Two-line summary: we collect only the data strictly required to operate b-flow. We don't sell data to anyone. We use a single analytics tool (PostHog, EU-hosted in Germany) configured to neither profile users nor collect identifying data. If you are a venue customer and use the loyalty programme (see §2.6), we only collect what you give us voluntarily — and you can unsubscribe or delete yourself on your own, at any time, from the app itself. Your data stays mostly in Europe; any exception is documented below. You can export or delete it whenever you want.
The b-flow service is operated by [LEGAL ENTITY NAME], headquartered in [ADDRESS], VAT number [VAT ID].
For any request related to your personal data, contact us at support@b-flow.app.
| Data | Why | Legal basis | How long |
|---|---|---|---|
| | Send you the confirmation and program welcome | Consent (Art. 6(1)(a) GDPR) | 7 days if you don't confirm; as long as the program runs if you do |
| Hashed IP | Reduce form spam | Legitimate interest (Art. 6(1)(f)) | As above |
| Browser language | Send the email in your language | Service execution | As above |
You can unsubscribe at any time using the "unsubscribe" link at the bottom of every email.
| Data | Why | Legal basis | How long |
|---|---|---|---|
| Email + password | Let you sign in | Contract (Art. 6(1)(b)) | While your account is active |
| Venue name, language | Configure the interface | Contract | While your account is active |
In this case you (the venue owner) are the Controller of your staff's data: we act as Processor (Art. 28 GDPR) on your behalf. You can sign our dedicated DPA — write to support@b-flow.app to request it.
Staff data we collect:
We do not monitor individual working hours of your staff, we do not geolocate them and we do not track their times. This is a deliberate design choice that helps you comply with Italian Workers' Statute Art. 4 and similar EU legislation.
When your staff records an order, we store: table or label, party size, items, notes (e.g. "gluten-free"), prices, timestamps. In orders we do not collect the end customer's name, surname, phone number or email. The loyalty programme (§2.6) is instead a separate, optional service that the customer joins voluntarily: the data from that programme is processed as described below and is never linked to orders.
Order notes may sometimes contain food preferences that could be linked to health (e.g. allergies). We recommend not entering identifying customer data or medical diagnoses — sticking to generic categories ("no gluten", "no lactose") is enough for service.
Order data retention. Delivered orders are permanently deleted 12 months after the delivery date by an automated scheduled procedure. This period is justified by the need for year-over-year KPI analysis and for handling commercial disputes within the year. Older orders are no longer recoverable. If you need to keep specific orders longer for audit or accounting purposes, download the operational backup before the cut-off.
When you contact us at support@b-flow.app we keep the email, the message content and the conversation history to help you and to reconstruct any issues. Legal basis: contract performance and legitimate interest.
Who the Controller is in this case. The loyalty programme is a feature of the b-flow app aimed at venue customers. Unlike orders and staff data (where the venue is the Controller and we are only a Processor), for loyalty programme data b-flow is the Data Controller directly: we provide you with the app, the identity it recognises you by, the email and push channels, and the list of venues you follow. The venue only decides the content of the announcements it sends you; everything else is handled by us, and you exercise your rights against us (see §6) or, even faster, directly from the app.
Joining is always voluntary. Depending on what you choose to enable, we process:
| Data | Why | Legal basis | How long |
|---|---|---|---|
| Anonymous device identifier (technical account, no name and no registration) | Remember which venues you follow, from one visit to the next, without asking you to register | Legitimate interest in operating the app (Art. 6(1)(f)) | As long as you follow at least one venue; deleted when you delete your profile from the app |
| List of the venues you follow and the subscription date | Show you "my venues" and have you receive the right announcements | Legitimate interest / consent | As above; each venue is removed individually |
| Last access timestamp | Understand in aggregate form whether the app is used, without profiling you | Legitimate interest | As above |
| Email (only if you enter and confirm it) | Send you the announcements of the venues you follow by email | Consent (Art. 6(1)(a)) — double opt-in with confirmation link | Until you unsubscribe or delete your profile |
| Push notification token (only if you enable notifications) | Send you the announcements of the venues you follow via push notification | Consent (Art. 6(1)(a)) — explicit authorisation from the browser/device | Until you disable notifications or delete your profile |
What we do NOT do. We do not ask you for your name, surname or phone number. We do not geolocate you: the venue map shows where the venues are, not where you are. We do not link the loyalty programme to the individual orders you place at the counter. We do not sell or share this data with third parties for marketing.
You are always in control. Directly from the app, at any time and without writing to us, you can: stop following a single venue, disable push notifications, remove your email, or completely delete your profile (withdrawal of consent under Art. 7(3) GDPR — as easy as enabling it). Every announcement email also contains an unsubscribe link.
To operate b-flow we rely on a small number of providers. They are all bound by contractual data-protection guarantees.
| Provider | What they do for us | Where your data is |
|---|---|---|
| Google Ireland (Firebase) | Database, authentication, hosting, push notifications (including loyalty programme announcement pushes) | Operational data in Europe (Belgium); Google control plane globally — covered by the EU-US Data Privacy Framework + Standard Contractual Clauses. |
| Resend | Transactional emails (confirmation, welcome, support) and loyalty programme announcements to customers who have confirmed their email | United States (migration to Europe planned before commercial launch). Transfer covered by Standard Contractual Clauses. See here for details. |
| PostHog (Cloud EU) | Aggregated product analytics to understand what works and what to improve (pageviews, clicks, navigation paths) | Europe (Germany, Frankfurt). No extra-EU transfer. Configured to not record sessions, not capture input field values, not profile anonymous visitors (no profile created until you log in), not share data with advertising third parties. Honours the browser "Do Not Track" signal. Retention 365 days, then automatic deletion. |
We do not use: Google Analytics, Meta Pixel, Mixpanel, Hotjar, Sentry, or any other advertising tracking, cross-site profiling, or ad-targeting tool. The single analytics tool in use (PostHog, see above) is configured in minimal-collection mode in line with the data minimisation principle (GDPR Art. 5(1)(c)).
Operational data (orders, venue records, staff records) is hosted in Europe. Some residual transfers occur to the United States:
All transfers are covered by Standard Contractual Clauses and by our internal Transfer Impact Assessment (TIA). You can request a copy by writing to us.
b-flow uses only technical storage in your browser, does not install profiling cookies, and shares no data with third parties for advertising.
| What we store | Where | Purpose |
|---|---|---|
| Language preference | localStorage | Remember your language choice |
| Auth token | IndexedDB / localStorage (Firebase Auth) | Keep your session open |
| Last table, waiter name | localStorage | Speed up repeated use |
| Onboarding tour seen | localStorage | Don't show the intro again |
| Anonymous PostHog identifier (UUID) | localStorage | Enable aggregated statistical analysis of pageviews and navigation paths (see §3). No third-party cookies, no device fingerprinting. |
| List of followed venues (loyalty programme) | localStorage | Remember "my venues" even before login and across sessions of the customer app (see §2.6) |
All of these are technical or preference storage that does not require consent under Italian Privacy Code Art. 122 (transposing ePrivacy). The PostHog anonymous identifier falls under first-party statistical analytics, configured not to profile users and to honour the browser "Do Not Track" signal. If we introduce consent-requiring tools (e.g. session replay, marketing pixels), we'll ask first via a dedicated banner.
You have the following rights over your personal data. Exercise them by writing to support@b-flow.app; we reply within 30 days.
For waitlist subscriptions you can unsubscribe at any time using the "unsubscribe" link in any email — it's immediate and automatic.
For the loyalty programme (§2.6) you don't even need to write to us: from the app you can stop following a venue, disable push notifications, remove your email or delete your entire profile — with immediate effect.
Providing data is always optional, but if you refuse to provide some data we cannot deliver the service (e.g. without an email we can't create your account).
b-flow does not make automated decisions based on your personal data under Art. 22 GDPR and does not profile you. If we ever introduce AI-based features (e.g. assisted support chat), we will tell you explicitly in the interface.
We adopt reasonable technical and organisational measures to protect your data: encryption in transit (TLS), encryption at rest, tenant isolation, credential hashing, privilege segregation, audit logs, periodic backups, access control. A full description is available in our legal page and internal incident response procedures.
In the event of a personal data breach with risk to your rights, we will notify you within the timeframes set by Art. 34 GDPR.
We may update this policy to reflect changes in the service or the regulatory landscape. The "Last updated" date at the top of the page always shows the current version. Substantial changes will be communicated by email or via a prominent notice in the app.