Privacy Policy

Last updated: May 2026

The protection of your personal data is important to us. We collect, use, and store your personal data in accordance with the provisions of applicable data protection laws, including the EU General Data Protection Regulation (GDPR). Below we inform you about the type, scope, and purpose of the collection and use of personal data.

A) General Data Protection Information

1. Who is responsible for data processing and who can you contact?

The party responsible for data processing is:

Social Flows
Mohamad Ayachi Street, Avicenne
2066 Tunis, Tunisia
E-Mail: [email protected]

2. Use of Website and Software

You can browse our website without registering. If you register for a free trial account or as part of a paid account, the information below applies. For the use of our website and blog, please refer to the Special Privacy Notice under Section C.

3. Your Rights as a Data Subject

In accordance with Art. 15 GDPR, you have the right to request information free of charge about the personal data stored about you and the purpose of the data processing. In accordance with Art. 16, 17 and 18 GDPR, you also have the right to correct incorrect data and to block and delete your personal data. Under the conditions set out in Art. 20 GDPR, you are also entitled to receive your personal data stored by us in a structured, commonly used, and machine-readable format and to transmit this data to another controller without hindrance. In addition, in accordance with Art. 21 para. 1 GDPR, you are entitled to object to the processing of personal data concerning you for reasons arising from your particular situation. You also have the right to lodge a complaint with a data protection supervisory authority.

In addition, pursuant to Tunisian Organic Law n° 2004-5 on the protection of personal data, you have the right to access, rectify, and delete your personal data. You may exercise these rights by contacting us at the address listed above. You also have the right to file a complaint with the National Authority for the Protection of Personal Data (INPDP).

B) Special Data Protection Information for the Social Flows Software

1. Which data is processed and from which sources does it originate?

We process personal data in our software (Art. 4 No. 1 GDPR) which we receive as part of our activities as a provider of cloud software for social commerce management. The personal data processed includes name, address, email addresses, phone numbers, and communication content. We only process personal data that we have received from customers or their employees on the basis of a registration. In our software, we also process the data of people who interact with our customers' social media profiles and online stores — such as profile information, order details, and exchanged communication content — which we process on behalf of our customers on the basis of a data processing agreement.

2. For what purpose is the data processed and on what legal basis?

Insofar as we act as the controller in the context of data processing, we process data in order to provide our services as a cloud software provider. The data processing is legitimized in accordance with Art. 6 para. 1 lit. b) GDPR.

3. SSL Encryption

Our software uses SSL encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser bar. If SSL encryption is activated, the data you send to us cannot be read by third parties.

4. Server Logfiles

We collect and store information about the use of our software in so-called server log files, which your browser automatically transmits to us, on the basis of Art. 6 para. 1 lit. f GDPR. These are:

  • IP Address
  • Browser type / version
  • Operating system
  • Referrer URL
  • Date and time of the server request
  • Amount of data transferred

This data is collected exclusively for statistical purposes and is not merged with other data sources.

5. Use of Cookies

Our software uses so-called “cookies” on the basis of Art. 6 para. 1 lit. b GDPR. A cookie stores the information that a user has logged in with their username and password. We set technically necessary cookies required for the operation of the software on the basis of our legitimate interest in accordance with Art. 6 para. 1 f) GDPR. We only set other cookies, such as analytics cookies, with your express consent in accordance with Art. 6 para. 1 a) GDPR. You can manage your cookie preferences via the cookie banner displayed on your first visit. You can also allow or deactivate cookies via the settings in your browser. However, not all functions of our software may then be available.

6. Waitlist & Registration

When you join our waitlist, we store and process the contact information you provide. This includes:

  • Your email address, or
  • Your phone number

We use this data solely to notify you when the platform becomes available. We do not pass on personal data to third parties. Storage and processing are based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. f GDPR (legitimate interest in pre-launch communication).

7. Social Media Integrations

Our software integrates with Facebook and Instagram via the Meta Graph API and Messenger API. Support for TikTok and WhatsApp is planned for the future. When customers (businesses) connect their Facebook Page or Instagram Business Account, we access the following data on their behalf as their data processor:

  • Facebook Page profile information (name, profile picture, category)
  • Instagram Business Account profile information (username, biography, profile picture)
  • Posts and engagement data (comments, reactions, shares) on the customer's Page
  • Direct messages received through Facebook Messenger and Instagram DM
  • Visitor and follower insights and analytics for the customer's Page

This data is used solely to provide our social commerce management services — including order management, customer communication, and analytics — within the customer's account. We act as the customer's data processor under a data processing agreement. We do not use Facebook or Instagram user data for our own purposes.

Permissions requested: We request the following Meta Graph API permissions on behalf of our customers:

  • pages_manage_posts — to create, schedule, and publish posts on the customer's Facebook Page
  • pages_read_engagement — to read comments, reactions, and engagement metrics on the customer's Page
  • pages_messaging — to send and receive messages via Facebook Messenger on behalf of the customer's Page
  • instagram_basic — to access the customer's Instagram Business Account basic profile
  • instagram_manage_messages — to manage Instagram Direct messages for the customer's account
  • instagram_manage_comments — to read and respond to comments on the customer's Instagram posts

Data use commitments: In accordance with the Meta Platform Terms and Developer Policies:

  • We do not sell, lease, or share Facebook or Instagram user data with any third party for advertising or any other purpose.
  • We do not transfer data received from Facebook or Instagram to any ad network, data broker, or analytics service.
  • We do not use Facebook or Instagram user data for targeted advertising.
  • We only use the data received from Meta APIs to provide and improve the Social Flows platform for our customers.
  • We comply with all applicable Meta Platform Policies, including the Facebook Terms of Service and the Facebook Data Policy.

7a. Data Deletion for End Users

If you are a user who has interacted with a business that uses Social Flows (for example, by sending a message or leaving a comment on a Facebook Page or Instagram account managed through our platform), you may request the deletion of your personal data that was collected through our platform in connection with that interaction.

To request deletion of your data, you may:

  • Send an email to [email protected] with the subject line “Data Deletion Request” and include your name and the page/account you interacted with.
  • Contact the business directly and ask them to delete your data from their Social Flows account.

We will process deletion requests within 30 days and confirm completion via email. Please note that some data may be retained if the business has a legitimate interest or legal obligation to keep it, or if you are the customer's existing customer with an ongoing order or transaction.

9. Information on the transfer of data to a third country

We do not transfer personal data processed by us as the controller within our software to a third country outside the EU/EEA unless permitted under the EU-US Data Privacy Framework or legitimized by standard contractual clauses.

10. Automated Decision-Making

We do not use automated decision-making processes in accordance with Art. 22 GDPR that would have legal consequences for the data subject or similar significant negative effects.

11. List of Sub-processors

In order to provide the functions of Social Flows, it may be necessary to disclose personal data to third parties. The following sub-processors are currently engaged:

  • Supabase Inc. — Database hosting and edge function execution (EU region)

An updated list of sub-processors, including the purpose and place of processing, is available upon request.

C) Special Data Protection Information for the Social Flows Website

1. Which data is processed and from which sources does it originate?

We process personal data (Art. 4 No. 1 GDPR) that we collect on our website or receive from you directly. The personal data processed includes name, address, email addresses, and communication content.

2. For what purpose is the data processed and on what legal basis?

We process personal data in order to provide our services and to be able to receive and process your inquiries.

  • a) Processing with your consent (Art. 6 para. 1 a) GDPR): We process personal data to draw your attention to our offers.
  • b) Processing for fulfillment of legal obligations (Art. 6 para. 1 c) GDPR): Where required by law, such as for tax obligations.
  • c) Processing to protect vital interests (Art. 6 para. 1 d) GDPR): In rare cases where processing is necessary to protect the vital interests of the data subject or another natural person.
  • d) Processing due to overriding legitimate interests (Art. 6 para. 1 f) GDPR): Processing operations not covered by the aforementioned legal bases.

3. SSL Encryption

Our website uses SSL encryption for security reasons and to protect the transmission of confidential content.

4. Server Logfiles

We collect and store information about your visit to our website in server log files on the basis of Art. 6 para. 1 lit. f GDPR. These are:

  • Abbreviated IP address
  • Browser type / version
  • Operating system used
  • Referrer URL
  • Date and time of the server request
  • Amount of data transferred
  • The requesting provider

5. Use of Cookies

Our website uses cookies. We set technically necessary cookies required for the operation of the website on the basis of our legitimate interest in accordance with Art. 6 para. 1 f) GDPR. We only set other cookies, such as analytics cookies, with your express consent in accordance with Art. 6 para. 1 a) GDPR. When you first visit our website, a cookie banner will appear allowing you to accept or decline non-essential cookies. You can change your preferences at any time by clearing your browser cookies, which will cause the banner to reappear.

6. Duration of Storage

We process and store personal data only for the period necessary to achieve the purpose of processing or if this is provided for by laws or regulations. If the storage purpose no longer applies or if a legally prescribed storage period expires, the personal data is routinely blocked or deleted.

7. Contact Forms

We provide a contact form on our website to give you the opportunity to contact us electronically. If you use our contact form, we store and process the following data:

  • Name
  • Email address
  • Phone number
  • Company name
  • Your message

We do not pass on personal data to third parties. Data is only used to respond to your request. Storage and processing are based on Art. 6 para. 1 lit. f GDPR.

8. Third-Country Data Transfer

For our website, we may use cloud services from providers based outside the EU/EEA. We only transfer personal data to such providers if the transfer is permitted under the EU-US Data Privacy Framework or legitimized by standard contractual clauses.

9. Automated Decision-Making

We do not use automated decision-making processes in accordance with Art. 22 GDPR.

10. Documentation of Consents

If you have given us your consent to contact you via our website in accordance with Art. 7 GDPR, you can revoke your consent at any time free of charge (e.g., by email or by using the unsubscribe function).

Questions?

If you have any questions about this Privacy Policy, please contact us at [email protected].