Privacy Policy
Last updated: March 23, 2026
1. Introduction
Ecomflows.io (“Ecomflows”, “we”, “us”, or “our”) is operated by Flows Marketing Solutions LLC, a Wyoming, United States limited liability company.
We respect your privacy and are committed to protecting personal data. This Privacy Policy explains how we collect, use, store, and protect personal information when you visit our website, use our services, or interact with us.
This policy applies to all users, clients, partners, and visitors worldwide.
2. Who We Are
- Legal entity: Flows Marketing Solutions LLC
- Trade name: Ecomflows
- Website: https://ecomflows.io
- Email: legal@ecomflows.io
- Jurisdiction: Wyoming, United States
- Server infrastructure: Google Cloud Platform, EU region (Europe)
Ecomflows provides email marketing, retention marketing, and automation services to e-commerce businesses, delivered through professional agency services and a SaaS platform.
For the purposes of GDPR:
- When processing data of website visitors and direct clients, Ecomflows is the Data Controller.
- When processing end-consumer data accessed via Klaviyo OAuth on behalf of connected shops, Ecomflows is the Data Processor. The connected shop is the Data Controller.
3. Data We Collect
When you interact with us directly — through our website, by signing up, or by engaging our services — we may collect:
a. Personal Information
- Name
- Email address
- Company name
- Phone number
- Billing details
- Communication preferences
b. Technical & Usage Data
- IP address
- Browser type
- Device information
- Pages visited
- Referring URLs
- Cookie identifiers
c. Client & Platform Data
When providing services, we may process data from platforms such as:
- Klaviyo
- Shopify
- Email marketing platforms
- Analytics and advertising tools
This data may include aggregated campaign performance, events, and customer behavior metrics.
d. Klaviyo OAuth Data (Platform Users)
When you connect your Klaviyo account to the Ecomflows Platform via OAuth 2.0, we access and may synchronize the following data from your Klaviyo account:
- Profile data: Email addresses, names, phone numbers, and associated metadata of your end-consumers
- Event data: Purchase events, behavioral events, device and location data, and custom events associated with end-consumer profiles
- Campaign data: Campaign metadata, performance metrics, and send history
- Flow data: Automated flow configurations, trigger types, and performance metrics
- Segment data: Segment definitions and membership criteria
- Form data: Form configurations and submission metadata
- Metric data: Key performance indicators and aggregated metric values
- Account data: Account-level settings and configuration
Legal basis for processing Klaviyo OAuth data (GDPR):
- Contractual necessity (Article 6(1)(b)): Processing is necessary for the performance of the service agreement between Ecomflows and the connected shop.
- Legitimate interest (Article 6(1)(f)): Processing aggregated and anonymized data for product improvement, benchmarking, and service optimization, balanced against the minimal impact on data subjects given the anonymization applied. Ecomflows has conducted a legitimate interest assessment confirming that this processing does not override the fundamental rights and freedoms of data subjects, given the anonymized and aggregated nature of the data.
4. How We Use Your Data
We use personal data to:
- Provide and manage our services, including the Platform and agency services
- Synchronize Klaviyo account data to power Platform analytics, dashboards, and optimization features
- Generate performance reports and custom triggers for connected shops
- Communicate with clients and prospects
- Improve website performance and user experience
- Analyze marketing and campaign performance
- Produce aggregated, anonymized benchmarks and insights
- Comply with legal and contractual obligations
- Improve and optimize our internal systems
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process personal data based on:
- Consent (Art. 6(1)(a))
- Contractual necessity (Art. 6(1)(b))
- Legitimate interest (Art. 6(1)(f))
- Legal obligation
6. Analytics, Advertising & Tracking
We use third-party tools such as:
- Google Analytics
- Meta (Facebook) Ads
- Tracking pixels and cookies
These tools help us understand website usage and improve marketing effectiveness. Tracking technologies are only activated after user consent where required by law.
7. Cookies
We use cookies and similar technologies as follows:
a) Strictly Necessary Cookies
These cookies are essential for the website and Platform to function. They include authentication cookies, session cookies, and security cookies. These do not require consent.
b) Analytics Cookies
We use Google Analytics and PostHog (deployed via CNAME proxy) for website analytics. These cookies track page views, interactions, and usage patterns to help us improve our services. Analytics cookies are only set after you provide consent.
c) Marketing Cookies
Marketing cookies from Meta (Facebook) and similar platforms may be used for advertising purposes. These are only activated after consent.
You can manage or withdraw cookie consent at any time via our cookie banner or browser settings. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
8. Client Data & Data Processing Roles
When providing Platform services to connected shops:
- The shop is the Data Controller for its end-consumer data
- Ecomflows acts as the Data Processor
We process data solely based on client instructions and the service agreement. We do not use client end-consumer data for independent purposes.
The relationship between Ecomflows and connected shops is governed by our Data Processing Agreement (DPA), which forms a binding addendum to the Terms of Service. The DPA is available at https://www.ecomflows.io/legal/dpa.
9. Internal Analytics & Aggregated Data
To improve our services, Ecomflows may process aggregated and anonymized data derived from client accounts.
This data is used exclusively for:
- Internal analytics
- System optimization
- Performance benchmarking
- Product and service improvement
Aggregated data:
- Does not identify individual clients or customers
- Cannot be traced back to a specific person or business
- Is never sold or shared with third parties
10. Data Sharing
We may share data with trusted third parties who act as sub-processors or service providers:
- Google Cloud Platform. Purpose: Infrastructure, database hosting, background processing. Location: EU (Europe)
- Firebase Authentication (Google). Purpose: User authentication and token verification only (no user data stored in Firebase). Location: US (global service)
- Stripe. Purpose: Payment processing. Location: US (PCI-DSS compliant)
- Google Analytics (Google). Purpose: Website traffic analytics. Location: US (global service)
- Sentry. Purpose: Error tracking and monitoring (no PII transmitted). Location: US
- Webflow. Purpose: Website hosting and form collection. Location: US
- Make.com. Purpose: Workflow automation for form submissions. Location: EU/US
All sub-processors are contractually required to safeguard data and process it only according to our instructions.
Use of Webflow Forms and Make.com
Our website uses Webflow Forms to collect contact requests, inquiries, and other information submitted voluntarily by users. When you submit a form on our website, the personal data you provide may be processed and stored by Webflow Inc.
Webflow Inc. may store and process form data on servers located in the United States. To ensure compliance with the General Data Protection Regulation (GDPR), Webflow relies on a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) approved by the European Commission. These safeguards ensure an adequate level of protection for personal data transferred outside the European Economic Area.
In addition, we use Make.com (formerly Integromat) to securely transfer form submissions from Webflow to our internal systems and communication tools. Make.com acts as a data processor and processes personal data only according to our instructions and for the intended purpose of handling inquiries, client communication, and service delivery.
Make.com complies with GDPR requirements and applies appropriate technical and organizational measures to protect personal data. Where applicable, data processed through Make.com may also be transferred outside the European Economic Area using approved legal safeguards such as Standard Contractual Clauses.
We use data submitted through Webflow Forms and processed via Make.com solely for the purpose for which it was provided, such as responding to inquiries, providing requested information, or managing client relationships. We do not sell or use this data for unrelated purposes.
By submitting a form through our website, you acknowledge and agree that your personal data may be processed and stored as described in this Privacy Policy.
11. International Data Transfers
Flows Marketing Solutions LLC is a United States limited liability company organized under the laws of Wyoming. However, all personal data processed through the Ecomflows Platform is stored and processed on servers located in the European Union (Google Cloud Platform, EU region).
To the extent that personal data is accessible by Ecomflows personnel or sub-processors located outside the European Economic Area (EEA), the following safeguards are in place:
- Standard Contractual Clauses (SCCs): Transfers of personal data from the EEA to Ecomflows in the United States are governed by the Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission pursuant to Decision 2021/914. These SCCs are incorporated into the Data Processing Agreement.
- Sub-processor SCCs: Each sub-processor that processes personal data outside the EEA is required to maintain appropriate transfer mechanisms, including SCCs where applicable.
- Supplementary measures: In addition to the SCCs, Ecomflows implements supplementary technical measures including AES-256-GCM encryption at rest, TLS encryption in transit, and strict Identity and Access Management (IAM) controls.
For data processed by Webflow and Make.com, transfers outside the EEA are covered by the SCCs and DPAs maintained by those providers, as described in Section 10.
12. Data Retention
We retain personal data for the following periods:
- Klaviyo OAuth data (profiles, events, campaign/flow metadata): Deleted within 30 days of account disconnection or service termination
- OAuth tokens: Deleted immediately upon disconnection (encrypted at rest while active)
- Aggregated, anonymized statistics: Retained indefinitely (cannot be traced to individuals or businesses)
- Website visitor data (analytics, cookies): 24 months from collection
- Client account data (name, email, billing): For the duration of the business relationship, plus any period required by law (e.g., tax retention requirements)
- Form submissions (Webflow/Make.com): As long as necessary to fulfill the purpose of the inquiry, or as required by law
Notwithstanding the above, Ecomflows may retain personal data for longer periods where necessary to establish, exercise, or defend legal claims.
After the applicable retention period expires, personal data is permanently deleted or irreversibly anonymized.
13. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption at rest: OAuth tokens encrypted using AES-256-GCM; database encryption provided by Google Cloud SQL
- Encryption in transit: All data transmitted via TLS
- Access controls: Identity and Access Management (IAM) policies restrict data access to authorized personnel only
- Infrastructure security: Hosted on Google Cloud Platform with SOC 2 Type II and ISO 27001 certified infrastructure
- Error monitoring: Sentry is configured to exclude personally identifiable information (PII) from error reports
- API access restrictions: API access is restricted to authorized applications only
- Breach notification: In the event of a personal data breach affecting your data, Ecomflows will notify affected shops without undue delay and within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where feasible, the notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
14. Data Deletion Requests
a) For Connected Shops (Platform Users)
You may request deletion of all data associated with your shop by:
- Disconnecting your Klaviyo account through the Platform interface — this triggers automatic deletion of all associated data within 30 days
- Emailing legal@ecomflows.io with your deletion request
b) For End-Consumers
If you are an end-consumer whose data has been processed through the Platform, please contact the shop (Data Controller) that collected your data. The shop may then instruct Ecomflows to delete your data, and we will comply within 30 days.
c) For Website Visitors and Direct Contacts
You may request deletion of your personal data by emailing legal@ecomflows.io. We will process your request within 30 days.
15. Your Rights
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion (right to erasure)
- Object to processing based on legitimate interest
- Withdraw consent at any time (without affecting lawfulness of prior processing)
- Request data portability (receive your data in a structured, machine-readable format)
- Restrict processing in certain circumstances
- Lodge a complaint with a supervisory authority (for EEA residents, the relevant data protection authority in your country of residence)
Requests can be submitted to: legal@ecomflows.io
We will respond to all rights requests within 30 days. If a request is particularly complex, we may extend this by a further 60 days, and will notify you accordingly.
16. Children’s Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
17. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be available on our website. We will provide at least 30 days’ notice of material changes by email or through the Platform.
18. Contact
For questions or concerns regarding this Privacy Policy, please contact:
Flows Marketing Solutions LLC
Operating as Ecomflows
Website: https://ecomflows.io
Ecomflows’ lead supervisory authority for GDPR purposes is the Irish Data Protection Commission (DPC), reachable at www.dataprotectioncommission.ie.
For data protection inquiries from EEA residents, you may also contact us at the above address. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority or the Irish DPC.

