Privacy Policy

1.    Introduction

In the company dFlow d.o.o. (Predilniška cesta 16, 4290 Tržič, registration number: 9855033000, tax number: SI20209550) we respect your right to privacy and protection of personal data. This privacy policy explains what personal data we collect, how and why we process it, and what rights you have as an individual.

The Privacy Policy refers to the processing of personal data of users of our website, the Flowbills web application, the mobile application, and all other communication channels (e-mail, events, telephone contact, etc.) through which we obtain your data.

We are committed to lawful, fair, and transparent processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act (ZVOP-2).

We recommend that you read this policy carefully to understand how we manage your data and how you can exercise your rights. This policy supplements other privacy information you may receive from individual services or interactions with us.

By using the services of Flowbills, the user confirms that they are familiar with this Privacy Policy and that, as the personal data controller, they appoint dFlow d.o.o. as a contractual processor within the meaning of Article 28 of the GDPR.

2.    Personal data controller

The controller of your personal data is:

dFlow d.o.o.
Predilniška cesta 16
4290 Tržič
Slovenia

Registration number: 9855033000
Local Tax ID: SI20209550
E-mail: info@dflow.si

For all questions related to the processing of your personal data or the exercise of your rights, you can reach us at the contact details above.

3.    What personal data do we collect?

Personal data is any data that allows you to be identified, directly or indirectly. We collect and process the following types of personal data:

a) Information you provide to us directly:

When you use our services (e.g., register, contact us, use the Flowbills app), you can provide us with the following data:

Identification data: first name, last name, username, title, language preferences.

Contact information: email address, phone number, company address.

Company information (if you are a legal entity): company name, tax number, registration number, address, bank account.

Other content: data that you enter into the Flowbills app (e.g. documents, invoices, labels, notes), including any data it contains about third parties (customers, suppliers, etc.).

b) Data collected automatically:

When you use our website or app, we automatically collect certain technical and user data, such as:

Technical data: IP address, device type, operating system, browser type and version, time zone.

Usage data: pages you visit, actions you perform within the app (e.g. upload documents, send e-invoices), access time, session duration.

Analytics data: collected through tools such as Google Analytics for the purpose of improving the user experience.

c) Information obtained from third parties:

Data from public registers (e.g. AJPES, tax administration),

Data from integrated services, such as bank statements, third-party APIs (e.g. cash tax registers, accounting programs), if you have actively established a connection.

4.    How We Collect Personal Information

We collect your personal information in a variety of ways, depending on how you use our services. We obtain data through the following sources:

a) Direct interaction with you

You provide us with personal data yourself when you:

  • register in the Flowbills app or create a user account,
  • submit an inquiry or subscribe to services,
  • send us a message via e-mail or contact form,
  • participate in research, surveys, or promotions,
  • upload content to the application (e.g. invoices, documents, attachments),
  • request help or provide feedback.

b) Automatic data collection

When you use the Flowbills website or app, certain information is automatically collected using the following technologies:

Cookies and other tracking technologies: for session monitoring, usage analytics, storing user settings, etc.

Server logs: records technical information such as IP address, browser type, session duration, access location (if enabled).

Analytics tools: such as Google Analytics to analyze usage and optimize system performance.

c) Data from third parties or publicly available sources

We may also receive your personal data from other sources, such as:

Public registers (e.g. AJPES, tax register) where this is necessary for the verification of legal entities.

Service providers (e.g. payment providers, bank details through integrations, accounting systems) if you have established a connection to our services.

Third-party authentication systems if you choose to log in via social networks or other integrated systems (e.g. Microsoft, Google).

5.    Purposes and legal bases for processing

We only process your personal data when there is a lawful legal basis for doing so in accordance with the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (ZVOP-2). We collect and process data for the following purposes:

a) Performance of a contract with you

Processing is necessary for:

  • registering a user account in the Flowbills app,
  • providing access to the functionality of the application,
  • processing and exchanging documents (e.g. invoices, attachments, notes),
  • notifying you of changes in services or technical support,
  • billing for services and managing payments.

Legal basis: Article 6(1)(b) GDPR – performance of the contract.

b) Compliance with legal obligations

We process data when we are required to do so by law, e.g. in the fields of tax, accounting, or consumer law.

Legal basis: Article 6(1)(c) GDPR – compliance with a legal obligation.

c) Legitimate interest

We may also process your data for the legitimate interests of our company, except when your interests or fundamental rights and freedoms prevail over them. This includes:

  • improving user experience and service development,
  • safeguarding the system and preventing abuse,
  • marketing of own services under an existing business relationship,
  • communication with users and support.

Legal basis: Article 6(1)(f) GDPR – legitimate interest.

d) Your consent

For certain forms of personal data processing (e.g. sending newsletters, using optional cookies), we will ask for your explicit consent beforehand.

You can revoke your consent at any time without consequences for your continued use of the service. Revocation does not affect the lawfulness of the processing prior to the revocation.

Legal basis: Article 6(1)(a) GDPR – consent.

Overview of purposes of processing, legal bases (GDPR), and retention periods:

Purpose: Create and manage a user account
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Retention period: Until account closure + 5 years (legal deadlines for exercising rights and obligations)

Purpose: Invoicing, documents, using the functions of the application
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Retention period: For the duration of the contractual relationship + 10 years (in accordance with tax legislation)

Purpose: Technical support, communication with customers
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or contract (Art. 6(1)(b) GDPR)
Retention period: 2 years after the last communication or closure of the account

Purpose: Sending notifications about services and important updates to the application
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention period: Until the individual unsubscribes or objects

Purpose: Sending e-newsletters and promotional messages (if consent is given)
Legal basis: Consent (Art. 6(1)(a) GDPR)
Retention period: Until the withdrawal of consent

Purpose: Safety and protection of the information system
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention period: Up to 6 months (e.g. access logs, backups)

Purpose: Compliance with legal obligations (e.g. accounting, taxes)
Legal basis: Legal obligation (Art. 6(1)(c) GDPR)
Retention period: 10 years after the end of the fiscal year (tax legislation)

Purpose: Using AI to improve the user experience (if active)
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or consent (Art. 6(1)(a) GDPR)
Retention period: Depending on the function – e.g. until cancellation or automatic anonymization

Purpose: Processing of personal data of third parties on behalf of the subscriber (e.g. invoice data)
Legal basis: Data processing agreement (Art. 28 GDPR); client as controller, dFlow as processor
Retention period: Determined by the client; dFlow stores data only for the duration of the contract or until the data is deleted by the client

Purpose: Asserting legal claims or defending in legal proceedings
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention period: Until the conclusion of the procedure + 5 years

6.    Cookies and Other Tracking Technologies

Our website and the Flowbills app use cookies and similar technologies to ensure performance, improve user experience, and perform analytics. Cookies are small text files that are stored on your device when you visit a website.

a) Types of cookies we use:

– Strictly necessary cookies: Enable the basic functioning of the website or application (e.g. login to the account, saving settings, security).

– Analytical cookies: They collect information about how visitors use our website or application (e.g. number of visits, time of visit, most visited pages). This data is anonymous and helps us to optimize the service.

– Functional cookies: Enable improved functionality and personalization (e.g. language setting, display of customized content).

– Marketing cookies (only with your consent): Used to display relevant ads and track the user between websites.

b) Tools used:

Google Analytics (for usage analysis).

c) Cookie management:

On your first visit, you will receive a notification about the use of cookies, where you will be able to choose which types you want to allow. Strictly necessary cookies are always enabled.

You can control or delete cookies at any time through your browser settings. If you reject certain types of cookies, certain parts of the website or application may not work properly.

d) Legal basis:

Necessary cookies: legitimate interest (Article 6(1)(f) GDPR),

All other cookies: your consent (Article 6(1)(a) of the GDPR).

More information about the cookies used and your options can be found in our Cookie Policy.

7.    When we function as a processor of personal data

In addition to the role of the personal data controller, dFlow d.o.o. also acts as a personal data processor in certain cases when it provides services to its clients (legal entities) who themselves function as personal data controllers.

This means that as part of the use of the Flowbills application, our clients can upload or process personal data of their customers, employees, partners, etc., for which they are the controllers. In such cases, dFlow d.o.o. acts exclusively on the instructions of the client and does not decide on the purpose or method of processing.

dFlow acts as a data processor (Art. 28 GDPR), for example:

  • when the user (subscriber – company) uploads invoices, contracts, or documents containing personal data of third parties (e.g. customers, employees, suppliers) to the application,
  • when Flowbills allows the processing of financial and tax data containing personal data, and this data is used on behalf of the client,
  • when the application connects to the accounting or tax systems of the subscriber (via API connections), where the data remains under the exclusive ownership and control of the subscriber.

In these cases:

  • the user (customer) is the data controller for any personal data entered into the Flowbills system,
  • dFlow d.o.o. acts as the data processor, processing data exclusively on behalf of and according to the controller’s instructions,
  • dFlow does not claim ownership of the data and does not access, modify, or disclose data without explicit instruction,
  • data subject requests are referred to the relevant controller unless otherwise agreed.

Obligations of the subscriber as the controller:

In these cases, the Subscriber (Service User) is solely responsible for:

  • obtaining lawful legal bases for the processing of personal data,
  • compliance with obligations regarding the notification of individuals (e.g. through their own privacy policy),
  • taking appropriate data protection measures (e.g. internal policies, accesses, instructions for employees).

Method of dealing with requests from individuals:

If a data subject sends a request for access, erasure, or other exercise of rights regarding personal data processed by dFlow on behalf of the client, the company will immediately forward the request to the controller (client), if the controller can be identified. Otherwise, it will advise the individual to address the request directly to the controller.

By registering and using the Flowbills services, the user expressly confirms and agrees that:

  • they are the controller of the personal data entered into the system,
  • they appoint dFlow d.o.o. as a contractual processor in accordance with Article 28 of the General Data Protection Regulation (GDPR), for the tasks of storing and processing data within the functionality of the application,
  • they have obtained all necessary consent for the processing of personal data of third parties,
  • they are aware that dFlow does not change, analyze, or transmit personal data without specific instructions from the controller.

8.    Who has access to your personal data?

We may disclose your personal data to third parties only when it is necessary for the provision of our services, the fulfilment of legal obligations or based on your explicit consent. We do not sell or transmit data to unauthorized entities.

a) Contractual processors

We may share your data with trusted contractual partners (so-called processors) who perform certain services on our behalf, such as:

  • computer infrastructure providers (e.g. cloud application hosting – AWS, Microsoft Azure, etc.),
  • payment service providers (e.g. Stripe),
  • providers of e-mail and communication systems (e.g. SendGrid, Twilio),
  • providers of CRM systems and customer support tools (e.g. Salesforce, Zendesk),
  • external contractors for accounting, legal services, and IT support.

We have a personal data processing agreement with each processor, which ensures that they respect your privacy and process the data exclusively according to our instructions and in accordance with the GDPR.

b) Transfers of data outside the EU/EEA

If processors or their subcontractors operate outside the European Economic Area (e.g. in the USA), we provide appropriate safeguards, such as:

  • a decision of the European Commission on the adequacy of data protection in a third country,
  • conclusion of standard contractual clauses (SCCs),
  • additional security measures where necessary.

We are transparent about these transfers when relevant to the use of our services.

c) Other eligible recipients

We may also disclose information to the following entities:

  • government authorities (e.g. FURS, supervisory authorities) when required by law,
  • courts or law enforcement authorities, if there is a legal obligation or court order,
  • auditors or consultants, where necessary for compliance or business security,
  • in the case of mergers or acquisitions – to legal successors, provided they continue to afford the same protection of personal data.

d) Internal access

Only those employees who need it to perform their work tasks (e.g. customer support, system management) have access to your data within the company and are bound by confidentiality.

9.    Retention of personal data

We will only keep your personal data for as long as it is strictly necessary to fulfil the purposes for which it was collected or for as long as required by applicable regulations (e.g. tax or accounting legislation).

a) Criteria for determining the retention period

The retention period of personal data depends on:

  • the type of data,
  • legal retention obligations (e.g. 10 years for invoices and books of accounts according to ZDDV-1 and ZGD-1),
  • the duration of the contractual relationship or the use of services,
  • the possibility of asserting legal claims (e.g. limitation periods).

b) Examples of retention periods:

  • User account and basic contact information: until account cancellation + up to 5 years (due to legal claims).
  • Invoices, documents, and transaction data: 10 years after the termination of the business relationship (in accordance with tax legislation).
  • Cookies and analytics data: in accordance with the lifetime of the cookie or until the user withdraws consent.
  • Marketing data (e.g. newsletter subscription): until you withdraw your consent or request for deletion.

c) Anonymization and deletion

After the expiration of the retention period or at your request, the data will be deleted or anonymized so that you can no longer be identified.

You can delete your account and related data at any time within the Flowbills application or by sending a request to the company’s contact address.

10. Personal data protection

At dFlow d.o.o. we are aware of the importance of personal data protection and implement appropriate technical and organizational measures to ensure its security, confidentiality, integrity, and availability.

a) Technical measures include:

  • encryption of data in transit and, where necessary, at rest (e.g. TLS/SSL, AES),
  • backups to prevent data loss,
  • user authentication (e.g. strong passwords, two-factor authentication),
  • control of access to data (based on the minimum necessary scope of access),
  • regular updating of software and systems to close known security vulnerabilities,
  • capture and review of log entries (logs) to detect unusual activities.

b) Organizational measures include:

  • data protection policies and internal rules,
  • training of employees on personal data protection and information security,
  • confidentiality agreements with employees and contractual associates,
  • risk evaluation and implementation of risk mitigation measures,
  • data processing agreements with contractual processors,
  • procedures for responding to security incidents, including notifying the Information Commissioner and individuals if security breaches occur.

c) Access restrictions

Only authorized people within the company and selected contractual processors have access to your personal data, and only to the extent necessary for the performance of the tasks.

Despite our efforts to keep your data secure, please note that no system is completely secure. Although we strive for the highest level of protection, we cannot guarantee the absolute security of data transmission over the Internet.

11. Use of artificial intelligence

As part of the operation of the Flowbills application, we use artificial intelligence (AI) technology exclusively for automatic invoice recognition and the related optimization of the user experience.

The AI system used in Flowbills extracts key information from uploaded invoices (e.g. issuer name, amount, date, reference number) to assist users in document entry. This process is fully automated but subject to human oversight. AI functionalities do not produce legally binding decisions and are governed by the principles of data minimization and security.

The AI system enables:

  • simplification and acceleration of document entry into the system,
  • improved accuracy in the processing of incoming invoices.

All AI systems operate in accordance with the principles of personal data protection, in particular the principles of legality, proportionality, and data minimization. AI functionalities do not make automated decisions with legal or similarly significant effects for an individual without human oversight.

Personal data processed in the context of the use of AI shall be protected by appropriate technical and organizational measures to prevent unauthorized access, loss, or misuse of data.

12. Rights of individuals

As an individual, you have the following rights in accordance with the General Data Protection Regulation (GDPR) and ZVOP-2 regarding your personal data. You can exercise these rights at any time by contacting us at the contact details listed in this policy.

a) Right of access

You have the right to confirm whether we are processing your personal data and the right to inspect this data and additional information (e.g. purpose of processing, categories of data, recipients, etc.).

b) Right to rectification

If your data is inaccurate or incomplete, you have the right to request that it be corrected or supplemented.

c) Right to erasure (“right to be forgotten”)

In certain cases (e.g. when the data is no longer necessary for the purposes for which it was collected or when you withdraw your consent), you have the right to request the deletion of your data.

d) Right to restriction of processing

In certain cases, you can request that we restrict the processing of your data (e.g. during the verification of the accuracy of the data or the resolution of an objection).

e) Right to object

If we process data based on a legitimate interest or for direct marketing purposes, you have the right to object to such processing.

f) Right to data portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller.

g) Right to withdraw consent

If we process data on the basis of your consent, you have the right to withdraw this consent at any time, without affecting the lawfulness of the processing prior to the withdrawal.

h) Right to lodge a complaint

If you believe that we are processing your data unlawfully or that we have not properly dealt with your request, you can lodge a complaint with:

Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana
Phone: 01 230 97 30
E-mail: gp.ip@ip-rs.si
Website: www.ip-rs.si

13. Children’s data protection

Our services, including the Flowbills application, are not intended for children or minors (under 15 years of age), in accordance with the provisions of the Personal Data Protection Act (ZVOP-2).

We do not intentionally collect personal information from children. If we become aware that we have inadvertently received a child’s personal data without the appropriate consent of the parents or legal guardians, we will delete such data immediately.

If you believe that we have collected data from a child without an appropriate legal basis, please inform us immediately using the contact details provided in this policy.

14. Links to third-party websites

From time to time, our website or the Flowbills app may contain links to third-party websites, apps, or services (e.g. payment providers, accounting systems or business partners).

Important: When you click on such a link, third parties may collect or share information about you. We are not responsible for the way in which personal data is processed by these external websites or services.

We recommend that you read the privacy policy of each third-party website you visit, as this privacy policy applies exclusively to the services of dFlow d.o.o. and does not include other operators.

15. Changes to the Privacy Policy

We review this privacy policy regularly and update it as necessary to reflect changes in legislation, our services, or data processing practices.

If the changes are material (e.g. change in the purposes of processing, introduction of new categories of recipients, change in legal bases), we will explicitly inform you of this:

  • via e-mail (if you are a registered user),
  • or by means of an in-app or website notification.

The date of the last update will always be indicated below, so we recommend that you review this privacy policy from time to time.

By continuing to use our services after a change in the privacy policy, you are deemed to agree with its content.

16. Contact details

For any questions, comments, or exercise of your rights in relation to the processing of personal data, you can contact us:

Data controller:

dFlow d.o.o.
Predilniška cesta 16
4290 Tržič
Slovenia

Registration number: 9855033000
Local Tax ID: SI20209550
E-mail: privacy@dFlow.si
Website: https://www.flowbills.com

If you believe that your questions or requests have not been properly addressed, you have the right to lodge a complaint with the supervisory authority – the Information Commissioner of the Republic of Slovenia (more in Chapter 12).

17. Last Privacy Policy Update

This privacy policy was last updated on August 6, 2025 and is effective as of August 10, 2025.

We will inform you of any material changes in due course.