Data Protection

When you visit Freshflow.ai (hereinafter referred to as "Website") and use the services offered thereon, your personal data will be processed: your data will be collected, stored, used and transmitted. In accordance with Art. 13 of the EU General Data Protection Regulation (GDPR), this data protection policy informs you about this processing and your related rights.

1. Data Controller

We, Freshflow GmbH, Unter den Linden 24, 10117 Berlin, Germany, hello@freshflow.ai, are controllers within the meaning of Art. 4 (7) GDPR of the processing of your personal data on the Website.

2. Processing

2.1 Website (general)

Each time you visit the Website, even if you are merely informing yourself, we process the following data that your browser automatically transmits to our server:

  • IP address
  • date and time of the browser request
  • time zone difference from Greenwich Mean Time (GMT)
  • content of the request (specific webpage requested)
  • access status/HTTP status code
  • amount of data transferred in each case
  • referrer website
  • information about your web browser
  • the operating system of your end device and its user interface, and
  • language and version of your web browser

We require this data because, otherwise, we would, for technical reasons, be unable to display the Website to you. We also use that data to ensure the stability and security of the Website. The legal basis for this processing is Art. 6 (1) lit. f GDPR (‘legitimate interest’). The Website is hosted on GitHub Pages by GitHub Inc., which may result in the personal data described above in this section or any personal data that you send to our web server being transferred outside the European Economic Area (EEA), including to the United States of America. Please note that, according to GitHub’s privacy policy, GitHub may collect personal information from visitors to the Website, including logs of visitor IP addresses, to comply with legal obligations, and to maintain the security and integrity of the Website and the hosting services.

2.2 Contact

If you approach us by email or via our contact form, data that you provide will be stored so that we can take care of your request and, if appropriate, respond to you. This data includes your email address and your name, but also any other contact information you provide us with, as well as your request. The legal basis for this processing is our legitimate interest to communicate with you and to provide customer support in accordance with Art. 6 (1) lit. f GDPR.

As soon as we no longer require this information to be able to help you, we will delete it within a few days. There is only one exception to this rule: We must store some information because the law requires us to do so (e.g., because of commercial or tax law retention obligations). In these cases, however, we restrict the processing of and our access to your data as far as possible.

To provide you with a convenient contact form, we use technology of Formspree Inc. (Formspree), which may result in the personal data described above in this section being transferred outside the European Economic Area (EEA), including to the United States of America.

Please note that Formspree may collect personal information from users of the contact form, including logs of IP addresses. For more detailed information about that processing of your personal data, please refer to Formspree’s privacy policy.

2.3 Newsletter

On the Website, you can register to receive newsletters or other promotional emails from us. For this purpose, your email address and whether you have subscribed to the newsletter will be processed by us.

We store this data exclusively to be able to send you the newsletter. The legal basis for the processing of your email address is Art. 6 (1) lit. a GDPR. We may, however, process your personal data (e.g., whether and when you have opened a newsletter email, your interaction with the newsletter, your default language settings, operating system and device settings) to assess – in particular – the performance of our email marketing campaigns and optimize the success of our newsletter campaigns in the future. Therefore, tracking technologies such as tracking pixels may be used and personal profiles might be created.

The registration for the newsletter service follows the so-called ‘double opt-in procedure’: After entering your email address, we will send you a confirmation email to that email address, which will include a confirmation link. If you click on the confirmation link in the email, we will store your email address until you unsubscribe from the newsletter.

To prevent abuse of your personal data, we also store the time of your registration and your IP address. The legal basis for this processing is Art. 6 (1) lit. f GDPR.

In addition, the time of the last change to your respective data record, the time of giving consent and the status of a completed double opt-in will be stored. This serves to fulfil our accountability obligations under applicable data protection law. The legal basis for this processing is Art. 6 (1) lit. c in conjunction with Art. 5 (2) GDPR.

You can withdraw your consent to receiving the newsletter at any time. You can declare the withdrawal of consent by clicking on the respective link provided in each newsletter. That way, you can also view and change your existing newsletter settings. A withdrawal does not affect the lawfulness of the processing carried out based on the consent before the withdrawal.

We will only process your personal data as long as you are subscribed to our newsletter. As soon as you have unsubscribed from our newsletter, we will immediately delete your data from our newsletter subscriber list, provided that this does not conflict with any mandatory retention obligations.

The technical execution of the newsletter delivery takes place via the tool Mailchimp of The Rocket Science Group LLC. Mailchimp is an American marketing automation platform and email marketing service for managing mailing lists and creating email marketing campaigns. In the process, your data will be transferred to The Rocket Science Group. The Rocket Science Group may process your personal data for its own purposes. For further details, see below and check their data protection policy.

2.4 Analytics

We process your personal data to optimize the Website and our products, in which we hold a legitimate interest. For this purpose, we use the widely known tool Google Analytics. The legal basis for such processing is Art. 6 (1) lit. a GDPR.

Google Analytics analyses user behavior on the Website on our behalf. This allows us to track, inter alia, how long a visitor stays on the Website and exactly which pages he or she has visited. This allows us to see which of our pages are the most popular, and which ones we might be able to design better. Therefore, pseudonymized user profiles may be created.

For these purposes, Google sets cookies, which are used to transfer traffic information to Google servers in the U.S. However, your IP address is shortened (the last digits of the IP address are deleted) to protect your privacy, which is in your legitimate interest and therefore in accordance with Art. 6 (1) lit. f GDPR. This shortened IP address will then be transferred to Google servers in the USA, but can no longer be associated with your person. While Google is also responsible for shortening your IP address, this processing will take place in the USA in exceptional cases only. Normally, the shortening takes place on servers within the EU or other contracting states of the Agreement on the European Economic Area. According to Google, the full IP address transmitted in this process is not merged with other data that Google has about you.

For further details, please refer to Google's privacy policy.

2.5 Career

If you visit the ‘Careers’ section on the Website, you will be referred to our HR service provider Notion (notion.so). We and Notion will process personal information that you share when visiting the Careers section as part of an application for an open position at Freshflow. The purpose of such processing is to enable us to grow our team of talents at Freshflow, and the legal basis of processing is Art. 6 (1) lit. b GDPR or – if the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) applies – Sec. 26 (1) BDSG.

When visiting Notion’s website or applying for an open position at Freshflow via Notion, Notion may set cookies on your end device and may also process your personal data for its own purposes. Your personal data might be transferred to countries outside the European Economic Area (EEA). For further information, please refer to Notion’s cookie notice and privacy policy.

3. Data Recipients

A transfer of your personal data may also take place for the following purposes:

  • to enforce, exercise or defend legal claims. For example, to investigate an illegal or abusive use of the Website or to enforce our rights, we may disclose your personal data to the necessary extent to the competent authorities, courts or third parties.
  • to protect your vital interests or those of another natural person.
  • to comply with a legal obligation to disclose imposed by the European Union or one of its Member States.

To the extent we are legally required to do so or it is necessary for law enforcement purposes, personal data will be disclosed to law enforcement agencies or other authorities and, if applicable, to injured third parties or legal counsel. Disclosure may also take place if it serves to enforce our terms of use or other legal claims. We are also required by law to provide information to certain public authorities upon request. These may be, for example, law enforcement agencies, authorities that prosecute administrative offences subject to fines, or tax authorities. Any such disclosure of personal data is justified by the fact that the processing is necessary for compliance with a legal obligation (in accordance with Art. 6 (1) lit. c GDPR), or that we have a legitimate interest in disclosing the data to the aforementioned third parties if there are indications of abusive behavior or to enforce our terms of use, other terms or legal claims (in accordance with Art. 6 (1) lit. f GDPR).

4. Third Country Transfers

In order to be able to carry out the processing operations described in this data protection policy, we may transfer your personal data to external service providers in some cases. These transfers also include the transfer of personal data to countries that are not part of the European Economic Area (EEA) (third country transfers). If the European Commission has not issued a decision on an adequate level of protection of personal data for a country to which we transfer your data, we will take our own measures in accordance with the requirements of the GDPR to ensure an adequate level of protection.

These are the recipients of personal data which may require a third country transfer:

  • To send and manage our newsletter, we transfer your personal data to The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Atlanta, Georgia 30308, US. We have therefore entered into the applicable EU Standard Contractual Clauses with the Rocket Science Group.
  • To analyze website traffic and user behavior on the Website, we transfer personal data to Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). We have therefore entered into the applicable EU Standard Contractual Clauses with Google.
  • To grow our team of talents, we may transfer personal data to Notion Labs, Inc., 2300 Harrison Street, Floor 2, San Francisco, CA 94110, United States (Notion). We have therefore entered into the applicable EU Standard Contractual Clauses with Notion.
  • To host the Website, we transfer personal data to GitHub, Inc., 88 Colin P Kelly Junior Street, San Francisco, CA 94107, USA (GitHub). We have therefore entered into the applicable EU Standard Contractual Clauses with GitHub.
  • To provide you with a convenient contact form, we transfer personal data to Formspree, Inc., 309 E 21st St, Rm 3331, Austin, Texas, 78705, United States.

5. Data Retention

We process your personal data only as long as it is necessary for the fulfilment of our contractual obligations to you, for the protection of our legitimate interests or those of third parties. Data that we must store due to legal obligations is excluded from this principle. These obligations include, for example, the retention obligations under commercial and tax law. These retention periods are – as of now – up to ten years.

6. Data Subject Rights

To the extent provided by law under the GDPR, you have the following rights with respect to personal data relating to you:

  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restriction of processing
  • the right to object to the processing
  • the right to withdraw consent, and
  • the right to data portability

If you withdraw your consent to the processing of your personal data, please note that this does not affect the lawfulness of that processing up to that point in time.

If we process your personal data on the basis of our legitimate interests (Art. 6 (1) lit. f GDPR), you can object to the processing by contacting us (e.g. by email, contact data above).

Cases in which we base processing on our legitimate interest are expressly described in this data protection policy. If you exercise your right to object, we kindly ask you to explain to us the reasons why we should not process your personal data. In the event of your justified objection, we will discontinue or restrict our processing.

You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data.