Privacy Policy
Version 2 (2025-06-09)
1. Scope and Controller
This Privacy Policy describes how OrgFlow GmbH (hereinafter: OrgFlow, we, us, our) processes personal data in connection with our websites, products, and business relationships. Our services are provided exclusively to business customers (B2B).
2. Contact Details of the Controller
OrgFlow GmbH
Am Kaiserberg 1
61231 Bad Nauheim
GERMANY
Email: privacy@orgflow.io
Privacy Contact
We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR because we neither process special categories of data nor monitor individuals on a large scale. Nevertheless, you can direct privacy‑related queries to privacy@orgflow.io.
3. Categories of Personal Data
Category | Examples |
---|---|
Identification data | Name, job title, employer |
Contact data | Business email address, phone number, postal address |
Contract data | Orders, invoices, payment status |
Usage data | Page visits, clicks, feature use |
Log data | IP address, browser type, device identifiers, server timestamps |
If you disclose personal data of third parties to us, you must ensure you have a lawful basis to do so.
4. Sources of Personal Data
We obtain personal data:
- Directly from you (e.g., contact forms, contract conclusion).
- Automatically via cookies, server logs, and similar technologies.
- From public business sources (e.g., LinkedIn, company registers) where permitted by law.
5. Purposes and Legal Bases
Purpose | Data categories | Legal basis |
---|---|---|
Contract initiation and performance | Identification, contact, contract | Art. 6 (1)(b) GDPR |
Customer support & correspondence | Identification, contact, usage | Art. 6 (1)(f) GDPR – legitimate interest to assist clients |
Payment processing | Identification, contact, contract | Art. 6 (1)(b) GDPR; § 312i BGB |
Compliance with legal obligations (tax, commerce, sanctions lists) | Identification, contract | Art. 6 (1)(c) GDPR; §§ 147 AO, 257 HGB |
Security monitoring, fraud prevention, server logs | Usage, log | Art. 6 (1)(f) GDPR – legitimate interest to protect systems |
Marketing to existing customers ("soft opt‑in") | Identification, contact | § 7 (3) UWG; Art. 6 (1)(f) GDPR |
Marketing to prospects | Identification, contact | Art. 6 (1)(a) GDPR – consent |
Website analytics & non‑essential cookies | Usage | Art. 6 (1)(a) GDPR; § 25 (1) TTDSG |
Legitimate‑interest assessment: We have balanced our business interests against your rights and freedoms. Processing is proportionate, and IP addresses are truncated (anonymised) where feasible.
OrgFlow does not use personal data for profiling or automated decision‑making within the meaning of Art. 22 GDPR.
6. Obligation to Provide Data
Providing the information marked as mandatory on our forms is required to enter into or perform a contract. Without it, we cannot supply our services. All other information is voluntary.
7. Recipients and International Transfers
We share data only with trusted service providers and authorities where legally mandated.
Recipient | Purpose | Location | Transfer mechanism |
---|---|---|---|
Microsoft Azure | Cloud hosting | EU/EEA | Data stored exclusively in EU data centres |
Stripe Payments Europe, Ltd. | Payment processing | EU/EEA | – |
Google LLC (Analytics) | Website analytics | USA | Standard Contractual Clauses; certified under EU–U.S. DPF |
Twilio SendGrid Inc. | Transactional email | USA | Standard Contractual Clauses; end‑to‑end encryption |
Zendesk Inc. | Support ticketing | USA | Standard Contractual Clauses; end‑to‑end encryption |
We have executed Data Processing Agreements pursuant to Art. 28 GDPR with all subprocessors and performed transfer‑impact assessments for third‑country transfers.
8. Data Retention
We erase or anonymise personal data when it is no longer needed for the purposes stated, unless statutory duties require longer storage:
- 10 years for accounting/tax documents (§ 147 AO).
- 6 years for commercial correspondence (§ 257 HGB).
- Up to 3 years for potential contractual claims (§ 195 BGB).
- 14 months for Google Analytics data (IP anonymised).
9. Cookies and Similar Technologies
We use cookies, web beacons and similar technologies (collectively "cookies") to operate and secure our website, remember your preferences and—only with your consent—analyse usage.
9.1 What are cookies?
Cookies are small text files placed on your device. They can identify your browser on subsequent visits and may store information such as settings or IDs.
9.2 Cookie categories, purposes, retention and legal bases
Category | Purpose | Typical examples | Storage duration | Legal basis |
---|---|---|---|---|
Essential | Enable core site functions such as page navigation, load balancing, security and fraud prevention | __Host-session, csrf_token | Session or up to 12 months | § 25 (2) TTDSG (no consent required) |
Preference / Functional | Remember your choices (e.g., language, cookie banner response) | lang, cookie_consent | 6 months | Art. 6 (1)(a) GDPR; § 25 (1) TTDSG (consent) |
Analytics | Collect aggregated statistics to improve our site (IP anonymised) | _ga, _gid, _gat | 14 months | Art. 6 (1)(a) GDPR; § 25 (1) TTDSG (consent) |
Marketing | Currently not used | – | – | – |
9.3 Obtaining and withdrawing consent
On your first visit a banner lets you accept, reject or customise non‑essential cookies. You can change your choice at any time via the "Cookie Settings" link in the footer or by clearing cookies in your browser. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
9.4 Third‑party cookies
Google Analytics cookies are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data may be transferred to the USA on the basis of Standard Contractual Clauses and certification under the EU–U.S. Data Privacy Framework. IP addresses are truncated within the EU before transmission. We have concluded a Data Processing Agreement with Google and disabled data sharing and advertising features.
9.5 Browser settings
Most browsers allow you to block or delete cookies. Instructions can be found at:
- Microsoft Edge: edge://settings/content/cookies
- Firefox: about:preferences#privacy
- Chrome: chrome://settings/cookies
- Safari: Settings → Privacy
Rejecting or deleting cookies may impair certain website functions.
10. Data Security
We maintain appropriate technical and organisational measures under Art. 32 GDPR, including:
- TLS 1.2+ encryption in transit and AES‑256 at rest.
- Role‑based access control (least‑privilege principle).
- Regular penetration tests and vulnerability scans.
- Incident‑response and disaster‑recovery plans.
11. Your Rights
You may exercise the following rights at any time:
- Access (Art. 15 GDPR).
- Rectification (Art. 16 GDPR).
- Erasure (Art. 17 GDPR).
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR).
- Objection to processing based on Art. 6 (1)(f) GDPR (Art. 21 GDPR).
- Withdrawal of consent (Art. 7 (3) GDPR).
Requests can be sent to support@orgflow.io. We will respond within one month as required by law.
12. Right to Lodge a Complaint
If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with a supervisory authority – in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).
Lead supervisory authority
Because OrgFlow GmbH has its registered seat in Landsberg am Lech, Bavaria, our competent lead authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Email: poststelle@lda.bayern.de
Phone: +49 (0) 981 180093‑0
You may also address any other supervisory authority of your choice, for example the authority in your habitual residence or the Hessian authority responsible for our branch office.
13. Children
Our services are intended exclusively for businesses and are not directed at children under 16. We do not knowingly process children’s data.
14. Processing on Behalf of Customers
When acting as a processor under Art. 28 GDPR, we process data strictly in accordance with the Data Processing Agreement (DPA) concluded with the customer.
15. Updates
We may amend this Privacy Policy to reflect legal, technical, or business developments. The latest version is always available at orgflow.io/privacy. If changes significantly affect your rights, we will give prior notice by email.