Juridisch document

Privacy Policy

Flexys.AI

Privacy Policy of Flexys.ai

Last updated: 3 April 2026

1. Introduction

Flexys.ai ("we", "our") is an AI Business platform that helps businesses with AI chat, voice agents, CRM, website builder, invoicing and automated workflows. We are committed to protecting your personal data in accordance with the GDPR.

2. Data we collect

  • Account data: Name, email, phone, company, chamber of commerce registration number
  • Business information: Industry, services, employee contact details
  • Communication data: Chat conversations, call transcripts, email, WhatsApp
  • Payment data: Billing, membership type (Stripe and NOWPayments)
  • Technical data: IP, browser, device, cookies
  • Usage data: Login times, features used
  • Social media data: OAuth access tokens, linked platform accounts, post content and engagement analytics when using the social media module (Facebook, Instagram, LinkedIn, X/Twitter). Tokens are stored encrypted with AES-256-GCM.

3. AI data processing

  • AI Chat: Processed by Anthropic (Claude) and OpenAI models via OpenRouter
  • Voice AI: Calls handled by Telnyx AI. Transcripts encrypted (AES-256-GCM)
  • Content generation: AI for web content, email campaigns and research

Important: Your conversations are not used to train AI models.

4. Voice calls

  • Processed by Telnyx for telephony and AI
  • Transcripts encrypted with AES-256-GCM
  • Maximum 30 minutes per call
  • Retained while your account is active

5. Service providers

  • Telnyx (US/EU) — Telephony (SIP)
  • Twilio (US) — SMS and WhatsApp
  • ElevenLabs (US) — Voice AI (voice agents)
  • Stripe (US) — Payments and memberships
  • NOWPayments (EU) — Cryptocurrency payments
  • Anthropic (US) — AI Chat (Claude)
  • OpenAI (US) — AI Chat
  • OpenRouter (US) — AI model routing
  • Google (US) — Workspace (optional)
  • Replicate (US) — Image/video generation (optional)
  • Meta (US) — WhatsApp Cloud API, Facebook & Instagram publishing via Graph API
  • LinkedIn (US) — Company page publishing via LinkedIn API
  • X/Twitter (US) — Tweet publishing via X API v2

We have signed data processing agreements (DPAs) with all above service providers (sub-processors) in accordance with Article 28 GDPR, or their standard DPAs cover these processing activities.

We may change or add sub-processors. For material changes, we will notify you at least 14 days in advance by email, giving you the opportunity to object.

6. Legal basis

  • Contract performance: Necessary for our SaaS services
  • Consent: Marketing and optional features
  • Legitimate interest: Platform security and improvement
  • Legal obligation: Accounting and tax compliance

7. Data security

  • AES-256-GCM encryption for sensitive data
  • JWT authentication with encrypted tokens
  • HTTPS/TLS for all communications
  • Rate limit of 5 login attempts per minute
  • HMAC verification for webhooks
  • Passwords hashed with bcrypt

8. Data Breaches

In the event of a personal data breach, we will act as follows:

  • Notification to DPA: Within 72 hours of discovery, we will report the breach to the relevant Data Protection Authority, unless the breach is unlikely to result in a risk to your rights.
  • Notification to you: If the breach is likely to result in a high risk to your rights, we will inform you without undue delay by email.
  • Documentation: We document every data breach, including the facts, consequences, and corrective measures taken.
  • Your obligation: If you process personal data of your own customers through our platform, you are the data controller for that data. You must independently report breaches affecting your end users to the relevant DPA.

9. Retention periods

  • Chat and calls: While your account is active
  • After deletion: Data removed from backups within 30 days
  • Billing: 7 years (legal obligation)
  • Logs: Maximum 90 days

10. API Keys and Credentials

Within the Flexys.ai platform, you can connect third-party API keys (e.g., your own OpenAI, Anthropic, Google, Stripe Connect, or social media tokens). The following applies:

  • API keys are stored encrypted (AES-256-GCM) in your tenant database.
  • Keys are never exposed in log files, error messages, or API responses.
  • You are responsible for securely managing, rotating, and revoking your own API keys.
  • Flexys.ai is not liable for costs or damages resulting from compromised API keys that you entered yourself.
  • Upon account termination, all stored API keys are permanently deleted within 30 days.

11. Your rights (GDPR)

  • Access: Request what data we process
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion
  • Objection: Object to processing
  • Portability: Receive data in a machine-readable format
  • Restriction: Temporarily restrict processing
  • Complaint: To the Autoriteit Persoonsgegevens

12. Location

Servers in the EU (Germany). Some providers in the US with safeguards via Standard Contractual Clauses (SCCs).

13. Changes

We may update this policy periodically. We will notify you of material changes by email.

14. Contact

Flexys.ai
Email: info@flexys.ai
Support: support@flexys.ai
Website: https://flexys.ai