Privacy Policy
Last updated: 26 June 2026
1. Who We Are
2-IC DATA SYSTEMS (“we”, “us”, “our”) operates the Flow-X platform at flow-x.madethis.app. We are a data controller under GDPR (EU & UK), CCPA (US), PIPEDA (Canada), Privacy Act (Australia), and other applicable data privacy regulations. Our Data Protection Officer (DPO) can be reached at team@flow-x.madethis.app.
2-IC DATA SYSTEMS serves clients globally.
2. Data We Collect
We collect data in two contexts:
a) Enquiry & Account Data
- Name, job title, and work email address
- Company name, company size, and industry
- CRM/ERP platform in use and estimated record counts
- Project requirements provided voluntarily in contact forms
- Payment details (processed by Stripe — we do not store card data)
b) Usage Data (collected automatically)
- IP address, browser type, and operating system
- Pages visited, time on page, and referral source
- Session identifiers via cookies (see Section 7)
3. Purpose & Legal Basis
| Purpose | Legal Basis (GDPR / Data Privacy Regulations) |
|---|---|
| Respond to enquiries and provide quotes | Article 6(1)(b) — contract performance |
| Deliver purchased migration services | Article 6(1)(b) — contract performance |
| Process payments | Article 6(1)(b) — contract performance |
| Send transactional communications (invoices, delivery updates) | Article 6(1)(b) — contract performance |
| Send marketing communications (newsletter, updates) | Article 6(1)(a) — consent |
| Improve the platform via analytics | Article 6(1)(f) — legitimate interests |
| Comply with legal obligations (tax, GDPR records) | Article 6(1)(c) — legal obligation |
4. Client Data Handled During Migration
When you engage us for a migration project, we act as a data processor on your behalf, handling personal data contained within your CRM or ERP records (e.g. contact names, email addresses, customer history). We process such data solely for the purpose of completing the agreed migration and in accordance with our Data Processing Agreement.
Migration data is held in isolated, encrypted project workspaces. All client data is permanently deleted from our systems within 30 days of project completion or termination, unless you request earlier deletion. You may also request deletion at any time by writing to our DPO at team@flow-x.madethis.app.
5. Retention Periods
- Enquiry & contact data: 2 years from last interaction
- Project records and correspondence: 6 years (for legal/tax purposes)
- Migration data (client personal data processed): deleted within 30 days of project close
- Payment records: 7 years (HMRC requirements)
- Marketing consent records: until consent is withdrawn
6. Third-Party Processors
We share data only with processors necessary to deliver our services:
| Processor | Purpose | Location |
|---|---|---|
| Stripe (via MadeThis platform) | Payment processing | USA (SCCs in place) |
| Vercel | Web hosting and edge delivery | USA/EU (SCCs in place) |
| Convex | Database and serverless backend | USA (SCCs in place) |
| PostHog | Product analytics | EU |
All international transfers are protected by UK-approved Standard Contractual Clauses (SCCs) or equivalent adequacy decisions.
7. Cookies
We use essential cookies for platform functionality and session management. We also use analytics cookies (PostHog) to understand how visitors use the platform. You may decline non-essential cookies via your browser settings. Essential cookies cannot be disabled without impairing core functionality.
8. Your Rights Under GDPR / Data Privacy Regulations
You have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — ask us to limit processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — at any time where processing is consent-based
To exercise any right, email team@flow-x.madethis.app with “Data Rights Request” in the subject line. We will respond within one calendar month.
9. Complaints
If you believe we have mishandled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. We would appreciate the opportunity to address your concern directly first — please contact our DPO before escalating.
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via the platform or email at least 14 days before taking effect. Continued use of our services constitutes acceptance.