Flipstream

Flipstream Privacy Policy

Last Updated: December 2025

This privacy policy explains how Flipstream AB collects and uses your personal data. We only use the information you provide in accordance with this privacy policy and the General Data Protection Regulation (EU 2016/679).

1. Personal Data We Collect

1.1 When You Use Our Services (Customers)

  • Contact Information: Name, email address, phone number, and office address of contact persons
  • Account Data: User credentials, API keys (encrypted), and authentication tokens
  • Usage Data: Product processing data, photos uploaded, listings created, API usage metrics
  • Product Data for AI Training: Product photos, identification results, pricing outcomes, condition assessments, and market research data used to improve our AI models
  • Support Data: Customer tickets, issues, and communication history

1.2 When You Supply Us (Suppliers)

  • Name, email address, phone number, and office address of contact persons

1.3 When You Join Our Waitlist

  • Name and email address

1.4 When You Contact Us

We may request additional information to assist you with your inquiry.

2. How We Use Your Personal Data

| Purpose | Data Categories | Legal Basis | Retention Period | |---------|----------------|-------------|------------------| | Provide AI processing services | Contact info, usage data, uploaded product photos | Contractual obligations | Duration of service + 1 year | | AI model training & improvement | Product photos, identification results, pricing data, market research outcomes | Legitimate interest (service improvement) | Indefinitely (for trained models), with periodic anonymization | | Customer relationship management | Name, email, phone, company name | Contractual obligations | Duration of relationship + 7 years (accounting law) | | Payment processing & invoicing | Name, email, company name, payment details | Contractual & legal obligations | 7 years (Swedish bookkeeping law) | | Technical support | Contact info, support tickets | Contractual obligations | Duration of support + 1 year | | Product improvement | Anonymized usage patterns, processing accuracy metrics | Legitimate interest | Indefinitely (anonymized) | | Waitlist communications | Name, email | Legitimate interest (marketing) | Until product launch + 1 year, or until unsubscribe | | Job applications | Application materials, CV | Legitimate interest / Consent | Until position filled, or longer with explicit consent |

Your personal data will be deleted when processing is no longer necessary, except where required by law.

3. Data We Process on Your Behalf

As part of our returns processing service, you may upload product photos and data to our platform. We act as a data processor for this information:

  • Product photos and metadata are processed to provide identification, pricing, and listing services
  • AI Training and Improvement: We use your product data (photos, descriptions, pricing results) to continuously improve our AI models and service accuracy. This training benefits all customers through better product recognition and pricing
  • Anonymization: Where possible, we anonymize product data used for training purposes
  • Data is stored securely during active use and for the retention period specified in Section 7
  • You retain ownership of your original product data and listings
  • Opt-Out: Enterprise customers may negotiate opt-out terms from AI training in their service agreement

4. Sharing of Personal Data

4.1 Subcontractors

| Subcontractor | Location | Purpose | Transfer Mechanism | |---------------|----------|---------|-------------------| | Appwrite | EU/Germany | Authentication, database, file storage | EU hosting (GDPR compliant) | | Anthropic | EU & U.S. | AI processing (Claude API) | EU-U.S. Data Protection Framework | | OpenAI | EU & U.S. | AI processing (GPT-4 Vision) | EU-U.S. Data Protection Framework | | Twenty CRM | EU/France | Customer relationship management | EU hosting (GDPR compliant) | | Lago | EU/France | Usage metering and billing | EU hosting (GDPR compliant) | | Fortnox AB | Sweden | Accounting and invoicing | Not applicable (Swedish company) |

4.2 Data Protection Measures

  • All subcontractors are bound by strict data processing agreements
  • Non-EU transfers are protected by EU-U.S. Data Protection Framework
  • All data in transit is encrypted (TLS 1.3)
  • All data at rest is encrypted (AES-256)
  • Role-based access controls limit data access to authorized personnel only

4.3 Legal Disclosures

We may disclose personal data to authorities if legally required (e.g., court orders, law enforcement requests, regulatory obligations).

4.4 Business Transfers

In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity.

5. Your Rights Under GDPR

You have the following rights regarding your personal data:

5.1 Right of Access

Request a copy of all personal data we hold about you.

5.2 Right to Rectification

Correct any inaccurate or incomplete personal data.

5.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data. Note: This may prevent us from providing services.

5.4 Right to Restrict Processing

Request that we limit how we use your personal data.

5.5 Right to Data Portability

Receive your personal data in a structured, machine-readable format.

5.6 Right to Object

Object to processing based on legitimate interests, including marketing communications.

5.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time.

To exercise your rights, contact us at: privacy@flipstream.xyz

6. Data Security

We implement industry-standard security measures to protect your personal data:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication for employees
  • Infrastructure: EU-hosted cloud services with ISO 27001 certification
  • Monitoring: 24/7 security monitoring and incident response procedures
  • Audits: Regular security audits and penetration testing
  • Employee Training: All employees receive GDPR and data protection training

7. Data Retention

We retain personal data only as long as necessary:

  • Customer data: Duration of service + 1 year
  • Product data for AI training: Indefinitely in trained models; raw data anonymized after 2 years of inactivity
  • Financial records: 7 years (Swedish bookkeeping legislation)
  • Support tickets: Duration of support + 1 year
  • Marketing data: Until you unsubscribe or product launch + 1 year
  • Anonymized analytics: Indefinitely (cannot identify individuals)

Note: Data incorporated into AI models becomes part of the model's learned patterns and cannot be individually extracted. We implement periodic anonymization and data minimization practices to protect privacy while maintaining service quality.

8. International Data Transfers

While we prioritize EU hosting, some services involve data transfers to the United States:

  • Legal Basis: EU-U.S. Data Protection Framework (DPF)
  • Safeguards: Standard Contractual Clauses (SCCs), encryption, access controls
  • Your Rights: You have the right to obtain information about safeguards for international transfers

9. Cookies and Tracking

Our website uses minimal cookies:

  • Essential cookies: Required for website functionality (authentication, preferences)
  • Analytics cookies: Privacy-focused analytics (Plausible/Umami) - no personal data collected
  • No advertising cookies: We do not use third-party advertising or tracking cookies

You can control cookies through your browser settings.

10. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately.

11. Updates to This Policy

We may update this policy occasionally to reflect changes in our practices or legal requirements:

  • Notification: Significant changes will be communicated via email or in-app notification
  • Effective Date: Changes take effect 30 days after notification (or as required by law)
  • Your Options: Continued use of services after changes indicates acceptance

We recommend reviewing this policy periodically.

12. Complaints and Regulatory Authority

If you have concerns about how we handle your personal data:

Contact us first:

  • Email: privacy@flipstream.xyz
  • Address: Furusundsgatan 16, 115 37 Stockholm, Sweden

Or file a complaint with the Swedish Data Protection Authority:

  • Integritetsskyddsmyndigheten (IMY)
  • Email: imy@imy.se
  • Phone: +46 8 657 61 00
  • Website: www.imy.se

You may also contact the data protection authority in your EU/EEA country.

13. Contact Information

Flipstream AB Organization Number: 559485-1772 Stockholm, Sweden

Email:

  • General inquiries: contact@flipstream.xyz
  • Privacy matters: privacy@flipstream.xyz

Website: www.flipstream.xyz

By using Flipstream's services, you acknowledge that you have read and understood this Privacy Policy.