Privacy Policy

Systems Flow | Issue 1 | April 2026 | Jurisdiction: European Union (Estonia)

Download privacy policy PDF

1. Who We Are

Systems Flow is an operational systems and automation infrastructure business registered in Estonia, European Union. We build conversion websites and connected automation systems for service businesses.

Depending on context, Systems Flow acts as a Data Controller for our own operations and as a Data Processor for client project delivery.

  • Legal name: Systems Flow
  • Address: Oismae tee 44-32, 13512 Tallinn, Estonia
  • Website: systems-flow.com
  • General contact: kirill@systems-flow.com
  • Privacy and DSAR: legal@systems-flow.com
  • Phone / WhatsApp: +372 5840 5646
  • Supervisory authority: Andmekaitse Inspektsioon (AKI), info@aki.ee, +372 627 4135

2. What This Policy Covers

This Privacy Policy explains how Systems Flow collects, uses, stores, and protects personal data connected to website usage, forms, scorecards, appointments, outreach, AI chat tools (when active), and client project delivery.

This policy does not cover third-party websites linked from our site. Where we act as a data processor, the client's own privacy policy governs the end-user relationship.

3. Data We Collect and Why

We collect only data required to provide services, run operations, and communicate with business contacts under GDPR lawful bases.

  • Website enquiry forms: name, email, company (optional), message. Basis: GDPR Art. 6(1)(b).
  • Scorecard/quiz: name, email, answers, calculated score, consent record. Basis: GDPR Art. 6(1)(a).
  • Appointment bookings (Cal.com): name, email, schedule details. Basis: GDPR Art. 6(1)(b).
  • Website analytics (Vercel Analytics): page navigation, approximate region, device/browser, referral source. Basis: GDPR Art. 6(1)(f).
  • B2B outreach: professional business/contact data and sequence status. Basis: GDPR Art. 6(1)(f), with objection rights and suppression handling.
  • AI chat widget (planned): chat content and contact details if provided. Basis: GDPR Art. 6(1)(a), with EU AI Act transparency notice.
  • Client delivery (processor role): processing on documented client instructions under signed DPA terms.

4. International Data Transfers

Systems Flow is established in Estonia (EU). Some sub-processors are located outside the EEA, including the United States.

Where required, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission. You may request relevant transfer documentation at legal@systems-flow.com.

5. Your Rights Under GDPR

You may exercise your GDPR rights by contacting legal@systems-flow.com. We respond within 30 days to valid requests and may verify identity before processing.

If unsatisfied, you can lodge a complaint with Andmekaitse Inspektsioon (AKI).

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Object (Art. 21)

6. Data Security

We apply appropriate technical and organisational safeguards including role-based access, multi-factor authentication, encryption in transit, encryption at rest, access reviews, API key rotation, and vendor DPA requirements.

Where a breach creates risk to rights and freedoms, we notify AKI within 72 hours and affected individuals without undue delay where GDPR requires.

7. Data Retention

Retention periods are defined per data category and legal basis.

  • Website enquiry (non-converting): 12 months from last interaction.
  • Outreach prospect (no response): 6 months from last contact attempt.
  • Outreach prospect (responded/booked): 24 months or relationship duration.
  • Client project data: contract duration + 12 months.
  • DSAR records: 3 years from request date.

8. Cookies

Strictly necessary cookies are placed without consent. Optional analytics and functional cookies are only placed after consent via our cookie banner.

For full cookie details, refer to the Cookie Policy available at systems-flow.com/privacy.

9. Changes to This Policy

We may update this policy to reflect legal, operational, or sub-processor changes. Material updates are shown with an updated issue date on this page.

The current version is always available at systems-flow.com/privacy.

10. Contact and Complaints

For privacy queries, data subject rights, or DSAR requests, contact legal@systems-flow.com.

General contact is kirill@systems-flow.com. You may also contact us at Oismae tee 44-32, 13512 Tallinn, Estonia, or +372 5840 5646.

If needed, complaints can be submitted to AKI via aki.ee, info@aki.ee, and +372 627 4135.

Schedule 1 - Sub-Processor Register

Systems Flow uses vetted sub-processors bound by data processing agreements requiring security controls and documented processing instructions.

Primary providers include Supabase, Vercel, n8n, Google Workspace/Cloud, Hunter.io, Anthropic, Cal.com, CookieYes, Slack, Linear, Sentry, GitHub, and Stripe (when activated), with SCCs or EU-based processing as applicable.

This document does not constitute legal advice. Review by a qualified legal professional is recommended.

For best readability on mobile, this page is optimized for both portrait and landscape orientations with responsive spacing, typography, and section navigation.