
Privacy Policy

Status: February 2026

Table of Contents

General

I. Name and address of the controller

II. Contact details of the Data Protection Officer

III. Rights of the data subject

IV. Hosting

V. Use of cookies

VI. Contact by email

VII. Company profiles

VIII. Use of company profiles on professional networks

Website

IX. General information on data processing on the website

X. Provision of the website and creation of log files

XI. Integration of plugins via external service providers

App

XII. Data processing in the flowkey app

XIII. Provision of the app and creation of log files

XIV. Registration

XV. Newsletter

XVI. Contact form

XVII. Orders and subscriptions

XVIII. Payment

XIX. Shipping service providers

XX. Plugins via external service providers

XXI. Geotargeting

General

I. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection provisions is:

flowkey GmbH

Alt-Moabit 103

10559 Berlin

Germany

+49 30 208 499 28

[email protected]

https://www.flowkey.com

II. Contact details of the Data Protection Officer

The Data Protection Officer of the controller is:

DataCo GmbH

Sandstraße 33

80335 Munich

Germany

+49 89 7400 45840

www.dataguard.de

III. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

Right of access to information about the processing of your data (Art. 15 GDPR).

Right to rectification of inaccurate data (Art. 16 GDPR).

Right to erasure of your personal data (Art. 17 GDPR).

Right to restriction of processing of your personal data (Art. 18 GDPR).

Right to data portability (Art. 20 GDPR).

Right to lodge a complaint with a supervisory authority (Art. 13(2)(d) and Art. 14(2)(e) GDPR).

IV. Hosting

The website and our app are hosted on servers operated by service providers commissioned by us. Our providers include in particular:

Netlify, Inc., 2325 3rd Street, Suite 296, San Francisco, California 94107, USA (website).

Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg, Luxembourg (website and app infrastructure; processing in the EU and, where applicable, in third countries).

The servers automatically collect and store information in so-called server log files that your browser transmits automatically when you visit the website or use the app. This includes in particular:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing device
  • Date and time of the server request
  • IP address

These data are not merged with other data sources. The processing is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the technically error-free provision, stability, security and optimisation of the website and app.

V. Use of cookies

1. Description and scope of data processing

When you visit our website, cookies or similar technologies are used (e.g. local storage or server-side interfaces). Cookies are files that are stored in the internet browser or by the internet browser on the user’s computer system. Information stored on the user’s device may include unique identifiers (e.g. a user ID), enabling recognition and allocation.

The German Telecommunications-Telemedia Data Protection Act (TTDSG) applies to the storage of information on the end user’s terminal equipment and/or access to information already stored on the terminal equipment. Where setting and reading cookies is technically necessary, this is done on the basis of Section 25(2) No. 2 TTDSG in order to ensure the functionality of our website.

Where cookies or similar technologies are not technically necessary, they are used exclusively on the basis of your explicit consent via our cookie banner. The legal basis is Section 25(1) TTDSG in conjunction with Art. 6(1)(a) and Art. 7 GDPR. You can withdraw your consent at any time with effect for the future or grant it again by adjusting your cookie settings.

If personal data is processed following the storage of and access to information, the GDPR applies. The following sections provide details.

2. Cookie banner (two-level approach)

Our cookie banner has two levels:

  • Level 1: first layer – only the legally required minimum information (GDPR/TTDSG compliant and user-friendly).
  • Level 2: second layer – full transparency including third-country transfers and server-side interfaces/APIs.

You can change your settings at any time via the “Cookie Settings” button.

3. Categories of cookies/services

We distinguish between the following categories:

  • Strictly necessary services (always active).
  • Functional services (optional).
  • Analytics/performance services (optional).
  • Marketing services (optional).

4. Strictly necessary services (always active)

These services are required for operating and securing the website and cannot be disabled.

Intercom

Parent company: Intercom.io

Address: Intercom R&D Unlimited Company, 3rd Floor, Stephens Court, 18-21 Saint Stephen's Green, Dublin 2, Ireland; Intercom, Inc., 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA; Intercom Software UK Limited, Level 9, The Warehouse, 207-211 Old St, London, EC1V 9NR, UK; Intercom Software Australia Pty Ltd, 285A Crown St, Surry Hills NSW 2010, Australia.

Description: We use Intercom to provide customer support.

Privacy policy: https://www.intercom.com/legal/privacy

Cookie policy: https://www.intercom.com/legal/cookie-policy

Legal basis: Art. 6(1)(b) GDPR

AWS Cognito + Kinesis

Parent company: Amazon Web Services EMEA SARL

Address: 38 Avenue John F. Kennedy, 1855 Luxembourg, Luxembourg

Description: We use AWS Kinesis to record user events (e.g. registration, purchases, learning progress) and to provide the app/website technically. Without this processing, we could not provide essential contractual features (e.g. purchase confirmations, password reset).

Privacy policy: https://aws.amazon.com/privacy/

Legal basis: Art. 6(1)(b) GDPR

Prismic.io

Parent company: Prismic.io Inc.

Address: 9 rue de la Pierre Levée, 75011 Paris, France

Description: Prismic is a headless CMS for editorial management and delivery of website content via an API. Prismic itself does not store cookies on your device.

Privacy policy: https://prismic.io/legal/privacy

Cookie policy: https://prismic.io/legal/cookie-policy

Legal basis: Art. 6(1)(f) GDPR

Cloudflare CDN

Parent company: Cloudflare, Inc.

Address: 101 Townsend St, San Francisco, CA 94107, USA

Description: Cloudflare operates a content delivery network (CDN) to deliver content faster and more reliably and to defend against attacks. In rare cases, technically necessary cookies may be set for security purposes.

Privacy policy: https://www.cloudflare.com/en-gb/privacypolicy/

Information (GDPR/Trust Hub): https://www.cloudflare.com/en-gb/trust-hub/gdpr/

Legal basis: Art. 6(1)(f) GDPR

Amazon Web Services

Parent company: Amazon Web Services EMEA SARL

Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg

Description: We use AWS to securely provide and maintain our website and app infrastructure (hosting, databases, security functions). AWS is not used for analytics or marketing purposes.

Privacy policy: https://www.amazon.com/gp/help/customer/display.html?nodeId=GX7NJQ4ZB8MHFRNJ

Cookie policy: https://www.amazon.com/gp/help/customer/display.html?nodeId=GVASXV5UZ64R4Y25

Legal basis: Art. 6(1)(f) GDPR

Fastly CDN

Parent company: Fastly, Inc.

Address: 475 Brannan St, Suite 300, San Francisco, CA 94107, USA

Description: Fastly operates a CDN for fast delivery of static content. Fastly does not set cookies itself and processes personal data (e.g. IP address) only to the extent technically necessary.

Privacy policy: https://www.fastly.com/privacy/

Cookie policy: https://www.fastly.com/cookies

Legal basis: Art. 6(1)(f) GDPR

Stripe (payment processing)

Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland

Description: We use Stripe to process online payments (e.g. credit card, Apple Pay, Google Pay). Stripe processes, among other things, payment information, IP address, device information and transaction data. Stripe may use technically necessary cookies/similar technologies for secure payment processing, authentication and fraud prevention.

Third-country transfer: Personal data may be transferred to countries outside the EU, in particular the USA. Transfers are based on the EU–U.S. Data Privacy Framework and, where required, on Standard Contractual Clauses pursuant to Art. 46 GDPR.

Privacy policy: https://stripe.com/privacy

Cookie policy: https://stripe.com/legal/cookies-policy

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (fraud prevention)

MongoDB (database service)

Provider: MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019, USA (e.g. MongoDB Atlas).

Description: We use MongoDB as a database service to store and process usage and account data to the extent necessary for providing our services.

Third-country transfer: Processing in the USA may occur. In this case, transfers are based on the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses pursuant to Art. 46 GDPR.

Privacy policy: https://www.mongodb.com/legal/privacy-policy

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (operational security)

5. Functional services (optional)

Functional services enable additional convenience and personalization features (e.g. remembering settings). If you do not allow this category, certain functions may be limited.

These services are used exclusively on the basis of your consent (Art. 6(1)(a) GDPR; Section 25(1) TTDSG).

6. Analytics/performance services (optional)

These services help us understand how users interact with our website in order to improve content and functionality. They are used exclusively on the basis of your consent (Art. 6(1)(a) GDPR; Section 25(1) TTDSG).

Google Analytics

Parent company: Google Inc.; address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Description: Analysis of user behaviour (e.g. pages visited, time spent, devices/browsers). IP anonymisation is enabled; the IP address is shortened within the EU before transmission to the USA.

Privacy policy: https://policies.google.com/privacy

Cookie policy: https://policies.google.com/technologies/cookies

Legal basis: Art. 6(1)(a) GDPR.

7. Marketing services (optional)

These services help us measure advertising campaigns and show you relevant ads. Technical data (e.g. IP address, browser information, referrer URL) and pseudonymised identifiers may be processed. Some processing may take place via server-side interfaces (APIs) (e.g. Meta Conversion API, Google Ads APIs). These services are used exclusively on the basis of your consent (Art. 6(1)(a) GDPR; Section 25(1) TTDSG).

Google Marketing Platform

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Description: Measuring and managing advertising campaigns; transmission to the USA is possible.

Privacy policy: https://policies.google.com/privacy

Cookie policy: https://policies.google.com/technologies/cookies

Legal basis: Art. 6(1)(a) GDPR.

Meta Pixel & Meta Conversion API

Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Description: Measuring campaign success and delivering targeted advertising; data may also be transmitted server-side via the Meta Conversion API; third-country transfers (in particular to the USA) are possible.

Privacy policy: https://www.facebook.com/privacy/explanation/

Cookie policy: https://www.facebook.com/policies/cookies/

Legal basis: Art. 6(1)(a) GDPR.

8. Storage duration, withdrawal and objection

Cookies are stored on the user’s device and transmitted from there to our website. You have full control over the use of cookies. By changing your browser settings, you can disable or restrict the storage of cookies. Please note that browser settings only apply to the browser you use.

You can withdraw your consent at any time via “Cookie Settings”. This does not affect the lawfulness of processing carried out up to the point of withdrawal.

Note: In Safari (from version 12.1), cookies are automatically deleted after seven days. This may also affect opt-out cookies.

VI. Contact by email

You can contact us via the email address provided on our website and in our app. In this case, the personal data transmitted with the email will be stored and used exclusively to process your request.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in responding to your request). If the contact aims at concluding or performing a contract, Art. 6(1)(b) GDPR is an additional legal basis.

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected, usually when the conversation with the user has ended.

VII. Company profiles

We maintain company profiles on social networks (e.g. Instagram, X/Twitter, YouTube). We provide information there and enable communication. If you perform actions on our profiles (e.g. comments, posts, likes), you may make personal data publicly available.

As we do not have full influence over the data processing carried out by the respective platform operators, we cannot provide binding information on the purpose and scope of processing by the platform operators. Please refer to the privacy notices of the respective providers.

The legal basis for processing personal data for communicating with customers and interested parties is Art. 6(1)(f) GDPR. Where we carry out analyses/lead campaigns or competitions, this is based on your consent (Art. 6(1)(a) GDPR).

Instagram: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Information: https://help.instagram.com/519522125107875

X/Twitter: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland. Information: https://twitter.com/de/privacy 

YouTube: YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. Information: https://policies.google.com/privacy?gl=DE&hl=en 

VIII. Use of company profiles on professional networks

We maintain company profiles on professional networks, in particular:

LinkedIn

LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland (privacy policy: https://www.linkedin.com/legal/privacy-policy)

XING

XING SE, Dammtorstraße 30, 20354 Hamburg, Germany (privacy policy: https://privacy.xing.com/de/datenschutzerklaerung)

These profiles are used, among other things, for applications, information/PR and active sourcing. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in communication and public relations).

Website

IX. General information on data processing on the website

We generally process personal data only insofar as this is necessary to provide a functional website and our content and services. Processing is usually carried out only with the user’s consent. Exceptions apply where obtaining prior consent is not possible for factual reasons and processing is permitted by law.

Depending on the purpose, the legal bases are Art. 6(1)(a) (consent), (b) (contract/pre-contractual measures), (c) (legal obligation), (d) (vital interests) or (f) GDPR (legitimate interests).

Personal data will be erased or restricted as soon as the purpose of storage ceases to apply, unless statutory retention obligations prevent this.

X. Provision of the website and creation of log files

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. This includes, in particular, browser type/version, operating system, internet service provider, IP address, date and time of access, and referrer and destination URLs.

Temporary storage of the IP address is necessary to deliver the website. Storage in log files serves to ensure functionality, optimisation and the security of our systems. The legal basis is Art. 6(1)(f) GDPR. Log files are generally deleted after seven days at the latest, or the IP address is anonymised, unless longer retention is required for security reasons.

XI. Integration of plugins via external service providers

We use third-party providers (e.g. plugins and content delivery networks) on our website. The specific services, purposes, legal bases and third-country transfers are described in Section V (“Use of cookies”) and in the information linked there for each provider.

Where consent is required, the service is only loaded after you have given your consent via the cookie banner (Art. 6(1)(a) GDPR; Section 25(1) TTDSG). Technically necessary integrations are carried out on the basis of Art. 6(1)(f) GDPR and Section 25(2) No. 2 TTDSG.

App

XII. Data processing in the flowkey app

Below we inform you about the data protection provisions applicable to the flowkey app for Android and iOS (“App”). The app is provided by flowkey GmbH (“flowkey”, “we” or “us”).

The app is used to provide our services on a mobile device. In this context, the following personal data may be processed in particular:

  • Name
  • Email address
  • Usage data
  • Purchase history
  • User ID
  • Device ID
  • Approximate location
  • Crash data

Data is transmitted via a TLS-secured channel.

The purposes of processing are the provision of the service, ensuring functionality, improving the app, and—where you have given consent—marketing and analytics purposes.

The legal bases are in particular Art. 6(1)(b) GDPR (contract performance) and—for optional analytics/marketing services—Art. 6(1)(a) GDPR (consent).

XIII. Provision of the app and creation of log files

Each time our app is accessed, our system automatically collects technical data (e.g. operating system, IP address, date and time of access). These data are stored in log files and processed separately from other personal data.

Purposes are delivery of the app, ensuring functionality, optimisation and system security. The legal basis is Art. 6(1)(f) GDPR. Log files are generally deleted after seven days at the latest, or the IP address is anonymised, unless longer retention is required for security reasons.

XIV. Registration

In the app, users can register by providing personal data. In particular, the email address is processed. Registration is necessary to perform a contract or to take pre-contractual steps.

The legal basis is Art. 6(1)(b) GDPR. Where consents are obtained during registration (e.g. for newsletters/marketing), the legal basis is Art. 6(1)(a) GDPR.

The data will be deleted as soon as it is no longer necessary for performing the contract, unless statutory retention obligations prevent this.

XV. Newsletter

Where we offer a newsletter, it is sent exclusively on the basis of your consent. In the context of registration, we process in particular your email address and, where applicable, name/first name and the date/time of registration.

The legal basis is Art. 6(1)(a) GDPR. You can withdraw your consent at any time, e.g. via the unsubscribe link in each newsletter. After unsubscribing, we delete the newsletter data unless retention is required for evidence purposes.

XVI. Contact form

If a contact form is provided in the app, the data entered there (e.g. email address and, where applicable, name/first name) are processed exclusively for handling the request.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in processing your request) or Art. 6(1)(b) GDPR if the request is aimed at concluding or performing a contract. The data will be deleted once the conversation has ended unless statutory retention obligations prevent this.

XVII. Orders and subscriptions

We offer digital subscriptions and in-app purchases within the app and via our website. As part of the ordering process, we process order and billing data (e.g. products/subscriptions purchased, transaction data, invoice data) to the extent necessary for contract performance, customer service, fraud prevention and statutory obligations (in particular invoicing/tax).

The legal bases are Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligations) and Art. 6(1)(f) GDPR (fraud prevention, IT security).

XVIII. Payment

We use payment service providers to process payments. Depending on the payment method selected, payment data are transmitted to the respective provider. After completion of the payment process, we receive payment confirmations/transaction data for invoicing and accounting purposes.

The legal basis is Art. 6(1)(b) GDPR. Where technically necessary cookies/similar technologies are used as part of payment processing, the legal basis is Section 25(2) No. 2 TTDSG; additionally Art. 6(1)(f) GDPR (fraud prevention, IT security).

Stripe

Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland.

Purpose: payment processing, authentication, fraud prevention, stability/security of payment infrastructure.

Privacy policy: https://stripe.com/privacy

Cookie policy: https://stripe.com/legal/cookies-policy

Third-country transfer: possible (in particular to the USA) based on the EU–U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses (Art. 46 GDPR).

PayPal

Provider: PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.

Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full/

Apple Pay / Google Pay (where offered)

Apple Pay: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; privacy policy: https://support.apple.com/en-us/HT203027

Google Pay: Google Ireland Limited; privacy policy: https://policies.google.com/privacy

Storage period: Payment and accounting data are stored in accordance with statutory retention obligations (in particular under the German Commercial Code (HGB) and Fiscal Code (AO)) for up to 10 years and are then deleted unless further retention is required.

XIX. Shipping service providers

We currently do not ship physical products via our own webshop. If shipping is nevertheless required in individual cases (e.g. promotional materials), we process shipping data exclusively for delivery and disclose them to the respective shipping provider. The legal basis is Art. 6(1)(b) GDPR (contract) or Art. 6(1)(f) GDPR (legitimate interest in efficient delivery).

XX. Plugins via external service providers

Third-party services may be used in the app (e.g. for support, infrastructure, analytics/marketing). Depending on the service, details, legal bases and third-country transfers are described in Section V (“Use of cookies”) and in the provider information linked there. Where consent is required, the corresponding services are only activated after consent (Art. 6(1)(a) GDPR).

XXI. Geotargeting

We use the IP address and, where applicable, other information provided by the user (e.g. postal code, if provided) for regional targeting (“geotargeting”) as well as to determine the time zone for time-of-day-based app functions.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in providing relevant content and correct app functionalities). Where technically possible, only part of the IP address is read and not stored separately.

You can restrict geotargeting, for example, by using a VPN/proxy or by adjusting the settings of your browser/device.

This privacy policy was created with the support of DataGuard.