Privacy policy
Last updated: 20 May 2026
This policy describes how FLOW XP BV collects, uses and protects the personal data of users of www.flowxp.eu and of the FLOW XP psychometric audit service, in compliance with Regulation (EU) 2016/679 (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data controller
FLOW XP BV, a Belgian private limited company with registered office at Wit Kapelleke 26, 1652 Beersel, Belgium, registered with the Crossroads Bank for Enterprises under number BE 0669.982.661, represented by Loïc Eylenbosch.
Contact for any data-related question: admin@flowxp.eu.
Within the FLOW XP audit service, FLOW XP BV acts as a data processor on behalf of the contracting Club (data controller). A Data Processing Agreement (DPA) is signed at contract signature.
Data Protection Officer. No Data Protection Officer has been formally appointed at this stage of the Founding Beta phase. A DPO will be appointed when the audited population reaches 1,000 athletes or when FLOW XP enters V1 commercial scale, whichever comes first. Until then, all data protection requests, complaints, and inquiries should be directed to admin@flowxp.eu, which is monitored daily by the publication director (Loïc Eylenbosch).
2. Data collected
Depending on your interaction with the website and service, we process:
- Identification data — first name, last name, professional email, club name, role (president, sports director, general manager, head coach, technical director, board member), country, city, main sport (collected via the Founding Club Beta application form and the invitation flow).
- Declarative data (Founding Club Beta application) — club identity, primary challenge, ambition, teams count, athletes count, readiness, fit reasoning, commitment attestations, discovery source.
- Psychometric audit responses (Article 9 — sensitive data) — answers to the FLOW XP MVP instruments: Edge, Grit, Alliance (inspired by the peer-reviewed instruments PCDEQ-2, ACSI-28, CART-Q respectively), SynC (proprietary FLOW XP coach emotional intelligence assessment), Drive, Climate, Mirror, Squad, Compass, Pulse, Onboard, 1on1 (proprietary FLOW XP instruments), as well as computed scores and baseline progression. These are mental performance assessments and qualify as health-related data under GDPR Article 9.
- Booking data — slot, time zone (when you reserve a demo call via Cal.com).
- Technical data — truncated IP, browser type, pages consulted (aggregated and anonymised Netlify Analytics).
3. Purposes and legal bases
- Founding Club Beta application qualification and demo call scheduling — legal basis: performance of pre-contractual measures at your request (Art. 6.1.b GDPR).
- Delivery of the audit service (questionnaires, scoring, AI-generated reports) — legal basis: performance of the contract between the Club and FLOW XP (Art. 6.1.b); for Article 9 sensitive data, explicit consent obtained from each adult athlete (Art. 9.2.a) and from the legal guardian for minors under 16 (Art. 8 + Art. 9.2.a).
- Educational follow-up communications — legal basis: explicit consent given at sign-up (Art. 6.1.a), withdrawable at any time.
- Service security and fraud prevention — legal basis: legitimate interest (Art. 6.1.f).
- Compliance with legal obligations (accounting, invoicing) — legal basis: legal obligation (Art. 6.1.c).
4. Minors — strict regime
Audited athletes are aged from U13/U14 (approximately 13 years) to Seniors (no upper age limit). For all athletes under 16, FLOW XP applies:
- Mandatory double parental consent — the parent / legal guardian receives a dedicated consent request by email and must explicitly confirm acceptance of (a) personal-data processing, (b) sharing of results with the club's coach, (c) their status as parent or legal guardian. No audit is sent to the athlete before parental confirmation.
- Audit content adapted — psychometric instruments are calibrated for adolescents and exclude any sensitive private question outside the strict sports psychology scope.
- Right to withdraw consent at any time — the parent may withdraw consent through the dedicated data-deletion procedure, immediately interrupting all future audits and triggering full deletion of past responses within 30 days.
For athletes aged 16 and over, consent is given directly by the athlete on their first connection to the platform.
5. Recipients and processors
Your data is accessible only to authorised FLOW XP staff and to the technical processors listed below, each governed by a Data Processing Agreement compliant with Article 28 GDPR:
- Netlify, Inc. (USA, EU-US Data Privacy Framework certified) — landing-page hosting, CDN, aggregated analytics for www.flowxp.eu.
- Supabase, Inc. (EU region — Frankfurt, Germany) — CRM database for prospect leads, club registration data, and communication tracking. All data remains in the EU.
- n8n GmbH (Germany, EU) — workflow orchestration for transactional emails and lead processing automation.
- Google LLC (USA, EU-US Data Privacy Framework certified) — email sending and reception via Google Workspace (sender admin@flowxp.eu), Google Fonts for website typography.
- Cal.com, Inc. (USA, EU-US Data Privacy Framework certified) — booking of demo calls with the FLOW XP team.
- Anthropic PBC (USA, EU-US Data Privacy Framework certified) — AI report generation (Claude API). No prolonged storage per Anthropic Enterprise terms — submitted data is not used for model training.
Note on the FLOW XP application stack. The list above covers processors used in the current website and pre-launch CRM phase. Once the FLOW XP application launches (post-Founding Beta), athlete and coach psychometric audit data will be processed within a separate dedicated application stack, distinct from the current CRM. The list of application processors will be added to this policy at application launch, with a public notice sent to all users under contract.
6. Transfers outside the EEA
Some processors are established in the United States. These transfers are framed by:
- The EU-US Data Privacy Framework adequacy decision (July 2023, upheld by the Court of Justice of the European Union on 3 September 2025) when the processor is certified. All of our US-based processors (Netlify, Google, Cal.com, Anthropic) are DPF-certified.
- Otherwise, Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021, supplemented by transfer impact assessments (TIA).
On request to admin@flowxp.eu, we provide the current list of guarantees applicable to each processor.
7. Retention periods
- Lead data and Founding Club Beta application responses — 36 months from the last contact, then deletion or anonymisation.
- Audit responses and reports (Article 9 sensitive data) — 3 years after the last activity of the athlete on the platform, then anonymisation.
- Client data (orders, invoices) — 7 years from the end of the service (Belgian accounting obligation).
- Audience cookies — 13 months maximum.
- Technical logs — 12 months maximum.
8. Your rights
In accordance with Articles 15 to 22 GDPR, you have the following rights, exercisable at any time by email to admin@flowxp.eu:
- Right of access and copy of your data
- Right of rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to define directives regarding the retention, deletion and communication of your data after your death
You may also lodge a complaint with the Belgian Data Protection Authority: dataprotectionauthority.be, Rue de la Presse 35, 1000 Brussels, or any other competent supervisory authority in your Member State.
9. Cookies and trackers
The website uses a minimal number of cookies:
- Strictly necessary cookies — site operation, display preferences. No consent required (Art. 129 Belgian Electronic Communications Act).
- Anonymised audience measurement (Netlify Analytics) — no cookie deposited on the browser, no individual user tracking. Exempt from prior consent under DPA guidelines.
- Cal.com — this service deposits its own functional cookies when you interact with the booking widget. See its policy: Cal.com.
No advertising cookie or third-party marketing tracker is deposited by www.flowxp.eu.
10. Sub-processing for AI report generation
Anonymised audit responses from all 12 FLOW XP instruments (Edge, Grit, Alliance, SynC, Drive, Climate, Mirror, Squad, Compass, Pulse, Onboard, and 1on1) are sent to Anthropic's Claude API to generate personalised reports (athlete / coach / club). The following safeguards apply:
- Anonymisation gateway — names, emails, phone numbers, addresses, dates of birth and any directly identifying field are stripped from the payload before transmission. The API receives only psychometric scores and structural team context.
- Output validation — generated reports are validated against a strict schema before being stored. Any non-conforming response is rejected.
- No model training — Anthropic Enterprise terms prohibit use of submitted data for model training.
- Audit log — every AI call is logged (timestamp, model, latency, status) for accountability.
11. Security
The website is served over HTTPS (Let's Encrypt) with strict security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). Critical processors (Supabase, n8n, Cal.com, Anthropic) apply equivalent or superior security standards (SOC 2, ISO 27001).
12. Modifications
This policy may be updated to reflect changes in processing activities, processors or regulations. The last-updated date is shown at the top of this page. In the event of a substantial change, affected users are notified by email.
13. Contact
Any question, request to exercise rights, or complaint should be sent to admin@flowxp.eu.