Privacy Policy
Last updated: May 13, 2026
- We process personal data to run CandleFlow and keep it secure.
- We do not sell your data.
- You can request access, deletion, or export of your data at any time.
1. Controller
CandleFlow (“we”, “us”) is the controller of your personal data under the General Data Protection Regulation (GDPR). For privacy-related requests, contact us at:
privacy@candleflow.eu
2. What personal data we process
Depending on how you use CandleFlow, we may process:
- Account data: email address, name or company name (if provided), hashed password.
- Authentication & security: login timestamps, session identifiers, device/browser technical data.
- Usage data: actions performed in the app (e.g., created records, settings), limited to operating and improving the service.
- Support communications: messages you send to us (if you contact support).
- Technical identifiers: IP address and server logs for security and abuse prevention.
3. Purposes of processing
- Creating and managing your account and providing the CandleFlow service.
- Operating core features (inventory, costing, production tools) and saving your data.
- Securing the platform, preventing fraud/abuse, and troubleshooting issues.
- Providing customer support and responding to requests.
- Complying with legal obligations where applicable.
4. Legal bases (GDPR)
We rely on the following legal bases under GDPR:
- Contract (Art. 6(1)(b)): to provide CandleFlow when you create an account and use the service.
- Legitimate interests (Art. 6(1)(f)): to secure the service, prevent abuse, and improve reliability.
- Legal obligation (Art. 6(1)(c)): when we must keep certain records (e.g., accounting) if applicable.
- Consent (Art. 6(1)(a)): only if we introduce optional analytics or similar non-essential processing.
5. Data retention
- Account data: kept for as long as your account is active.
- If you delete your account: data is deleted or anonymized unless legal obligations require retention.
- Security logs: retained for a limited period necessary for security and debugging.
6. Sharing & processors
We do not sell personal data. We may share data only with trusted service providers (“processors”) that help us run CandleFlow. Processors are bound by contracts and may process data only on our instructions.
7. International transfers
If any of our service providers process data outside the European Economic Area (EEA), we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) or an adequacy decision.
8. Cookies
CandleFlow uses essential cookies for authentication and security. Optional cookies (such as analytics) are only used with your consent. See our Cookies Policy.
9. Your rights
Under GDPR, you have the right to:
- Access your personal data.
- Correct inaccurate or incomplete data.
- Request deletion of your data (where applicable).
- Restrict or object to processing (where applicable).
- Receive your data in a portable format (data portability).
- Withdraw consent at any time (if processing is based on consent).
- Lodge a complaint with your local supervisory authority.
10. Security
We use reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
11. Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will provide a notice within the app or on our website.
Requests: privacy@candleflow.eu