Privacy Policy

The controller of your personal data is the natural person who operates Beat Flow, reachable at beatflow.event@gmail.com and using the trade name “Beat Flow”. The Service is not provided by a separate legal entity (such as a limited company) and there is no dedicated customer office; the operator works remotely.

For privacy matters and to exercise your rights under data protection law, contact: beatflow.event@gmail.com. No Data Protection Officer (DPO) has been appointed; you may use the same address for all data-protection enquiries.

This policy applies to the Beat Flow web application and related services (the “Service”), including account registration, authenticated use of the dashboard, optional integrations (such as Google sign-in and Google Calendar sync), subscription billing where enabled, and public event pages generated through the Service.

Public event pages may display information you choose to publish (for example event details intended for clients). You are responsible for ensuring you have a valid legal basis to publish any personal data of third parties on those pages.

Account and profile data: for example username, email address, password hash (if you use password login), plan or subscription status, and preferences stored in your account.

Authentication and security data: session tokens stored in cookies or similar mechanisms, timestamps, and technical logs needed to secure the Service and investigate abuse.

Event and operational data: information you enter about events (dates, locations, contacts, notes, financial fields, etc.), exports/imports you perform, and configuration of public pages.

Usage and product analytics: aggregated or pseudonymous metrics relating to use of the Service (for example charts in your account), where applicable.

Billing data: when paid plans are enabled, identifiers and payment-related data processed by our payment provider (Stripe), such as customer id, subscription status, and billing history as available in the provider’s systems.

Integration data: if you connect Google, tokens and calendar-related data required to provide the integration, within the scope you authorise.

Communications: messages we send you (for example email verification, password reset, billing notices) and metadata necessary to deliver them.

Providing the Service and managing your account (GDPR Art. 6(1)(b), performance of a contract).

Security, abuse prevention, troubleshooting, and service improvement where strictly necessary (GDPR Art. 6(1)(f), legitimate interests, balanced against your rights).

Compliance with legal obligations, such as tax or accounting rules applicable to invoicing (GDPR Art. 6(1)(c)).

Optional integrations (for example Google Calendar sync) based on your request and, where required, your consent (GDPR Art. 6(1)(a)), which you may withdraw by disconnecting the integration.

Direct marketing only if expressly authorised by you and in line with ePrivacy rules; Beat Flow’s core product is not oriented to unsolicited marketing.

We keep personal data only for as long as necessary for the purposes above, including statutory retention periods (for example accounting records).

When you delete your account or data is no longer needed, we will delete or anonymise it in accordance with our technical and organisational procedures, subject to legal retention requirements.

Security logs may be kept for a limited period to ensure network and information security.

We use trusted service providers who process data on our instructions (processors), including: payment processing (Stripe, Inc. or its affiliates), email delivery providers (for example Resend or equivalent), cloud hosting and infrastructure where the application runs, and database/storage providers used to persist Service data.

If you enable Google OAuth or Google Calendar features, Google Ireland Limited / Google LLC may process authentication and calendar data as set out in Google’s terms and privacy notices.

We do not sell your personal data.

Some processors may be located outside the European Economic Area. Where required, we implement appropriate safeguards under Chapter V GDPR, such as Standard Contractual Clauses approved by the European Commission, supplemented measures where necessary, or reliance on adequacy decisions.

You may request further information about transfers and safeguards using the contact details in section 1.

Under the GDPR, you may request access, rectification, erasure, restriction of processing, data portability, and object to processing based on legitimate interests, where applicable.

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise your rights, contact us at beatflow.event@gmail.com. We may need to verify your identity before responding.

You also have the right to lodge a complaint with a supervisory authority. In Spain, the Spanish Data Protection Agency (AEPD), www.aepd.es.

We use cookies or local storage as strictly necessary to maintain your session after login, to protect forms (for example CSRF protections where implemented), and to operate optional OAuth flows (for example short-lived state cookies for Google sign-in).

You can control cookies through your browser settings; disabling essential cookies may prevent sign-in or certain features from working.

The Service is not directed at children under 16. If you believe we have collected data from a minor without appropriate authority, contact us and we will take steps to delete it.

We may update this policy to reflect legal, technical, or organisational changes. We will publish the revised version on this page and adjust the “Last updated” date. Where changes materially affect you, we will provide additional notice if required by law.