PRIVACY NOTICE

Last Updated: 02.10.2025.

1. General

At Flowlix (the “Flowlix”), we value your privacy and are committed to maintaining the confidentiality and security of your personal information. This Privacy Notice (the “Policy”) is designed to provide you with clear and transparent information about how we collect, use, and protect your data in line with data protection laws, including the General Data Protection Regulation (GDPR), Cyprus Law 125(I) of 2018 and other applicable laws and regulations.

We encourage you to read this Policy carefully to understand our practices and how they affect you, before you begin using our website https://flowlix.eu/ (the “Website”) or use Flowlix’s services.

By accessing or using the Website or Flowlix’s services, you acknowledge that you have read, understood, and agree to this Policy and our Cookie Notice. If you have any questions or concerns about any aspect of our privacy practices, please do not hesitate to contact us using the following details:

FLOWLIX LTD
Address: Georgiou A 30, Chrysanthos Apartments, Flat-Office G-H, Potamos Germasogeias, 4047, Limassol, Cyprus
E-mail: dpo@flowlix.eu

2. Updates to the Policy

2.1. We may update this Policy from time to time. Any changes will be posted on our website, and the date of the latest revision will be indicated. In the event of significant changes, we may, at our discretion, notify you using the contact details at our disposal.

2.2. However, it is your responsibility to review this Policy to stay informed about how we are protecting your personal information. If you do not agree with the changes, you should stop using our services and contact us if you have specific concerns.

3. Information we process

3.1. For the purposes outlined in this Policy, we may collect data that mainly falls under the following categories:

• ID-Related Data: name, surname, government-issued ID number, date of birth, nationality, ID document details, country of residence, and other similar data.

• Contact Information: email address, phone number, residential address, and other similar information.

• User Information: name of the user of Flowlix’s services, account preferences, etc.

• User Activity Information: for example, login and session data, usage patterns, activity logs, clickstream data, etc.

• Transaction Information: history and details of transactions made through our services, information about the recipient and sender, information about the purpose of the transaction, current balance, portfolio details and similar information.

• Payment Information: bank account information, payment card details, billing address, payment confirmation, etc.

• Information related to Risk Assessment: for example, risk profile.

• Technical and Device Information: IP address, browser type, device type, operating system, information related to interactions with our Website or Flowlix’s services, cookies, information about technical problems and other similar information.

• Communication Data: for example, details of user’s interactions with customer support, records of incoming and outgoing audio calls with Flowlix.

• Feedback Data: for example, user feedback, usage patterns, preferences.

• Compliance Data: information and documents necessary for compliance with Anti-Money Laundering (AML), Know Your Customer (KYC) and other similar legal and regulatory requirements (including without limitation identity verification information, proof of address (for example, utility bills, bank statements, etc.), photographic evidence (for example, photographs or scans of ID documents, selfies for facial recognition purposes, etc.), sanctions and watchlist screening information, etc.).

• Information related to Claims and Disputes: for example, information about the nature and specifics of the claim or dispute, information about how the claim or dispute was resolved, etc.

4. Sources of Information

4.1. Flowlix may collect personal data from various sources to fulfill the purposes described in this Policy. These sources include:

• Information provided by you: including when you create an account, use our services, make transactions, communicate with us, or provide feedback.

• Automated technologies: including information collected via cookies, log files, and similar technologies when you interact with our Website.

• Third-party sources: we may receive information from third parties (e.g., payment processors and identity verification services) and from publicly available sources.

5. Purpose and Legal Basis of Data Processing; Data Retention

5.1. General information

5.1.1. Flowlix processes your personal information for specific purposes and only where a lawful basis applies under data protection law. We process your data transparently, fairly, and only for the purposes for which it was collected. The main legal bases for processing are:

a) Performance of Contract (Contractual Necessity): we process your data to perform a contract with you or to take steps at your request before entering into a contract.

b) Legal Obligation: we process your data to comply with the law (for example, tax or regulatory requirements).

c) Legitimate Interests: we process data for our or a third party’s legitimate interests unless your interests or fundamental rights and freedoms prevail.

d) Consent: we process your data based on your explicit consent for certain features or services, and you may withdraw your consent at any time.

e) Vital Interests: we process your data to protect your vital interests or those of another person.

f) Public Task: we process your data where necessary to perform a task in the public interest or in the exercise of official authority.

5.2. Specifics

5.2.1. To provide you with a comprehensive understanding of how we process your personal data, we have outlined the various purposes and their corresponding legal bases in the table below. This table details the specific reasons for which we collect and process your data, along with the legal foundations that guide these practices and the retention period. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.

| Purpose of data processing | Type of Data | Legal Basis | Retention Period |
|---|---|---|---|
| Service Provision | Contact Information; User Information; ID-Related Data; User Activity Information; Transaction Information; Payment Information; Information related to Risk Assessment; Communication Data; Compliance Data | Contractual Necessity | Retained for period necessary to fulfill contract obligations until the deletion or termination of the agreement, unless further retention is required to comply with legal obligations or to resolve disputes |
| Legal and Regulatory Compliance | Compliance Data; User Information; ID-Related Data; Transaction Information; Payment Information; Information related to Risk Assessment | Legal Obligations; Public Task | Retained for 5 (five) years from the date of the transaction to comply with tax, accounting, and anti-fraud laws. This period may be extended if required by law |
| Fraud Prevention | Compliance Data; User Information; ID-Related Data; Transaction Information; Payment Information; Information related to Risk Assessment | Legal Obligations; Legitimate Interests | For the term of duration of the agreement and up to 3 (three) years after termination or expiration of the agreement |
| Service Improvement and Troubleshooting | Communication Data; Feedback Data | Contractual Necessity; Legitimate Interests | Retained for period necessary to fulfill contract obligations until the deletion or termination of the agreement, unless further retention is required to comply with legal obligations or to resolve disputes |
| Risk (including Business Risk) Management | Information related to Risk Assessment; Technical and Device Information | Legitimate Interests | For the term of duration of the agreement and up to 3 (three) years after termination or expiration of the agreement |
| Ensuring Security (including Physical Security and Information/Cyber Security) | Information related to Risk Assessment; Technical and Device Information | Legitimate Interests; Legal Obligations | For the term of duration of the agreement and up to 3 (three) years after termination or expiration of the agreement |
| Customer Support and Communication | Communication Data; Feedback Data | Contractual Necessity; Legitimate Interests | Retained for period necessary to fulfill contract obligations until the deletion or termination of the agreement, unless further retention is required to comply with legal obligations or to resolve disputes |
| Marketing | Contact Information; User Activity Information; User Information; Technical and Device Information | Consent; Legitimate Interests | For the term of duration of the agreement or until opt out by user or expiration of cookie’s lifespan |
| Research and Development | Feedback Data | Legitimate Interests | For the term of duration of the agreement and up to 3 (three) years after termination or expiration of the agreement |
| Resolution of Disputes and Legal Claims | Information related to Claims and Disputes | Legal Obligation; Legitimate Interests | For the term of duration of the agreement and up to 5 (five) years after termination or expiration of the agreement |

5.3. Retention Obligation

5.3.1. After the relevant retention period has passed, we securely delete or anonymize your data to protect your privacy. If you have any questions about our data retention practices, please do not hesitate to contact us via dpo@flowlix.eu. We are committed to transparency and to ensuring that your privacy is fully safeguarded.

6. Your Consent

6.1. Should we rely on your consent for certain processing activities, such as marketing communications, you have the right to withdraw that consent at any time. Managing your preferences or withdrawing consent can typically be done through provided opt-out mechanisms or by contacting us directly.

7. Obligatory and Optional Data

In order to deliver our services effectively, certain personal information is obligatory. This obligatory data, clearly identified during collection, is required for access to specific features and functions, required by legal, contractual, or regulatory obligations. Providing such information is a prerequisite for utilizing our services; without this information we will be unable to provide our services to you. Obligatory information will be clearly marked, where applicable.

On the other hand, optional data is not vital for service delivery and does not affect your ability to use our core services. You are free to provide this data at your discretion, and it can be updated or managed through your Website or service’s settings at any time. If you have any questions about which data is required or optional, or need assistance managing your information, please feel free to reach out to us.

8. Automated Decision Making and Profiling

8.1. At Flowlix we may use automated tools, including algorithms and machine learning, to help operate and improve our services. We are committed to being transparent about how these tools influence your experience and to protecting your rights.

8.2. Flowlix will not make decisions that produce legal effects concerning you or similarly significantly affect you based solely on automated processing, including profiling, without meaningful human involvement.

8.3. We may use automated processing to support decisions related to: (a) service eligibility and onboarding checks; (b) transaction monitoring, fraud detection, and abuse prevention; and (c) security, risk assessment, and service performance optimization. These tools surface indicators and recommendations for our teams. Final determinations include human review, considering relevant context and information.

8.4. We may create or use profiles (automated analyses of personal data) to evaluate or predict aspects related to your preferences, behavior, or interests. We use profiling to: (a) personalize features, content, and in-app experiences; (b) provide tailored recommendations and communications; and (c) improve the relevance and quality of our services. We take steps to keep profiles accurate, up to date, and proportionate to the stated purposes.

8.5. To help ensure fair and unbiased outcomes, Flowlix: (a) tests and monitors automated systems for accuracy, relevance, and potential bias; (b) applies data minimization and role-based access controls; (c) regularly reviews model inputs, outputs, and performance; and (d) documents decision logic at an appropriate level of detail to support explainability.

8.6. Automated tools may use data you provide, data generated by your use of our Services (such as device, transaction, and usage data), and, where permitted by law, data from verified third-party sources (for example, fraud prevention databases). We do not use special categories of personal data for automated decision support unless permitted by law and subject to heightened safeguards.

8.7. Where required, Flowlix conducts and maintains data protection impact assessments for automated processing that is likely to result in a high risk to individuals’ rights and freedoms.

9. Data Sharing

9.1. Purpose of Sharing. To operate our business and provide the services, Flowlix may share personal data with carefully selected recipients that perform services on our behalf. We only share what is necessary for the stated purpose, under enforceable contracts that require confidentiality, security, and compliance with applicable data protection laws.

9.2. Categories of Recipients. We may share personal data with:

(a) Payment and Acquiring Service Providers, card networks, and banking partners to process transactions, verify payment details, and support settlement and chargeback handling;

(b) Fraud Prevention and Risk Management Providers to analyze Transactions, authenticate users, prevent fraud and abuse, and comply with legal and regulatory obligations (including anti-money laundering and sanctions screening);

(c) IT, Hosting, and Support Providers that host, maintain, secure, back up, and support our Website, System, and related infrastructure;

(d) Analytics Providers to help us understand Website and app usage, improve performance, and diagnose issues;

(e) Marketing and Customer Engagement Partners to deliver in-product communications, measure campaign effectiveness, and provide targeted content strictly within our Website or Services based on your browsing behavior and preferences. We do not permit third parties to use your personal data for their own marketing without your consent;

(f) Professional Advisors, Auditors, and Insurers where necessary for governance, audit, legal advice, insurance coverage, or the establishment, exercise, or defense of legal claims;

(g) Corporate Transactions. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality and data protection safeguards and, where required, notice to you.

9.3. Disclosures Required by Law. We may disclose personal data to courts, regulators, tax authorities, law enforcement, or other public bodies when required to do so by applicable law, regulation, subpoena, or court order, or when we believe disclosure is necessary to protect our rights, users, or the public.

9.4. Aggregated and De-Identified Data. We may share aggregated or de-identified statistics with third parties, including other businesses and the public, to describe how and when users use our Website and services. This data does not identify you and cannot reasonably be used to re-identify you. We will not attempt to re-identify such data.

10. Data Security

10.1. We maintain a comprehensive information security program designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our controls are risk-based, documented, and regularly reviewed for effectiveness.

10.2. Technical and Organizational Measures. Flowlix implements appropriate technical and organizational measures, including:

(a) Encryption. Industry-standard encryption for data in transit (e.g., TLS) and at rest, with robust key management and segregation of duties;

(b) Access Controls. Role-based access, least privilege principles, strong authentication (including multi-factor authentication for administrative access), and periodic access reviews;

(c) Network and Infrastructure Security. Layered defenses including firewalls, intrusion detection and prevention, endpoint protection, DDoS mitigation, and secure configuration baselines;

(d) Logging and Monitoring. Centralized logging, security event monitoring, and alerting with defined escalation paths and incident runbooks.

(e) Data Minimization and Retention. Collection limited to what is necessary for stated purposes and retention aligned to defined schedules. Secure deletion or anonymization upon expiry.

(f) Physical and Cloud Security. Use of secure data centers and cloud environments with audited controls, environmental safeguards, and access restrictions.

(g) Vendor and Subprocessor Management. Security due diligence, contractual security obligations, and ongoing oversight of service providers handling personal data.

(h) Certifications and Standards. Where applicable, Flowlix and key processors maintain relevant industry standards or certifications (e.g., PCI DSS for payment processing).

(i) Security Assessments. We conduct regular risk assessments, vulnerability management, and independent audits or assessments to identify and remediate vulnerabilities and continuously improve our controls.

(j) Incident Response and Notification. In the event of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify affected users and, where required, regulators without undue delay, including details of the nature of the breach, likely consequences, and measures taken or proposed to address it.

10.3. Your Responsibilities. You play a critical role in keeping your data secure. You agree to: (a) use strong, unique passwords and keep credentials confidential; (b) enable multi-factor authentication where available; (c) keep devices, browsers, and applications updated; (d) avoid using unsecured public networks for sensitive activities; (e) monitor account activity and promptly report suspicious activity; and (f) stay alert to phishing and social engineering; verify requests for sensitive information and avoid clicking suspicious links.

10.4. No Absolute Security. While we use commercially reasonable safeguards appropriate to the risk, no method of transmission or storage is completely secure. We continually improve our controls to address evolving threats.

10.5. If you believe your Account has been compromised or you need security guidance, contact us immediately at dpo@flowlix.eu.

11. Making Changes to Your Information

You retain control over the information you provide. If you have an Account with us, you can easily access and update your information through your account settings. For specific requests or assistance, please contact us using the details provided in Section 1.

12. Your Data Protection Rights

12.1. Overview. Subject to applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access. You may request confirmation of whether we process your personal data and obtain a copy, along with related information (e.g., purposes, categories, recipients, retention periods, and your rights).

• Right to Rectification. You may request correction of inaccurate personal data and completion of incomplete data, taking into account the purposes of processing.

• Right to Erasure (“Right to Be Forgotten”). You may request deletion of personal data where one of the grounds in law applies (e.g., data no longer needed, consent withdrawn, successful objection), subject to legal obligations and overriding legitimate grounds. We may retain certain records (e.g., transaction data) to comply with legal and regulatory requirements.

• Right to Restrict Processing. You may request that we restrict processing where you contest accuracy, processing is unlawful and you prefer restriction over deletion, we no longer need the data but you require it for legal claims, or you have objected and verification is pending.

• Right to Object. You may object at any time to processing based on our legitimate interests, including profiling on that basis. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is needed for legal claims. You may also object at any time to processing for direct marketing; we will then stop marketing to you.

• Right to Data Portability. Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, request transmission to another controller.

• Right to Withdraw Consent. Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. We will honor your updated preferences promptly.

• Automated Decision Making and Profiling. Flowlix does not make decisions producing legal or similarly significant effects based solely on automated processing (including profiling). If this changes, we will notify you and provide a way to exercise your rights, including the right to obtain human intervention, to express your view, and to contest a decision.

12.2. How to Exercise Your Rights:

(a) Submit requests at dpo@flowlix.eu;

(b) We may request information necessary to verify your identity and to locate the data (for security and fraud prevention);

(c) We will explain any exemptions or limitations that apply (e.g., where honoring a request would adversely affect the rights and freedoms of others, conflict with legal obligations, or undermine fraud prevention or security);

(d) We will respond within the period required by law and inform you if additional time is needed due to request complexity or volume;

(e) Requests are typically free of charge. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests as permitted by law.

12.3. Local Rights. Depending on your location, you may have additional rights under local law. You also have the right to lodge a complaint with your data protection authority.

13. International Transfers

13.1. While most processing occurs in the European Economic Area (EEA), your personal data may be transferred to and processed in countries outside your country of residence, including countries that may not offer the same level of data protection as your home jurisdiction.

13.2. Where we transfer personal data internationally, we do so in compliance with applicable data protection laws and implement appropriate safeguards, such as: (a) an adequacy decision by the European Commission or other competent authority recognizing the destination country as providing an adequate level of protection; (b) Standard Contractual Clauses adopted by the European Commission with recipients, including subprocessors and affiliates; and/or (c) other lawful transfer mechanisms permitted by applicable law. Where required, we implement supplementary technical and organizational measures to ensure a level of protection essentially equivalent to that required under applicable law.

13.3. Transfers may involve our affiliates, cloud hosting and IT service providers, payment and acquiring partners, risk and fraud prevention providers, professional advisors, and support vendors located in jurisdictions in which we or our providers operate.

13.4. All recipients are bound by enforceable contractual obligations to protect personal data, including confidentiality, security, limited-purpose use, onward transfer restrictions, and audit/assurance rights. We conduct transfer risk assessments and vendor due diligence and review safeguards periodically.

14. Dispute Resolution and Complaints

14.1. Contact Us First. If you have questions or concerns about how Flowlix processes your personal data, please contact us using the details in Section 1. Our privacy team will review your inquiry and work to resolve it promptly and fairly.

14.2. Escalation. If we are unable to resolve your concern, you have the right to lodge a complaint with a competent data protection authority listed in Clause 14.3. You may do so without prejudice to any other rights or remedies available to you under applicable law.

14.3. Supervisory Authorities:

(a) Cyprus. In Cyprus you may contact the Cyprus Data Protection Commissioner at the Office of the Commissioner for Personal Data Protection, registered at: Kypranoros 15, Nicosia 1061, Cyprus. Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus. Tel: +357 22818456, Fax: +357 22304565, Email: commissioner@dataprotection.gov.cy.

(b) European Union/EEA. You may contact your local supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. A directory is available at: https://edpb.europa.eu/about-edpb/board/members_en.

(c) Other Jurisdictions. If you reside outside the above regions, please contact your local data protection or privacy regulator for guidance on filing a complaint.

14.4. Response Times. We aim to acknowledge and respond to privacy inquiries without undue delay and within the time limits required by law.

14.5. Using our internal process is encouraged but not required. You may contact a supervisory authority at any time.

15. Children’s Privacy

15.1. Our services are intended for individuals who are at least 18 years old. We do not knowingly collect or solicit personal data from anyone under 18. If you are under 18, do not use the services or provide any personal data to us.

15.2. If you are a parent or legal guardian and believe your child under 18 has provided personal data to Flowlix, please contact us immediately at dpo@flowlix.eu.

15.3. Upon becoming aware that we have collected personal data from a minor contrary to this section, we will take reasonable steps to: (a) delete the personal data and, where feasible, any associated account; (b) cease further processing of that data; and (c) notify the parent or guardian, where contact details are available.

15.4. In jurisdictions with different age thresholds for online consent or special protections for minors, we will apply the higher standard as required by local law and obtain verifiable parental consent where applicable.

15.5. We may request reasonable information to verify a requester’s parental or guardianship status before providing details or taking action on a minor’s data.