Privacy Policy

Who We Are

Flowly People is a trading name of DoArt, a sole proprietorship (eenmanszaak) registered in the Netherlands with the Dutch Chamber of Commerce (Kamer van Koophandel) under KVK number 58598464, with its principal place of business in Helmond, Netherlands.

Flowly People operates the website at flowlypeople.com and provides a proprietary white-label digital lead capture and profile platform for real estate agencies and professionals.

For the purposes of the GDPR, Flowly People acts as:

• Data Controller — for personal data we collect about website visitors, prospective clients, and our own clients in the course of providing our services;

• Data Processor — for prospect contact data captured through the Platform on behalf of our clients, who act as Data Controllers of that data.

When this Policy refers to "Flowly People", "we", "us" or "our", it means DoArt trading as Flowly People. When it refers to "you", it means the individual whose personal data we are processing — whether you are a website visitor, a prospective client, a current client, or an agent using the Platform.

What This Policy Covers

This Privacy Policy covers personal data processed in the following contexts:

• Visitors to flowlypeople.com — including browsing data and contact form submissions;

• Prospective clients who book a demo, complete our lead audit calculator, or contact us directly;

• Current clients — real estate agencies and individual agents who have subscribed to the Platform;

• Platform users — agents who use the Platform under a client's subscription;

• Contracted parties — individuals whose details appear in signed service agreements.

This Policy does not cover prospect contact data captured through the Platform's bilateral exchange feature on behalf of our clients. That data is processed by us as a Processor under our clients' instructions. Our clients are the Data Controllers of that data and are responsible for their own privacy notices to their prospects. Our data processing obligations as Processor are set out in the Service Agreement (Schedule B).

Data We Collect and Why

Website visitor data

When you visit flowlypeople.com, we automatically collect your IP address, browser type, pages visited, time on site, referring URL, and device type. This data is collected by Framer, our website platform, and is used for platform security, analytics, and improving website content.

Demo and enquiry requests

When you submit a contact form or book a demo, we collect your name, email address, phone number, agency name, and the content of your message. We use this to respond to your enquiry, qualify your interest, and schedule a demo call.

Commission Leak Audit

If you complete our free audit calculator, we collect the data you enter voluntarily — including your agency size, estimated lead volume, CRM type, and market data. We use this to generate your audit result and follow up with you as a prospective client.

Client account data

When you sign up as a client, we collect your full name, email address, phone number, business name, business address, and KVK or EIN number. This is collected via your signed Service Agreement through PandaDoc and is used for contract performance, account management, invoicing, and legal compliance.

Payment data

We collect your billing name, billing address, last 4 digits of your card, payment method type, and transaction history. We never receive or store raw card details — all payment processing is handled directly by Stripe, our payment processor. This data is used to process subscription payments, issue invoices, and manage failed payments.

Agent profile data

To create Agent Profiles on the Platform, we collect agent names, photos, job titles, agency names, social media links, property listings, and contact details. This is provided by the client or agent during onboarding and is used solely to operate the Agent Profiles.

Support communications

When you contact us for support, we collect your name, email address, phone number, WhatsApp number, and the content of your messages. This is collected via email and WhatsApp and is used to provide customer support, resolve issues, and maintain records of our communications.

Platform usage data

The Platform automatically collects login activity, dashboard interactions, feature usage, and per-agent interaction statistics. This is used to operate the Platform, troubleshoot issues, improve features, and provide admin dashboard data to clients.

Zapier account access

Where you request CRM integration, you provide us with temporary access to your Zapier account. We use this access solely to configure the Zapier-based CRM integration. This access is temporary and your credentials are not stored beyond the setup period.

Signed contract data

PandaDoc, our electronic signature platform, records the name, signature, IP address, timestamp, and email address of each contracting party as part of the legally binding audit trail. We retain this as evidence of contract execution and for compliance purposes.

Legal Bases for Processing

Under the GDPR, we must have a valid legal basis for each processing activity. We rely on the following legal bases.

Performance of a contract (Article 6(1)(b) GDPR)

We process client account data, payment data, agent profile data, and platform usage data because it is necessary to perform our Service Agreement with you — to provide, manage, and operate the Platform and deliver the Services you have subscribed to.

Legitimate interests (Article 6(1)(f) GDPR)

We process website visitor data, enquiry data, support communications, and signed contract data on the basis of our legitimate interests in operating and improving our website and Platform, responding to and following up on sales enquiries, maintaining records of contracts and communications, and protecting our business and clients against fraud and security threats. We have assessed that these legitimate interests are not overridden by your interests or fundamental rights, given the B2B nature of our services and the reasonable expectations of professional users.

Legal obligation (Article 6(1)(c) GDPR)

We process certain data — including invoicing records and contract documents — because we are required to do so under applicable law, including Dutch tax law (Belastingwet), accounting obligations under Article 52 AWR (7-year retention requirement), and applicable commercial legislation.

Consent (Article 6(1)(a) GDPR)

Where we use non-essential cookies or tracking technologies on our website, we rely on your consent. You can withdraw this consent at any time via our cookie settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

How We Use Your Data

We use the personal data we collect for the following purposes:

• Providing the Platform and Services — configuring your agency dashboard, agent profiles, and CRM integration; running the Platform; delivering onboarding;

• Account management — managing your subscription, processing payments, issuing invoices, handling billing queries;

• Communications — responding to enquiries, sending service-related notifications such as payment receipts, renewal reminders, and platform updates, and providing support;

• Sales and marketing — following up on demo requests and audit submissions, and sending information about our services to prospective clients who have expressed interest. We do not send unsolicited marketing emails. You can opt out at any time by contacting us at info@flowlypeople.com;

• Legal and compliance — maintaining records required by Dutch law, enforcing our Service Agreement, and defending or pursuing legal claims;

• Security and fraud prevention — monitoring for unauthorised access and protecting the integrity of the Platform;

• Improving our services — analysing usage patterns, in aggregated or anonymised form where possible, to improve the Platform and website.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Who We Share Data With

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share personal data only with the following categories of recipients, and only to the extent strictly necessary.

Platform Technology Provider

We use a third-party white-label platform to provide the underlying infrastructure of the Flowly People Platform. This provider acts as a sub-processor and processes data only to operate the Platform on our behalf. The provider's identity is confidential for commercial reasons. Data may be processed in the EEA or the USA, subject to appropriate safeguards.

Stripe Inc. (payment processing)

Stripe processes subscription payments and billing on our behalf. Stripe receives your billing name, billing address, and payment method details. Stripe does not receive prospect lead data. Stripe is based in the USA and is subject to Standard Contractual Clauses. Stripe's own privacy policy applies to payment data.

PandaDoc (electronic signatures)

PandaDoc is used to send, sign, and store our Service Agreements electronically. PandaDoc receives the names, email addresses, and IP addresses of contracting parties as part of the signature audit trail. PandaDoc is based in the USA and operates under Standard Contractual Clauses.

Zapier Inc. (CRM integration)

Where you have configured CRM integration, Zapier connects the Platform to your CRM and may process lead data as part of that connection. Zapier acts as a sub-processor for this purpose only. Zapier is based in the USA and operates under Standard Contractual Clauses.

Google (Gmail and Google Drive)

We use Google Workspace for business email communications and for secure storage of signed contracts. Google may process names, email addresses, and contract content. Google operates under Standard Contractual Clauses for transfers outside the EEA.

Meta / WhatsApp

We use WhatsApp to provide support to clients during the first 30 days after onboarding, and where agreed with the client for ongoing communications. WhatsApp is operated by Meta Platforms Inc., based in the USA, and operates under Standard Contractual Clauses.

Framer (website hosting)

Framer hosts and operates the flowlypeople.com website and collects standard web analytics data including IP addresses and browsing behaviour. Framer may process data in the USA or EEA, subject to appropriate safeguards.

Legal and professional advisors

Where necessary to obtain legal advice or enforce our rights, we may share relevant data with legal or professional advisors based in the Netherlands. These advisors are bound by professional confidentiality obligations and act as independent controllers.

Competent authorities

Where required by applicable law, a court order, or a regulatory authority, we may disclose personal data to the relevant authority. We will notify you of any such disclosure where we are legally permitted to do so.

All sub-processors listed above are engaged under contracts that include GDPR-compliant data processing terms. Where sub-processors are located outside the EEA, appropriate safeguards are in place as described in Section 7.

International Data Transfers

Several of our sub-processors — including Stripe, PandaDoc, Zapier, Google, Meta/WhatsApp, and Framer — are based in or operate infrastructure in the United States, which is outside the European Economic Area (EEA).

When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. The primary mechanism we rely on is the use of Standard Contractual Clauses (SCCs) approved by the European Commission, which impose equivalent data protection obligations on the receiving parties.

Where required by the Dutch Autoriteit Persoonsgegevens (AP), we conduct a Transfer Impact Assessment (TIA) to verify that the level of protection afforded by the SCCs is not undermined by the laws of the destination country.

You may request a copy of the safeguards we have in place for international data transfers by contacting us at info@flowlypeople.com.

How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable law. The following retention periods apply.

Client account data

Retained for the duration of your subscription plus 7 years after termination, as required by Dutch accounting and tax law (Article 52 AWR).

Payment records and invoices

Retained for 7 years from the date of the transaction, as required by Dutch fiscal law.

Signed contracts

Retained for 7 years from the contract end date, to enable enforcement of contractual rights and compliance with Dutch commercial law.

Agent profile data

Retained for the duration of the client's subscription. Deleted or returned within 30 days of subscription termination, upon written request.

Prospect lead data (as Processor)

Retained for the duration of the client's subscription plus 30 days post-termination. The client, as Data Controller, may instruct earlier deletion at any time.

Support communications

Retained for 3 years from the date of the last communication, or for the duration of the subscription if longer, to allow us to address recurring issues.

Website analytics data

Retained for 26 months from collection, in aggregated or anonymised form where possible.

Enquiry and demo request data

Retained for 12 months from initial contact if no subscription is taken up, after which data is deleted unless you have given consent for longer retention.

Zapier credentials

Not retained. Access is used only for the duration of the integration setup and is not stored by Flowly People.

When data is no longer required, we delete or anonymise it securely. Where we are required by law to retain data beyond these periods, we will do so and inform you where possible.

Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights in relation to your personal data. These rights apply to data we process as Controller. For data we process as Processor — specifically prospect lead data — please contact our client who is your agency and the Data Controller of that data.

Right of Access (Article 15)

You can request a copy of the personal data we hold about you and information about how we use it.

Right to Rectification (Article 16)

You can ask us to correct inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17)

You can ask us to delete your personal data where it is no longer necessary for the purpose it was collected, among other grounds.

Right to Restriction (Article 18)

You can ask us to restrict processing of your data in certain circumstances, for example while we verify accuracy you have contested.

Right to Data Portability (Article 20)

Where processing is based on contract or consent and carried out by automated means, you can request your data in a structured, machine-readable format.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing. We will stop unless we have compelling legitimate grounds.

Right to Withdraw Consent (Article 7)

Where processing is based on consent, such as non-essential cookies, you can withdraw consent at any time without affecting prior processing.

Right to Complain

You have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (AP), at autoriteitpersoonsgegevens.nl.

To exercise any of these rights, contact us at info@flowlypeople.com. We will respond within 30 days of receiving your request. Where requests are complex or numerous, we may extend this by a further 2 months and will notify you if this applies. We do not charge a fee for handling rights requests unless they are manifestly unfounded or excessive.

We may need to verify your identity before processing your request to protect your data from unauthorised access.

Cookies and Tracking

Our website at flowlypeople.com is built on Framer, which may place cookies or use similar tracking technologies in connection with operating the website.

Essential cookies

These are necessary for the website to function correctly and do not require your consent under Dutch law and the EU ePrivacy Directive. They include session management and security cookies.

Analytics cookies

We may use analytics tools to understand how visitors use our website — including which pages are visited, how long visitors stay, and where they come from. Where these tools process personal data such as IP addresses, we require your consent before placing them. You can withdraw consent at any time through your browser settings or our cookie management tool.

Your cookie choices

Under updated Dutch guidelines from November 2025, opt-in consent is required for non-essential cookies, including tracking or marketing cookies that monitor user behaviour. Where we use such cookies, we will present you with a clear consent banner before placing them.

Blocking certain cookies may affect the functionality of our website. Essential cookies cannot be disabled as they are required for the website to operate.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure. These measures include:

• Encryption in transit: All data transmitted between your browser and our systems is encrypted using TLS (HTTPS);

• Access controls: Access to personal data is restricted to authorised personnel who require it to perform their functions, and is subject to confidentiality obligations;

• Payment security: We do not store raw payment card details. All payment processing is handled by Stripe, which is PCI DSS certified;

• Secure contract storage: Signed contracts are stored in encrypted Google Drive with restricted access;

• Sub-processor security: We only engage sub-processors that provide sufficient guarantees regarding their security measures, as required by Article 28(1) GDPR.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Autoriteit Persoonsgegevens (AP) within 72 hours of becoming aware of it, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

No system is completely secure. If you believe your data has been compromised, please contact us immediately at info@flowlypeople.com.

Data We Process on Your Behalf

Where you are a client of Flowly People and use the Platform to capture prospect contact data through the bilateral exchange feature, you are the Data Controller of that prospect data and Flowly People is your Data Processor.

In this capacity, we process prospect contact data only on your instructions and only to provide the Services. We do not use prospect data for our own purposes or share it with third parties beyond what is necessary to operate the Platform. We implement appropriate security measures, notify you of any personal data breach affecting prospect data within 72 hours, and delete or return prospect data upon termination of your subscription as set out in your Service Agreement.

As Data Controller of prospect data, you are responsible for ensuring you have a lawful basis for capturing prospect contact data, providing appropriate privacy notices to prospects at the point of data capture, responding to data subject rights requests from prospects, and maintaining your own privacy policy that covers your use of the Platform.

The full terms of our data processing relationship are set out in Schedule B of your Service Agreement, which constitutes a Data Processing Agreement under Article 28 GDPR.

Children's Privacy

The Platform and our services are intended for use by businesses and professionals only. We do not knowingly collect personal data from individuals under the age of 16. Under the Dutch GDPR Implementation Act (UAVG), the age of digital consent in the Netherlands is 16 years. We do not offer information society services directly to children and do not process data about children.

If you believe we have inadvertently collected personal data about a child under 16, please contact us immediately at info@flowlypeople.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we provide, or applicable law. When we make material changes, we will notify current clients by email at least 30 days before the changes take effect.

For website visitors and prospective clients, the updated Policy will be published at this URL with a revised "Last updated" date. We encourage you to review this Policy periodically. Your continued use of the Platform or website after the effective date of any updated Policy constitutes your acknowledgement of the changes. If you do not accept the updated Policy, you may terminate your subscription in accordance with your Service Agreement.

Contact us

For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact us. Our business name is DoArt, trading as Flowly People, registered in the Netherlands under KVK number 58598464, with our principal place of business in Helmond, Netherlands. You can reach us by email at info@flowlypeople.com or through our website at flowlypeople.com. We aim to respond to general enquiries within 2 Business Days and to formal data subject rights requests within 30 days.