Privacy
Privacy policy
This policy explains what personal data Flowstate Works processes, why, on what legal basis, and how long we keep it. We keep it short and concrete on purpose: we collect only what we need to help you, and we never sell or trade your data.
Who is responsible
Flowstate Works is the data controller for the personal data processed through this website. We are a company registered in Amsterdam (KvK 84002875).
Questions about this policy or your data? Email us at amogh@flowstateworks.nl.
What we collect and why
Here is what we process for each part of the site: what we collect, what for, and on what legal basis.
Contact form
When you fill in the contact form, we process your name, email address, an optional company name, and your message. We use that data only to answer your question and get in touch. Your message is sent to us by email (via the Gmail API) and stored in a private, restricted space so we can follow up.
— Performance of, or steps prior to, a contract (Art. 6(1)(b) GDPR).
Booking a call
When you book an intro call, we process your name, email address, and the answers to a short questionnaire. We create an event in Google Calendar and send you a calendar invite with a Google Meet link. You receive a confirmation by email.
— Performance of, or steps prior to, a contract (Art. 6(1)(b) GDPR).
Botler chat
The chat assistant (Botler) processes the messages you type in order to answer your question. Those messages are processed by Google Gemini, the language model behind the assistant. If you leave your name and email in the chat for a call or callback, we process those the same way as the contact or booking form.
— Legitimate interest — offering a useful assistant that helps visitors right away (Art. 6(1)(f) GDPR).
Security and abuse prevention
To prevent spam and abuse we use ALTCHA (a privacy-friendly bot check that runs entirely on our own server, with no cookies or tracking) and IP-based rate limiting. Your IP address is salted and hashed before storage, so we can group requests without keeping the IP address itself.
— Legitimate interest — securing our website and systems (Art. 6(1)(f) GDPR).
Analytics
We measure how the site is used at an aggregate level with Vercel Analytics. It works without cookies and without cross-site tracking; no individual profiles are built.
— Legitimate interest — understanding how the site performs and improving it (Art. 6(1)(f) GDPR).
Legal bases
We process personal data on two bases. For the contact form and booking a call, that is the performance of — or steps taken before entering into — a contract (Art. 6(1)(b) GDPR): without your data we cannot answer your question or set up the appointment.
For the chat assistant, security, and analytics, we rely on our legitimate interest (Art. 6(1)(f) GDPR): offering a useful site, protecting it against abuse, and measuring how it performs. We always weigh that interest against your privacy and process no more than needed.
Who processes your data for us
We use a number of processors that handle data on our behalf. Our arrangements with each are documented, and they may only use your data to provide their service to us.
- Vercel
Website hosting and cookieless analytics.
- Google
Google Calendar and Gmail (appointments and email) and Google Gemini (the chat assistant).
- Sanity
CMS and the private storage of form submissions.
- Upstash
Rate limiting against abuse.
- n8n (self-hosted)
Workflow automation that processes submissions — on our own infrastructure.
Transfers outside the EU
Some of our processors are located in the United States. Where data is processed outside the European Economic Area, this happens on the basis of the EU-US Data Privacy Framework or, where that does not apply, the Standard Contractual Clauses adopted by the European Commission.
How long we keep data
We do not keep data longer than necessary. Form submissions (contact, booking, and chat leads) in our private space are automatically deleted after at most twelve months.
The chat session cookie expires after two hours. Email correspondence is kept as ordinary business records, for as long as needed for our operations and legal retention obligations.
Your rights
Under the GDPR you have the following rights regarding your personal data:
- Access — request which data we hold about you
- Rectification — have inaccurate data corrected
- Erasure — have your data deleted (the 'right to be forgotten')
- Objection — object to processing based on legitimate interest
- Portability — receive your data in a common format
Want to exercise one of these rights? Send your request to amogh@flowstateworks.nl. We respond within the statutory period.
If you disagree with how we handle your data, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
Cookies
This site uses one strictly necessary cookie: a session cookie for chat security that expires after two hours. It is needed to confirm the chat is used by a real visitor and not a bot.
We set no tracking or marketing cookies, and our analytics (Vercel Analytics) work entirely without cookies. That is why this site does not ask you for cookie consent — there is nothing non-essential to consent to.
Questions or changes
We update this policy when our website or processing changes. The date at the top shows when we last updated it.
Have a question about your privacy or this policy? Feel free to reach out at amogh@flowstateworks.nl.