Privacy Policy
Last updated: April 2026
1. Data Controller
FlowBnB is the data controller responsible for the personal data collected through the Platform.
Data Protection Officer (DPO) contact: privacy@flowbnb.co
FlowBnB is operated from Portugal and processes data in accordance with the EU General Data Protection Regulation (GDPR) and Portuguese data protection law.
2. Data We Collect
We collect the following types of data:
Registration Data
• Full name and email address
• Password (stored hashed via Supabase Auth)
• Google account information (if you register via Google OAuth)
Platform Usage Data
• Properties registered and their details
• Message templates and scheduled messages
• Digital guide content (map pins, itineraries, photos)
• Booking and guest information (synced via iCal or entered manually)
• Access logs and platform activity
• Account preferences and settings
• Acquisition source (how you found FlowBnB)
Payment Data
• Processed exclusively by Stripe — FlowBnB does not store card details
• Transaction history and invoices
• Subscription plan and billing period
Guest Data (processed on behalf of the Host)
• Guest names and contact information (from iCal sync or manual entry)
• Booking dates, check-in/check-out times
• Guest messages and chat conversations
• Review responses and feedback
3. How We Use Your Data
We use the data collected for:
• Service Delivery: Authentication, property management, automated messaging, digital guide generation, guest chat, review collection, upsell management
• AI Content Generation: Creating property descriptions, recommendations, itineraries, and message suggestions via OpenAI (data is processed but not stored by OpenAI)
• Communications: Welcome emails, invoices, payment notifications, onboarding drip campaigns, and service updates via Resend
• Analytics: Understanding usage patterns to improve platform features and performance
• Security: Fraud detection, abuse prevention, and rate limiting via activity logs
• Legal Compliance: Tax obligations, GDPR requirements, and applicable regulations
FlowBnB does not carry out automated decision-making or profiling with legal effects on users.
4. Legal Basis for Processing
We process your data based on the following legal grounds (GDPR, Art. 6):
• Contractual performance (Art. 6(1)(b)): Necessary to provide the subscribed service — account management, messaging, guides, calendar sync
• Legitimate interest (Art. 6(1)(f)): Service improvement, security, fraud prevention. Legitimate interest assessments are documented internally and available upon request to the DPO
• Consent (Art. 6(1)(a)): Marketing communications, analytics cookies, and optional data collection (e.g., acquisition source)
• Legal obligation (Art. 6(1)(c)): Retention of tax and billing records (10 years under Portuguese law)
5. Data Sharing with Third Parties
FlowBnB uses the following sub-processors to provide the service. Data Processing Agreements (DPAs) are in place with all sub-processors. For international transfers, we apply the EU Standard Contractual Clauses (SCCs).
• Supabase — Database and authentication — EU (Frankfurt)
• Stripe — Payment processing (PCI DSS compliant) — USA (SCCs)
• OpenAI — AI content generation (data processed, not stored) — USA (SCCs)
• Mapbox — Interactive maps in guest guides — USA (SCCs)
• Resend — Transactional email delivery — USA (SCCs)
• Vercel — Platform hosting and deployment — USA (SCCs)
• Twilio — WhatsApp and SMS messaging — USA (SCCs)
We do not sell or share your data with third parties for advertising purposes. Users will be notified by email with 30 days' notice if sub-processors change.
6. Your Rights (GDPR)
Under the GDPR, you have the following rights:
• Access — Request a copy of your personal data
• Rectification — Correct incomplete or inaccurate data
• Erasure ("right to be forgotten") — Request deletion of your data
• Portability — Receive your data in a structured, machine-readable format (JSON)
• Objection — Object to processing based on legitimate interest
• Restriction — Request restriction of processing
• Withdraw consent — For consent-based processing, you may withdraw at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact: privacy@flowbnb.co — guaranteed response within 30 days (GDPR, Art. 12).
You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt, or with the supervisory authority in your EU member state.
For EU consumers: you may also submit disputes to the European Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr.
7. Data Retention
Data is retained for the following periods:
• Account data: While the account is active + 90 days after cancellation
• Billing data: 10 years (Portuguese tax obligation, Art. 123 CIRC)
• Access logs: 12 months
• Guest data: 24 months after the last booking
• Analytics data: 26 months (aggregated and anonymized)
After account cancellation, data is permanently deleted after the 90-day retention period. Deletion is irreversible and covers all backups within an additional 30 days.
8. Data Security
We implement technical and organizational measures to protect your data:
• Encryption: All data transmitted via HTTPS/TLS 1.3
• Authentication: Passwords hashed with bcrypt via Supabase Auth
• Minimal access: Least-privilege principle for database permissions
• Row Level Security (RLS): User-level data isolation at the database level
• Backups: Automatic daily backups with 30-day retention
• Monitoring: Regular security reviews and access audits
9. Data Breach Notification
In the event of a personal data breach, FlowBnB commits to:
• Notify the CNPD within 72 hours of detection (GDPR, Art. 33)
• Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR, Art. 34)
• The notification will include: the nature of the breach, categories of data affected, measures taken, and recommendations for the user
We maintain an internal record of all data breaches, including those that do not require notification to the supervisory authority.
10. Cookies
FlowBnB uses strictly necessary cookies for authentication, language preferences, and cookie consent. We also use analytics cookies with your explicit consent.
For a complete list of cookies, their purposes, and how to manage them, please see our Cookie Policy at /cookies.
11. Guest Data Processing
When a Host uses FlowBnB to manage guest data, the Host acts as the Data Controller and FlowBnB acts as the Data Processor.
• FlowBnB processes guest data exclusively according to the Host's instructions and to provide the service
• We do not use guest data for our own purposes
• The Host is responsible for ensuring the legal basis for processing their guests' data
• If a guest exercises their data rights, FlowBnB will forward the request to the responsible Host
12. Changes to This Policy
We may update this Privacy Policy periodically. When we do:
• We will notify users by email with at least 30 days' notice for material changes
• The "Last updated" date at the top of this page will be updated
• Changes take effect on the date indicated in the notification
Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions, contact us at:
Data Protection Officer: privacy@flowbnb.co
General inquiries: hello@flowbnb.co
Website: https://www.flowbnb.co
FlowBnB is operated from Portugal.