Reflowly Privacy Policy
Last updated: 17-02-2026
Reflowly (“we”, “us”, “our”) provides a Software-as-a-Service (SaaS) platform that allows businesses to automate post‑purchase follow‑up messages for feedback and reputation management (the “Service”).
We are committed to protecting the privacy of our website visitors, prospective customers and the end‑customers of our clients. This Privacy Policy explains how we collect, use, disclose and protect personal data in connection with our website and Service.
Because Reflowly is established in the European Union (the Netherlands), our processing of personal data is subject to the General Data Protection Regulation (“GDPR”) and applicable Dutch data protection law.
1. Data controller
For the processing activities described in this Privacy Policy, the data controller is:
Reflowly
Established in the Netherlands
Contact e‑mail: privacy@reflowly.com
At this time, Reflowly is in the process of being formally registered as a partnership (VOF) in the Netherlands. Once available, our Chamber of Commerce (KvK) number and registered address will be added to this Privacy Policy.
2. Scope of this Privacy Policy
This Privacy Policy applies to:
visitors to our website;
prospective business customers who submit their details to us;
representatives and employees of our business customers (direct clients);
end‑customers of our business customers, whose data we process on behalf of such customers in connection with post‑purchase follow‑up, feedback and review requests.
Our Service is targeted at businesses located in the European Union. However, some of our service providers are located outside the EU (in particular in the United States), which may involve limited transfers of personal data outside the EU/EEA. We describe this in more detail in Section 7.
3. Categories of personal data we process
3.1 Website visitors and prospective customers (direct clients)
When you visit our website or submit a contact/registration form as a potential business customer, we may process the following categories of personal data:
Business identification data: company name.
Contact data: business email address.
Technical data: IP address and basic device information, to record consent to our privacy terms and to secure our website.
We do not otherwise track or profile website visitors beyond what is necessary to run and secure the site and to follow up on legitimate business enquiries.
3.2 Direct business customers (clients)
For our (future) registered business customers, we may additionally process:
Business identification data: company name, VAT/registration number (once provided).
Contact data: name and business contact details of the contact person(s).
Billing and accounting data: information related to invoices and payments (for example through Mollie), as required for our contractual and legal obligations.
3.3 End‑customers of our clients
Our clients use Reflowly to send post‑purchase follow‑up messages to their own customers, for example to request feedback or a review. For this purpose, our clients upload or otherwise provide the following personal data about their end‑customers:
Name: first name or initials and last name.
Contact data: email address.
Order information: order identifier (if used), purchase date and product/transaction context (without storing the purchase amount).
Communication data: information relating to the follow‑up emails sent through our Service (for example whether an email was delivered or opened, and any feedback or review submitted in response).
We do not collect payment card numbers or other sensitive financial information of end‑customers.
4. Purposes and legal bases of processing
4.1 Website visitors and prospective customers
We process personal data of website visitors and prospective customers for the following purposes and on the following legal bases:
Responding to enquiries and establishing contact with potential business customers
Data: company name, business email address, IP address.
Legal basis:
Performance of pre‑contractual measures at the request of the data subject (Article 6(1)(b) GDPR), where you contact us to potentially use our Service; and
Our legitimate interest in promoting and developing our business and responding to legitimate enquiries (Article 6(1)(f) GDPR).
Ensuring security and proper functioning of our website
Data: IP address and device information.
Legal basis: our legitimate interest in ensuring the security, integrity and availability of our website and IT systems (Article 6(1)(f) GDPR).
4.2 Direct customers (clients)
We process personal data of our business customers for the following purposes:
Account creation, contract management and provision of the Service
Data: company name, contact details of the contact person, login data (once implemented).
Legal basis: performance of a contract or pre‑contractual steps (Article 6(1)(b) GDPR).
Billing, payments and accounting
Data: billing details, transaction information (via Mollie), invoice details.
Legal basis: compliance with legal obligations under tax and accounting law (Article 6(1)(c) GDPR) and our legitimate interest in receiving payment for our services (Article 6(1)(f) GDPR).
Customer service and communication about the Service
Data: contact details, communication data.
Legal basis: performance of the contract and our legitimate interest in maintaining the customer relationship and improving our Service (Article 6(1)(b) and (f) GDPR).
We do not currently use customer contact data for general marketing newsletters. If we start doing so in the future, we will rely on consent or applicable “soft opt‑in” rules and provide a clear opt‑out in every message.
4.3 End‑customers of our clients
For end‑customers of our clients, we process personal data exclusively in order to provide our Service to the relevant client, in particular to send automated post‑purchase follow‑up messages asking for feedback or reviews and to report back to our client.
Purpose: sending and tracking follow‑up emails, collecting feedback and review‑related information, and providing our client with aggregated or individual reports.
Legal basis:
For Reflowly: we act as a data processor on behalf of our client. The legal basis for processing is determined by our client (typically the client’s legitimate interest in reputation management and customer satisfaction, or consent where required).
For our clients (as controllers): typically legitimate interests in following up with customers after a purchase and improving their services, balanced against the rights and expectations of their customers (Article 6(1)(f) GDPR), or consent where required under applicable e‑privacy rules.
Where we process end‑customer data as a processor, this Privacy Policy applies in addition to the privacy notices of our clients. End‑customers should first contact the relevant client for the exercise of their data protection rights.
5. Roles: controller and processor
For website visitors, prospective customers and our own business customers, Reflowly is the data controller.
For end‑customers of our clients, Reflowly acts mainly as a data processor on behalf of the relevant client. Our processing is governed by a data processing agreement (DPA) with each client.
Where we act as a processor, we only process personal data on documented instructions from our client, and we implement appropriate technical and organisational measures to protect the data.
6. Data retention
We retain personal data only for as long as necessary for the purposes described above or as required by law:
Website enquiries / prospective customers: retained for up to [●] months after the last contact, unless a business relationship is established or longer storage is necessary for legal claims.
Business customer data: retained for the duration of the contract and, after termination, for as long as required by tax and accounting laws (typically up to 7 years under Dutch law for billing and accounting records).
End‑customer data: retained in our systems for as long as the relevant customer account remains active and in accordance with our contract with the client. Clients can request deletion or anonymisation of end‑customer data at any time, and we will comply within a reasonable timeframe.
We may retain data for a longer period if necessary to establish, exercise or defend legal claims, provided that access is restricted to what is strictly necessary.
7. Recipients and international data transfers
7.1 Service providers (processors)
We use carefully selected third‑party service providers that process personal data on our behalf:
Hosting and infrastructure provider
We host our website and Service with a European hosting provider (e.g. IONOS) whose servers are located within the European Union. This provider supplies infrastructure, storage and backup services necessary for running our Service and can process personal data such as contact details, order and communication data and technical logs.
CRM and automation platform
We use an external CRM and marketing automation platform (currently Go High Level) to store and manage data relating to the end‑customers of our clients and to send and track follow‑up emails. This provider is based in the United States and may therefore receive personal data of end‑customers outside the EU/EEA.
Payment service provider
For processing payments from our business customers, we intend to use Mollie B.V., a payment service provider established in the EU. Mollie processes payment‑related data necessary for executing transactions and for compliance with regulatory requirements.
Accounting provider
For bookkeeping and accounting purposes, we use a Dutch online accounting service (eBoekhouden.nl), which stores relevant business customer and invoice data in the EU.
All such service providers act as our processors. We conclude data processing agreements with them and require them to implement appropriate technical and organisational security measures.
7.2 Transfers outside the EU/EEA
Our goal is to keep personal data as EU‑sovereign as possible. Most of our core hosting and storage is therefore located within the European Union. However, some providers (in particular our CRM/automation platform) are located in the United States, meaning that certain personal data may be transferred to and processed in the US.
Where personal data is transferred outside the EU/EEA:
we only use service providers that offer an adequate level of data protection;
where there is no adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or participation in a recognised data transfer framework, combined with additional technical and organisational measures as necessary.
You may contact us for more information about the specific safeguards used for international transfers.
8. Security of personal data
We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss or alteration, and against unauthorised disclosure or access. These measures include, where appropriate:
secure hosting and storage in data centres within the EU;
access controls and authentication for our staff and systems;
encryption in transit (e.g. TLS/HTTPS) and, where feasible, at rest;
regular backups and monitoring of our infrastructure;
contractual obligations of confidentiality for staff and processors.
No system can be completely secure, but we continuously work to maintain a level of security appropriate to the risk.
9. Your rights under the GDPR
Depending on your relationship with us and subject to conditions and limitations in the GDPR, you have the following rights in relation to your personal data:
Right of access: to obtain confirmation as to whether we process personal data about you and to receive a copy of such data.
Right to rectification: to have inaccurate or incomplete personal data corrected.
Right to erasure: to request deletion of your personal data, for example where the data is no longer necessary for the purposes for which it was collected or where you withdraw consent (where applicable).
Right to restriction of processing: to request that we limit the processing of your personal data in certain circumstances.
Right to data portability: to receive personal data you have provided to us in a structured, commonly used and machine‑readable format and to transmit that data to another controller, where technically feasible and where the processing is based on consent or contract.
Right to object: to object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing of your personal data for direct marketing.
Right to withdraw consent: where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
If you are an end‑customer of one of our clients, please contact the relevant client (the business with which you made a purchase) in the first instance to exercise your rights. We will assist our clients in responding to such requests.
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or of an alleged infringement. In the Netherlands, this is the Autoriteit Persoonsgegevens.
10. Children’s data
Our Service is not directed at children and is intended for use by businesses only. We do not knowingly collect personal data from children under the age of 16. If you believe that a child has provided personal data to us, please contact us and we will take appropriate steps to delete such data.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our Service, our processing activities, or applicable law. The most recent version will always be available on our website and will indicate the date of last update.
Where appropriate and required by law, we will notify clients of material changes through our Service or by email and, if necessary, obtain renewed consent.
12. Contact
If you have any questions about this Privacy Policy or about our processing of personal data, or if you wish to exercise your rights, you can contact us at:
Reflowly
Email: privacy@reflowly.com
