Terms of Service & Data Processing Agreement

Part A — Terms of Service

These Terms govern the use of the WashFlow SaaS platform (the "Service"), a product of Kad Agency Global AB("WashFlow", "we"), provided to the business entity that creates a workspace and accepts these terms ("Customer", "you"). They form a binding contract between Kad Agency Global AB and the Customer.

A.1 The service

WashFlow provides a multi-tenant web application for truck-wash booking, queue management, invoicing, and accounting integration. The features available depend on the plan you subscribe to. WashFlow may add, change, or discontinue features as the product evolves, subject to the notice rules in §A.10.

A.2 Accounts and workspaces

When you sign up you provide a business name, an admin email, and a subdomain. WashFlow provisions a Clerk organization and a tenant workspace. You are responsible for your users' activities within your workspace and for keeping credentials confidential.

A.3 Free trial

New workspaces start on the Premium plan with a 30-day free trial. You may cancel at any time during the trial at no charge. At the end of the trial, unless you have added a valid payment method and selected a plan, your workspace will be automatically downgraded. Trial limits (bookings per month, staff seats, etc.) are enforced from the start.

A.4 Fees and billing

Subscription fees are billed in advance on the cadence selected at checkout (monthly or annually). Fees are shown exclusive of VAT; Swedish VAT is added where applicable. Paid fees are non-refundable except where required by mandatory law.

A.5 Customer data ownership

You retain all rights to data you upload to or generate in your workspace ("Customer Data"). You grant WashFlow a non-exclusive, world-wide, royalty-free license to host, process, and display Customer Data solely to the extent necessary to provide the Service. We will never sell Customer Data or use it to train third-party AI models.

A.6 Acceptable use

You agree not to:

• Upload content that is illegal, infringing, or that violates the rights of third parties;
• Attempt to circumvent rate limits, quotas, or tenant isolation;
• Use the Service to send unsolicited marketing in violation of the ePrivacy Directive or equivalent;
• Reverse-engineer the Service except as permitted by mandatory EU law.

A.7 Uptime

We target 99.5% monthly uptime during the MVP phase. Once Part B's service levels are formally published we will notify you. Scheduled maintenance is excluded; emergency security patches are excluded.

A.8 Termination

Either party may terminate for convenience at the end of any billing period by giving 30 days' notice. We may suspend or terminate for material breach (e.g., unpaid invoices after reminder, abuse) with 14 days' cure period. On termination we export your data as JSON/CSV on request and then delete or anonymize it within 30 days, subject to the retention obligations in the Privacy Policy.

A.9 Liability

To the maximum extent permitted by law, WashFlow's aggregate liability under these Terms is limited to the fees you paid in the 12 months preceding the event giving rise to liability. Neither party is liable for indirect or consequential damages. Nothing in these Terms limits liability for gross negligence, wilful misconduct, or matters that cannot be excluded by Swedish law.

A.10 Changes and notice

We may update these Terms; material changes take effect 30 days after notice to your admin email. Continued use after the effective date means acceptance. If you disagree, you may terminate during the notice period.

A.11 Governing law and jurisdiction

These Terms are governed by Swedish law, excluding its conflict-of-laws rules. Disputes are subject to the exclusive jurisdiction of the courts of Stockholm, Sweden.

Part B — Data Processing Agreement (Art. 28 GDPR)

This DPA forms part of the Terms above. It applies whenever WashFlow processes personal data on Customer's behalf in the context of providing the Service. In this Part, "Customer" is the controller and "WashFlow" is the processor.

B.1 Subject-matter and duration

The subject-matter is the provision of the Service. The duration is the same as the Customer's subscription plus 30 days (export / deletion window).

B.2 Nature, purpose, and categories

• Nature: storage, organization, retrieval, display, transmission, and deletion of Customer Data.
• Purpose: to provide, secure, and support the Service.
• Categories of data subjects: Customer's staff users, Customer's end-customers (companies and private individuals), drivers, and any other person whose data Customer enters into the Service.
• Categories of personal data: names, email addresses, phone numbers, vehicle license plates, billing addresses, booking history, invoice records.

B.3 Instructions

WashFlow processes Customer Data only on documented instructions from Customer (these Terms, the Service configuration, and any written requests). WashFlow will immediately inform Customer if an instruction infringes GDPR.

B.4 Confidentiality

Personnel with access to Customer Data are bound by written confidentiality obligations.

B.5 Security (Art. 32)

WashFlow implements appropriate technical and organizational measures including: TLS in transit; encryption at rest (Neon, Cloudflare R2); least-privilege access; tenant isolation at the application layer; audit logging; multi-factor authentication for staff; dependency update policy; and a documented incident-response procedure.

B.6 Sub-processors

Customer grants general authorization for WashFlow to engage sub-processors. The current list is published at /legal/sub-processors. WashFlow will give 30 days' notice of new or replaced sub-processors; Customer may object within that period on reasonable data-protection grounds, in which case the parties will work in good faith to find an alternative or, failing that, Customer may terminate the affected Service component.

B.7 International transfers

Transfers outside the EU/EEA rely on the EU–US Data Privacy Framework (where the sub-processor is certified) or on the European Commission's Standard Contractual Clauses (2021/914) as controller-to-processor or processor-to-sub- processor, with additional technical safeguards.

B.8 Assistance with data-subject rights

Taking the nature of the processing into account, WashFlow assists Customer in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection). Self-service tools exist in the admin dashboard; for requests that can't be served self-serve, write to privacy@washflows.com.

B.9 Breach notification

WashFlow will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Customer Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and the measures taken.

B.10 Return or deletion on termination

On termination or expiry of the Terms, WashFlow will, at Customer's written option, export Customer Data as JSON/CSV or delete it, except where retention is required by law (e.g., Swedish Bokföringslagen 7-year rule for invoices). Any data retained under a legal obligation is anonymized where feasible.

B.11 Audits

WashFlow will make available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR, and allow for and contribute to audits conducted by Customer or an independent auditor mandated by Customer, on reasonable prior written notice, during business hours, and under confidentiality. In practice, the first response will normally be a completed security questionnaire or the most recent third-party security report.