Flinque GDPR Compliance
The short version, so you know where we stand on GDPR
Flinque processes personal data of individuals in the European Economic Area, United Kingdom, and Switzerland, which means the General Data Protection Regulation (GDPR), UK GDPR, and Swiss FADP apply. This page explains exactly how we comply, what your rights are, how to exercise them, and how we handle international transfers.
GDPR applies whether you are a customer, a team member using a customer’s workspace, a creator whose public data appears in our platform, or a visitor to our website. Each relationship has specific rights and procedures. We have tried to make this accessible without dumbing it down.
To exercise your GDPR rights, use the contact page.
- Scope and Legal Framework
- Controller and Processor Roles
- Lawful Bases for Processing
- Categories of Data Subjects
- Data Subject Rights
- How to Exercise Your Rights
- Response Timelines
- International Data Transfers
- Data Protection Impact Assessments
- Records of Processing
- Processor Obligations
- Breach Notification
- EU Representative
- Lead Supervisory Authority and Complaints
- Contact for GDPR Matters
1. Scope and Legal Framework
This GDPR Compliance policy applies to the processing of personal data relating to individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, in connection with the Flinque influencer marketing platform.
The applicable legal frameworks are:
- EU General Data Protection Regulation (Regulation (EU) 2016/679), known as the “GDPR”
- United Kingdom General Data Protection Regulation (UK GDPR) as retained under UK law
- UK Data Protection Act 2018
- Swiss Federal Act on Data Protection (revised FADP)
- EU ePrivacy Directive 2002/58/EC and national implementations
This policy should be read together with our Privacy Policy, Data Privacy Policy, Cookie Policy, and Data Processing Agreement.
2. Controller and Processor Roles
Under GDPR, we act as either a data controller or a data processor depending on the data category and processing purpose.
2.1 When Flinque is a controller
Flinque determines the purposes and means of processing for:
- Customer account management, authentication, and billing
- Our own marketing to prospective and existing customers
- Platform analytics used to improve our service
- Creator public data aggregation and algorithmic scoring from publicly accessible sources
- Security monitoring, fraud prevention, and abuse detection
- Website visitors and cookie-based tracking
2.2 When Flinque is a processor
Flinque processes personal data on behalf of our customers under their documented instructions for:
- User Content customers create in their workspaces (lists, campaigns, notes, outreach templates)
- Third-party contact data customers upload or import
- Integration data flowing from customer-connected tools
For processor relationships, our Data Processing Agreement forms the Article 28 contractual basis.
3. Lawful Bases for Processing
GDPR Article 6 requires a lawful basis for every processing activity. We rely on the following lawful bases:
3.1 Legitimate interests assessments
Where we rely on legitimate interests, we conduct a balancing assessment (Legitimate Interests Assessment or LIA) that weighs our interests against the rights and freedoms of data subjects. Summaries are available to regulators and to data subjects on request.
3.2 Special category data
Flinque does not intentionally collect special category data (data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, etc.) under GDPR Article 9. If such data appears incidentally in public creator content that we index, we process it under Article 9(2)(e) (data manifestly made public by the data subject) only to the extent necessary for the platform’s stated purposes.
4. Categories of Data Subjects
The main categories of data subjects whose personal data we process:
- Customers and prospects: individuals who create accounts, submit inquiries, subscribe to newsletters, attend webinars, or interact with our sales and support teams
- Team members: individuals invited to a customer workspace who use an allocated seat
- Creators: individuals whose publicly available social media profile data appears in our platform
- Visitors: individuals who browse our website without an account
- Vendors and partners: individuals associated with our sub-processors, partners, or service providers
- Applicants: individuals applying for roles via our Careers page
Each category has different rights available under GDPR as described in Section 5.
5. Data Subject Rights
Individuals in the EEA, UK, and Switzerland have the following rights under GDPR:
5.1 Right to information (Articles 13-14)
You have the right to be informed about what data we collect, why, how, and with whom we share it. Our Privacy Policy provides this information.
5.2 Right of access (Article 15)
You can request confirmation of whether we process your personal data and receive a copy of that data together with supplementary information including the purposes of processing, categories of data, recipients, retention periods, and your other rights.
5.3 Right to rectification (Article 16)
You can request that inaccurate personal data be corrected and incomplete data be completed.
5.4 Right to erasure (Article 17)
Under this right, also known as the “right to be forgotten”, you can request deletion of your personal data where one of the Article 17 grounds applies. Detailed procedures are in our Data Removal and Right to Erasure Policy.
5.5 Right to restriction of processing (Article 18)
You can request that we limit our processing of your personal data in specific circumstances, for example while accuracy is being verified or while an objection is being considered.
5.6 Right to data portability (Article 20)
For data you provided to us based on consent or contract, you can receive it in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted to another controller where technically feasible.
5.7 Right to object (Article 21)
You can object to processing based on legitimate interests (including profiling) on grounds related to your particular situation. You have an absolute right to object to direct marketing at any time.
5.8 Rights relating to automated decision-making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Flinque does not make such decisions; our algorithmic scores are decision-support tools that require human review before action.
5.9 Right to withdraw consent (Article 7)
Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Marketing emails contain unsubscribe links. Cookie preferences can be updated per our Cookie Policy.
5.10 Right to lodge a complaint (Article 77)
You can lodge a complaint with a supervisory authority if you believe your rights have been infringed. See Section 14 for details.
6. How to Exercise Your Rights
To exercise any of the rights in Section 5, use one of the following methods:
- Contact form: use our contact page with the category set to “Privacy / GDPR”
- Dashboard self-service: many account actions (access, rectification, consent withdrawal for marketing) can be done directly from your account settings
- Creator data removal: use the procedure in our Data Removal and Right to Erasure Policy
- Postal mail: write to our registered office at the address in Section 15
6.1 Identity verification
To protect your data and prevent impersonation, we may need to verify your identity before fulfilling a request. Verification is proportionate to the sensitivity of the request: simple requests may only require confirmation of account access, while broader requests may require additional information.
6.2 Requests on behalf of others
Authorized agents, parents, and legal representatives can submit requests on behalf of data subjects. We require written authorization and may contact the data subject directly to confirm.
6.3 Free of charge
Fulfilling data subject rights requests is free of charge. We may charge a reasonable fee or refuse requests that are manifestly unfounded, excessive, or repetitive, with documented justification.
7. Response Timelines
We respond to data subject requests within the timelines required by GDPR:
- Initial acknowledgment: within 2 business days of receipt
- Standard response: within 30 days of a verified request
- Extension: complex or high-volume requests may require up to 60 additional days (maximum 90 days total), with written notice of the extension and its reasons
- Creator removal requests: typically processed within 48 hours of verification
If we cannot fulfil your request, we tell you why and inform you of your right to lodge a complaint with a supervisory authority.
8. International Data Transfers
Because Flinque operates globally, personal data may be transferred outside the EEA, UK, or Switzerland. Where this occurs, we apply appropriate safeguards under GDPR Chapter V.
8.1 Transfer mechanisms
- EU Standard Contractual Clauses (SCCs): the 2021 SCCs approved by the European Commission are in place with our sub-processors and for intra-group transfers
- UK International Data Transfer Agreement (IDTA) or UK Addendum: applied for UK-originating transfers
- Swiss Addendum: applied for Swiss-originating transfers
- Adequacy decisions: where the European Commission or UK government has decided a country provides adequate protection, transfers may proceed on that basis
- EU-US Data Privacy Framework: for transfers to certified US recipients, we rely on the framework where applicable
8.2 Supplementary measures
Where destination countries have laws that may affect the level of protection (as highlighted by the Schrems II decision), we apply supplementary measures including encryption in transit and at rest, pseudonymization, strict access controls, and contractual commitments with sub-processors.
8.3 Transfer impact assessments
We complete Transfer Impact Assessments (TIAs) for material transfers to countries without adequacy decisions, evaluating the legal environment, technical safeguards, and additional protections. Summaries are available to Enterprise customers on request.
9. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) under Article 35 when processing activities are likely to result in high risk to the rights and freedoms of data subjects.
Our DPIA process covers:
- Systematic description of the processing and its purposes
- Necessity and proportionality assessment
- Risk assessment for data subjects’ rights and freedoms
- Mitigation measures and residual risk evaluation
- Consultation with our privacy advisors and, where required, supervisory authorities
Features involving large-scale processing, profiling with significant effects, or special category data go through DPIA review before launch.
10. Records of Processing
As required by Article 30, we maintain Records of Processing Activities (RoPA) for both our controller and processor activities. Our records capture:
- Name and contact details of the controller or processor
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfer details where applicable
- Retention periods
- Description of technical and organizational security measures
Records are available to supervisory authorities on request.
11. Processor Obligations
Where Flinque acts as a processor (see Section 2.2), we comply with Article 28 obligations:
- Process personal data only on documented instructions from the controller
- Ensure personnel authorized to process personal data are under confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage sub-processors without prior written authorization
- Assist the controller in responding to data subject requests
- Assist the controller with breach notification, DPIAs, and prior consultation
- Return or delete personal data at the end of the services
- Make information available to demonstrate compliance and allow for audits
These obligations are contractually binding through our Data Processing Agreement.
12. Breach Notification
We comply with GDPR breach notification obligations under Articles 33 and 34:
- To supervisory authorities (Art. 33): within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in risk to individuals’ rights and freedoms
- To affected data subjects (Art. 34): without undue delay where the breach is likely to result in high risk to their rights and freedoms
- As processor (Art. 33(2)): we notify affected controllers of any breach affecting their data without undue delay
Breach notifications include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
Full incident response procedures are detailed in our Security Policy.
13. EU Representative
Because Flinque is established outside the EEA and offers services to individuals in the EEA, we are required under Article 27 to appoint a representative in the Union.
Our EU and UK representative details are provided to supervisory authorities and data subjects on request. To contact our representative or request their details, submit a request through our contact page with the category set to “EU Representative”.
The representative acts as a point of contact for supervisory authorities and data subjects regarding matters related to GDPR compliance, in addition to, not in place of, Flinque directly.
14. Lead Supervisory Authority and Complaints
If you believe our processing of your personal data infringes GDPR, you can lodge a complaint with a supervisory authority.
14.1 Where to lodge a complaint
- The supervisory authority of your habitual residence
- The supervisory authority of your place of work
- The supervisory authority of the place of the alleged infringement
14.2 Key supervisory authorities
- United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- France: Commission nationale de l’informatique et des libertés (CNIL) — cnil.fr
- Germany: Federal and state data protection authorities — bfdi.bund.de
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
- Italy: Garante per la Protezione dei Dati Personali — garanteprivacy.it
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
A full list of EEA supervisory authorities is published by the European Data Protection Board at edpb.europa.eu.
14.3 Before lodging a complaint
We encourage you to contact us first through our contact page so we have an opportunity to address your concerns directly. GDPR does not require you to do this before lodging a complaint, but many issues can be resolved faster through direct communication.
15. Contact for GDPR Matters
For questions about this GDPR Compliance policy, to exercise your rights, or to request details of safeguards for international transfers, contact us.
Attn: Privacy Team (GDPR)
#8, Newbury Street
700 Boylston St
Boston, Massachusetts 02116
United States
Contact form: flinque.com/contact
Report an issue: flinque.com/report-an-issue