Privacy Policy
Last updated: 27 March 2026
1. Data Controller
The controller of your personal data is:
Kamil Zwarycz, conducting business under the name LogicLoom Kamil Zwarycz
Registered in the Central Registration and Information on Business (CEIDG)
NIP: 5871749235 | REGON: 540001576
Kalinowa 6L lok. 3, 81-198 Kosakowo, Poland
Email: legal@budiflow.com
Public register: biznes.gov.pl
This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the BudiFlow platform, and describes your rights under Regulation (EU) 2016/679 (GDPR), the Polish Act on Personal Data Protection, and the Act on the Provision of Electronic Services.
We have not appointed a Data Protection Officer (DPO), as we do not meet the thresholds requiring mandatory DPO appointment under Article 37 GDPR. Privacy queries may be directed to legal@budiflow.com.
2. Our Dual Role: Controller and Processor
BudiFlow operates in two distinct data protection roles, and it is important to understand the distinction:
Role 1 — Data Controller (for Subscriber account data):
When you register and use BudiFlow, we determine the purposes and means of processing your personal data (name, email address, billing information, usage data). In this capacity we are your data controller and this Privacy Policy applies fully.
Role 2 — Data Processor (for your end-customers' data):
When you connect your Instagram Business account to BudiFlow, we receive and process the direct messages, story replies, and story mentions your end-customers send you, in order to generate AI-assisted replies and route conversations to your inbox. You — the Subscriber business — are the data controller of that end-customer data. We process it solely on your behalf, under your instructions, as your data processor under Article 28 GDPR.
As your data processor, we:
• Process your end-customers' messages only as necessary to provide the Service (generating and sending replies, routing conversations, detecting when a human agent should take over), never for our own marketing or analytics purposes.
• Maintain confidentiality and implement appropriate technical security measures.
• Notify you promptly of any data breach affecting your end-customers' data.
• Delete or return all end-customer conversation data upon termination of your subscription.
You are responsible for ensuring you have a lawful GDPR basis to receive and process messages from your Instagram followers and customers through BudiFlow, and for your own Instagram Business Account's compliance with Meta's platform terms. If your end-customers are residents of the EU/EEA, you must ensure your own privacy notice (e.g. linked from your Instagram bio) discloses that an AI-assisted support tool may process their messages.
The Data Processing Agreement (DPA) embedded in our Terms of Service governs our processor relationship with you.
3. Personal Data We Collect
We collect and process the following categories of personal data about Subscribers (the businesses using BudiFlow, not their end-customers):
Account data: full name, business name (if applicable), email address, password (stored as a one-way cryptographic hash — we cannot recover your password), profile photo (optional).
Billing and payment data: billing name and address, invoice email, VAT number (if applicable). We invoice you directly and do not collect or store your payment card details ourselves — payment is made by bank transfer or however is agreed with your account manager.
Usage and technical data: IP address, browser type and version, device type, pages visited, features used, session duration, timestamps, error logs, and performance metrics. This data is collected automatically when you use the Service.
Communication data: the content of emails, support tickets, and chat messages you send to us.
Instagram account connection data: when you connect an Instagram Business account, we receive the account's basic profile information (username, profile picture, account ID) via Meta's Instagram Graph API, so we can correctly display and attribute the connected account in your inbox.
End-customer message data (processed as a data processor — see Section 2): as your data processor, we process the content of direct messages, story replies, and story mentions your Instagram followers and customers send to your connected account, for the sole purpose of generating and delivering replies and routing conversations. This data belongs to your end-customers and you, the Subscriber, are responsible for it.
We do not intentionally collect or process special categories of personal data (sensitive data) under Article 9 GDPR — such as health data, biometric data, or religious beliefs — about Subscribers. If any such data appears in end-customer messages routed through your connected Instagram account, you are responsible for ensuring a lawful basis exists.
4. Lawful Bases for Processing
We process your personal data on the following lawful bases under Article 6 GDPR:
Contract performance (Art. 6(1)(b) GDPR): Account data and billing data are processed to enter into and perform the subscription agreement with you — to provide access, manage your account, issue invoices, and provide support. Providing this data is a contractual requirement; without it we cannot provide the Service.
Legitimate interests (Art. 6(1)(f) GDPR): Usage and technical data are processed for our legitimate interests in: improving the Service and user experience, detecting and preventing fraud, abuse, and security incidents, and monitoring system performance. We have balanced these interests against your rights and concluded that our interests do not override yours, given the limited sensitivity of usage data.
Legal obligation (Art. 6(1)(c) GDPR): Billing records and invoices are retained to comply with Polish tax and accounting law (Ustawa o rachunkowości, Ordynacja podatkowa), which requires retention for 5 years.
Consent (Art. 6(1)(a) GDPR): Where we rely on consent — for example, for non-essential analytics cookies or for sending marketing communications — you may withdraw your consent at any time without affecting the lawfulness of prior processing. Withdrawal can be done via the cookie management panel or by emailing legal@budiflow.com.
5. How We Use Your Data
We use your personal data for the following purposes:
Service provision: to create and manage your account, connect your Instagram Business account, generate AI-assisted replies to your customers' messages, and ensure the Service functions correctly for you.
Billing and invoicing: to issue invoices, follow up on unpaid invoices, and maintain financial records.
Customer support: to respond to your support requests, troubleshoot issues, and improve our help documentation based on common issues.
Service communications: to send transactional emails essential to your use of the Service — account confirmation, password resets, subscription renewal notices, payment receipts, and important Service updates.
Service improvement and security: to monitor system performance, detect bugs, analyse usage patterns (in aggregated/anonymised form where possible), prevent fraud, and maintain the security and integrity of the Service.
Legal compliance: to fulfil our obligations under Polish and EU law, including tax, accounting, and data protection requirements.
Marketing (with consent only): if you have opted in, we may send newsletters, product update announcements, and promotional offers. You may unsubscribe at any time via the link in any marketing email or by contacting legal@budiflow.com.
We do not sell your personal data to third parties. We do not use your personal data for automated profiling that produces legal or similarly significant effects.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Policy:
Account data (name, email, profile): retained for the duration of your active subscription plus 30 days after account deletion. The 30-day period allows you to export your data before permanent deletion.
End-customer conversation data (Instagram messages processed on your behalf): retained for the duration of your active subscription so conversation history remains available in your inbox, then deleted within 30 days of account termination unless you request an earlier export/deletion.
Billing records and invoices: retained for 5 years from the end of the tax year in which the transaction occurred, as required by Polish tax law (Ordynacja podatkowa, Art. 70) and accounting law (Ustawa o rachunkowości).
Usage logs and technical data: retained for up to 12 months for security monitoring, fraud detection, and service improvement. Aggregated, anonymised analytics may be retained indefinitely.
Support communications: retained for 3 years from the date of resolution, to assist with follow-up issues and quality improvement.
Consent records: retained for the duration of your account plus 3 years, as evidence of consent for compliance purposes.
When data is no longer required, it is securely deleted using industry-standard methods or anonymised such that you can no longer be identified.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of access (Art. 15): Request a copy of all personal data we hold about you, including information on processing purposes, recipients, and retention periods.
Right to rectification (Art. 16): Request correction of any inaccurate or incomplete personal data.
Right to erasure / right to be forgotten (Art. 17): Request deletion of your personal data where: it is no longer needed for its original purpose; you withdraw consent (where consent was the legal basis); you object to processing based on legitimate interests and we have no overriding grounds; or the processing is unlawful.
Right to restriction of processing (Art. 18): Request that we temporarily limit how we use your data while a dispute about accuracy or lawfulness is resolved.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. This right applies to data processed on the basis of contract or consent.
Right to object (Art. 21): Object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to direct marketing.
Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
No automated decision-making: We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Art. 22 GDPR).
How to exercise your rights: Email legal@budiflow.com with the subject line "GDPR Rights Request". We will verify your identity and respond within 30 days (extendable to 60 days for complex requests with notice). All requests are free of charge. We may need to retain certain data despite an erasure request where we have a legal obligation to do so.
8. Third-Party Processors
We engage the following trusted sub-processors who process personal data on our behalf. All are bound by written data processing agreements:
Meta Platforms, Inc. (USA) — Instagram Business platform. We use Meta's Instagram Graph API to receive your connected account's messages, story replies, and mentions, and to send replies on your behalf. Meta's own data practices for this data are governed by Meta's Platform Terms and Data Policy: developers.facebook.com/terms, facebook.com/privacy/policy.
AI inference provider — used to transcribe voice messages and generate reply text from message content. The content of a message is sent to the provider's API solely to produce a reply; it is not used by the provider to train models on our configuration. Current provider details are available on request at legal@budiflow.com and will be listed at budiflow.com/subprocessors.
Auth.js (NextAuth) v5 — open-source identity and authentication. Processes account credentials (email, hashed password), session tokens, and authentication events. The Auth.js library is self-hosted on our infrastructure (EU/EEA); we delegate sign-in to OAuth providers (Google, Apple, Microsoft Entra ID, Facebook, LinkedIn, X/Twitter) — only the providers enabled in the deployment are used. Auth.js documentation: authjs.dev.
Cloud hosting provider (EU/EEA) — application servers, databases, the Chatwoot-based inbox, and file storage. All primary data is hosted within the EU/EEA. Processes all categories of personal data stored in the Service, including end-customer conversation data.
An up-to-date list of all sub-processors is available at budiflow.com/subprocessors. We will notify Subscribers at least 14 days in advance of adding or replacing a sub-processor. Subscribers who object to a sub-processor change may terminate their subscription within that notice period with a pro-rata refund.
We do not sell your personal data to third parties.
9. International Data Transfers
Some of our sub-processors (Meta, Cloudflare, the OAuth identity providers we delegate to) are based in the United States, which is outside the European Economic Area (EEA). Personal data transferred to these processors is protected by the following safeguards:
Standard Contractual Clauses (SCCs): We rely on the SCCs approved by the European Commission under Implementing Decision (EU) 2021/914. These clauses create enforceable data protection obligations on the recipient.
EU-US Data Privacy Framework (DPF): Where applicable, we use processors certified under the DPF, which was recognised as providing adequate protection by the European Commission in its adequacy decision of 10 July 2023.
Your rights: You may obtain further details about the specific safeguards applied to transfers by contacting legal@budiflow.com. You have the right to request a copy of the applicable SCCs.
All data stored in our primary database and application infrastructure is hosted within the EU/EEA and is not subject to international transfer.
10. Cookies and Tracking Technologies
We use cookies and similar technologies in accordance with the Polish Act on Electronic Communications (Prawo komunikacji elektronicznej, PKE, Dz.U. 2024 poz. 1221, Arts. 399-400) and GDPR.
Strictly necessary cookies (no consent required):
These are essential for the Service to function and cannot be disabled. They include: authentication/session cookies required by Auth.js (NextAuth), security cookies (including CSRF protection), and our cookie-consent state cookies.
Current cookie model:
At this time, BudiFlow does not enable optional analytics, marketing, social, or personalization cookies through the consent panel. Optional categories are disabled by default and not actively used.
Your cookie choices:
• You can review the current cookie model at budiflow.com/cookies.
• You can reset your consent state from cookie settings in the app.
• You can also manage cookies through your browser settings, though this may affect Service functionality.
Cookie retention: session cookies are deleted when you close your browser. Consent-state cookies are retained for up to one year.
We do not use advertising or cross-site tracking cookies to serve targeted advertising.
11. Children and Minors
BudiFlow is a professional business tool intended for use by adults (18+) operating a business account. We do not knowingly collect personal data from individuals under the age of 18 as Subscribers.
Age of consent for digital services: Under Polish implementation of GDPR Article 8, the minimum age for providing consent for information society services is 16 years. Our Service is not directed at individuals under 18 as Subscribers.
If we become aware that we have collected personal data from someone under 18 without appropriate consent as a Subscriber, we will delete that data promptly. Please contact legal@budiflow.com if you believe we may have inadvertently collected data from a minor.
Regarding your end-customers' data: your connected Instagram account may receive messages from individuals under 16. As the data controller for your end-customers' data (see Section 2), you are responsible for ensuring you have a lawful basis to process messages from minors in accordance with applicable law. Our Terms of Service and DPA require you to ensure a lawful basis for all end-customer data processed through the Service.
12. Automated Decision-Making and Profiling
BudiFlow uses AI to generate suggested or automatic reply text to your end-customers' Instagram messages, and to detect when a conversation should be escalated to a human agent (for example, a high-value request, a question the AI cannot confidently answer, or an explicit request to speak to a person). This is an automated content-generation and routing process, not automated decision-making that produces legal or similarly significant effects on a data subject within the meaning of Article 22 GDPR — it does not grant or deny anyone access to a service, credit, employment, or any legal entitlement.
We also use automated systems for: fraud detection (to identify unusual account activity that may indicate unauthorised use or payment fraud) and spam filtering (to block malicious content). These systems flag cases for human review and do not make final binding decisions without human involvement.
Any analytics or usage analysis we perform is used only to improve the Service in aggregate and does not result in individual decisions affecting your rights or access to the Service.
13. Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority if you believe we have processed your personal data in breach of GDPR.
The competent supervisory authority for Poland is:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
President of the Office for Personal Data Protection
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
Telephone: +48 22 531 03 00
You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work. A directory of EU supervisory authorities is available at edpb.europa.eu.
We would appreciate the opportunity to address your concerns before you contact UODO. Please reach out to us first at legal@budiflow.com.
14. Contact Us
For all privacy-related enquiries, rights requests, or concerns:
Kamil Zwarycz, conducting business under the name LogicLoom Kamil Zwarycz
Kalinowa 6L lok. 3, 81-198 Kosakowo, Poland
NIP: 5871749235 | REGON: 540001576
Email: legal@budiflow.com
We will acknowledge your enquiry within 3 business days and provide a full response within 30 days (extendable to 60 days for complex requests, with prior notification).
This Privacy Policy was last updated on 26 March 2026. We will notify you of material changes by email and/or a prominent notice in the Service at least 30 days before the changes take effect. The current version is always available at budiflow.com/privacy.