Legal
Privacy Policy
Last updated: 13 April 2026
This Privacy Policy explains how Flow Inc. Ltd("Creative Flow", "we", "us" or "our") collects, uses and protects personal data when you visit our website, book a demo, or use the Creative Flow design subscription service (the "Service").
We are the data controllerfor personal data we process about you. We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
1. Who we are
Flow Inc. Ltd is a company registered in England and Wales under company number [00000000]. Our registered office is at [Street, City, Postcode, United Kingdom]. You can contact us at privacy@creativeflow.example.
2. The personal data we collect
Depending on how you interact with us, we may collect:
- Identity and contact data — name, business email address, telephone number, job title and the company you represent.
- Account data — login credentials, profile information and account preferences.
- Service data — design briefs, files, comments, revisions and other content you submit or that we generate while delivering the Service.
- Billing data — billing name and address, VAT number and payment method tokens. Card numbers themselves are processed by our payment processor (Stripe Payments UK Ltd) and are not stored on our systems.
- Technical data — IP address, browser type and version, device identifiers, time zone setting and operating system.
- Usage data — pages visited, links clicked, features used and other interactions with the Service. Where required by law, this is only collected if you have given us consent (see Section 8).
- Communications data — your messages to us via email, contact forms or in-product chat.
We do not knowingly collect special category data (such as health or biometric data) and we ask you not to send it to us through the Service.
3. How we collect personal data
- Directly from you when you submit a demo request, create an account, communicate with us or use the Service.
- Automatically when you interact with our website, through cookies and similar technologies (see our Cookie Policy).
- From third parties, such as our payment processor, analytics providers, and (where applicable) public business registries.
4. Purposes and lawful bases for processing
Under the UK GDPR we must have a lawful basis for processing your personal data. We rely on the following:
| Purpose | Lawful basis |
|---|---|
| Providing the Service and managing your account | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract; legal obligation |
| Responding to enquiries and demo requests | Legitimate interests (responding to prospects who contact us); steps to enter into a contract |
| Service emails and important account notifications | Performance of a contract |
| Marketing emails to existing business customers | Legitimate interests (PECR "soft opt-in"), with an unsubscribe option in every message |
| Marketing emails to other recipients | Consent |
| Analytics and performance measurement | Consent |
| Security, fraud prevention and service integrity | Legitimate interests; legal obligation |
| Compliance with accounting, tax and legal obligations | Legal obligation |
5. Who we share personal data with
We share personal data only with:
- Service providers who process data on our behalf under written instructions, including hosting, email delivery, payment processing, customer support, error monitoring and analytics.
- Professional advisers such as accountants and lawyers, where necessary.
- Authorities and regulators, where required by law or to protect our rights.
- Successors in the event of a sale, merger or reorganisation of our business.
We do not sell personal data.
6. International transfers
Some of our service providers are located outside the United Kingdom. Where personal data is transferred outside the UK, we ensure an adequate level of protection by relying on UK adequacy regulations, the International Data Transfer Agreement, or the EU Standard Contractual Clauses together with the UK Addendum, supplemented by appropriate technical and organisational measures.
7. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements. Typical retention periods:
- Account and Service data — for the duration of the contract and up to 6 years thereafter.
- Billing and transactional records — 6 years (UK tax requirements).
- Marketing contact data — until you unsubscribe or for up to 24 months of inactivity.
- Demo enquiries that do not become customers — up to 24 months.
- Cookie consent records — up to 12 months.
8. Cookies and similar technologies
We use strictly necessary cookies to operate the website and, with your consent, analytics and marketing cookies. We implement Google Consent Mode v2 so that no analytics or marketing cookies are set until you give consent through our cookie banner. You can change your choice at any time using the "Manage cookies" link in the footer. See our Cookie Policy for details.
9. Your rights
Subject to certain conditions, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure of your data (the "right to be forgotten");
- restrict processing or object to processing;
- request portability of data you have provided to us;
- withdraw consent at any time where we rely on consent; and
- object to direct marketing at any time.
To exercise any of these rights, please email privacy@creativeflow.example. We will respond within one month.
10. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, principle of least privilege and regular review of our suppliers. No method of transmission or storage is 100% secure; if we become aware of a personal data breach affecting your rights and freedoms we will notify you and the Information Commissioner's Office where required by law.
11. Children
The Service is intended for business users and is not directed at children under 16. We do not knowingly collect personal data from children.
12. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be highlighted on this page or notified to you directly.
13. Complaints
If you have a concern about the way we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
Template notice.This document contains placeholder values in square brackets and is provided as a starting point only. It must be reviewed and adapted to the company's actual practices by a UK-qualified legal adviser before being relied upon.