Privacy Policy
OccasionFlow LLC (“OccasionFlow,” “we,” “our,” or “us”) respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.
This Privacy Policy applies to all users of the OccasionFlow web application and related services (the “Service”). By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller responsible for your personal data is:
OccasionFlow LLC
Email: legal@occasion-flow.com
Website: www.occasion-flow.com
If you have any questions or concerns about how we handle your data, you may contact us at the address above.
2. Information We Collect
We collect the following categories of personal data when you use the Service:
Account Information
| Data | Purpose |
|---|---|
| Full name | Account identification and personalisation |
| Email address | Authentication, notifications, and account recovery |
| Password (hashed) | Secure authentication |
Recipient Information
| Data | Purpose |
|---|---|
| Recipient name | Addressing and personalising gift deliveries |
| Delivery address (street, city, postal code, country) | Fulfilling delivery orders through Third-Party Vendors |
| Relationship label (e.g. “Partner,” “Mother”) | Helping you organise recipients |
Occasion Data
| Data | Purpose |
|---|---|
| Occasion type (e.g. birthday, anniversary) | Scheduling automated gift deliveries |
| Occasion date | Triggering orders at the correct time |
| Gift preferences and budget limits | Selecting appropriate products within your parameters |
Order and Payment Data
| Data | Purpose |
|---|---|
| Order history (items, amounts, dates, status) | Order tracking, billing transparency, and support |
| Payment method reference (last four digits, expiry) | Displaying your saved payment method in the dashboard |
We do not store full credit card numbers, CVV codes, or bank account details. All payment processing is handled by our third-party payment processor (see Section 5).
Automatically Collected Data
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, and abuse detection |
| Browser type and operating system | Ensuring compatibility and debugging issues |
| Pages visited and timestamps | Understanding usage patterns to improve the Service |
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — Processing your account, recipient, occasion, and order data is necessary to provide the Service you have subscribed to.
- Legitimate interests (Art. 6(1)(f) GDPR) — We process automatically collected data (IP address, browser information, usage data) to maintain the security and stability of the Service, to detect fraud, and to improve the user experience. Our legitimate interests do not override your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR) — We may process certain data to comply with applicable tax, accounting, or regulatory requirements.
- Consent (Art. 6(1)(a) GDPR) — Where we send you optional marketing communications or use non-essential cookies in the future, we will obtain your explicit consent beforehand. You may withdraw consent at any time.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Creating and managing your account
- Scheduling and placing automated gift orders on your behalf
- Transmitting delivery details to Third-Party Vendors for order fulfilment
- Processing subscription payments and product charges
- Sending transactional notifications (order confirmations, delivery updates, billing receipts)
- Providing customer support and responding to your inquiries
- Monitoring and improving the security, performance, and reliability of the Service
- Complying with legal obligations
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
5. Third-Party Service Providers
We share your personal data with the following categories of third-party service providers, strictly to the extent necessary to operate the Service:
Infrastructure and Authentication
We use Supabase (hosted in Frankfurt, Germany, EU) for database hosting, user authentication, and backend infrastructure. Your account data and all associated records are stored on Supabase’s EU-based servers.
Payment Processing
We use Stripe to process subscription payments and product charges. When you provide payment details, they are transmitted directly to Stripe and are subject to Stripe’s Privacy Policy. OccasionFlow does not receive or store your full card details.
Gift Fulfilment
When an order is placed, we share the recipient’s name and delivery address with the applicable Third-Party Vendor (florist, gift retailer, or delivery service) solely for the purpose of fulfilling the delivery. We share only the minimum information required to complete the order.
Hosting and Deployment
The Service is hosted on Vercel, which may process your IP address and request metadata as part of serving the application. Vercel’s infrastructure includes servers in the EU and the United States.
We require all third-party service providers to handle your data in accordance with applicable data protection laws and to use your data only for the purposes for which it was shared.
6. International Data Transfers
Your primary data is stored on servers in the European Union (Frankfurt, Germany). However, some of our service providers (such as Stripe and Vercel) operate servers in the United States and other countries outside the EEA.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Other legally recognised transfer mechanisms under GDPR
7. Cookies and Tracking Technologies
OccasionFlow uses a minimal set of cookies that are strictly necessary to operate the Service:
| Cookie | Type | Purpose |
|---|---|---|
| Authentication session token | Strictly necessary | Keeping you signed in and securing your session |
We do not currently use any analytics, advertising, or marketing cookies. If we introduce such cookies in the future, we will update this Privacy Policy and obtain your explicit consent before placing them, in accordance with applicable law.
Strictly necessary cookies do not require consent under the GDPR and the ePrivacy Directive, as they are essential for the Service to function.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required by law:
- Active accounts: Your data is retained for the duration of your Subscription and account.
- After account deletion: When you delete your account, we will delete or anonymise your personal data within 90 days, except where retention is required for legal, tax, or regulatory purposes.
- Order records: Transaction records may be retained for up to 7 years after the transaction date to comply with applicable tax and accounting obligations.
- Server logs: Automatically collected data (IP addresses, access logs) is retained for a maximum of 90 days and then permanently deleted.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — You may request that we delete your personal data, subject to legal retention requirements.
- Right to restriction of processing — You may ask us to temporarily restrict how we use your data while a concern is being resolved.
- Right to data portability — You may request your data in a structured, commonly used, machine-readable format.
- Right to object — You may object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at legal@occasion-flow.com. We will respond within 30 days of receiving your request, as required by the GDPR.
If you believe that we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.
10. Data Security
We take the security of your data seriously and implement appropriate technical and organisational measures to protect your personal information, including:
- Encrypted data transmission (TLS/HTTPS) for all connections to the Service
- Passwords are hashed using industry-standard algorithms and are never stored in plain text
- Row-Level Security (RLS) policies on all database tables, ensuring users can only access their own data
- Access to production infrastructure is restricted to authorised personnel only
- Regular security reviews of the application and its dependencies
While we strive to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents that may occur.
11. Children’s Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take immediate steps to delete that information.
If you believe that a child has provided us with personal data, please contact us at legal@occasion-flow.com and we will investigate promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Information
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
OccasionFlow LLC
Email: legal@occasion-flow.com
Website: www.occasion-flow.com
By using OccasionFlow, you acknowledge that you have read and understood this Privacy Policy.