Privacy policy
This policy describes the main personal data processing activities linked to the FlowRate website and service. It supplements the notices shown at the point of collection and should be read together with the Terms of Sale when an account is created.
1. Data controller
The data controller is Roman Soubiran / FlowRate, 22 rue de la Landelle, 22120 Quessoy, France, reachable at contact@flowrate.fr. When data is collected by a merchant through its FlowRate review page, that merchant may also act as controller for its own customer relationship. FlowRate then acts as a technical service provider for hosting and service delivery, to the extent applicable.
2. Data we process
Depending on how you use the service, we may process: - account data: name, email address, phone number and password encrypted/hashed by our authentication provider; - subscription and billing data: Stripe identifiers, subscription status, invoices and payment history; - business data: business name, city, slug, Google Place ID, public email, phone number, visual assets and page settings; - customer feedback data collected through review pages: rating, comment, callback request, customer email or phone number when provided, and collection context; - technical and security data: IP address, user agent, access logs, verification codes and technical cookies; - measurement and attribution data when you consent to it: browsing path, landing page, referral source, campaign identifiers and funnel events; - certain business details imported from Google when you select your listing.
3. Purposes and legal bases
We process this data to: - perform the contract and provide the service (account creation, administration, payments, support and business management); - secure the service, prevent fraud, trace sensitive actions and maintain technical logs; - measure website usage and improve the product when you have consented to analytics; - comply with our legal, accounting, tax and dispute-handling obligations; - answer contact requests, account deletion requests and data subject rights requests. Depending on the situation, the legal basis is contract performance, consent, FlowRate legitimate interests or compliance with a legal obligation.
4. Recipients and processors
Data is accessible, on a need-to-know basis, to FlowRate and its main technical providers: Supabase (database and authentication), Vercel (hosting/app delivery), Stripe (payments and billing), Resend (transactional emails) and the tools strictly necessary to operate the service. Some of these providers may process all or part of the data from countries outside the European Economic Area, including the United States. Where this happens, transfers rely on the appropriate legal mechanisms provided by the GDPR, such as standard contractual clauses where required.
5. Retention periods
We keep data for a period proportionate to the relevant purpose, including: - account and service information: for the duration of the contractual relationship and then for as long as needed to handle requests, disputes or residual obligations; - invoices and accounting records: up to 10 years where required by law; - verification, security and access logs: for a limited period compatible with service security; - detailed analytics events: in the live database for a limited period, then technical archiving or deletion according to our measurement and security needs; - contact form and support data: for the time needed to process the request, then for a reasonable archive period if necessary. Where immediate deletion is not possible, data may be isolated or archived until the relevant legal obligations expire.
6. Cookies and trackers
FlowRate uses cookies that are strictly necessary to run the website and authentication flows. Audience measurement and performance trackers are only enabled if you accept them through the cookie banner. You may change your choice later by deleting the saved consent in your browser or by reconfiguring the relevant tools where available.
7. Your rights
Subject to the conditions laid down by the GDPR, you may exercise the rights of access, rectification, erasure, objection, restriction, portability and the right to withdraw consent where consent is the legal basis. You can exercise your rights at contact@flowrate.fr. Where there is reasonable doubt about the requester identity, additional proof or verification may be requested. You may also lodge a complaint with the CNIL (www.cnil.fr).
8. Security
FlowRate implements reasonable technical and organisational measures to protect data against unauthorised access, loss, alteration or unlawful disclosure. Because no system is entirely risk-free, we also ask you to protect your credentials, devices and team access rights.
9. Policy updates
This policy may change to reflect legal, technical or product developments. The version date shown below identifies the policy currently in force.
Version effective on : March 21, 2026