Last updated · May 13, 2026
The DPA governs how Floowzy Labs LLC processes personal data on behalf of customers under GDPR, CCPA, and equivalent privacy laws.
Customer is the data controller for personal data processed in the service. Floowzy Labs LLC acts as data processor, processing only on documented instructions from Customer (these terms, the Floowzy product, and any written instructions from authorized Customer personnel).
Categories of personal data processed: account details (name, email), ad-platform performance metrics, creative metadata, team collaboration content. Categories of data subjects: Customer's authorized end users, employees, and the audiences targeted by Customer's ad campaigns (only insofar as platform-supplied metrics reference them in aggregated form).
Floowzy may engage sub-processors listed at /security. Customer is notified of changes at least 30 days in advance via email and may object on reasonable data-protection grounds. If we cannot accommodate an objection, Customer may terminate the affected service.
Where EU/UK personal data is transferred outside the EEA/UK, transfers rely on the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor) and equivalent UK addendums. A copy of the executed SCCs is available on request to privacy@floowzy.online.
As described in our Security page (/security) — TLS 1.2+ in transit, AES-256-GCM at rest, row-level security, hardware-key MFA for internal access, key rotation, and incident response procedures.
Floowzy provides tooling that enables Customer to fulfil data-subject requests (access, rectification, erasure, portability) directly via Settings → Account or by emailing privacy@floowzy.online.
On reasonable notice, no more than once per year, Customer may audit Floowzy's compliance with this DPA via written questionnaire. Customer also has the right to review the most recent third-party penetration test summary (once available).
The DPA applies for the term of the subscription. Upon termination, Customer data is retained for 30 days for export, then permanently deleted within 90 days, except where retention is required by applicable law (commonly billing/tax records).