Effective Date: 1 April 2026 | Version 1.0
| Entity Name | ExactFlow Spółka Akcyjna (p.s.a.) |
| Registered Address | Stanisława Bodycha 87, 05-816 Reguły, Poland |
| Country of Registration | Republic of Poland |
| Website | www.exactflow.com |
| Contact (Data Protection) | privacy@exactflow.com |
| Supervisory Authority | Urząd Ochrony Danych Osobowych (UODO), Warsaw, Poland |
ExactFlow p.s.a. ('ExactFlow', 'we', 'us', or 'our') is committed to protecting the privacy and personal data of all individuals who interact with our platform, website, and services. This Privacy Policy explains how we collect, use, store, share, and protect personal data in accordance with:
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018 poz. 1000, as amended)
Act of 18 July 2002 on Providing Services by Electronic Means (Dz.U. 2002 Nr 144, poz. 1204, as amended)
Act of 16 July 2004 – Telecommunications Law (Dz.U. 2004 Nr 171, poz. 1800, as amended)
Any other applicable national and EU data protection legislation
This Privacy Policy applies to all users of the ExactFlow platform, including registered business clients, their authorized users, visitors to our website, prospective clients, and third parties whose data we may process in the course of providing our services. By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy.
2.1 Data Provided Directly by You
When you register, subscribe, or interact with ExactFlow, we collect:
Identity data: full name, job title, role within your organization
Contact data: business email address, telephone number, postal address
Account credentials: username, hashed password, authentication tokens
Billing and payment data: company name, VAT identification number (NIP), billing address, payment method details (processed via certified payment processors)
Communication data: messages, support tickets, feedback, and correspondence with our team
2.2 Data Collected Automatically
When you access our platform or website, we may automatically collect:
Technical data: IP address, browser type and version, operating system, device identifiers
Usage data: pages visited, features accessed, session duration, click-stream data, error logs
Cookie and tracking data: as described in our separate Cookie Policy
Log data: server logs, access records, and diagnostic information
2.3 Data from Third-Party Integrations
Where you connect ExactFlow to third-party marketplaces, ERP systems, logistics providers, or other platforms, we may receive data necessary to perform the integration, including order data, product listings, inventory figures, customer details from your marketplace accounts, and shipping information. You are responsible for ensuring you have appropriate authority and a lawful basis to share such data with us.
| Purpose of Processing | Legal Basis (GDPR Art.) | Retention Period |
|---|---|---|
| Account creation and platform access | Art. 6(1)(b) – Contract performance | Duration of contract + 3 years |
| Service delivery and AI agent operation | Art. 6(1)(b) – Contract performance | Duration of contract |
| Billing and invoicing | Art. 6(1)(c) – Legal obligation | 5 years (Polish tax law) |
| Security and fraud prevention | Art. 6(1)(f) – Legitimate interests | 2 years |
| Service improvement and analytics | Art. 6(1)(f) – Legitimate interests | 2 years (anonymized) |
| Marketing communications (opt-in) | Art. 6(1)(a) – Consent | Until withdrawal of consent |
| Legal claims and compliance | Art. 6(1)(c) and (f) – Legal obligation / Legitimate interests | 10 years (civil law limitation) |
| Customer support | Art. 6(1)(b) – Contract performance | 3 years after last contact |
ExactFlow's platform incorporates AI agents (Axel, Zane, Tesa, Raya, Nia, and Kai) that perform automated data processing to deliver core service functionality. We inform you of the following:
4.1 Nature of Automated Processing
Our AI agents process business operational data including order histories, inventory records, financial data, sales patterns, and HR-related records to generate insights, recommendations, and automated actions on your behalf. This processing is undertaken at your direction and under your instructions as data controller for your clients' data.
4.2 No Solely Automated Individual Decisions with Legal Effects
ExactFlow does not subject natural persons to solely automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR, without human review. All material AI-generated recommendations require human confirmation before execution, unless explicitly configured otherwise by the Account Administrator with appropriate safeguards.
4.3 AI Training
We do not use your specific business data or client personal data to train our general AI models without your explicit written consent. Aggregated, anonymized performance statistics may be used to improve system performance in accordance with our legitimate interests.
We share personal data only where necessary and with appropriate safeguards:
5.1 Service Providers (Processors)
We engage carefully vetted sub-processors to support our operations, including cloud infrastructure providers (EU-based or with appropriate transfer mechanisms), payment processors certified to PCI-DSS standards, email delivery services, customer support platforms, and analytics providers. All sub-processors are bound by Data Processing Agreements (DPAs) complying with GDPR Article 28.
5.2 Third-Party Integrations
Where you activate marketplace or platform integrations (e.g., Amazon, eBay, Shopify, Allegro), data is exchanged with those platforms pursuant to your instructions. ExactFlow acts as your data processor in respect of such exchanges.
5.3 Legal and Regulatory Disclosure
We may disclose personal data where required by law, court order, or at the request of Polish or EU regulatory authorities, including the Urząd Ochrony Danych Osobowych (UODO). We will notify you of any such requests unless legally prohibited from doing so.
5.4 Corporate Transactions
In the event of a merger, acquisition, or sale of all or part of ExactFlow's business, personal data may be transferred to the successor entity, subject to the same level of protection as provided under this Policy and applicable law.
ExactFlow is established in Poland and primarily processes data within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure adequate protection through one or more of the following mechanisms:
European Commission Adequacy Decisions
Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
Binding Corporate Rules where applicable
Specific derogations under GDPR Article 49 where permitted
You may request a copy of the applicable transfer mechanism by contacting privacy@exactflow.com.
ExactFlow implements enterprise-grade technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:
Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
Role-based access control and least-privilege principles
Multi-factor authentication for platform access
Regular penetration testing and vulnerability assessments
ISO 27001-aligned information security management practices
Comprehensive employee data protection training
Business continuity and disaster recovery planning
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and, where required, notify the UODO within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Under the GDPR and applicable Polish law, you have the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of personal data we hold about you and information on how it is processed. |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | Request deletion of personal data where no longer necessary or where you withdraw consent. |
| Right to Restriction (Art. 18) | Request restriction of processing in specific circumstances. |
| Right to Portability (Art. 20) | Receive personal data in a structured, machine-readable format. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing purposes. |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is consent-based, without affecting prior processing. |
| Right to Lodge a Complaint | Lodge a complaint with the UODO (www.uodo.gov.pl) or the supervisory authority in your EU Member State. |
To exercise any of your rights, please contact us at privacy@exactflow.com. We will respond within one calendar month of receiving your request. In complex cases, we may extend this period by a further two months, informing you accordingly. We may verify your identity before processing your request.
We use cookies and similar tracking technologies on our website and platform. Detailed information about the cookies we use, their purposes, and how to manage your preferences is set out in our separate Cookie Policy, available at www.exactflow.com/en/cookie. In summary:
Strictly necessary cookies are used to enable core functionality and cannot be disabled.
Analytical/performance cookies help us understand how visitors use our platform (requires consent).
Marketing/targeting cookies may be used to deliver relevant advertising (requires consent).
You may manage your cookie preferences at any time via our Cookie Consent Manager or your browser settings.
ExactFlow's services are directed exclusively at business clients (B2B) and are not intended for, nor directed at, individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact privacy@exactflow.com and we will promptly delete it.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting requirements. The specific retention periods applicable to each category of processing are set out in Section 3. Upon expiry of the applicable retention period, personal data is securely deleted or anonymized in accordance with our Data Retention Policy.
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or best practice. We will notify registered account holders of any material changes by email at least 30 days before they take effect. The updated Policy will also be published on our website with the revised effective date. Continued use of our services after the effective date of changes constitutes acceptance of the updated Policy.
For any questions, concerns, or requests relating to this Privacy Policy or our data processing activities, please contact:
| Data Protection Contact | privacy@exactflow.com |
| Postal Address | ExactFlow p.s.a., Stanisława Bodycha 87, 05-816 Reguły, Poland |
| Website | www.exactflow.com/en/privacy |
| Supervisory Authority | Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl |
— END OF PRIVACY POLICY —