. What constitutes a substantial change will be determined at our sole discretion. By continuing to access or use our Platforms or Services after those revisions become effective, you agree to be bound by the revised terms. If you do not agree to the new terms, please stop using the Platforms.

(B) We process your data with due care, in accordance with all applicable laws and regulations, including the regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (the “GDPR”).

(C) The Privacy Policy only covers data processing carried out by us. The Privacy Policy does not address, and we are not responsible for, the privacy practices of any other parties.

1. Who processes your personal data?

1.1 Your personal data are being processed by our company wflow.com Czech Republic  s.r.o., ID No.: 072 12 241, with its registered office at Pobřežní 658/34, Karlín, 186 00 Prague 8, registered in the Commercial Register maintained by the Municipal Court in Prague, File No.: C 295488 (the “Controller“, “we”, “us” or “our”).

1.2 To learn more about personal data management or if you have any other questions, you're welcome to contact us at info@wflow.com.

2. What personal data are processed?

The subjects of personal data processing according to this Privacy Policy are persons representing our Customers, as defined in our Terms of Service, who are legal persons (the "Representative"), as well as all other Users of the Account on our Platforms (collectively the “Users” or “you” ). We may collect the following types of information about Users:

2.1. Personal Data

 We may collect and process your name, email address, telephone number and other data provided by you voluntarily when you use our Services.

2.2. Technical Information

We and/or our authorised external service providers (e.g., Google, LLC - Google Analytics) may automatically collect technical data when you visit or interact with our Services. Technical data may include, in particular, the URL of the website you visited before visiting our Website, the time and date of user visits, surfing habits, IP address, the browser name, the type of computer or device accessing our Services, time spent on the Website and other similar technical information (the “Technical Data”). In a limited  number of cases, it is possible to use technical data and identify you by them as an individual, thus making them personal data according to applicable legal regulations; however, we never use technical data to identify you as an individual.

2.3. User Data

When you have registered on our Platforms, we start collecting data from the devices and applications associated with your Account, which may include personal data relating to you, to your accounts or to third parties, including information about your devices used by accounts, websites and applications that your accounts use (collectively, the “User Data”).

2.4. Anonymised data provide aggregated analytics and statistics from the Platform

When you have used our Platform and Services, we may anonymise and aggregate these analytics and statistics generated from using the Platforms (the “Insights”). Insights may be used for research and development purposes. Unlike Technical Data, Insights are anonymous and it is not possible to identify you as an individual.

3. What are the purposes and legal basis for processing your personal data?

3.1. We process your personal data in order to:

3.1.1. carry out the agreement existing between us and the Customer based on the Customer’s decision to use our Services

This purpose includes mainly the following processing activities:

• opening an Account on our Platforms;
• informing you about any updates and new features of our Services (including changes in the pricing model);
• notifying you about the updates of our Terms of Service, Cookie Policy, and this Privacy Policy;
• responding to you in relation to any queries you may have with respect to our Services;
• resolving potential agreement-related troubleshoot problems and disputes.

We process your name, email address, and other data provided by you voluntarily when you use our Services (i.e., when you created an Account on our Website) for this purpose.

Legal basis for such processing: the performance of a contract in accordance with Article 6 (1) (b) of GDPR.

3.1.2. improve our Platforms and Services

We may recognize and count the number of visitors to our Website and record anonymous visits for the purpose of improving our Website and Services.

We process the Technical Data (as defined above) for this purpose on the following legal basis: legitimate interest of the Controller in accordance with Article 6 (1) (f) of GDPR.

3.1.3. market our Services

We may market to you our current or future Services only if you subscribe to the newsletter at our Website or give us your consent to send you updates when creating an Account on our Website and thus provide us your consent with the processing of your email address for the marketing purposes.

We process your email address on the following legal basis: your consent in accordance with Article 6 (1) (a) of GDPR.

You can stop direct marketing communications from us by clicking the “Unsubscribe from newsletter” link in any email communication that we send you.

3.1.4. keep our Platforms safe

We may monitor usage of the Platforms. The purpose of this collection and processing is to safeguard against abuse of the Platforms and prevent serious misuse from Users.

We process this usage data for this purpose on the following legal basis: legitimate interest of the Controller in accordance with Article 6 (1) (f) of GDPR.

4. Customer as a controller and Wflow as a processor

4.1. In relation to some personal data processed via the Platforms, e.g. personal data of subjects that are mined from the uploaded documents, Wflow acts as a processor.

4.2. The legal basis of such processing may be the performance of a contract between the Customer and a third party in accordance with Article 6 (1) (b) of GDPR, the compliance with a legal obligation of the Customer in accordance with Article 6 (1) (c) of GDPR, or a legitimate interest of the Customer in accordance with Article 6 (1) (f) of GDPR.

4.3. The categories of personal data concerned may be: identification data (e.g. first name, last name, address, ID No.), contact data (e.g. email, phone, address), data on the relationship to the third party (function, workplace).

4.4. The Customer, as the controller, is responsible for ensuring that it has a legal basis for the processing and that the subjects are provided with full information about the processing of the data it carries out through the Platforms. The information provided in this Section 4 is of a general and informative nature only, and its accuracy and completeness are not guaranteed.

5. Who are recipients of your personal data?

5.1. We only share your personal data within our organisation.

5.2. We do not share your personal data with any recipients outside of the Controller unless one of the following circumstances applies:

5.2.1. it is necessary to provide our Services to you

To the extent that our external service providers (sub-processors) need access to your personal data to help us perform our Services for you, we have taken the appropriate contractual and organisational measures to ensure that your personal data are processed in accordance with all applicable laws and regulations.

Below is a non-exclusive list of our sub-processors for compliance:

• Rossum Ltd, UK
  • We share your binary files (PDF, images) for data extraction. Privacy policy
• Actual Reports OÜ
  • We share your data to create transactional PDF documents. Privacy policy
• Dativery
  • We share your data for ERP integrations. Privacy policy
• Signi.com
  • We share your binary files (PDF) for digital signing. Privacy policy

The list of these sub-processors may change from time to time as we change or remove some of the providers listed above and/or put in place other providers to assist us in providing the Services.

5.2.2. It is necessary for legal reasons

 We may share your personal data with recipients outside the Controller if we have a good-faith belief that access to and use of your personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests, properties or safety of the Controller, our users or the public as far as in accordance with the law. When possible, we will inform you about such processing.

5.2.3. it is needed to improve our Services

 In order to improve our Platforms and Services we may use third-party providers listed below to help us collect and analyze Technical Data.

 Below is a non-exclusive list of our sub-processors:

• Google Analytics (Google LLC) Privacy policy
• Smartlook (Smartlook.com, s.r.o.) Privacy policy
• Intercom (Intercom, Inc.) Privacy policy

The list of these sub-processors may change from time to time as we change or remove some of the providers listed above and/or put in place other providers to assist us in providing the Services.

5.3. Disclosures

We do not and will not share any data with third party AI models.

6. Do we transfer your data to countries outside the EU/EEA?

6.1. The Controller may transfer your personal data to countries outside the European Union and the European Economic Area where we engage with external service providers. In such a case, we transfer your personal data only to a country that is considered to have an adequate level of protection in accordance with the EU Commission's decision or there are appropriate safeguards in place to protect your personal data, such as standard contract clauses or binding internal company rules. Regardless of the country in which your personal data is processed, the Controller takes reasonable technical, legal and organisational measures to ensure that the level of protection is the same as in the European Union and the European Economic Area. If you wish to know more about international transfers of your personal data and the appropriate safeguards that we have in place to govern the transfer of your personal data, you may contact at info@wflow.com.

6.2. If we are involved in a merger, acquisition or other reorganisation, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event.

7. What is the storage period?

7.1. Storing the data - The Controller stores your personal data only if it is legally permitted and necessary for the purposes for which the data were collected, however, no longer than 5 years after you use our Platform for the last time.

8. What are your rights?

8.1. Right of access - The Controller offers you access to your personal data we process. This means you can contact us and request from us a confirmation whether or not your personal data are being processed and if so, you have the right to request access to your data, which we will provide to you in the form of a so-called "registry" (stating, in particular, purposes, categories of personal data, categories of recipients of personal data, storage periods or criteria for determining storage periods).

8.2. Right to rectification - You have the right to have inaccurate personal data we have stored about you rectified.

8.3. Right to erasure - You may also ask us to erase your personal data from our systems. We will comply with such requests unless we have a legitimate ground to not delete your personal data.

8.4. Right to restriction of processing - You may request us to restrict certain processing of your personal data. If you restrict certain processing of your personal data, this may lead to fewer possibilities to use our Services and Platforms.

8.5. Right to data portability - You have the right to receive your personal data from us in a structured, commonly used and machine-readable format in order to transmit the personal data to another controller.

8.6. How to use your rights - You may exercise your rights above, free of charge, in writing by sending an email to info@wflow.com. We may require confirmation of your identity depending on your request.

9. May you complain?

9.1. In case you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with the local supervisory authority for data protection.

10. Is data secured?

10.1. We take all reasonable, appropriate security measures to protect the Controller and our Users from unauthorised access to or unauthorised alteration, disclosure or destruction of personal data we hold. Measures include, where appropriate, anonymisation, encryption, firewalls, secure facilities and access rights systems. Should, despite the security measures, a security breach occur that is likely to have negative effects to your privacy, we will inform you about the breach as soon as reasonably possible. If you have any questions, feel free to contact us at info@wflow.com.

‍