Privacy

Privacy policy

This policy explains what personal data Flowstate Works processes, why, on what legal basis, and how long we keep it. We keep it short and concrete on purpose: we collect only what we need to help you, and we never sell or trade your data.

Last updated: 18 July 2026

Who is responsible

Flowstate Works is the data controller for the personal data processed through this website. We are a company registered in Amsterdam (KvK 84002875).

Questions about this policy or your data? Email us at amogh@flowstateworks.nl.

What we collect and why

Here is what we process for each part of the site: what we collect, what for, and on what legal basis.

Contact form

When you fill in the contact form, we process your name, email address, an optional company name, and your message. We use that data only to answer your question and get in touch. Your message is sent to us by email (via the Gmail API) and stored in a private, restricted space so we can follow up.

Legal basis Performance of, or steps prior to, a contract (Art. 6(1)(b) GDPR).

Booking a call

When you book an intro call, we process your name, email address, and the answers to a short questionnaire. We create an event in Google Calendar and send you a calendar invite with a Google Meet link. You receive a confirmation by email.

Legal basis Performance of, or steps prior to, a contract (Art. 6(1)(b) GDPR).

Botler chat

The chat assistant (Botler) processes the messages you type in order to answer your question. Those messages are processed by Google Gemini, the language model behind the assistant. If you leave your name and email in the chat for a call or callback, we process those the same way as the contact or booking form.

Legal basis Legitimate interest — offering a useful assistant that helps visitors right away (Art. 6(1)(f) GDPR).

Security and abuse prevention

To prevent spam and abuse we use ALTCHA (a privacy-friendly bot check that runs entirely on our own server, with no cookies or tracking) and IP-based rate limiting. Your IP address is salted and hashed before storage, so we can group requests without keeping the IP address itself.

Legal basis Legitimate interest — securing our website and systems (Art. 6(1)(f) GDPR).

Analytics

We measure how the site is used at an aggregate level with Vercel Analytics. It works without cookies and without cross-site tracking; no individual profiles are built.

Legal basis Legitimate interest — understanding how the site performs and improving it (Art. 6(1)(f) GDPR).

Legal bases

We process personal data on two bases. For the contact form and booking a call, that is the performance of — or steps taken before entering into — a contract (Art. 6(1)(b) GDPR): without your data we cannot answer your question or set up the appointment.

For the chat assistant, security, and analytics, we rely on our legitimate interest (Art. 6(1)(f) GDPR): offering a useful site, protecting it against abuse, and measuring how it performs. We always weigh that interest against your privacy and process no more than needed.

Who processes your data for us

We use a number of processors that handle data on our behalf. Our arrangements with each are documented, and they may only use your data to provide their service to us.

  • VercelUS

    Website hosting and cookieless analytics.

  • GoogleUS

    Google Calendar and Gmail (appointments and email) and Google Gemini (the chat assistant).

  • SanityEU / US

    CMS and the private storage of form submissions.

  • UpstashEU / US

    Rate limiting against abuse.

  • n8n (self-hosted)Self-hosted

    Workflow automation that processes submissions — on our own infrastructure.

Transfers outside the EU

Some of our processors are located in the United States. Where data is processed outside the European Economic Area, this happens on the basis of the EU-US Data Privacy Framework or, where that does not apply, the Standard Contractual Clauses adopted by the European Commission.

How long we keep data

We do not keep data longer than necessary. Form submissions (contact, booking, and chat leads) in our private space are automatically deleted after at most twelve months.

The chat session cookie expires after two hours. Email correspondence is kept as ordinary business records, for as long as needed for our operations and legal retention obligations.

Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Access — request which data we hold about you
  • Rectification — have inaccurate data corrected
  • Erasure — have your data deleted (the 'right to be forgotten')
  • Objection — object to processing based on legitimate interest
  • Portability — receive your data in a common format

Want to exercise one of these rights? Send your request to amogh@flowstateworks.nl. We respond within the statutory period.

If you disagree with how we handle your data, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Cookies

This site uses one strictly necessary cookie: a session cookie for chat security that expires after two hours. It is needed to confirm the chat is used by a real visitor and not a bot.

We set no tracking or marketing cookies, and our analytics (Vercel Analytics) work entirely without cookies. That is why this site does not ask you for cookie consent — there is nothing non-essential to consent to.

Questions or changes

We update this policy when our website or processing changes. The date at the top shows when we last updated it.

Have a question about your privacy or this policy? Feel free to reach out at amogh@flowstateworks.nl.