Privacy Policy

Last Revised: May 20, 2024

Introduction

This document (hereinafter: “Privacy Policy”) describes the privacy practices of Flowstates Inc, located at 330 Madison Avenue, 27th Floor, New York, NY 10017, SR: 20223077628, EIN: 88-3465626 (hereinafter: “we,” “us,” “our,” or “Flowstates”). Flowstates is the owner and provider of www.flowstates.net and the SendmuleCX Plugins, which collectively comprise a proprietary software-as-a-service (SaaS) marketing platform for sending SMS messages (the “Flowstates Services”).

We understand the importance of protecting personal information and have designed both our internal operations and the Flowstates Services with data privacy and security in mind.

Our Data Protection Officer can be contacted at:
📧 dataprotectionofficer@flowstates.co

If you have questions about this Privacy Policy or our data protection practices, you can contact us using the email above. We encourage you to reach out so we may address your concerns directly. If needed, you also have the right to lodge a complaint with your relevant U.S. state or federal data protection authority — see links in the "Data Subject Rights" section below.

Flowstates acts as both:

• A Data Controller for information collected through our own business operations; and

• A Data Processor is when we process information on behalf of our customers via Flowstates Services (e.g., when they collect data from their own customers or end users).

This Privacy Policy is divided into three parts:

Part A – Processing where Flowstates acts as Data Controller
Part B – Processing where Flowstates acts as Data Processor
Part C – Provisions that apply to both roles, including security, retention, and rights

Key Terms and Definitions

Applicable Legislation means all relevant U.S. privacy laws and regulations, including but not limited to:

• California Consumer Privacy Act (CCPA)

• California Privacy Rights Act (CPRA)

• Children’s Online Privacy Protection Act (COPPA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Any other applicable federal or state laws governing personal data.

Flowstates Services refers to Flowstates’ SaaS marketing tool for sending SMS, RCS, or other forms of electronic messages, available through www.flowstates.net.

Data Processing Agreement (DPA) is the agreement that governs how Flowstates (as Processor) handles personal data on behalf of the Customer (as Controller) when using Flowstates Services.

Controller means any legal entity that determines the purposes and means of processing personal data.

Customer means a business or organization that registers with Flowstates to use Flowstates Services and acts as a Controller of any personal data they input or collect through the platform.

Processing / Data Processing includes any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

End User means the customer or contact of a Flowstates Customer, whose data is processed through the Flowstates Services.

End User Messages refers to SMS messages sent from Flowstates Customers to End Users via the SendmuleCX platform, categorized as A2P (“application-to-person”) messages.

Personal Data refers to any information related to an identifiable person, including names, email addresses, IP addresses, or phone numbers, as defined under U.S. privacy law and, where relevant, the GDPR.

Processor means any entity that processes personal data on behalf of a Controller.

Part A – Flowstates as Data Controller

Data Controller Contact Details

Flowstates Inc
330 Madison Avenue, 27th Floor
New York, NY 10017, United States
SR: 20223077628
EIN: 88-3465626

Personal Data Types and Processing Details

Account Registration Data

• Data Collected: Name, email address, job title, company name, company registered address, and country.

• Purpose: To form and maintain a business relationship with our customers and provide Flowstates Services.

• Legal Basis: Contractual obligation (Terms of Service).

Payment Method Data

• Data Collected: Card details (processed by our payment providers; Flowstates does not store this data).

• Purpose: To process payments for Flowstates Services.

• Legal Basis: Contractual obligation.

Invoicing Information

• Data Collected: Business representative names, emails, and phone numbers.

• Purpose: To issue invoices and meet legal obligations, such as fraud prevention and tax compliance.

• Legal Basis: Legal obligation.

Customer Service Records

• Data Collected: Name, email, phone number, and any information voluntarily provided during inquiries.

• Purpose: To respond to inquiries and provide support.

• Legal Basis: Contractual obligation.

Commercial Communication with Existing Customers

• Data Collected: Email addresses, possibly phone numbers.

• Purpose: To send newsletters, service updates, and promotional offers.

• Legal Basis: Legitimate interest (existing business relationship).

Commercial Communication with Non-Customers

• Data Collected: Email addresses.

• Purpose: To send marketing communications (e.g., newsletters, promotions).

• Legal Basis: Consent (e.g., newsletter sign-up).

Usage Data

• Data Collected: Technical details (IP address, session data, service usage logs).

• Purpose: To analyze service performance, prevent fraud, and improve functionality.

• Legal Basis: Legitimate interest.

Cookie Data

• Data Collected: IP address, visit duration, interaction data, interests via Google or Facebook pixels.

• Purpose: Marketing and analytics (e.g., Google Analytics, Facebook Ads).

• Legal Basis: Consent.

Retention of Personal Data

We retain personal data for:

• The duration of the business relationship plus 3 years for inquiries or disputes.

• Longer if required by law (e.g., tax records for at least 10 years).

• Until consent is withdrawn for marketing communications.

• Payment data is not stored by Flowstates (handled by payment providers).

• Cookie data is retained per our marketing partners’ policies.

You may request deletion or stop processing your data anytime at dataprotectionofficer@flowstates.co.
Please note: Some data must be retained for legal or fraud prevention purposes.

Part B – Flowstates as Data Processor

(Processing Personal Data on behalf of our Customers via Flowstates Services)

Flowstates Services are used by Customers (i.e., registered business entities) to send SMS messages to their customers or users (referred to as “End Users”). In this context, Flowstates is the Data Processor, and the Customer is the Data Controller.

Each Customer is responsible for obtaining proper legal consent from their End Users before using SendmuleCX to send messages. If you received an SMS via SendmuleCX and want to know where your data came from or how it is used, you should contact the sender directly or consult their privacy policy.

Flowstates does not monitor, alter, or assume responsibility for the content or legality of any messages sent through SendmuleCX by our Customers.

If you are an End User and want to exercise your data rights (access, deletion, etc.), you may contact:

• The Customer who sent the SMS, or

• Flowstates at dataprotectionofficer@flowstates.net (we’ll forward your request appropriately).

Personal Data Processed in Connection with SendmuleCX

Data Type Purpose Legal Basis Event/User Actions (e.g., purchase completed, cart abandoned, newsletter subscribed) Enables Customers to segment users and tailor SMS messages. Contractual (via DPA) Storefront/Website Data (e.g., discount codes, platform type)Enables compatibility with e-commerce platforms and restores abandoned carts. Contractual Plugin/Widget Version Info ensures platform compatibility and troubleshooting. Contractual Basic End User Info (Name, Phone, IP, Delivery Address) Required for message personalization, country prefix detection, and fraud prevention (e.g., DDoS). Contractual or Legitimate Interest (DDoS) Cart Data (Cart value, contents, payment method, coupon code, URL)Enables cart recovery and personalized messaging. Contractual Consent Checkbox Values (Marketing opt-ins, SMS consent) Records End User opt-in status for compliance.Contractual or Legitimate Interest Traffic Data (Message routing, timing)Needed for message delivery and billing. Contractual SMS Message Content (Actual message text)Enables provision of the core service (message delivery). Contractual

🔒 Some of this information may be anonymous unless combined with other identifiers.

⚠️ If a Customer chooses to process special categories of personal data (e.g. health or religious info), they must obtain explicit consent from End Users. Flowstates does not require or process this data by default.

Retention of End User Personal Data (as Processor)

• Flowstates processes End User data only for as long as necessary to fulfill the purposes of message delivery and analytics.

• Upon termination of a Customer account, we delete all associated End User data within 15 business days, unless legally required to retain it longer.

• Data may also be deleted sooner if:

  • Requested by the Customer,

  • Requested by the End User,

  • Required by a court order or applicable U.S. law.

Examples of legitimate data retention scenarios include:

• Fraud or criminal investigations

• Customer service records containing End User data

• Technical logs for platform maintenance (deleted post-maintenance)

Part C – General Provisions Applicable to All Data Processing

These provisions apply to all data subjects, whether Flowstates is acting as a Data Controller or Data Processor.

🔐 Data Security & Safeguards

We protect all Personal Data using appropriate measures:

• Technical measures (e.g. encryption, firewalls, secure servers)

• Organizational policies (e.g. access controls, staff confidentiality)

• Physical security where relevant (e.g. secure offices/data centers)

While we take every reasonable step to ensure your data is secure, no system is 100% immune from risk. You accept that data transmission over the internet inherently involves some security risks.

🗄️ Where We Store Personal Data

• Our primary data servers are hosted in Frankfurt, Germany (subject to international transfer protections).

• Data may be transferred and processed in the U.S., and Flowstates ensures adequate protections (e.g., Standard Contractual Clauses) are in place if data is transferred from the EU/EEA.

🔁 Data Sharing and Sub-Processors

We may share Personal Data with:

• Internal Flowstates staff (under strict access control and confidentiality obligations)

• Authorized third-party subprocessors (e.g., hosting providers, payment processors, marketing platforms) who act under contract and follow our instructions

• Public authorities or courts, when legally required (e.g., with a subpoena or court order)

We do not sell or rent Personal Data to third parties or use it for unrelated marketing purposes.

👤 Your Privacy Rights (as a Data Subject)

If you are a U.S. resident (including California), you may exercise the following rights under state and federal law:

RightWhat it meansRight to be InformedKnow what data we collect and why.Right of AccessObtain a copy of your personal data.Right to RectificationRequest corrections to inaccurate data.Right to ErasureAsk us to delete your data ("right to be forgotten").Right to Restrict ProcessingAsk us to temporarily or permanently stop using your data.Right to Data PortabilityReceive your data in a portable format (e.g. CSV).Right to ObjectObject to data processing in specific situations (e.g. marketing).

📩 To exercise your rights, contact us at:
dataprotectionofficer@flowstates.net

👶 Children's Privacy (Under Age 18)

Our services are not intended for users under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, please notify us immediately at dataprotectionofficer@flowstates.net so we can delete it.

🍪 Cookies and Tracking

Flowstates uses cookies on www.flowstates.net for analytics and marketing purposes. For full details, refer to our Cookie Policy.

📝 Changes to This Policy

We may update this Privacy Policy at any time. The “Last Revised” date will always reflect the most recent version. We recommend checking it regularly when using our site or services.

Contact Us

If you have questions, concerns, or complaints about this Privacy Policy, please contact:

📧 webmaster@flowstates.co
📧 dataprotectionofficer@flowstates.co