NOTE TO CONSUMERS OUTSIDE OF THE UNITED STATES: Please be aware that Flow hosts data in the United States and by providing your information to Flow you are personally transferring your data to the United States.
NOTES TO USERS IN CALIFORNIA: For additional information for California residents, please see https://www.flow.io/policies/CA-privacy/
NOTES TO USERS IN EUROPE:
- Because we provide our offerings to individuals who are based in the European Economic Area (“Europe”), European data protection legislation known as the General Data Protection Regulation (“GDPR”) applies to us and our use of your Personal Data.
- For more information, please see the provisions under the heading “Provisions Specific to European Users”, below.
What Types of Personal Information Does Flow Collect?
We collect, store, and use information that you provide directly to us and information we acquire in other ways, each as detailed below:
- Information You Provide to Us Directly. We acquire information from you when you (a) provide information via any of the Flow Digital Properties, including any user accounts or other accounts, (b) when you apply for a job at Flow, (c) purchase goods and/or services from Flow, (d) communicate or interact with Flow customer service (via email, mail, courier, fax, web form, and/or phone), (e) download any whitepaper, article, research paper, infographic or other downloadable, (f) request or otherwise sign up to receive our newsletter(s) and/or watch any webinar, video or other online content, and/or (g) engage in any other electronic or oral conversation with an employee, contractor, agent or retail partner of Flow.
Through these channels, you might provide us with information about you, information about the recipient of any merchandise you are ordering and/or having shipped, including but not necessarily limited to, in either case, names, email addresses, postal addresses, phone numbers, genders, birthdays, marketing preferences, personal interests, credit card information, and other information, such as driver’s license numbers, CPF numbers or other national identifiers, and passport information.
To the extent that you provide us information that is retained as a user account or user profile through a Flow Digital Property, you may log into that profile to update, edit or delete any information contained therein. Information that is retained as a record of an order placed, item shipped, return request, customer service provided, or similar transaction is, by its nature, not editable.
- Information We Acquire in Other Ways. We also acquire other information about you when you interact with emails you receive from us, ads for Flow that you may interact with, or with any of the Flow Digital Properties and certain of their features, including user accounts and other accounts, checkouts, questionnaires, panels, and social media features, such as signing into a Flow Digital Property account using your social media sign-in credentials or otherwise interacting with third party social media features that are enabled on the Flow Digital Properties.
This information may be collected by us or our third party partners through tracking pixels, lead form extension, or through log files and may include your city and country location, your IP address, your browser, the type of device you have used to access the Flow Digital Property, URLs that refer you to a Flow Digital Property, date and times of your visits to Flow Digital Properties, information on actions taken while at Flow Digital Properties (such as page views, duration of page views, and site navigation patterns), a unique identifier for your browser or device and details of your usage such as your preferences, “pins”, “likes” and “dislikes.”
What Cookies and Other Technologies Does Flow Use?
Cookies can either expire at the end of a session (“Session Cookies”) or be persistent and last through multiple sessions (“Persistent Cookies”). Session Cookies can be helpful for remembering items you put in your shopping cart as you browse a site, or for security reasons when you are providing financial information. Persistent Cookies are stored on your device in between sessions, which allows for your preferences or actions to be remembered and used on a website or mobile app (or in some cases across different websites and/or mobile apps). Persistent Cookies may be helpful in remembering your preferences and choices when using a website or to ensure advertising messages are more relevant to you. Cookies are useful because they allow us to recognize your device and provide you with a high level of service and relevant offers.
Broadly speaking, Cookies placed on your computer or device fall into two categories:
- First Party Cookies – these are served directly by us to your computer or device and are used only by us to recognize your computer or mobile device when it revisits our website; and
- Third Party Cookies – these are served by our service providers, Retail Partners, and other partners on our website, and can be used by such parties to recognize your computer or mobile device when you use it to visit other websites.
The Flow Digital Properties may use the following types of Cookies for the purposes set out below:
How Can I Disable Cookies?
To limit disclosures and use of personal data – you can typically remove or reject Cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings”, “help” “tools” or “edit” facility). Many browsers are set to accept Cookies until you change your settings. You can take additional steps to disable or delete similar data, such as Flash Cookies, by modifying the “add-on” settings on your browser. Various browsers may offer their own management tools for access to HTML5 LSOs. However, please note that certain Cookies are required for you to be able to take advantage of some of Flow’s important functions. For example, if you do not allow our cookies, you may not be able to purchase items from one of our checkouts. You may find specific instructions for disabling cookies in some of the popular browsers via the following links: Google Chrome, Safari, Mozilla Firefox, Microsoft Internet Explorer.
See also “Does Flow Participate in Online Behavioral Advertising” Section below.
In addition to any Cookies that may be set via our Site, with their permission, we may also set Cookies via our partners’ Flow Digital Properties to assist both them and you in our provision of the Flow Services.
Where Else Does Flow Obtain Data?
- Our Retail Partners
- Other partners with which we offer co-branded services, sell or distribute our products, or engage in joint marketing activities.
- Publicly-available sources such as open government databases or other data in the public domain.
- Social networks when you reference our Flow or one of our hashtags.
- Lead generation services.
- Advertising networks (as described below).
We are not responsible for the accuracy of any information provided by third parties or third party policies or practices. You are subject to these third parties’ privacy policies. If you would like to opt-out of the collection and sharing of your information, such as remembering your contact information, you need to opt-out on these third party sites.
How Does Flow Use Your Information?
The type or identity of third parties to which Flow discloses personal information and the purpose is addressed herein. We use and retain your information as needed to provide you services, ship and track your order, maintain a record of your purchases and returns, for fraud detection, comply with our legal obligations, resolve disputes, to offer our services to your company, to review your job application and background as part of the recruitment process, and for other legitimate business reasons. By way of example, and not limitation, we analyze transactional data for the purpose of identifying trends, statistics and measurements that could contribute to the enhancement of Flow services. Such use could include identifying market sensitivities, and relative market interest in specific product categories. Another example would be if you place an order with us through a Flow Digital Property, we (directly or through our merchant supplier or other entity on our behalf) may contact you if there is an issue with the order (e.g., to find an alternative to a restricted item). If you are a client or potential client of the Flow Commerce Saas solution, we may use your information to send you newsletters, surveys, feature updates, invitations, and marketing messages about Flow or our partners.
You may opt-out of receiving our newsletters, feature updates and the like by clicking the “unsubscribe” link on the particular communication you receive from us. You may also request that we remove you from our marketing communications by sending an email to email@example.com .
How Does Flow Share Your Information?
- Marketplaces and Partners Involved in Your Transactions. Depending on how you interact with Flow, you may make purchases that involve third parties, including but not limited to our Retail Partners. For example, you may make a purchase that involves a third-party website or marketplace. In such a situation, you may initially view products on that website or marketplace and Flow is facilitating the order or otherwise involved. If this is the case, it will be very clear to you that a third party is involved in your transaction. And, if so, we will share your personal information with that third party.
- Flow’s Protection. We will disclose your personal information as required by law, when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process, to enforce or apply our Terms & Conditions and other agreements and to protect the rights of Flow.
- Business Transition. In the event Flow goes through a business transition, such as a merger with or acquisition by another company, sale of all or a portion of our assets or brands, your personal information will likely be among the assets transferred.
- You Otherwise Consent. We may, of course, share your information in other ways that you specifically consent to.
- Aggregated Content. We may also share “aggregated/blinded” information with our merchant partners, PR agencies, advertising agencies, and other third parties. By “aggregated/blinded” information we mean, information from multiple users that contains only zip codes, purchasing amounts, products, brands, categories, merchants involved, timing of transactions/usage and frequency of usage – with no other private information or personally identifying information included.
In addition, in the event of a merger, acquisition, reorganization, bankruptcy, or other similar events, certain information in our possession may be transferred to our successor or assign.
Does Flow Participate in Online Behavioral Advertising?
Flow does not deliver third party online advertisements on the owned and operated Flow Digital Properties but we advertise our services on other websites. We may use the analytics information from the Flow Digital Properties for retargeting and remarketing campaigns. Please familiarize yourself with those website operators’ or network advertisers’ privacy policies to understand their practices relating to advertising, including what type of information they may collect about your Internet usage. Some advertising networks we may use may be members of the Network Advertising Initiative (NAI) or the European Interactive Digital Advertising Alliance (EDAA). Individuals may opt-out of targeted advertising delivered by NAI or EDAA member ad networks by using tools provided visiting http://www.networkadvertising.org/ and http://www.youronlinechoices.eu/ respectively. If you wish to opt-out of receiving ads targeted to you based on your preferences, you may do so by clicking here. Please note that this does not opt you out of being served non-targeted advertising. You will continue to receive generic, non-targeted ads.
How Does Flow Handle, Store and Secure Your Information?
We take the security of your data very seriously at Flow. We use a variety of current technologies and processes to protect your data, including encryption at both the storage and transport level. However, please note that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.
The security of your password is key to the security of your data. We recommend that you do not share, reuse, or store any of the passwords you may have set up with any of Flow’s Retail Partners with anyone else.
What You Should Understand About Third-Party Advertisers and Links to Other Digital Properties?
Does Flow Transfer Your Data Cross Border?
Flow adheres to applicable laws and regulations regarding your personal information moving across geographical and jurisdictional borders. This includes the use of data transfer agreements and model contractual clauses, where available, between our corporate entities, our partners and our clients where required.
Information submitted by you may be transferred by us to our other offices and/or to the third parties mentioned in the circumstances described above (see How Does Flow Use and Share Your Information?), which may be situated in, or employ staff in, places other than your home jurisdiction, the U.S., the U.K. and/or Europe. The countries concerned may not have similar data protection laws to your home jurisdiction, the U.S., the U.K. and Europe. Where we transfer your information we will take all reasonable steps to ensure that your privacy continue to be protected. By submitting information via the Flow Digital Property, you agree to this storing, processing and/or transfer.
We are responsible for all personal information in our possession, including information transferred to a third party service provider or agent, so that we can provide you with a product or service. In some instances our employees, service providers, agents, and any of their service providers, may be located in other provinces or jurisdictions outside Canada, and your personal information may be subject to the laws of those foreign jurisdictions, which may be different than Canada’s.
Flow’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Flow remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Flow proves that it is not responsible for the event giving rise to the damage.
We encourage you to contact us should you have a Privacy Shield-related (or general privacy-related) complaint. For any complaints that cannot be resolved with Flow directly, and you continue to have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim.
As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Flow is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Are Children Allowed to Use Flow?
Flow does not allow anyone under the age of 18 to take part in any of its services. If you are under the age of 18, you must stop using the Flow Digital Properties and taking part in its services now. To be clear, but not to limit what you are not allowed to do, if you are under 18, you may not make purchases from Flow or any of its partners, you may not click through to any of our partners’ websites, and you may not take part in any surveys, panels or the like.
What are the Terms & Conditions and Dispute Resolution?
How to Contact Us:
If you’d like us to update, correct, delete, or deactivate any personal information that you have provided to us via our Site or elsewhere, or would like to restrict certain uses of your personal information, please send your request to us at firstname.lastname@example.org and we will review and process your request within 30 days of receiving it.
Flow Commerce Inc.
2 Hudson Place
Hoboken, NJ 07030
PROVISIONS SPECIFIC TO EUROPEAN USERS
Who is the Controller of your Personal Data?
A “Controller” is the person who determines the purposes and means of processing Personal Data.
When will Flow be the Controller? In many cases, Flow is the Controller. For data we collect on Flow.io or on checkout pages of Flow Digital Properties, Flow is the Controller. For the purchase of goods that Flow receives from its Retail Partners, Flow and its service providers, administer all matters relating to your – this includes providing the checkout page, payment processing facilities, communicating with you about your purchase, facilitating delivery and providing customer support etc.
When will the Retail Partner whose goods you purchase be the Controller? For data collected when you browse our Retail Partner’s websites or collected from pixels placed on the checkout pages of the Flow Digital Property related to that particular Retail Partner, or data that you provide to the Retail Partner directly, Flow commits to process your Personal Data only under the instructions of its Retail Partners. In these circumstances, Flow will be the Processor of your Personal Data and the relevant Retail Partner will be the Controller.
Please contact us using the details in the “How to Contact Us” section above if you want to find out whether Flow or the Retail Partner whose goods you purchase is the Controller of your Personal Data Flow processes in connection with your purchase.
What is Personal Data?
The GDPR definition of ‘personal data’ can be found here. Essentially, it boils down to: information about an individual, from which that individual is either directly identified or can be indirectly identified.
It does not include anonymous information (i.e., information where the identity of individual has been permanently removed).
However, it does include ‘indirect identifiers’ or ‘pseudonymous data’ (i.e., information which alone doesn’t identify an individual but, when combined with certain additional and reasonably accessible information, could be attributed to a particular individual).
What Personal Data do these “Provisions Specific to European Users” apply to?
They apply to any European User’s Personal Data that we process as a Controller (see the “When will Flow be the Controller?” subsection above). This is because, where we process Personal Data as a Processor of our Retail Partners we are bound by both the GDPR and our agreements with those Retail Partners to process your Personal Data only under their instructions.
What Personal Data do we collect?
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, driver’s license numbers, CPF numbers or other national identifiers, and passport information.
- Contact Data includes billing address, shipping address, email address and telephone numbers.
- Financial Data includes payment card details.
- Transaction Data includes details about payments you make in respect of your purchases of Retail Partners’ goods.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site.
- Usage Data includes information about how you use our Site and offerings.
- Marketing and Communications Data includes your preferences in receiving marketing from us, our Retail Partners, and other third parties and your general communication preferences.
Our Purposes and “legal bases” for processing your Personal Data?
Where we act as a Controller of Personal Data, the GDPR requires us to ensure that we have a “legal basis” for that use. We typically rely on one of the following legal bases in respect of our processing of your Personal Data:
- Where we need to perform the contract we are about to enter into or have entered into with you (“Contractual Necessity”).
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“Legitimate Interests”).
- Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
Generally we do not rely on “consent” as a legal basis for using your Personal Data.
Please note that where we act as a Processor of a Retail Partner, it is that Retail Partner’s responsibility to ensure that they have a valid legal basis for their processing of your Personal Data (including any processing we carry out on their behalf).
We have set out below, in a table format which of the legal bases we rely on in respect of the relevant Purposes for which we use your Personal Data, as well as what those purposes are.
Where more than one legal basis is listed in the below, if you want details about the specific legal basis we are relying on to process your Personal Data in a specific circumstance, please contact us using the details in the “How to Contact Us” section above.
We have put in place what we consider to be appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business “need to know”. They will only use or access your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected ‘personal data breach’ and will notify you and any applicable regulator of a breach affecting your Personal Data where we are legally required to do so.
Your Legal Rights
Under certain circumstances, you have rights under the GDPR in relation to your Personal Data. These rights are described below:
- Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data. This right exists where we are relying on a Legitimate Interest and there is something about your particular situation, which makes you want to object to processing on this ground. Additionally you have the absolute right to object to the processing of your personal data if it is for direct marketing purposes.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your Personal Data. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information that we process based on your consent or Contractual Necessity.
Please note that where we act as a Processor of a Retail Partner if you make a request in respect of any of the above directly to Flow, we will: (a) let the relevant Retail Partner (i.e., the one whose goods you purchased and who is the Controller of your Personal Data) know that you have made this request; (b) pass on your details to that Retail Partner; and (c) send you the necessary contact information for that Retail Partner so that you can make that request to them directly. Where we can, and where the law permits, we will also assist that Retail Partner in complying with any request you make to them.
No Fee Usually Required.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What We May Need From You.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit to Respond.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
In addition to your right to complain to us directly at the details in the “How to Contact Us” section above, if you feel your complaint has not been adequately resolved, please note that the GDPR gives you the right to contact your local data protection supervisory authority, which for the UK, is the Information Commissioner’s Office.
Special Categories of Personal Data
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Please do not provide us with any such information.
What happens if you fail to provide any necessary Personal Data?
Where we need to collect Personal Data for the purposes of Compliance with Law, or due to Contractual Necessity, if you fail to provide that Personal Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example: (1) we may not be able to fulfil your order without the required Personal Data; or (2) attempting to process your order without your Personal Data may put us in breach of our legal obligations).
How do we deal with Anonymous Information of our European Users?
When we refer to “Anonymous Information” we mean information that does not (either directly or indirectly) enable identification of any individual person. We may create Anonymous Information from your Personal Data – we do this by permanently removing any information that could enable us, or any third party that is reasonably likely to access that information, from identifying the individual to whom it previously related.
For example, we might create Anonymous Information from Usage Data and Technical Data to analyze trends, administer and improve the Flow Solution, prepare general usage reports and trends for current and potential Retail Partners and/or, to gather demographic information about our user base as a whole.
How do we share your Personal Data?
For more information on how, and with whom, we may share your Personal Data with third parties, please see the “How Does Flow Share Your Information?” above.
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it (see the “Our Purposes and “legal bases” for processing your Personal Data?” section above) for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider:
- the amount, nature, and sensitivity of the Personal Data we hold;
- the potential risk of harm from unauthorized use or disclosure of your Personal Data;
- the purposes for which we process your Personal Data and whether we can achieve those purposes through other means; and
- any applicable legal or regulatory requirements.
Flow complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.
For more information on this framework and how it applies to, and protects you, please see the section titled “Does Flow Transfer Your Data Cross Border? above.
Third party sources
For more information on the third party sources from which we may collect your Personal Data, please see the “Information We Acquire in Other Ways” subsection above. Please note that none of these third party sources of your Personal Data are publicly available.