Privacy Policy

Last updated: 26 June 2026

Flow ("Flow", "we", "us" or "our") is committed to protecting your privacy. This policy explains what personal data we handle, both the data you share through this website and the limited customer data we process when fulfilling our own marketplace orders, how we use it, who we share it with, and the rights you have over it.

01 Who we are

Flow is a marketplace operating partner working with brands across Europe, with operations in London, München and Dubai. For the purposes of UK and EU data protection law, Flow is the data controller responsible for the personal data described in this policy.

If you have any questions about this policy or how we handle your data, contact us at [email protected].

02 What data we collect

Information you give us

When you submit our contact form, we collect the details you choose to provide:

• Name: so we know who we're speaking with.
• Email address: so we can reply to you.
• Company (optional): to understand the context of your enquiry.
• Your message: the content of your enquiry.

Information collected automatically

Like most websites, our infrastructure records limited technical data needed to deliver and secure the site, including your IP address, browser type and the pages you request. This is used for security, abuse prevention and reliability, not to build a profile of you.

We do not use analytics, advertising trackers or tracking pixels on this site, and we do not sell your data.

03 Order fulfilment data (Amazon marketplace)

Separately from this website, Flow operates its own Amazon seller account and uses Amazon's Selling Partner API to run that business. For orders we fulfil ourselves (rather than through Amazon's fulfilment network), Amazon provides a limited amount of customer personal data so the order can be shipped and invoiced.

What we receive

• Buyer name and address: the details needed to dispatch and invoice a self-fulfilled order.
• Order identifier: the Amazon order number used to process and reconcile the shipment.

How we use it

This data is used solely to dispatch and reconcile the shipment for that order and to issue the VAT/tax invoice the order legally requires. It is never used to build marketing profiles, never resold, and never shared with anyone beyond the carrier needed to deliver the parcel and the relevant tax authority. Our lawful bases are the performance of the purchase contract with the customer and compliance with our legal (tax) obligations.

How we protect it

Customer data received from Amazon is encrypted in transit (TLS) and at rest (AES-256), access is limited to the minimum number of named staff who need it, and it is excluded from our application logs (we record only the Amazon order identifier where a reference is required).

How long we keep it

In line with Amazon's Data Protection Policy, we delete customer personal data from orders within 30 days of the order being delivered. The exception is tax invoices: where tax law requires us to keep invoice records for longer (in the UK, for example, six years), those records are held in an encrypted, offline archive used only for tax compliance, and are deleted, from live systems and all backups, once the statutory period ends.

04 How and why we use your data

• To respond to your enquiry and discuss whether we're a good fit to work together.
• To operate and secure the website, including preventing spam and abuse.
• To keep records of our business correspondence.

Our legal bases under the UK GDPR and EU GDPR are our legitimate interests (to respond to enquiries and run our business securely) and, where your enquiry relates to a potential engagement, steps taken at your request prior to entering a contract.

05 Who we share it with

We don't sell or rent your personal data. We use a small number of trusted service providers ("processors") to run this website. Each processes data only on our instructions:

We may also disclose data where required by law or to protect our legal rights.

06 Cookies

This website does not set analytics or marketing cookies. Cloudflare may set strictly-necessary cookies to keep the site secure and detect automated abuse. These are required for the site to function and do not track you across other websites.

07 International transfers

Flow operates in the UK, Germany and the UAE, and some of our providers (such as Cloudflare, Resend and Google) may process data outside your country, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision.

08 How long we keep it

We keep enquiry correspondence for as long as needed to respond and to maintain reasonable records of our business communications, after which it is deleted. Automatically-collected technical logs are retained for a short period for security and then discarded.

09 Your rights

Subject to UK and EU data protection law, you have the right to:

• Access the personal data we hold about you.
• Ask us to correct inaccurate or incomplete data.
• Ask us to erase your data ("right to be forgotten").
• Object to, or ask us to restrict, our processing.
• Request a copy of your data in a portable format.
• Withdraw consent where we rely on it.

To exercise any of these rights, email [email protected]. You also have the right to complain to a data protection authority. In the UK this is the Information Commissioner's Office (ICO); in Germany, your relevant state data protection authority.

10 Changes to this policy

We may update this policy from time to time. When we do, we'll revise the "Last updated" date above. Material changes will be made clear on this page.