This Privacy Statement (“Privacy Statement”) accompanies the Terms of Service entered into between you, the Customer, and FlatPeak. Capitalised terms used in this Privacy Statement that are not defined herein have the meanings given to them in the Terms of Service.

This privacy statement applies to all Services as provided by FlatPeak and contains information about what personal data we collect, why we collect it, and how we process it so that you can make an informed decision before making use of Services.

Personal Data refers to information that would allow any natural person to be directly or indirectly identified. Your use of our websites or Services may involve Personal Data relating to three categories of individuals:

  • A Customer or potential Customer, whose personal data is referred to as “Customer Account Data” or ‘potential customer information’.
  • An End-User or recipient, meaning the individual that is interacting with you via our services and/or receiving communications from you via our services, referred to as ‘end-user data’ (collectively, “End-User”).
  • Personal data related to website visitors, referred to as ‘website visitor data’.

Data privacy and protection of your personal data (including personal data relating to your End-Users) is one of FlatPeak’s core principles. Our privacy statement is intended to give you a detailed understanding of our data processing practices. It is important to us that we are transparent, and you feel informed and empowered when it comes to the privacy of your and your End Users’ personal data, and the steps we take to protect that personal data.

If you or any of your End-Users reside in California, references in this privacy statement to terms such as “personal data”, “data subject”, “data controller”, and “data processor” should be taken to refer to the equivalent terms of “personal information”, “consumer”, “business”, and “service provider” under the California Consumer Privacy Act of 2018 (“CCPA”). FlatPeak does not sell, rent, or otherwise disclose personal data or the personal data of End Users for money or anything else of value.

1. Our personal data processing practices

We will only process personal data to the extent necessary to fulfill the specific purpose(s) for which you have submitted personal data. When you sign up for our services through our website, we request that you provide contact information such as your name and email address. We subsequently use that information to create your account, facilitate your use of the services, for billing purposes, and to provide you with relevant information about our services. Some basic examples of actions that result in us processing your personal data are when you (a) sign up for our newsletter, (b) sign up for the services via our website and accept the General Terms and Conditions (the “Terms”), or (c) sign up for the services through an order form. To the extent permitted or required by applicable law, you will be given the opportunity to explicitly agree to the collection, use, disclosure, and sharing of the personal data you’ve provided. We do not use your personal data for any other purposes than those agreed to by you or as permitted by the Terms and this privacy statement.

When you share personal data with us, we commit to handling that information in accordance with the applicable data protection and e-privacy regulations, including the General Data Protection Regulation (“GDPR”). Due to the nature of the services we do not interact with End Users directly. You are responsible for ensuring that you have all applicable rights and consents to share any End User personal data with us and that the personal data is accurate and complete.

1.1 Roles and responsibilities. When it comes to processing personal data, there are several different roles and responsibilities that come into play. This privacy statement provides an explanation of the relevant roles, the corresponding responsibilities of each role, and the systems of governance that play an integral part in protecting your personal data. The data controller determines the purpose (why) and means (how) of personal data processing and remains ultimately responsible for the correct handling of the data subject’s personal data. In practice, the data controller is often the company to which an individual (or data subject) provides their personal data directly.

The data processor is a company that provides services to the data controller and receives personal data from or on behalf of the data controller in order to perform those services. To give an example, when you provide your End-Users with an interface that enables them to authorise access to their energy supplier account, we receive personal data from that End-User such as an authentication token, in order to provide the service. In this example, FlatPeak acts as the data processor of the customer, who in turn is acting as the data controller of the authentication token entrusted to it by the End-User to which this personal data belongs. The data processor only processes personal data according to the instructions of the data controller. These instructions are typically laid down in a data processing agreement between the controller and the processor.

Depending on your relationship with us, we can be either data controller or data processor, or in certain circumstances we can be both. If you have any questions about these practices or more general inquiries about how we handle personal data, you can contact us at privacy@flatpeak.com.

2. Why we collect personal data

We have a few key priorities when it comes to protecting your personal data. Not only do we prioritize keeping your personal data safe and secure, we are also highly focused on protecting your privacy rights and freedoms as an individual.

2.1 Legal bases. All personal data we process is lawfully obtained and will only be processed to the extent we have a legal basis to do so. The legal bases we rely upon for processing personal data are (a) consent, (b) performance of a contract, (c) compliance with a legal obligation, and (d) legitimate interest. The specific legal basis that permits us to process your personal data may differ when you receive our services from an entity located outside the European Economic Area (“EEA”) and as a result, the services and our processing obligations may be subject to non-EU data protection requirements.

As indicated above, we process personal data on a limited set of legal bases:

  • Explicit consent from the data subject. For example, by ticking a box on our website when you want to download product information.
  • Performance of a contract. This includes not only the provision of the services but also negotiating and signing a contract in order to receive a service.
  • Compliance with legal obligations applicable to us. For instance, preventing misuse of our services, cooperating with formal disclosure requests, and retaining customer account data and financial data.
  • Our legitimate interest. This applies for example to direct marketing targeted to existing customers on an opt-out basis or to keep you updated on information regarding our services. Where we rely upon legitimate interest, we have assessed that the processing is not high risk, does not involve the processing of special categories of personal data, and will not violate fundamental human privacy rights.

2.2 Purposes. The purposes for which we process your personal information depend on your relationship with us. For starters, you will be required to submit personal data related to you and the business you work for when creating an account. In addition, we may also require personal data in order to enable you and your End-users (as applicable) to make use of our services. In other circumstances, we may process your personal data to conduct and expand our day-to-day business, such as for analytical improvements to the service, support, sales, marketing, and legitimate business purposes. Personal data can also help us improve the quality of our services and develop new functionalities to fit the needs of our customers, such as product and experience personalization. In our Data Processing Agreement (DPA) we refer to these purposes combined as ‘legitimate business purposes’.

We only request personal data that is necessary to fulfill the specified purposes listed below as applicable to you; provided, however, if the nature of our relationship with you changes, we may need you to provide additional information. For example, if you fill out a form to request more information about one of our products, we will use your contact information to send the requested product information to you. If you then decide to become a customer, you will need to provide additional information including your billing address for the purpose of account creation and providing you with the services.

The following is a list of purposes for which we may use your personal data. The specific purpose applicable to our processing of your personal data depends on the nature and extent of your relationship with us.

  • To promote the use of our services in accordance with your marketing preferences.
  • To share relevant information about our products and services in accordance with your marketing preferences, including important notifications about the services.
  • To create an account connected to you and the company you represent.
  • To verify your identity.
  • To facilitate access and use of the services in line with the Terms.
  • Finance and billing, including fulfilling financial obligations such as paying taxes and ensuring invoices are paid.
  • To provide customer support and communicate with you about your account.
  • To analyze the usage of our products and services.
  • For the transmission of information over the services; defining communications processing priority, routing configurations, and optimizing infrastructure.
  • To enforce compliance with the Terms and applicable law.
  • To keep our site and your account safe and secure.
  • To detect, prevent, and combat fraudulent or unlawful activity.
  • To protect the rights, property, or safety of us, you, our other customers, or any other third party.
  • To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
  • To conduct questionnaires and surveys in order to provide better services to you, our other customers, and End Users; provided, however, that your participation in and completion of any questionnaires is always voluntary.

3. What personal data we collect and how

The exact type of data we collect depends on the relationship we have with you and the product or service you use. Applying your cookie management settings on our website, signing up for a newsletter, downloading marketing materials, requesting to be contacted by our Sales team, creating an account, or using any of our products and services, are all examples of actions you take that require you to share certain personal data with us that is specific to that particular interaction.

3.1 Personal data directly collected from you. The categories of personal data we collect from you include personal identifiers, employment or professional information, financial information, commercial information, information related to internet activities, and location-related information.

  • Personal identifiers. When you create an account and make use of any of our products and services, you are required to provide us with personal identifiers. Personal identifiers submitted as part of account creation or use of products and services are referred to as “Customer Account Data”. Customer Account Data consists of your name, contact details such as business address, phone number, email address, financial information, gender (optional), and signature (subject to our business interactions). Additionally, when you request product-related information, request to be contacted by our sales team, or attend events, we may request personal identifiers from you such as your name and contact details.
  • Employment or professional information. The information we process about you that relates to your employment or profession, the company you work for, and your job title.
  • Financial information. The payment and billing information we require you to share with us or directly with a payment service provider, such as billing name and related address, bank account number, or credit card information.
  • Commercial information. Commercial data relates to your interest in products, your use of services, platforms, account dashboards, and any of our web pages that you visit.
  • Internet activity information. When you interact with our websites, marketing emails, and services, data is collected about your device and browser, time zone setting, web pages visited, products you view or search for, page response times, download errors, length of visits to certain pages, page interaction information, internet protocol (IP) address used to connect your computer to the internet, use of cookies, pixels, or similar technologies.
  • Location-related information. The use of our services and products involves the processing of location-related information. The type of data involved will differ depending on the service you use but location-related information may include your and/or your End User’s IP address, business address, and service traffic-related metadata such as the routing path and terminating carriers.
  • Support interaction information. When you interact with our Customer Support team over the phone we process the phone number you use and inform you that the call may be recorded in accordance with applicable laws.

3.2 Personal data collected from other sources. We collect personal data we obtain from sources other than you (“Third-Party Data”). Third-Party Data may include, but is not limited to, (a) personal identifiers, and (b) employment or professional information, such as company name, company description and website, company (estimated) revenue and employee range, company industry, employment role and title, seniority, full name, and phone number. The information we collect about you from other sources is business-related, but even in a business relationship certain information might be considered personal data.

Third-party data is collected from the following sources:

Third-party service providers of business information. We obtain business data such as employment or professional information from third parties. This information includes email addresses, the company the individual works for, job titles, phone numbers, and URLs of LinkedIn profiles. We obtain this information to expand our business through direct marketing, targeted advertising, and event promotion. Third-party data may be combined with personal data that you provide to us. Information can be used to develop our business by updating, expanding, and analyzing our customer relationship records.

Third-party social media providers. Depending on your and/or your End Users’ privacy settings, third-party social media service providers such as Google, Twitter, and Facebook can provide us with information about you or an End User, as applicable. However, if you or an End User connects to a social media page you may (depending on the platform) be presented with the option to decide whether or not you would like to share that information with us. Third-party data may be combined with personal data that you provide to us. Information can be used to develop our business by updating, expanding, and analyzing our customer relationship records.

Third-party services & connectors. We make connectors available on the FlatPeak Platform that will allow our services to be used in connection with third-party services through APIs or other connectors. For the sole purpose of enabling and facilitating the connector, your information may be made available to or shared by our services with the relevant third-party service (and vice versa). Personal data that we may receive from the third-party service provider on your behalf are contact data, activities and event data. Activities and event data may include personal data in case you as a customer include such information in the use case that you apply to the use of the services.

Someone else working for your company. Colleagues of yours can provide us with personal data about you such as your name, job title, email address, or phone number.

If you no longer want to be contacted by our sales and marketing teams, you can always unsubscribe from an email campaign by contacting your account manager or our Support team via support@flatpeak.com.

Subject to any exceptions noted in this privacy statement or in the Terms, you will always have a choice when it comes to the types and extent of the personal data you share with us. When we ask you to provide personal data to us, you can decline. However, some of our products and services require personal data so your choice not to provide personal data in certain instances can prevent you from using a certain product, service, or functionality.