Last updated 25 April 2026

Privacy Policy

Corporate-level information about controller and processor roles, personal data categories, legal bases, transfers, security, retention, and GDPR rights across NoimaFlow.

Controller, Scope, and Roles

GTO Business OÜ (Estonia) operates NoimaFlow. This Privacy Policy explains how we process personal data when you visit our website, create or administer an account, use the service, contact us, subscribe to marketing communications, or otherwise interact with us.

NoimaFlow is commercially operated by GTO Business OÜ. Certain technical operations, including development, maintenance, support tooling, and Meta integration administration, are carried out by RECHYNY CORP S.R.L. (Digital Wizards) in Romania as a technical service provider acting under our instructions. Digital Wizards is not the seller of the subscription and does not independently decide the commercial purposes of NoimaFlow.

NoimaFlow is a business software product. In many situations, we process customer workspace data as a processor on behalf of the relevant workspace customer, while processing account, billing, marketing, security, and compliance data as an independent controller. Where a workspace customer uploads brand materials, prompts, post drafts, website URLs, social publishing connections, or similar service data relating to its own business or clients, that workspace customer is normally responsible for the underlying legal basis, notices, and instructions for that service data.

For privacy requests, contact hello@noimaflow.com.

Categories of Personal Data We Process

Depending on how you use the service, we may process the following categories of personal data:

  • Account and identity data. Examples: name, email address, password hash, role, workspace membership, verification and password reset records. Typical source: directly from you or your workspace administrator.
  • Workspace and brand data. Examples: client names, websites, brand memory fields, uploaded assets, logos, schedules, post drafts, approvals, campaign settings, and monthly plans. Typical source: workspace users, website analysis flows, and imported brand assets.
  • AI and generation inputs. Examples: prompts, website content selected for analysis, generation preferences, structured model outputs, image prompts, QA notes, and regeneration instructions. Typical source: workspace users and automated product workflows triggered by them.
  • Social publishing data. Examples: Facebook Page IDs, Instagram account IDs, permission metadata, encrypted access tokens, publishing logs, external post IDs, and post performance metrics. Typical source: Meta APIs and actions performed by authorised workspace users.
  • Billing and commercial data. Examples: plan, subscription status, Paddle customer and subscription IDs, invoices, tax-related records, and usage counters. Typical source: you, Paddle, and our billing workflows.
  • Support and correspondence. Examples: emails, support requests, bug reports, feedback, and any attachments you provide. Typical source: directly from you.
  • Technical, device, and log data. Examples: IP-derived security logs, session identifiers, browser metadata, timestamps, error logs, cron job logs, and activity records needed to secure or operate the service. Typical source: your browser, our application servers, and infrastructure providers.
  • Marketing preference data. Examples: newsletter subscription status, consent evidence, source path, unsubscribe records, and campaign delivery metadata. Typical source: directly from you and our email provider.

How We Collect Data

We collect personal data in several ways:

  • directly from you when you create an account, subscribe, contact us, or configure a workspace;
  • from your organisation when a workspace owner or admin invites you or assigns you a role;
  • from public websites that you explicitly ask us to analyse for brand onboarding;
  • from connected third-party providers such as Meta or Paddle when you choose to connect or pay for the service;
  • automatically from your device and our systems when you log in, schedule posts, generate content, or use the product.

Purposes of Processing and Legal Bases

Where we act as controller, we rely on one or more of the legal bases recognised by Article 6 GDPR.

  • Create and administer user accounts, workspaces, and subscriptions. Our role: controller. Legal basis: performance of a contract and pre-contract steps.
  • Authenticate users, protect sessions, enforce permissions, prevent abuse, and maintain platform security. Our role: controller. Legal basis: legitimate interests in securing the service and, where relevant, legal obligations.
  • Provide hosting, workflow automation, AI generation, scheduling, publishing, and related support for workspace content. Our role: usually processor for customer service data. Legal basis: the relevant workspace customer determines the applicable legal basis and instructs us through use of the service.
  • Provide support, operational notices, product emails, and customer success communications. Our role: controller. Legal basis: performance of a contract and legitimate interests in operating the service.
  • Process payments, maintain accounting records, manage taxes, and enforce plan limits. Our role: controller. Legal basis: performance of a contract and compliance with legal obligations.
  • Send newsletters, product launches, and marketing messages. Our role: controller. Legal basis: consent, where required by applicable law.
  • Investigate claims, handle disputes, comply with regulator requests, and defend legal rights. Our role: controller. Legal basis: legal obligations and legitimate interests.

Recipients, Processors, and Subprocessors

We share personal data only on a need-to-know basis with personnel, contractors, and service providers involved in operating NoimaFlow. As of the last updated date, our principal providers may include:

  • Digital Wizards / RECHYNY CORP S.R.L. for technical development, product maintenance, and operational assistance under our instructions;
  • Vercel for application hosting and deployment;
  • Supabase for database, storage, and related infrastructure;
  • Paddle for billing, subscription management, tax handling, and invoicing workflows;
  • Resend for transactional and marketing email delivery;
  • Meta for social account connection, publishing, and platform metrics;
  • OpenAI and Google for AI-assisted text, image, and analysis features when enabled by product configuration.

We may also disclose information to auditors, professional advisers, insurers, corporate transaction counterparties, or competent authorities where necessary and legally justified.

International Data Transfers

Some of our providers operate outside the EEA or permit remote access from third countries. Where personal data is transferred outside the EEA, we use a transfer mechanism recognised under Chapter V GDPR, such as an adequacy decision or the European Commission's Standard Contractual Clauses, and we implement supplementary technical and organisational measures where appropriate.

Further information about applicable transfer safeguards can be requested at hello@noimaflow.com.

Security and Confidentiality

We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are risk-based and may include role-based access controls, session security, encrypted transport, secret management, token encryption, vendor due diligence, and restricted operational access.

No system can guarantee absolute security. We therefore review and adapt our controls over time in light of the state of the art, the context of processing, and the risk to individuals.

Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or for the period required by law. Where it is not possible to state a single fixed retention period, we apply the following criteria:

  • Account and workspace data: kept while the account or workspace remains active and for a limited period afterwards to allow recovery, security review, and dispute handling.
  • Customer service data: kept until the relevant customer deletes it, the workspace is removed, or we receive verified deletion instructions, subject to backup rotation and legal holds.
  • Social publishing tokens and connection records: kept until disconnected, expired, replaced, or deleted, and longer only if required to document publishing history or respond to a dispute.
  • Billing, tax, and invoice records: retained for the period required under applicable accounting, tax, and financial record-keeping rules.
  • Marketing and newsletter data: kept until you unsubscribe or withdraw consent, after which we may retain minimal suppression data to respect the opt-out.
  • Security and audit logs: kept for operational security, fraud prevention, and incident investigation windows, then deleted or anonymised in the ordinary course.

Your Rights

Subject to applicable law, you may request access, rectification, erasure, restriction, objection, portability, or withdrawal of consent where consent is the basis for processing. You also have the right not to be subject to a decision based solely on automated processing where Article 22 GDPR applies.

We will normally respond within one month after receiving a verified request, although complex requests may take longer where the GDPR permits this and we notify you accordingly. We may request information necessary to verify identity or authority before acting.

If your request concerns customer-controlled service data inside a workspace, the relevant workspace customer is normally the primary controller and may be better placed to respond. We will assist that customer where required by applicable law or contract.

You may also lodge a complaint with your local supervisory authority or with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

AI Features, Website Analysis, and Automated Decisions

If you use our AI features, prompts, website text, structured brand memory, image directions, and similar inputs may be sent to the configured AI providers (currently OpenAI and Google, as listed under Recipients, Processors, and Subprocessors) to generate summaries, post drafts, image prompts, images, or QA recommendations. Inputs are sent only to the extent needed to provide the feature you have requested.

In the ordinary course of the service, NoimaFlow does not make decisions with legal or similarly significant effects on individuals solely by automated means. Human review remains part of the product workflow before publishing.

Marketing Communications

Marketing emails are optional. We send newsletters, product notes, and selected offers only where there is an appropriate legal basis, typically your consent. Every marketing email contains an unsubscribe mechanism, and you may also manage preferences through /newsletter/unsubscribe.

Children and Sensitive Data

NoimaFlow is intended for professional and business use and is not directed to children. Do not use the service to upload or analyse special category data, criminal offence data, or other highly sensitive personal data unless this is strictly necessary, lawful, and supported by appropriate notices and safeguards.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. Material updates will be posted here and, where appropriate, communicated by email or in-product notice.

Legal Contact

GTO Business OÜ · Estonia · Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia · Registry code 17489502

Privacy and legal requests can be sent to hello@noimaflow.com.