1. About this notice
This Privacy Notice explains how Datopia handles personal data for Datopia Flow, our SaaS-style jewellery, watch, repair, and workshop tracking platform for business customers. It applies to Flow account use, subscriptions, billing, support, security, platform administration, and customer-controlled data hosted in Flow.
This notice is separate from the main Datopia website Privacy Policy. The main Datopia website has its own Privacy Policy at https://www.datopia.co.uk/privacy-policy.
Datopia is operated by a UK sole trader. Datopia is registered with the Information Commissioner's Office as a data protection fee payer. Registration reference: ZC177361.
2. Datopia as controller
Datopia acts as controller for its own Flow-related business data. This includes personal data used for account registration and login administration, business customer account details, package and subscription management, billing administration, invoices and payment-related records, support requests and service communications, security logs, audit logs, fraud prevention, abuse prevention and platform integrity, product communications and important service notices, and legal, tax, accounting, regulatory, complaint, and dispute records.
3. Datopia as processor
For customer, job, and repair data entered into Flow by business customers, Datopia normally acts as processor and the Flow business customer acts as controller.
Examples of customer-controlled Flow data include:
- end-customer names and contact details where entered;
- trade customer details;
- job references;
- item and repair descriptions;
- due dates, statuses, types, notes, pricing, estimates, tracking references, and parcel information;
- uploaded images or documents;
- staff/user activity and audit records connected with the customer's Flow account;
- partner-sharing records where applicable.
Flow business customers are responsible for:
- having a lawful basis for the personal data they enter into Flow;
- providing privacy information to their own customers, staff, trade partners, or other relevant individuals where required;
- deciding what data to enter, retain, share, export, delete, or restrict;
- responding to data subject requests for data where they are controller, with reasonable assistance from Datopia where required by the DPA.
4. Partner sharing
Where Flow business customers use partner sharing, Flow enables them to share selected operational job data with each other through the platform.
For partner-sharing decisions, each participating business is responsible for its own decision to send, receive, accept, import, retain, use, disclose, restrict, or delete shared data. Unless a separate written agreement says otherwise, the participating businesses act as independent controllers for those partner-sharing decisions.
Partner sharing is governed by the applicable in-app Partner Sharing Data Sharing Agreement, where that agreement has been accepted for the relevant partner-sharing relationship.
5. Personal data Datopia collects for Flow
- Account user data: name, email address, login details, role, company, and permissions.
- Business account data: company name, address, contact details, package, and subscription status.
- Billing data: Stripe customer/subscription IDs, invoice records, payment status, and billing contact details. Card details are handled by Stripe and are not stored by Datopia Flow.
- Support data: support messages, issue details, screenshots, or files provided for support.
- Technical/security data: IP address, device/browser information, login events, audit logs, error logs, access logs, and security events.
- Platform usage data: features used, package limits, account activity, and performance/debug information.
- Customer-controlled content: only as hosted or processed on behalf of the Flow business customer.
6. Purposes and lawful bases where Datopia is controller
| Purpose | Data used | Lawful basis |
|---|---|---|
| Creating and managing Flow accounts | Account user data, business account data, login and role details | Contract / legitimate interests |
| Providing and administering subscriptions | Business account data, package, subscription status, account records | Contract |
| Billing and accounting | Billing contact details, Stripe IDs, invoices, payment status, accounting records | Contract / legal obligation / legitimate interests |
| Support and troubleshooting | Support messages, screenshots, files, account and technical details | Contract / legitimate interests |
| Security, fraud prevention, abuse prevention, and audit logs | IP address, device/browser data, login events, audit logs, access logs, security events | Legitimate interests / legal obligation where applicable |
| Service notices and important product communications | Account user data, business account data, service status and product information | Contract / legitimate interests |
| Optional marketing communications | Contact details, communication preferences, account relationship | Consent or legitimate interests, with opt-out where required |
| Legal, regulatory, complaint, and dispute handling | Relevant account, billing, support, security, complaint, and dispute records | Legal obligation / legitimate interests |
7. Processing on behalf of Flow customers
Customer-controlled Flow data is processed under the Datopia Flow Data Processing Agreement. Datopia processes this data only as needed to provide, maintain, secure, support, troubleshoot, back up, transmit, display, and administer Flow, or as otherwise instructed by the Flow customer, unless law requires otherwise.
8. Cookies and similar technologies in Flow
Flow may use essential cookies, session storage, or local storage for login, authentication, security, preferences, and app functionality. Flow may also use analytics/performance technologies, error logging/debugging technologies, and cookie preference handling where applicable.
Where non-essential cookies or similar technologies require consent, we will ask for consent before using them. Where the law allows limited low-risk analytics or similar technologies without consent, we will provide clear information and a simple way to object where required.
9. Who Datopia shares Flow data with
Datopia may share Flow data with hosting, database and storage providers, authentication providers, payment providers such as Stripe, email/notification providers, analytics/performance/error logging providers where used, professional advisers, legal/regulatory authorities where required, and sub-processors listed in the Service Provider and Sub-processor List.
Datopia does not sell personal data or business data.
10. International transfers
Some providers may process data outside the UK. Where this happens, Datopia relies on appropriate safeguards where required, such as UK adequacy regulations or approved contractual safeguards.
11. Retention
- Account and subscription records are retained while the account is active and then for a reasonable period.
- Billing and accounting records are normally retained for up to 6 years where required.
- Support records are retained for as long as needed for support, audit, legal, or dispute purposes.
- Logs are retained for a limited period unless needed for security, legal, dispute, or investigation purposes.
- Customer-controlled Flow data is retained according to the customer account settings, subscription status, deletion/export processes, backup cycles, and the DPA.
- Partner-sharing acceptance and audit records are retained for legal, security, compliance, dispute, and evidential purposes where reasonably necessary.
12. User rights and requests
For Datopia controller data, individuals can exercise UK GDPR rights directly with Datopia. For customer-controlled Flow data, Datopia may need to refer the request to the relevant Flow business customer, because that customer is normally the controller. Rights may be subject to legal limits.
13. Data protection complaints
If you are unhappy with how Datopia handles personal data for which Datopia is controller, you can raise a data protection complaint with us. We will acknowledge your complaint within 30 days, investigate it appropriately, keep you informed where necessary, and tell you the outcome without undue delay. You also have the right to complain to the Information Commissioner's Office through its website at ico.org.uk.
If your complaint relates to personal data entered into Flow by one of our business customers, we may need to refer you to that business customer or work with them to respond, depending on the controller/processor relationship.
14. Security
Datopia uses reasonable technical and organisational measures to protect personal data. These may include access controls, authentication, role-based permissions where applicable, database security and row-level access controls where applicable, encryption in transit, backups where applicable, logging and monitoring, least-privilege access, and supplier/sub-processor controls.
No system can be guaranteed completely secure.
15. Contact
You can contact Datopia about this notice or your personal data using the Datopia contact form.