Privacy Policy
Our privacy policy explains how we collect, use, disclose, and safeguard your information when you use our services.
Introduction
FleetFlow B.V. (i.o.) ("FleetFlow", "we", "us", or "our") is committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use our services ("Services") or when we process data on behalf of our customers.
Data Controller: FleetFlow B.V. (i.o.)
Address: Hazelaarlaan 13, 2267BH Leidschendam
Contact: privacy@fleetflow.io
Last Updated: 14-06-2025
1. Who We Are and How We Process Data
FleetFlow operates as both a data controller and data processor:
- As Data Controller: For our own customer accounts, marketing, and business operations
- As Data Processor: For personal data of end users (bike owners, test riders) that our customers collect and manage through our platform
Our customers (vehicle manufacturers, brands) act as data controllers for their end users' data and are responsible for ensuring lawful collection and processing.
2. Personal Data We Collect
2.1 Organization Account Data (We are Controller)
- Contact information: name, email address, phone number, job title
- Account credentials and authentication data
- Company information: organization name, address, billing details
- Usage data: IP addresses, browser information, platform activity logs
- Communication records: support tickets, chat logs, email correspondence
2.2 End User Data (We are Processor)
When processing data on behalf of our customers, we may handle:
- Personal identifiers: names, contact information, account details
- Vehicle data: VIN numbers, GPS location data, ride history, maintenance records
- Service interactions: support tickets, chat conversations, service appointments
- Test ride data: usage patterns, route information, performance metrics
- Technical data: device information, app usage statistics
3. Legal Basis for Processing
We process personal data based on the following legal grounds under GDPR:
- Contractual Necessity (Art. 6(1)(b)): To provide our services to customers and fulfill contractual obligations
- Legitimate Interest (Art. 6(1)(f)): For business operations, security, fraud prevention, and service improvement
- Legal Obligation (Art. 6(1)(c)): To comply with applicable laws and regulations
- Consent (Art. 6(1)(a)): For marketing communications and optional features (where applicable)
- Customer Instructions: When processing end user data, we act on behalf of our customers as data processors
4. How We Use Personal Data
4.1 For Our Own Business (Controller Role)
- Providing and maintaining our platform and services
- Customer support and communication
- Billing and payment processing
- Security monitoring and fraud prevention
- Service improvement and analytics
- Legal compliance and dispute resolution
4.2 On Behalf of Customers (Processor Role)
- Storing and managing end user data as instructed by customers
- Providing dashboard and reporting functionality
- Facilitating customer support interactions
- Processing service tickets and maintenance records
- Enabling white-label app functionality
5. Data Retention
- Customer Account Data: Retained for the duration of the service relationship plus 6 months for legal and business purposes
- End User Data: Retained according to customer instructions and applicable legal requirements
- Support Data: Typically retained for 2 years to ensure quality and continuity
- Logs and Analytics: Generally retained for 12 months for security and optimization
- Data may be retained longer if required by law or for legitimate business purposes (e.g., dispute resolution)
6. Data Sharing and Transfers
6.1 Subprocessors
We may share data with trusted subprocessors who help us provide our services:
- AWS (Amazon Web Services): Cloud hosting and infrastructure (Europe-based data centers)
- OpenAI: AI-powered FAQ assistant and customer support tools
- Postmark/Mailgun: Transactional email delivery
- Cloudflare: CDN, security, and performance optimization
- Analytics, monitoring, and business tools (see full list in DPA)
A complete and current list of subprocessors is available in our Data Processing Agreement.
6.2 International Transfers
When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for certain countries
- Additional technical and organizational measures as required
7. Your Rights Under GDPR
If you are located in the European Union, you have the following rights:
- Right of Access (Art. 15): Request information about how we process your data
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your data in certain circumstances
- Right to Restrict Processing (Art. 18): Limit how we process your data
- Right to Data Portability (Art. 20): Receive your data in a structured format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent
For End Users: If you are an end user of one of our customers' services, please contact your bike brand or service provider directly for data requests. They are the data controller for your information.
8. Data Security
We implement appropriate technical and organizational security measures, including:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security audits and monitoring
- Employee training on data protection
- Incident response procedures
- Physical security measures for our infrastructure
9. Cookies and Tracking
FleetFlow currently uses only essential cookies necessary for the operation of our services. For more information about our cookie practices, please see our Cookie Policy.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Inform affected customers promptly when we act as a processor
- Provide all necessary information to enable customers to fulfill their own notification obligations
- Take immediate steps to contain and remedy the breach
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws. Material changes will be communicated through email or prominent notice on our platform at least 30 days before taking effect.
12. Contact Information and Complaints
Data Protection Officer: To be appointed as needed
Privacy Contact: privacy@fleetflow.io
General Contact: support@fleetflow.io
If you have concerns about how we handle your personal data, you have the right to lodge a complaint with your local data protection authority.
For more detailed information about our data processing practices, please refer to our Data Processing Agreement.