NoimaFlow

Legal

Last updated 25 April 2026

Data Processing Terms

Article 28-style processor commitments for customer data handled by NoimaFlow while providing the service.

When These Terms Apply

These Data Processing Terms apply when GTO Business OÜ processes Customer Personal Data on behalf of a customer in connection with the provision of NoimaFlow. They supplement the Terms of Service and are intended to reflect Article 28 GDPR-style processor commitments.

Roles and Scope

The customer is the controller (or, where applicable, a processor acting on behalf of its own client) for Customer Personal Data submitted to the service. GTO Business OÜ acts as processor for that Customer Personal Data except where we clearly act as an independent controller for our own account administration, billing, marketing, security, abuse prevention, or legal compliance activities.

Processing elementDescription
Subject matterProvision of a SaaS platform for brand analysis, AI-assisted content generation, scheduling, publishing, and reporting.
DurationFor the duration of the customer relationship, plus deletion and backup rotation periods described in our legal documentation.
Categories of data subjectsCustomer users, customer staff, customer clients or brand contacts included in service data, and social account operators linked by the customer.
Categories of personal dataAccount identifiers, prompts, uploaded assets, website analysis inputs, social account identifiers, publishing records, analytics, and related support data as determined by the customer.

Customer Instructions and Responsibilities

The customer instructs us to process Customer Personal Data as necessary to provide the service, maintain security, and carry out documented customer actions within the product. The customer is responsible for ensuring that its instructions are lawful and that it has a valid legal basis, transparency notice, and all required permissions for the Customer Personal Data it submits.

Customers must not instruct us to process special category data or other highly sensitive personal data unless such processing is strictly necessary, lawful, and supported by appropriate safeguards.

Confidentiality

We ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

Security Measures

We implement technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are risk-based and may include access controls, encrypted transport, token encryption, restricted operational access, credential segregation, and vendor security reviews.

Subprocessors

The customer authorises us to use subprocessors reasonably required to operate the service, including infrastructure, storage, billing, email, AI, and social platform providers. We remain responsible for managing those subprocessors in accordance with applicable data protection obligations.

RECHYNY CORP S.R.L. (Digital Wizards) supports technical development, product maintenance, and operational administration as a service provider acting under our instructions.

Our public Privacy Policy identifies the principal categories of providers currently used. Material changes to subprocessors may be reflected there or otherwise communicated through customer-facing documentation.

International Transfers

Where subprocessors or authorised personnel process Customer Personal Data outside the EEA, we use a transfer mechanism recognised under Chapter V GDPR, such as an adequacy decision or Standard Contractual Clauses, together with supplementary safeguards where appropriate.

Assistance with Data Subject Rights, DPIAs, and Consultations

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to help the customer respond to data subject requests and comply with obligations relating to security, breach notification, data protection impact assessments, and prior consultations, where applicable.

Personal Data Breaches

If we become aware of a personal data breach affecting Customer Personal Data, we will notify the relevant customer without undue delay and provide information reasonably available to us so the customer can assess and meet its own notification obligations.

Deletion or Return

At the end of the customer relationship, we will delete or return Customer Personal Data in accordance with the customer's instructions, product functionality, and our ordinary deletion processes, unless applicable law requires continued retention.

Information and Audits

We will make available information reasonably necessary to demonstrate compliance with these Data Processing Terms. Where a customer reasonably requires further assurance, the parties may agree an appropriate and proportionate audit or information-sharing process that protects other customers, security, and confidentiality.

Precedence and Contact

If there is a conflict between these Data Processing Terms and the Terms of Service with respect to processor obligations, these Data Processing Terms prevail to that extent. Questions may be sent to hello@noimaflow.com.

Legal Contact

GTO Business OÜ · Estonia · Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia · Registry code 17489502

Privacy and legal requests can be sent to hello@noimaflow.com. You may also lodge a complaint with your local supervisory authority or the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

hello@noimaflow.com