Floynk logo

Privacy Policy

Privacy Policy for Floynk (DigitX B.V.) — how we collect, use, and protect your personal data under the GDPR.

Probeer Gratis

Privacy Policy

Effective date: 21 April 2026

1. Who we are

The data controller responsible for the processing of personal data described in this policy is:

DigitX B.V., trading as Floynk Jonkerbosplein 52, 6534 AB Nijmegen, the Netherlands Chamber of Commerce (KvK): 82240264 Email: info@floynk.com Privacy enquiries: privacy@floynk.com Website: www.floynk.com

This policy applies to the domains www.floynk.com and app.floynk.com, and to the services offered through them (together, the "Services").

2. Overview of our processing

2.1 Scope

We process personal data only where we have a lawful basis to do so and only to the extent needed to deliver and improve our Services, keep them secure, and meet our legal obligations.

2.2 Legal bases

Depending on the activity, we rely on one or more of the following legal bases in Article 6(1) GDPR:

  • (a) Consent — where you have given consent (for example, marketing emails, analytics cookies).
  • (b) Contract — where processing is necessary to provide the Services you have contracted for, or to take pre-contractual steps at your request.
  • (c) Legal obligation — where we must process data to comply with a law we are subject to (for example, tax and invoicing obligations).
  • (d) Vital interests — in rare cases where processing is needed to protect someone's life.
  • (f) Legitimate interests — where processing is necessary for our legitimate interests (for example, securing our systems, preventing fraud, basic server logging) and those interests are not overridden by your rights and freedoms.

2.3 Data retention and deletion

We retain personal data only for as long as is necessary for the purposes for which it was collected, or for as long as we are required to keep it by law. When the purpose has ended and no legal retention period applies, we delete or anonymise the data.

3. Providing the website and server log files

3.1 What is collected

Each time our website is accessed, our systems automatically collect technical information from the device making the request, including:

  • Browser type and version
  • Operating system
  • IP address
  • Date and time of the request
  • Referring URL
  • Pages visited on our site

This information is also stored in server log files.

3.2 Legal basis

Article 6(1)(f) GDPR — our legitimate interest in delivering a functional, stable, and secure website.

3.3 Purpose

  • Deliver the website to your device
  • Keep the website operational and secure
  • Detect and investigate abuse or attacks

We do not use this log data for marketing profiling.

3.4 Retention

Server log data is retained for no more than seven days, unless a longer retention period is required for security or legal reasons. After that, IP addresses are deleted or anonymised.

3.5 Objection

Collecting log data is necessary to run the website, so there is no practical way to object to this processing while continuing to use the site.

3.6 Sign-in services

  1. You can log in to Floynk using Google as a sign-in provider, in addition to signing in with an email address and password. Sign-in via LinkedIn is planned and will be enabled in the future; this policy will be updated before it goes live.
  2. When you use a third-party sign-in service, the provider authenticates your identity and returns to us only the minimum profile information needed to create or match your Floynk account: your name, email address, and a unique identifier. We do not request access to your contacts, posts, or other data held by the sign-in provider.
  3. Your use of the sign-in provider is subject to that provider's own privacy policy. Revoking access in your Google (or, in future, LinkedIn) account settings will disable that sign-in method for Floynk; your Floynk account itself remains until you delete it.

4. Cookies

4.1 What we use cookies for

Our websites use cookies — small text files stored in your browser — to keep the site usable across page loads. Depending on your consent, cookies are used for:

  • Strictly necessary: session state, authentication, CSRF protection, load balancing.
  • Preferences: language, currency, and UI choices you make.
  • Analytics: aggregated usage statistics via PostHog (EU) and Google Analytics (consent-gated via Cookiebot).

4.2 Legal basis

  • Strictly necessary cookies: Article 6(1)(f) GDPR — legitimate interest in operating the Service.
  • Preferences and analytics cookies: Article 6(1)(a) GDPR — your consent, collected via our cookie banner (Cookiebot).

4.3 Managing cookies

You can accept, refuse, or change your cookie preferences at any time via the cookie banner. You can also manage cookies in your browser settings. Disabling strictly necessary cookies may break parts of the Service.

5. Registration and accounts

5.1 What is collected

To create a Floynk account, you provide information through a sign-up form (for example, name, email address, company details, password). We also automatically record the IP address and the date and time of registration.

5.2 Legal basis

Article 6(1)(b) GDPR — performance of our contract with you, or pre-contractual steps taken at your request (for example, starting a free trial). Where you have also given consent for a specific purpose, Article 6(1)(a) applies to that purpose.

5.3 Purpose

  • Create and manage your account
  • Authenticate you when you sign in
  • Prevent abuse of free trials and sign-ups
  • Provide the Services you have subscribed to

5.4 Retention

We retain account data for as long as you have an active account. After you close your account, we delete or anonymise your data unless we are required to keep certain records (for example, invoices under Dutch tax law — typically seven years).

5.5 Your rights

You can update your account data at any time from within the Service. You may also close your account; see Section 10 for your rights under the GDPR.

6. Product and service communications

6.1 What we send

We contact registered customers by email about matters directly relevant to the Service — for example, scheduled maintenance, releases, security updates, and billing notices.

6.2 Legal basis

Article 6(1)(b) GDPR — these communications are part of delivering the contracted Service.

6.3 Marketing emails

Optional marketing emails (newsletters, product announcements, tips) are sent only with your consent under Article 6(1)(a) GDPR, and you can withdraw consent at any time using the unsubscribe link in every such email, or by contacting privacy@floynk.com.

6.4 Retention

We retain your email address for these purposes for as long as your account is active. Unsubscribing from marketing does not close your account; it only stops marketing emails.

7. Email contact

7.1 Description

If you contact us by email (for example, at support@ or info@), we store the content of your message and your contact details to handle the conversation.

7.2 Legal basis

  • Article 6(1)(b) GDPR where the exchange is about entering into or performing a contract.
  • Article 6(1)(f) GDPR for other general enquiries — our legitimate interest in responding to you.

7.3 Retention

We retain email correspondence only for as long as needed to handle your enquiry and to comply with legal obligations (for example, keeping records of complaints). Purely commercial email is retained under applicable Dutch bookkeeping rules where relevant.

8. Processing of marketplace and selling-partner data

8.1 Framework

When you connect a marketplace account to Floynk (bol.com, Amazon, Shopify, WooCommerce, or Mirakl), we process data pulled from that marketplace on your behalf. You are the data controller for your own seller data and for the personal data of your end customers. Floynk is your data processor under Article 28 GDPR. A separate Data Processing Agreement governs this relationship.

The principles below apply to every connected marketplace. Section 8.2 sets out the specific provisions that apply when you connect an Amazon Seller Central account via the Amazon Selling Partner API (SP-API); Section 8.3 confirms that the same principles apply to the other marketplaces we integrate with.

8.2 Amazon Selling Partner data

When an Amazon Selling Partner connects their Amazon Seller Central account to Floynk via the Amazon Selling Partner API (SP-API), we process the following categories of data.

Data categories

  • Order data: order ID, order status, order items, quantities, prices, fees, and fulfilment information.
  • Buyer personal information (PII): buyer name, shipping address, and phone number — processed solely for order fulfilment (generating shipping labels and packing slips) and tax-invoice generation on behalf of the authorised Selling Partner.
  • Product data: ASIN, SKU, title, description, pricing, inventory levels, and listing status.
  • Financial data: fee breakdowns, settlement data, and commission information.

Purpose of processing

Amazon data is processed exclusively to provide marketplace management services to the authorised Selling Partner. Floynk acts as a data processor on behalf of the Selling Partner (who is the data controller for their own seller data). Amazon data is used only to:

  • synchronise product listings, inventory, and orders between Amazon and the seller's other sales channels;
  • enable the seller to fulfil orders (which requires the buyer's shipping address);
  • provide the seller with financial reporting and profit calculations;
  • generate tax invoices as required by applicable law.

Data isolation

Each Selling Partner's Amazon data is logically isolated at the database level using PostgreSQL Row Level Security (RLS) policies. Data from one Selling Partner is never visible to, accessible by, shared with, or aggregated with data from any other Selling Partner or third party.

Data retention

Buyer personally identifiable information (name, shipping address, phone number) is automatically deleted 30 days after order delivery through an automated daily retention job. Exception: where Dutch or EU law requires longer retention for tax-invoice purposes (Article 52 of the Dutch General Tax Act, Algemene wet inzake rijksbelastingen), PII on tax documents is retained in encrypted storage for the legally mandated period only.

Data sharing

Amazon data is never shared with third parties. Data flows exclusively between Amazon ↔ Floynk ↔ the authorised Selling Partner. We do not sell, license, share, or aggregate Amazon seller data for any purpose.

Encryption

All Amazon data is encrypted in transit (TLS 1.3) and at rest (AES-256 for storage volumes, Fernet / AES-128-CBC for application-layer field encryption of sensitive items such as API credentials). See our Security Measures page for details.

Data deletion

Selling Partners can request deletion of all their Amazon data at any time by contacting info@floynk.com. Upon account termination, all Amazon data associated with the account is permanently deleted within 30 days, subject to the tax-retention exception above.

Sub-processors and location

The list of sub-processors involved in Amazon data handling is at /sub-processors. Amazon data is processed exclusively within the European Union (Hetzner Germany, Supabase Frankfurt).

8.3 Other marketplaces (bol.com, Shopify, WooCommerce, Mirakl)

The same principles set out in §8.2 — processor role, purpose limitation, RLS-based data isolation, 30-day buyer-PII retention after delivery (subject to the Dutch tax-law exception), no third-party sharing, EU-only processing, and deletion on request — apply in equivalent form to bol.com, Shopify, WooCommerce, and Mirakl. Marketplace-specific terminology (for example, EAN/SKU on bol.com, handle/variant ID on Shopify) maps to the same data categories.

9. Sub-processors and data sharing

We use a small set of carefully selected sub-processors to deliver the Service (hosting, database, email delivery, analytics, payments, error tracking, and similar). Each is bound by a Data Processing Agreement.

The current list, including what each sub-processor does, where they process data, and the transfer mechanism for any non-EEA providers, is published at /sub-processors.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

10. Your rights

Under the GDPR you have the following rights in relation to your personal data:

  • Right of access (Article 15) — confirmation of whether we process your data, and a copy of that data.
  • Right to rectification (Article 16) — correction of inaccurate or incomplete data.
  • Right to erasure (Article 17) — deletion of your data where one of the grounds in Article 17 applies.
  • Right to restriction of processing (Article 18) — temporary restriction in the circumstances listed in Article 18.
  • Right to data portability (Article 20) — receive the data you have provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
  • Right to object (Article 21) — object to processing based on legitimate interests, and to object at any time to processing for direct marketing (we will stop immediately).
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Rights concerning automated decision-making (Article 22) — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Floynk does not make such decisions about you.
  • Right to complain — lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. For the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

To exercise any of these rights, email privacy@floynk.com. We may ask for information to verify your identity before acting on a request. We aim to respond within one month, extendable by up to two further months for complex requests.

11. International transfers

Personal data is primarily stored and processed within the European Economic Area (our compute is hosted in Germany and our primary database is in Frankfurt). Where a sub-processor is based outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) together with appropriate supplementary measures. The sub-processors page lists the transfer mechanism applied to each vendor.

12. Security

We maintain technical and organisational measures appropriate to the risk, including TLS 1.3 in transit, AES-256 at rest, application-layer encryption of sensitive fields such as API keys, intrusion detection (CrowdSec), vulnerability scanning (OpenVAS), firewalls, multi-factor authentication on all operator accounts, and multiple independent backup layers. For detail, see Security Measures.

13. Changes to this policy

We may update this policy from time to time. When we do, we will change the "Effective date" above and, for material changes, notify customers by email or in-product notice.

14. Contact

DigitX B.V. (trading as Floynk) Jonkerbosplein 52, 6534 AB Nijmegen, the Netherlands KvK 82240264

You also have the right to contact the Dutch supervisory authority directly:

Autoriteit Persoonsgegevens P.O. Box 93374, 2509 AJ The Hague, the Netherlands autoriteitpersoonsgegevens.nl

Last updated: 21 April 2026.