Privacy Policy
Last Updated: October 15, 2025
1. Introduction
SoloFlow SRL (hereinafter “SoloFlow”, “we”, “us”, or “our”), with registered office at Brussels, Belgium, is the data controller responsible for the processing of your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “GDPR”).
This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the SoloFlow mobile application and associated services (collectively, the “Services”).
2. Data We Collect
2.1 Account Data
- Email address (authentication)
- Name and business information (invoicing)
- Company registration number (VAT compliance)
- Phone number (optional, for notifications)
- Profile settings and preferences
2.2 Business Data
- Invoices, quotes, and credit notes
- Customer and prospect contact information
- Payment records and transaction history
- Calendar appointments and reminders
- Business documents and attachments
2.3 Technical Data
- Device identifiers (for multi-device sync)
- IP address and geolocation (fraud prevention)
- Application usage analytics (performance optimization)
- Error logs and crash reports (service improvement)
- Offline sync metadata
2.4 Payment Data
Payment card information is processed exclusively by our payment processor Stripe Inc. and is not stored on our servers. We only retain transaction identifiers and payment status.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6(1):
- (b) Contract Performance: Processing necessary for the provision of SoloFlow Services, including invoicing, document management, and customer relationship management
- (c) Legal Obligation: Compliance with Belgian and European tax law, accounting regulations, and anti-money laundering requirements
- (f) Legitimate Interest: Service improvement, fraud prevention, security monitoring, and customer support
For marketing communications, we rely on your explicit consent under GDPR Article 6(1)(a), which you may withdraw at any time.
4. Data Storage and Retention
4.1 Storage Location
All personal data is stored on servers located within the European Union, specifically using Supabase’s EU region infrastructure (Frankfurt, Germany). Data is never transferred outside the EU/EEA without adequate safeguards under GDPR Chapter V.
4.2 Retention Period
- Business documents: 7-10 years (Belgian tax law requirement for accounting records)
- Account data: Duration of your account plus 30 days after deletion request
- Usage analytics: 24 months maximum
- Error logs: 90 days maximum
You may request early deletion of non-legally mandated data by contacting privacy@soloflow.online.
5. Data Sharing and Sub-Processors
We do not sell, rent, or trade your personal data. We share data only with the following sub-processors under GDPR Article 28 data processing agreements:
- Supabase Inc. (USA, EU servers): Database hosting and authentication
- Stripe Inc. (USA, EU servers): Payment processing
- Sentry.io (USA): Error monitoring and crash reporting
- Expo/EAS (USA): Mobile application infrastructure
All sub-processors comply with GDPR requirements and have executed Standard Contractual Clauses (SCCs) where applicable.
5.1 Peppol Network
When you send e-invoices via the Peppol network, your invoice data is transmitted to the recipient’s access point in accordance with the Peppol specifications. This transmission is necessary for contract performance.
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Obtain confirmation of data processing and a copy of your data
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of data (subject to legal retention obligations)
- Right to Restriction (Art. 18): Limit processing under certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent (Art. 7): For marketing communications
To exercise these rights, contact us at privacy@soloflow.online. We will respond within 30 days.
6.1 Right to Lodge a Complaint
You have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit):
- Website: www.dataprotectionauthority.be
- Email: contact@apd-gba.be
7. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Authentication: OAuth 2.0 with multi-factor authentication (MFA) support
- Access Control: Row-Level Security (RLS) policies in database, role-based access
- Offline Security: Encrypted local storage on mobile devices
- Monitoring: Real-time intrusion detection and automated threat response
- Auditing: Regular security audits and penetration testing
8. Cookies and Tracking
The SoloFlow mobile application uses only technical cookies strictly necessary for authentication and session management. We do not use marketing or advertising cookies.
Our website (soloflow.online) uses:
- Essential cookies: Authentication, language preference, security
- Analytics cookies: Anonymous usage statistics (with your consent)
You may manage cookie preferences at any time in your browser settings.
9. Children’s Privacy
SoloFlow Services are intended for business use by adults (18+ years). We do not knowingly collect data from children under 16. If you believe we have inadvertently collected such data, contact us immediately at privacy@soloflow.online.
10. International Data Transfers
As our services operate exclusively within the EU, your data is not transferred outside the European Economic Area. Should this change in the future, we will implement appropriate safeguards (Standard Contractual Clauses or adequacy decisions) and notify you in advance.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you under GDPR Article 22.
AI-powered suggestions (invoice categorization, client insights) are advisory only and do not execute automatic actions without your explicit approval.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified via email and in-app notification 30 days before taking effect.
The current version is always available at: https://soloflow.online/en/privacy
13. Contact Information
Data Controller: SoloFlow SRL, Brussels, Belgium
- Email: privacy@soloflow.online
- Website: www.soloflow.online
Data Protection Officer: For data protection inquiries, contact: dpo@soloflow.online
This Privacy Policy is governed by Belgian law and GDPR. For any disputes, the courts of Brussels, Belgium have exclusive jurisdiction.