1. Controller

2. What data does OrgFlow process?

• Account and authentication data (email, login sessions).
• Profile data within an organisation (name, optional phone, role, status).
• Organisation data managed by admins (teams, tasks, shifts, resources, finance entries).
• Technical log data (e.g., IP/logs) as required for stability and security.

3. Purposes and legal bases

• Providing the platform (Art. 6(1)(b) GDPR – contract/pre-contract).
• Security, abuse prevention, debugging (Art. 6(1)(f) GDPR – legitimate interest).
• Communication and support (Art. 6(1)(b)/(f) GDPR).

4. Cookies

OrgFlow uses essential cookies (e.g., for sign-in/session and security). No tracking cookies are used.

5. Recipients / processors

We may use service providers to operate OrgFlow (e.g., hosting, email, database/auth). We enter data processing agreements under Art. 28 GDPR where required.

• Supabase (auth & database)
• Hosting/deployment (e.g., Vercel)

Note: Depending on configuration, processing may occur outside the EU/EEA. In such cases, appropriate safeguards (e.g., SCCs) are used.

6. Retention and deletion

Data is stored only as long as necessary for the purposes described or as required by law.

You can request a data export and a deletion request at any time via the settings in OrgFlow. After confirmation by the controller, your data will be deleted unless retention obligations apply. Organisations may also request cleanup after project end.

7. Your rights

You have rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21) under the GDPR. In the app you can export your data and submit a deletion request via Settings.

Contact for requests: info@lyniqmedia.com

8. Changes

We may update this privacy policy. The current version is available within OrgFlow.