Last updated: March 6, 2026
This privacy policy explains how ExactFlow collects, uses, stores and shares your personal information when you use our website and services. It also explains your rights and how to contact us.
When We Act as Data Controller
We act as a Data Controller (or "Business" under US law) for information where we decide the purpose of processing, such as:
Website visitor analytics and marketing.
Account registration and billing data.
Customer support correspondence.
When We Act as Data Processor / Service Provider
We act as a Data Processor (or "Service Provider" under US law) when:
Our customers upload or sync data from third-party marketplaces (e.g., Amazon, Shopify).
We process order, inventory, and shipment data on behalf of our customers. In these instances, our customers are the Controllers, and we process data strictly according to their instructions and our Data Processing Addendum (DPA).
Business Account Information
Identity: Full name, company name, and job title.
Contact: Business email, physical address, and telephone number.
Credentials: Username and hashed passwords.
Operational Data (Processed on Behalf of Customers)
We process data retrieved via API from integrated marketplaces, which may include:
End-Customer Info: Names, shipping/billing addresses, and email addresses.
Transaction Info: Order IDs, product details, and tracking numbers.
Marketplace Specifics: Warehouse logs and inventory records.
Payment Information
Payments are handled by secure third-party processors (e.g., Stripe). ExactFlow does not store full credit card numbers; we only retain metadata (last 4 digits, expiry) for billing management.
Technical & Usage Data
IP addresses, device type, and browser identifiers.
API Logs: We monitor API performance and authentication tokens to ensure system stability and security.
We process data under the following GDPR pillars:
Contractual Necessity: To provide the SaaS services you signed up for.
Legitimate Interest: For platform security, fraud prevention, and improving UI/UX.
Legal Obligation: For tax reporting and compliance with financial regulations.
Consent: Where you have opted-in to receive marketing communications.
ExactFlow integrates with platforms including Amazon, Shopify, BigCommerce, and WooCommerce, and many others.
Amazon Data Protection: For data retrieved via Amazon Marketplace APIs, we strictly adhere to Amazon’s Data Protection Policy (DPP). This includes the automatic deletion of PII within 30 days of order fulfillment unless retention is legally required for tax purposes.
Third-Party Terms: We are not responsible for the privacy practices of these platforms. We encourage you to review their respective privacy policies.
We do not sell your personal data or your customers data
We share data only with "processors" necessary to provide the service:
Infrastructure: AWS, Vercel, MongoDB.
Communication: SendGrid, Intercom.
Analytics: Google Analytics (where consented).
All processors are contractually bound by a DPA to ensure the same level of protection we provide. A full list of processors is available at [Insert Link, e.g., exactflow.com/subprocessors].
Personal data may be transferred to the United States. Where data moves from the EEA/UK to a country without an adequacy decision, we utilize:
Standard Contractual Clauses (SCCs) approved by the European Commission.
The UK International Data Transfer Addendum.
Additional Safeguards: Such as encryption at rest and in transit.
Security
We maintain a written information security program including:
Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
Access Control: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA).
Monitoring: Continuous intrusion detection and audit logging.
Retention
Account Data: Retained for the life of the subscription plus a period required for tax audits.
Customer Operational Data: Retained according to the customers settings or marketplace requirements (e.g., 30-day PII purging for Amazon).
EU/UK Rights
You have the right to access, rectify, or erase your data, and the right to data portability. Please contact privacy@exactflow.com.
US State Rights (CCPA/CPRA, etc.)
Right to Know/Delete: Request what data we collect and ask for its deletion.
Opt-Out: We do not sell your data. We also do not "share" data for cross-context behavioral advertising.
GPC: We honor Global Privacy Control (GPC) signals sent by your browser.
In the event of a data breach, we maintain a response plan to:
Identify and contain the breach.
Notify affected customers without undue delay (typically within 48-72 hours of verification).
Notify relevant Supervisory Authorities where legally required.
For privacy inquiries or to reach our Data Protection Officer (DPO):
Email: privacy@exactflow.com
Address: Stanisława Bodycha 87, 05-816 Reguły Polska