GDPR Rights & Data Requests

Last Updated: March 2026

This page explains your rights under the General Data Protection Regulation (GDPR) and the UK GDPR when using Inflowave, operated by AIAGS Ltd ("Inflowave", "we", "us", or "our").

For the full details of how we collect, use, and protect your data, please see our Privacy Policy.

Who We Are

Detail	Information
Data Controller	AIAGS Ltd d/b/a Inflowave
Registered Address	71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Data Protection Officer	Mateusz Kielbasa — [matt@inflowave.io](mailto:matt@inflowave.io)
EU Representative (Art. 27)	Mateusz Kielbasa — [matt@inflowave.io](mailto:matt@inflowave.io)
Lead Supervisory Authority	UK Information Commissioner's Office (ICO)

Your Rights

Under the GDPR and UK GDPR, you have the following rights regarding your personal data:

1. Right of Access (Art. 15)

You can request a copy of all personal data we hold about you. We will provide this within 30 days of verifying your identity. The first copy is free; additional copies may be subject to a reasonable fee.

2. Right to Rectification (Art. 16)

If any personal data we hold is inaccurate or incomplete, you can request correction. We will update your data and notify any third parties we have shared it with.

3. Right to Erasure / Right to Be Forgotten (Art. 17)

You can request deletion of your personal data when:

The data is no longer necessary for the purpose it was collected
You withdraw consent (where consent was the legal basis)
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed

Exceptions: We may retain data where required by law (e.g., billing records for 6 years under UK tax law) or for the establishment, exercise, or defense of legal claims.

Server-side conversion data: When you register or make a purchase, we send irreversibly hashed (SHA-256) identifiers to Meta and Google for advertising measurement. Because the data is cryptographically hashed before transmission, it cannot be reversed, read, or linked back to you by Meta or Google. An erasure request to Inflowave will delete all your data from our systems; however, the hashed data already transmitted to Meta and Google is anonymized by design and falls outside the scope of erasure under GDPR Recital 26 (data relating to an unidentifiable person). If you wish, you may also submit separate deletion requests directly to Meta and Google.

4. Right to Restrict Processing (Art. 18)

You can request that we restrict processing of your data while:

You contest the accuracy of the data
The processing is unlawful but you prefer restriction over erasure
We no longer need the data but you need it for legal claims
You have objected to processing pending verification

5. Right to Data Portability (Art. 20)

You can request your personal data in a structured, commonly used, machine-readable format (JSON or CSV). This applies to data you provided to us that is processed based on consent or contract performance.

6. Right to Object (Art. 21)

You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

You have an absolute right to object to processing for direct marketing purposes at any time, including server-side conversion tracking. To exercise this right, email support@inflowave.io and we will disable server-side event transmission for your account.

7. Right Not to Be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Inflowave does not currently use fully automated decision-making that produces such effects.

Where we process your data based on consent (e.g., marketing communications, cookie preferences, AI data consent), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

Legal Bases for Processing

We process your personal data under the following legal bases:

Legal Basis	When We Use It
Contract (Art. 6(1)(b))	To provide our platform, manage your account, process payments, deliver CRM and automation features, server-side conversion tracking for registration and purchases
Consent (Art. 6(1)(a))	Marketing emails, analytics cookies, AI data processing (opt-in), Microsoft Clarity session recording
Legitimate Interest (Art. 6(1)(f))	Security monitoring, fraud prevention, service improvement, support communications, measuring advertising effectiveness via server-side conversion tracking
Legal Obligation (Art. 6(1)(c))	Tax records retention (6 years), responding to law enforcement requests, regulatory compliance

How to Exercise Your Rights

Submit a data subject access request (DSAR) to:

Email: support@inflowave.io

Subject line: GDPR Data Request — [Your Request Type]

Please include:

Your full name and email address associated with your Inflowave account
The specific right you wish to exercise
Any details that help us locate your data

What happens next:

1. We will acknowledge your request within 3 business days

2. We may ask you to verify your identity to prevent unauthorized access

3. We will fulfill your request within 30 days (extendable by 60 days for complex requests, with notification)

4. If we cannot fulfill your request, we will explain why

Cost: Requests are free. We may charge a reasonable fee for manifestly unfounded or excessive requests.

International Data Transfers

Your data may be transferred outside the UK/EEA to the following locations:

Destination	Service	Safeguard
Canada	Dedicated server infrastructure	EU Adequacy Decision
Poland	Regional server (EEA)	Within EEA
Singapore	Regional server, backups	Standard Contractual Clauses (SCCs)
United States	Cloud database provider, cloud key management, Stripe (payments), Cloudflare (CDN), Netlify (hosting), Microsoft Clarity, Meta/Facebook, Calendly	Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework where applicable

We ensure all transfers are protected by appropriate safeguards as required by GDPR Chapter V.

Sub-Processors

We use the following sub-processors to deliver our services:

Sub-Processor	Purpose	Location	Data Processed
Cloud database provider	Database hosting	US (AWS)	All account and platform data
Dedicated server provider	Server infrastructure	Canada, Poland, Singapore	Application data, logs
Cloudflare	CDN, DDoS protection, WAF	Global (edge network)	IP addresses, request headers
Netlify	Landing page hosting	US	Analytics, form submissions
Stripe	Payment processing	US	Payment status, subscription data (no card numbers stored by us)
CoinPayments	Cryptocurrency payments	Cayman Islands	Transaction data, wallet addresses
Cloud KMS provider	Secret management	US	Encryption keys, API credentials
Google Analytics	Website analytics, server-side conversion tracking (Measurement Protocol)	US	Anonymized IP, page views, sessions, hashed conversion events (registration, purchase)
Google Tag Manager	Tag management	US	Event tracking data
Microsoft Clarity	Session recording, heatmaps	US	Mouse movements, clicks, scroll depth (excludes message content)
Meta (Facebook)	Advertising pixel, Instagram/Facebook API, server-side Conversions API (CAPI)	US	Conversion events (hashed email, event type, transaction value), IG account data (authorized by user)
Calendly	Appointment scheduling	US	Name, email, meeting times
Zoom	Video meetings	US	Meeting metadata, calendar events

We maintain contracts with all sub-processors that include GDPR-compliant data processing terms.

Data Retention

Data Category	Retention Period
Instagram & Facebook messages	12 months after account cancellation
CRM contacts, leads, pipelines	12 months after account cancellation
Marketplace profiles	Until disabled or account deletion + 12 months
Platform analytics & usage logs	24 months
Support tickets & chat transcripts	3 months
Integration data (Zoom, Calendar)	3 months
Security & audit logs	As required by law
Billing & tax records	6 years (UK legal obligation)

After retention periods expire, data is permanently deleted or irreversibly anonymized.

Children's Data

Inflowave does not knowingly collect data from individuals under 18 years of age. If we discover that a minor has provided personal data, we will promptly delete it.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights:

We will notify the ICO within 72 hours as required by GDPR Art. 33
We will notify affected users within 24 hours if the breach poses high risk (Art. 34)
Notifications will include: what happened, what data was affected, what we are doing about it, and what you can do

Right to Complain

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with:

UK Information Commissioner's Office (ICO)

Website: https://ico.org.uk

Phone: +44 303 123 1113

Your local EU Data Protection Authority

Find yours at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

You can manage your cookie preferences at any time:

Cookie Settings — Review and change your cookie consent
Cookie Policy — Full details on cookies we use

Privacy Policy — Full privacy notice
Cookie Policy — Cookie details and consent
AI Data Consent Policy — AI-specific data processing
Do Not Sell/Share — US opt-out rights
California Privacy Notice — CCPA/CPRA rights
Terms of Service — Platform terms

Last reviewed: March 2026

Next review due: September 2026

YOUR RIGHTS UNDER GDPR