FlowRota GDPR Compliance Statement
FlowRota (“we”, “our”, “us”) is committed to protecting the privacy and personal data of our users and their employees. This GDPR Compliance Statement explains how FlowRota complies with the General Data Protection Regulation (GDPR) — both the UK GDPR and EU GDPR — ensuring that data is processed lawfully, fairly, and transparently.
1. Our commitment to data protection
FlowRota is designed with privacy and compliance at its core. We ensure that all data collected and processed through our platform is handled in accordance with GDPR principles. This includes the lawful basis for processing, minimisation of data collection, and the protection of individual rights.
2. Lawful basis for processing
FlowRota processes personal data based on the following lawful bases:
- Contractual necessity — to provide the FlowRota service to registered users and customers.
- Consent — where users voluntarily provide data or agree to specific processing activities.
- Legal obligation — to comply with UK or EU regulatory and tax requirements.
- Legitimate interests — such as improving the platform and ensuring system security.
3. Data storage and security
FlowRota uses secure, GDPR-compliant cloud infrastructure. All data is encrypted in transit (TLS) and at rest. We partner with trusted third parties — including Paddle (payments), Wasabi (file storage), and ImageKit (image delivery) — all of whom maintain GDPR-compliant frameworks and security certifications.
4. Data minimisation and retention
We collect only the data necessary to operate our service. Personal data is retained only for as long as required to fulfil contractual obligations or comply with legal requirements. When data is no longer needed, it is securely deleted or anonymised.
5. Your rights under GDPR
Under GDPR, users have the right to:
- Access and obtain a copy of their personal data
- Request correction or deletion of their data
- Object to or restrict processing
- Withdraw consent at any time
- Request data portability to another service
To exercise any of these rights, please contact: contact@flowrota.com
6. Data transfers outside the UK/EU
Where data is transferred outside the UK or EU, we ensure it is protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions approved by regulatory bodies.
7. Data breaches
In the unlikely event of a data breach, FlowRota will promptly notify affected users and relevant authorities in accordance with GDPR Article 33. We maintain incident response procedures and continuous monitoring to detect and prevent unauthorised access.
8. Data processor responsibilities
FlowRota acts as both a Data Controller (for our own users) and a Data Processor (for our customers who manage employee data within the platform). We process such data only under our customers’ instruction and never for our own marketing or unrelated purposes.
9. Contact and data protection queries
For any questions regarding this statement or data protection practices, contact us at: contact@flowrota.com
If you are unsatisfied with our response, you may contact the UK Information Commissioner’s Office (ICO) or your local data protection authority.
10. Updates to this statement
We may update this GDPR statement periodically to reflect changes in regulation or our business operations. Any updates will be published on this page with a revised “Last updated” date.