NOTES TO USERS IN EUROPE:
- Although we are not based in the European Economic Area (“Europe”), because we target our offerings (and enable our retail partners whose goods you may purchase (“Retail Partners”) to target sales of their goods) to individuals who are based in Europe, European data protection legislation known as the General Data Protection Regulation (“GDPR”) applies to us and our use of your Personal Data.
- For more information, please see the provisions under the heading “Provisions Specific to European Users”, below.
What Types of Personal Information Does Flow Collect?
We collect, store, and use information that you provide directly to us and information we acquire in other ways, each as detailed below:
- Information You Provide to Us Directly. We acquire information from you when you (a) provide information via any of the Flow Websites, including any user accounts or other accounts, (b) interact with any Flow Website’s checkout pages, (c) purchase goods and/or services from Flow, (d) communicate or interact with Flow customer service (via email, mail, courier, fax, web form, and/or phone) and/or (e) engage in any other electronic or oral conversation with an employee, contractor, agent or retail partner of Flow. Through these channels, you might provide us with information about you, information about the recipient of any merchandise you are ordering and/or having shipped, including, in either case, names, email addresses, postal addresses, phone numbers, genders, birthdays, marketing preferences, personal interests, credit card information, and other information, including driver’s license numbers, CPF numbers or other national identifiers, and passport information. To the extent that you provide us information that is retained as a user account or user profile on the Flow Website, you may log into that profile to update, edit or delete any information contained therein. Information that is retained as a record of an order placed, item shipped, return request, customer service provided, or similar transaction is, by its nature, not editable.
What Cookies and Other Technologies Does Flow Use?
A cookie is a small file downloaded on to a device when a user accesses certain websites. When you interact with Flow or its partners, cookies and other technologies may be used for storing information, and accessing information stored on your devices, such as your computer, mobile device or other device. These cookies and other technologies may include first party cookies (i.e., those placed by the website being visited) and third party cookies (i.e., those placed by a website other than the one being visited), local shared objects (“LSO,” and commonly referred to as “Flash Cookies” or “HTML 5 Cookies”) and tracking pixels (including transparent or clear gifs also known as “web beacons”).
Cookies can either expire at the end of a session (“Session Cookies”) or be persistent and last through multiple sessions (“Persistent Cookies”). Session Cookies can be helpful for remembering items you put in your shopping cart as you browse a site, or for security reasons when you are providing financial information. Persistent Cookies are stored on your device in between sessions, which allows for your preferences or actions to be remembered and used on a website (or in some cases across different websites). Persistent Cookies may be helpful in remembering your preferences and choices when using a website or to ensure advertising messages are more relevant to you. Cookies are useful because they allow us to recognize your device and provide you with a high level of service and relevant offers.
Broadly speaking, Cookies placed on your computer or device fall into two categories:
- First Party Cookies – these are served directly by us to your computer or device and are used only by us to recognize your computer or mobile device when it revisits our website; and
- Third Party Cookies – these are served by our service providers and partners on our website, and can be used by such parties to recognize your computer or mobile device when you use it to visit other websites.
The Flow Websites may use the following types of Cookies for the purposes set out below:
|Type of cookie||Purpose|
|Essential Cookies||These Cookies are essential to provide you with services available through our Site and to enable you to use some of its features. For example, they allow you to log in to secure areas of our Site and help the content of the pages you request load quickly. Without these Cookies, the services that you have asked for cannot be provided, and we only use these Cookies to provide you with those services.|
|Functionality Cookies||These Cookies allow our Site to remember choices you make when you use our Site, such as remembering your currency and language preferences, remembering your log-in details and remembering the changes you make to other parts of our Site which you can customize.
The purpose of these Cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Site.
|Analytics and performance Cookies||These Cookies are used to collect information about traffic to our Site and how users use our Site. The information gathered does not identify any individual visitor. The information is aggregated and therefore anonymous. It includes the number of visitors to our Site, the websites that referred them to our Site, the pages that they visited on our Site, what time of day they visited our Site, whether they have visited our Site before, and other similar information. We use this information to help operate our Site more efficiently, to gather broad demographic information and to monitor the level of activity on our Site.
We use Google Analytics for this purpose. Google Analytics uses its own Cookies. It is only used to improve how our Site works. You can find out more information about Google Analytics Cookies here: Click Here
You can find out more about how Google protects your data here: www.google.com/analytics/learn/privacy.html
You can prevent the use of Google Analytics relating to your use of our Site by downloading and installing the browser plugin available via this link: http://tools.google.com/dlpage/gaoptout?hl=en–GB
|Targeted and advertising Cookies||These Cookies track your browsing habits to enable you to see advertising which is more likely to be of interest to you. These Cookies use information about your browsing history to group you with other users who have similar interests. Based on that information, and with our permission, third party advertisers can place Cookies to enable them to show adverts which will be relevant to your interests while you are on third party websites.|
How Can I Disable Cookies?
To limit disclosures and use of personal data – you can typically remove or reject Cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings”, “help” “tools” or “edit” facility). Many browsers are set to accept Cookies until you change your settings. You can take additional steps to disable or delete similar data, such as Flash Cookies, by modifying the “add-on” settings on your browser. Various browsers may offer their own management tools for access to HTML5 LSOs. However, please note that certain Cookies are required for you to be able to take advantage of some of Flow’s important functions. For example, if you do not allow our cookies, you may not be able to purchase items from one of our checkouts. You may find specific instructions for disabling cookies in some of the popular browsers via the following links: Google Chrome, Safari, Mozilla Firefox,Microsoft Internet Explorer.
In addition to any Cookies that may be set via our Site, with their permission, we may also set Cookies via our partners’ Flow Websites to assist both them and you in our provision of the Flow Services.
How Does Flow Use Your Information?
The type or identity of third parties to which Flow discloses personal information and the purpose is addressed herein. We use and retain your information as needed to provide you services, ship and track your order, maintain a record of your purchases and returns, comply with our legal obligations, resolve disputes, and for other legitimate business reasons. By way of example, and not limitation, we analyze transactional data for the purpose of identifying trends, statistics and measurements that could contribute to the enhancement of Flow services. Such use could include identifying market sensitivities, and relative market interest in specific product categories. Another example would be if you place an order with us through a Flow Website, we (directly or through our merchant supplier or other entity on our behalf) may contact you if there is an issue with the order (e.g., to find an alternative to a restricted item).
How Does Flow Share Your Information?
- Marketplaces and Partners Involved in Your Transactions. Depending on how you interact with Flow, you may make purchases that involve third parties. For example, you may make a purchase that involves a third-party website or marketplace. In such a situation, you may initially view products on that website or marketplace and Flow is facilitating the order or otherwise involved. If this is the case, it will be very clear to you that a third party is involved in your transaction. And, if so, we may share your personal information with that third party.
- Service Provider. Flow may provide your personal information to certain service providers in connection with the fulfillment of your purchase instructions, including but not limited to delivery agents, email service providers to send you emails on our behalf, customer support providers to process your feedback, customs brokers, international revenue authorities and fraud management parties. Flow will always attempt to limit the information we provide to be what is reasonably sufficient for those service providers to carry out their responsibilities as they relate to the fulfillment of your purchase instructions, and no service provider shall be authorized by us to use or disclose the information except as necessary to perform services on our behalf, or to comply with legal requirements, or for legitimate and legal business purposes. For example, in the case of fraud management service providers, they may use and retain information relating to your transaction to analyze and detect fraudulent transactions to compare to your transaction.
- Flow’s Protection. We will disclose your personal information as required by law, when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process, to enforce or apply our Terms & Conditions and other agreements and to protect the rights of Flow.
- Business Transition. In the event Flow goes through a business transition, such as a merger with or acquisition by another company, sale of all or a portion of our assets or brands, your personal information will likely be among the assets transferred.
- You Otherwise Consent. We may, of course, share your information in other ways that you specifically consent to.
- Aggregated Content. We may also share “aggregated/blinded” information with our merchant partners, PR agencies, advertising agencies, and other third parties. By “aggregated/blinded” information we mean, information from multiple users that contains only zip codes, purchasing amounts, products, brands, categories, merchants involved, timing of transactions/usage and frequency of usage – with no other private information or personally identifying information included.
In addition, in the event of a merger, acquisition, reorganization, bankruptcy, or other similar events, certain information in our possession may be transferred to our successor or assign.
How Does Flow Handle, Store and Secure Your Information?
We take the security of your data very seriously at Flow. We use a variety of current technologies and processes to protect your data, including encryption at both the storage and transport level. However, please note that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.
The security of your password is key to the security of your data. We recommend that you do not share, reuse, or store any of the passwords you may have set up with any of Flow’s retail partners with anyone else.
What You Should Understand About Third-Party Advertisers and Links to Other Websites?
Does Flow Transfer Your Data Cross Border?
Flow adheres to applicable laws and regulations regarding your personal information moving across geographical and jurisdictional borders. This includes the use of data transfer agreements and model contractual clauses, where available, between our corporate entities, our partners and our clients where required.
Information submitted by you may be transferred by us to our other offices and/or to the third parties mentioned in the circumstances described above (see How Does Flow Use and Share Your Information?), which may be situated in, or employ staff in, places other than your home jurisdiction, the U.S. and/or the European Economic Area (EEA). The countries concerned may not have similar data protection laws to your home jurisdiction, the US and the EEA. Where we transfer your information we will take all reasonable steps to ensure that your privacy continue to be protected. By submitting information via the Flow Website, you agree to this storing, processing and/or transfer.
Flow’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Flow remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Flow proves that it is not responsible for the event giving rise to the damage.
We encourage you to contact us should you have a Privacy Shield-related (or general privacy-related) complaint. For any complaints that cannot be resolved with Flow directly, Flow has chosen to cooperate with EU data protection authorities (DPAs) and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles). If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback–form.truste.com/watchdog/request.
As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Flow is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) and the US Department of Transportation.
Are Children Allowed to Use Flow?
Flow does not allow anyone under the age of 18 to take part in any of its services. If you are under the age of 18, you must stop using the Flow Websites and taking part in its services now. To be clear, but not to limit what you are not allowed to do, if you are under 18, you may not make purchases from Flow or any of its partners, you may not click through to any of our partners’ websites, and you may not take part in any surveys, panels or the like.
What are the Terms & Conditions and Dispute Resolution?
How to Contact Us:
Flow Commerce Inc.
2 Hudson Place
Hoboken, NJ 07030
PROVISIONS SPECIFIC TO EUROPEAN USERS
Who is the Controller of your Personal Data?
A “Controller” is the person who determines the purposes and means of processing Personal Data.
When will the Retail Partner whose goods you purchase be the Controller? In the vast majority of circumstances, Flow commits to process your Personal Data only under the instructions of its Retail Partners. In these circumstances, Flow will be the Processor of your Personal Data and the relevant Retail Partner will be the Controller.
However, please note that Flow may be a Controller in respect of certain Personal Data that we collect through your use of this Site outside the context of any purchase you might make of Retail Partner’s goods.
Please contact us using the details in the “How to Contact Us” section above if you want to find out whether Flow or the Retail Partner whose goods you purchase is the Controller of your Personal Data Flow processes in connection with your purchase.
What is Personal Data?
The GDPR definition of ‘personal data’ can be found here. Essentially, it boils down to: information about an individual, from which that individual is either directly identified or can be indirectly identified.
It does not include anonymous information (i.e., information where the identity of individual has been permanently removed).
However, it does include ‘indirect identifiers’ or ‘pseudonymous data’ (i.e., information which alone doesn’t identify an individual but, when combined with certain additional and reasonably accessible information, could be attributed to a particular individual).
What Personal Data do these “Provisions Specific to European Users” apply to?
They apply to any European User’s Personal Data that we process as a Controller (see the “When will Flow be the Controller?” subsection above). This is because, where we process Personal Data as a Processor of our Retail Partners we are bound by both the GDPR and our agreements with those Retail Partners to process your Personal Data only under their instructions.
What Personal Data do we collect?
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, driver’s license numbers, CPF numbers or other national identifiers, and passport information.
- Contact Data includes billing address, shipping address, email address and telephone numbers.
- Financial Data includes payment card details.
- Transaction Data includes details about payments you make in respect of your purchases of Retail Partners’ goods.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site.
- Usage Data includes information about how you use our Site and offerings.
- Marketing and Communications Data includes your preferences in receiving marketing from us, our Retail Partners, and other third parties and your general communication preferences.
Our Purposes and “legal bases” for processing your Personal Data?
Where we act as a Controller of Personal Data, the GDPR requires us to ensure that we have a “legal basis” for that use. We typically rely on one of the following legal bases in respect of our processing of your Personal Data:
- Where we need to perform the contract we are about to enter into or have entered into with you (“Contractual Necessity”).
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“Legitimate Interests”).
- Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
Generally we do not rely on “consent” as a legal basis for using your Personal Data.
Please note that where we act as a Processor of a Retail Partner, it is that Retail Partner’s responsibility to ensure that they have a valid legal basis for their processing of your Personal Data (including any processing we carry out on their behalf).
We have set out below, in a table format which of the legal bases we rely on in respect of the relevant Purposes for which we use your Personal Data, as well as what those purposes are.
Where more than one legal basis is listed in the below, if you want details about the specific legal basis we are relying on to process your Personal Data in a specific circumstance, please contact us using the details in the “How to Contact Us” section above.
|Purpose:||Personal Data involved:||Legal basis:|
|To process and deliver your order.||
|To provide you with support relating to your purchase and to facilitate returns.||
|To collect and recover money owed to us and our Retail Partners||
||Legitimate Interests. We have a legitimate interest in recovering debts due to both ourselves and our Retail Partners (where applicable).
Compliance with Law.
|To administer and protect our business and this Site (including fraud prevention, troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data||
||Legitimate Interests. We have a legitimate interest in ensuring the ongoing security and proper operation of our offering and associated IT services and networks.|
|To enable us and our partners to deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you||
||Legitimate Interests. We have a legitimate interest in studying how our users use our offerings. This helps us improve our offering and this Site, grow our business and to inform our marketing strategy.|
|To use data analytics to improve our Site, offerings, marketing, customer relationships and experiences||
||Legitimate Interests. We have a legitimate interest in analyzing our user base to keep our Site and offerings relevant and up-to-date. As well as developing our business and to informing our marketing strategy.|
|Respond to your requests and to resolve disputes.||
||Legitimate Interests. We have a legitimate interest in analyzing our user base to keep our Site and offerings relevant and up-to-date. As well as developing our business and to informing our marketing strategy.|
We have put in place what we consider to be appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business “need to know”. They will only use or access your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected ‘personal data breach’ and will notify you and any applicable regulator of a breach affecting your Personal Data where we are legally required to do so.
Your Legal Rights
Under certain circumstances, you have rights under the GDPR in relation to your Personal Data. These rights are described below:
- Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data. This right exists where we are relying on a Legitimate Interest and there is something about your particular situation, which makes you want to object to processing on this ground.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your Personal Data. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information that we process based on your consent or Contractual Necessity.
Please note that where we act as a Processor of a Retail Partner if you make a request in respect of any of the above directly to Flow, we will: (a) let the relevant Retail Partner (i.e., the one whose goods you purchased and who is the Controller of your Personal Data) know that you have made this request; (b) pass on your details to that Retail Partner; and (c) send you the necessary contact information for that Retail Partner so that you can make that request to them directly. Where we can, and where the law permits, we will also assist that Retail Partner in complying with any request you make to them.
No Fee Usually Required.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What We May Need From You.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit to Respond.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
In addition to your right to complain to us directly at the details in the “How to Contact Us” section above, if you feel your complaint has not been adequately resolved, please note that the GDPR gives you the right to contact your local data protection supervisory authority, which for the UK, is the Information Commissioner’s Office.
Special Categories of Personal Data
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Please do not provide us with any such information.
What happens if you fail to provide any necessary Personal Data?
Where we need to collect Personal Data for the purposes of Compliance with Law, or due to Contractual Necessity, if you fail to provide that Personal Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example: (1) we may not be able to fulfil your order without the required Personal Data; or (2) attempting to process your order without your Personal Data may put us in breach of our legal obligations).
How do we deal with Anonymous Information of our European Users?
When we refer to “Anonymous Information” we mean information that does not (either directly or indirectly) enable identification of any individual person. We may create Anonymous Information from your Personal Data – we do this by permanently removing any information that could enable us, or any third party that is reasonably likely to access that information, from identifying the individual to whom it previously related.
For example, we might create Anonymous Information from Usage Data and Technical Data to analyze trends, administer and improve the Flow Solution, prepare general usage reports and trends for current and potential Retail Partners and/or, to gather demographic information about our user base as a whole.
How do we share your Personal Data?
For more information on how, and with whom, we may share your Personal Data with third parties, please see the “How Does Flow Share Your Information?” above.
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it (see the “Our Purposes and “legal bases” for processing your Personal Data?” section above) for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider:
- the amount, nature, and sensitivity of the Personal Data we hold;
- the potential risk of harm from unauthorized use or disclosure of your Personal Data;
- the purposes for which we process your Personal Data and whether we can achieve those purposes through other means; and
- any applicable legal or regulatory requirements.
Flow complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.
For more information on this framework and how it applies to, and protects you, please see the section titled “Does Flow Transfer Your Data Cross Border?” above.
Third party sources
For more information on the third party sources from which we may collect your Personal Data, please see the “Information We Acquire in Other Ways” subsection above. Please note that none of these third party sources of your Personal Data are publicly available.