Last updated: 21 April 2026
Flowtark ("we", "us") operates an invoicing web application for freelancers and small businesses. This policy explains what personal data we collect, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR).
We use your data to operate the service, generate invoices, authenticate your sessions, prevent abuse, and comply with our own tax/accounting obligations. Legal basis: performance of the contract (Art. 6(1)(b) GDPR) and our legitimate interest in running a secure service (Art. 6(1)(f)).
We use the following sub-processors: Hetzner Online (hosting, EU), Resend (transactional email, EU/US with Standard Contractual Clauses), Cloudflare (DNS & DDoS protection). No ad networks, no data brokers.
When you click Verify with VIES on a client's VAT number, we send the two-letter country code and the numeric VAT identifier to the European Commission's VIES service (ec.europa.eu/taxation_customs/vies/) to check its validity. VIES is operated directly by the European Commission under its own privacy policy for websites managed by the European Commission. We store the returned verification timestamp, consultation number, and registered company name on your behalf as an audit trail for reverse-charge invoicing (Article 226, VAT Directive 2006/112/EC). No personal identifiers about you are sent — only the client's VAT ID you already typed in.
If analytics are enabled on this deployment, we use Google Analytics 4 with IP anonymisation (anonymize_ip) and Google Consent Mode v2. Data is not loaded until you click Accept analytics in the cookie banner; until then, all storage and ad flags remain denied and no events are sent. We do not share or sell analytics data, and we do not enable advertising or personalisation features in GA. You can revoke consent at any time by clearing site data in your browser or via this link.
Active accounts: for as long as your workspace exists. After deletion: all tenant-scoped data (invoices, clients, users, comments) is hard-deleted within 30 days. Backups are purged within 60 days.
You have the right to access, rectify, export, restrict, and erase your personal data. Two self-service tools are in Settings: download your data as JSON, and delete your account. For anything else, email us at privacy@flowtark.com.
We use one strictly-necessary cookie (invoice_session) to keep you logged in. No tracking, no advertising cookies.
Data Protection Officer: privacy@flowtark.com. Supervisory authority: Estonian Data Protection Inspectorate (aki.ee).