If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent national laws give you specific rights over your personal data. This page explains what those rights are, how they apply when you use Flosona, and how to exercise them.
For the wider context on how we collect and use data, see our Privacy Policy.
1. Who is the controller?
The answer depends on how you use Flosona:
- If you sign up as a business owner or a team member, Flosona is the data controller for the personal data you give us about yourself (name, email, phone, billing).
- If you are a customer of a business that uses Flosona (for example, you booked an appointment through a Flosona-powered booking page), that business is the controller of your data. Flosona acts as a data processor on the business's behalf. To exercise your rights, contact the business first. We will assist them in answering your request.
2. Your rights
Under the GDPR you have the following rights in respect of your personal data.
2.1 Right of access (Article 15)
You can ask us to confirm whether we hold personal data about you, and if so, to give you a copy along with information about how we use it, who we share it with, and how long we keep it.
2.2 Right to rectification (Article 16)
You can ask us to correct data that is wrong or complete data that is missing. Most profile data is editable directly from your account settings. For anything you cannot change yourself, contact us.
2.3 Right to erasure (Article 17)
You can ask us to delete your personal data. We will do so unless we have a valid reason to keep it, for example to meet tax or accounting obligations, to defend legal claims, or to preserve transaction records a business customer is required by law to keep. If we cannot delete, we will explain why.
2.4 Right to restrict processing (Article 18)
You can ask us to pause processing of your data while a dispute is resolved, for example while we check the accuracy of data you have asked us to correct.
2.5 Right to data portability (Article 20)
You can request a copy of the personal data you have given us in a structured, commonly used, machine-readable format. Where it is technically possible, you can also ask us to send this data to another provider directly.
2.6 Right to object (Article 21)
You can object to processing that we carry out on the basis of our legitimate interests, and to any processing for direct marketing purposes. If you object to direct marketing, we will stop straight away.
2.7 Automated decisions (Article 22)
Flosona does not make decisions about you that produce legal or similar effects based only on automated processing. AI-assisted features (such as the AI chat assistant) support you and your team but do not make binding decisions on your behalf.
2.8 Right to withdraw consent
Where we rely on your consent to process data (for example, for optional integrations you connect to your account), you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing we carried out before you withdrew it.
2.9 Right to complain
If you believe we have mishandled your data, you can lodge a complaint with your local supervisory authority. We would appreciate the chance to address your concern first, so please contact us before or alongside any complaint.
3. How to exercise your rights
Send a request to privacy@flosona.com including:
- The right you want to exercise (access, erasure, portability, and so on).
- The email address on your Flosona account.
- Enough information to let us verify your identity. For requests about sensitive data we may ask for extra verification so we do not hand your data to the wrong person.
- If you are acting for someone else (for example, a parent acting for a minor), evidence of your authority to do so.
4. Response times
We respond to verified requests within 30 days. If a request is complex or you have sent us several requests, we can extend this by up to two further months and will tell you why within the first 30 days. There is no charge for a reasonable request. We may charge a fair administrative fee or refuse requests that are clearly unfounded or repetitive, and will explain why if we do.
5. What we process
Typical categories of personal data Flosona processes include:
- Account data: name, email, hashed password, phone number, timezone, user type, role.
- Organization data: business name, address, country, currency, custom URL, subscription plan.
- Customer records (controlled by the business): contact details, appointment history, job history, invoices, payment status, notes, files.
- Usage data: login timestamps, IP addresses for rate limiting and abuse detection, audit log entries for sensitive actions.
- Communications: emails you send or receive through Flosona's inbox feature, if you have connected a mailbox.
- Payment metadata: amount, currency, status, processor reference. Full card numbers are handled only by the payment processor, not by Flosona.
6. International transfers
Your data may be processed in countries outside your own, including places that have not been recognised by the European Commission as offering an adequate level of protection. Where that happens, we rely on Standard Contractual Clauses and, where needed, extra safeguards. Contact us if you want a copy of the clauses that apply to a specific processing activity.
7. Data retention
We keep personal data only for as long as we need it to run the service and to meet legal, accounting, or reporting obligations. When an account is deleted, we remove its personal data from active systems. Backup copies age out of our backup rotation over time and are then destroyed.
8. Contact
For privacy questions, data subject requests, or other concerns, contact us at privacy@flosona.com. For security matters, see our Security page. For cookies, see our Cookie Policy.