Privacy Policy
Last updated: 22 April 2026
This notice explains how Kad Agency Global AB, the operator of WashFlow, collects, uses, and protects personal data when you use the platform or visit our websites.
1. Who we are
WashFlow is a product of Kad Agency Global AB ("we", "us"), a company registered in Sweden. Kad Agency Global AB is the data controller for personal data processed through the WashFlow platform in the cases described in this notice.
Privacy contact: privacy@washflows.com
2. When we are controller vs. processor
WashFlow is a multi-tenant SaaS product for truck-wash operators. We play two different GDPR roles depending on the data in question:
- Controller for the accounts of people who sign in to the platform (staff users and portal customer users), our own marketing and analytics, and platform-level audit logs.
- Processor for operational data each wash company stores inside their tenant workspace (their bookings, invoices, customer companies, vehicles). For that data, the wash company is the controller and we process it on their documented instructions under a Data Processing Agreement. See Terms of Service & DPA.
3. What personal data we process as controller
For users of the platform (staff and customer accounts):
- Identity and contact details: name, email address, optional phone number.
- Authentication data: Clerk user ID, session tokens, last-seen timestamps, multi-factor configuration. (Primary auth data is stored by our identity provider Clerk, Inc.)
- Organizational data: which tenant workspace and role you belong to.
- Operator-console PIN hashes and failed-attempt counters (for shared-kiosk staff).
- Audit log entries: IP address, user agent, action performed, timestamp — kept for 2 years for security and fraud prevention.
- Support correspondence you send us by email or in-app message.
For visitors to www.washflows.com (unauthenticated): minimal analytics (see §7 below) and, if you fill in the signup form, the business name / contact details you submit.
4. Why we process it and on what legal basis
- To provide the service you or your employer signed up for — legal basis: performance of a contract (GDPR Art. 6(1)(b)).
- To secure the platform: audit logs, abuse detection, rate limiting, PIN brute-force prevention — legal basis: legitimate interests (Art. 6(1)(f)).
- To comply with law: Swedish accounting law (Bokföringslagen) requires us to retain invoice data and related bookings for 7 years — legal basis: legal obligation (Art. 6(1)(c)).
- To improve the product: aggregate usage analytics — legal basis: legitimate interests (Art. 6(1)(f)), with opt-out available via the cookie banner.
- To contact you with transactional emails (booking confirmations, invoices, account changes) — legal basis: contract (Art. 6(1)(b)).
5. Who we share it with
We share personal data with the sub-processors listed at /legal/sub-processors under written Data Processing Agreements. These include our authentication provider, email sender, file storage, accounting integration, and error-monitoring tools.
We do not sell personal data. We do not share it with third parties for their own marketing purposes.
6. International transfers
Some of our sub-processors are located outside the EU/EEA (notably in the United States). Where a transfer takes place, it is covered either by the EU–US Data Privacy Framework or by the European Commission's Standard Contractual Clauses (2021/914). Copies of the relevant safeguards are available on request from privacy@washflows.com.
7. Cookies
We use a small set of strictly necessary cookies for authentication and security (Clerk session, CSRF, Cloudflare Turnstile), and optionally first-party analytics cookies for error monitoring. See the Cookie Policy for the full list and controls.
8. Retention
- Active user accounts: for the duration of the contract.
- Deactivated accounts: anonymized 90 days after deactivation, except where retention is required by law.
- Invoices, credit notes and bookings linked to them: 7 years from issue date (Swedish Bokföringslagen), then anonymized (financial totals kept; personal fields scrubbed).
- Cancelled or no-show bookings: 2 years, then hard-deleted.
- Audit logs: 2 years, then hard-deleted.
- Backups: up to 7 years under R2 lifecycle rules, encrypted at rest.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you, and obtain a copy in a structured, machine-readable format (data portability).
- Rectify inaccurate data — you can edit most of it yourself in your profile, or ask us.
- Erase your data ("right to be forgotten"), subject to legal retention obligations. Self-service available in the customer portal at /portal/settings/privacy. Staff requests go through your tenant admin or privacy@washflows.com.
- Restrict processing (we deactivate your account without deleting it).
- Object to processing based on legitimate interests, including unsubscribing from optional emails.
- Lodge a complaint with the Swedish supervisory authority Integritetsskyddsmyndigheten (IMY), imy.se.
We respond to rights requests within 30 days. We may need to verify your identity first to avoid disclosing data to the wrong person.
10. Security
We implement organizational and technical measures proportionate to the risk, including: encryption in transit (TLS) and at rest, scoped database access, tenant isolation at the application layer, rate limiting, audit logging, backups, and regular dependency updates. Staff access is least-privilege and logged.
11. Changes
We may update this notice to reflect changes to the service or legal requirements. Material changes will be announced by email and/or in-app notification at least 30 days before they take effect.
12. Contact
For any privacy question or to exercise your rights, write to privacy@washflows.com.