Last updated: April 2026
The General Data Protection Regulation (GDPR) is a data protection law that came into force across the European Union on 25 May 2018. The UK retained an equivalent law — the UK GDPR — following its departure from the EU. Together, these laws give individuals in the EU and UK strong rights over how their personal data is collected, used, and stored.
At Flento, we believe data privacy is a right — not a checkbox. Regardless of where you are in the world, we are committed to handling your personal data with transparency, security, and respect. This page explains how Flento complies with the GDPR and what it means for you as a user.
For full details on how we collect and use your data, please read our Privacy Policy.
Yes. Even though Flento Inc. is not based in the EU or UK, the GDPR applies to us because we offer services to individuals and businesses located in the EU and UK and monitor their behaviour online. This means we are legally required to comply with the GDPR for all EU and UK users.
Depending on the context, Flento acts in two different roles under the GDPR:
Data Controller: When we collect and use your personal data directly — for example, when you create an account, subscribe to a plan, or receive marketing from us — Flento acts as the Data Controller. This means we determine the purposes and means of processing your personal data.
Data Processor: When you use Flento to manage data relating to your own customers or clients — for example, when an agency uses Flento to manage Google Business Profile listings for their clients — Flento acts as a Data Processor on your behalf. In this case, you (the Registered User or Agency User) are the Data Controller, and Flento processes that data only on your instructions and in accordance with our Terms and Conditions.
Under the GDPR, we must have a valid lawful basis before processing your personal data. Flento relies on the following lawful bases:
Performance of a contract: We process your personal data where it is necessary to deliver the Services you have signed up for — for example, creating your account, processing your payment, and providing access to the Flento platform.
Legitimate interests: We process certain data where we have a genuine business interest that does not override your rights — for example, improving our platform, preventing fraud, and sending relevant product updates to existing customers.
Consent: We process your data on the basis of consent where required — for example, when sending marketing emails or placing non-essential cookies on your device. You can withdraw your consent at any time.
Legal obligation: We process certain data where we are required to do so by applicable law — for example, retaining financial transaction records for tax purposes.
If you are located in the EU or UK, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at legal@flento.io. We will respond within 30 calendar days of receiving your request (we may extend this by a further two months for complex or multiple requests, in which case we will notify you).
You have the right to request a copy of the personal data we hold about you and information about how we use it. This is commonly known as a Data Subject Access Request (DSAR). To submit a DSAR, email legal@flento.io with the subject line "Data Subject Access Request" and your full name and account email address. We will verify your identity before processing your request.
You have the right to request that we correct any personal data we hold about you that is inaccurate or incomplete. You can update most of your account information directly in your Flento account settings, or contact us at legal@flento.io for anything else.
You have the right to request that we delete your personal data where:
Please note that we may not always be able to fulfil an erasure request — for example, where we are required to retain data by law (such as financial records). We will inform you of any such limitations at the time of your request.
You have the right to request that we suspend the processing of your personal data in certain circumstances — for example, if you contest the accuracy of the data, or if you have objected to processing and we are verifying whether our legitimate grounds override yours.
You have the right to receive a copy of personal data you have provided to us in a structured, commonly used, machine-readable format (such as CSV or JSON), and to transmit that data to another controller. This right applies where processing is based on consent or contract, and is carried out by automated means.
You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your rights, or unless the processing is necessary for legal claims.
You also have an absolute right to object to your personal data being used for direct marketing purposes at any time. We will stop immediately upon receipt of your objection.
Where we rely on consent as the lawful basis for processing (for example, for marketing emails or non-essential cookies), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.
To withdraw consent for marketing, click "Unsubscribe" in any email or contact legal@flento.io. To withdraw consent for cookies, update your preferences via the Cookie Settings link in our website footer.
Flento does not make any decisions about you based solely on automated processing that produce legal or similarly significant effects. A human will always be involved in any decision that materially affects you.
As Flento Inc. is not established in the EU or UK but offers services to EU and UK users, the GDPR requires us to appoint a representative in the EU and/or UK. We are in the process of formally appointing an EU and UK Representative. This page will be updated with their details once appointed.
In the meantime, all GDPR-related enquiries should be directed to our DPO at legal@flento.io. We will respond fully and in accordance with GDPR timelines regardless of our representative status.
Flento has appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with the GDPR.
If you have any concerns about how Flento handles your personal data, we encourage you to contact our DPO first. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (see below).
Protecting your personal data is a core part of how we build and operate Flento. Our security measures include:
Encryption in transit: All data transmitted between your browser and the Flento platform is encrypted using TLS (Transport Layer Security / HTTPS). This means your data is protected from interception when it travels over the internet.
Encryption at rest: Personal data stored on our servers is encrypted at rest, meaning it is protected even if the underlying storage were ever compromised.
Access controls: We operate strict role-based access controls. Only authorised Flento personnel with a legitimate business need can access personal data, and all such personnel are subject to confidentiality obligations.
Infrastructure security: The Flento platform is hosted on Amazon Web Services (AWS) and Vercel — two industry-leading cloud infrastructure providers. Both maintain robust security frameworks and industry certifications (including SOC 2 and ISO 27001 for AWS).
Payment security: All payment processing is handled by Stripe. Flento does not store raw payment card data. Stripe is certified to PCI DSS Level 1 — the highest level of payment security certification available.
Vulnerability management: We conduct regular internal security reviews and maintain an incident response plan to address any identified vulnerabilities promptly.
Breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by Article 33 GDPR), and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights (as required by Article 34 GDPR).
As a Data Controller, Flento uses a number of trusted third-party service providers (sub-processors) to help deliver the Services. All sub-processors are bound by data processing agreements and are only permitted to process personal data on Flento's instructions.
Our current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and data storage | United States (with global infrastructure) |
| Vercel | Frontend hosting and deployment | United States |
| Stripe | Payment processing | United States |
| Google Analytics | Website traffic analytics | United States |
| Meta Pixel | Advertising measurement | United States |
| Google Business Profile API | GBP listing management | United States |
International transfers: As our sub-processors are primarily based in the United States, your personal data may be transferred outside the EEA/UK. We ensure all such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK Extension to the EU-US Data Privacy Framework.
We will update this table as we add or remove sub-processors. You have the right to object to the use of a new sub-processor — see our Terms and Conditions for details.
Flento maintains a documented data breach response process. In the event of a suspected or confirmed personal data breach, we will:
If you believe your data may have been compromised, please contact us immediately at legal@flento.io.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting obligations. Our retention periods are:
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account + 6 years after closure |
| Payment and transaction records | 7 years (legal / tax obligation) |
| Marketing consent records | Until consent is withdrawn |
| Support communications | Up to 3 years |
| Google Analytics data | 26 months (default retention setting) |
When data is no longer required, we securely delete or anonymise it. You may also request erasure of your data at any time (subject to legal retention obligations) by contacting legal@flento.io.
If you are not satisfied with how Flento has handled your personal data or responded to a rights request, you have the right to lodge a complaint with your local data protection supervisory authority.
EU users: Contact your national Data Protection Authority. A full list is available at edpb.europa.eu.
UK users: Contact the Information Commissioner's Office (ICO) at ico.org.uk or by phone at 0303 123 1113.
India users: Contact the Data Protection Board of India once operational under the DPDP Act 2023.
We would, however, always appreciate the opportunity to resolve your concern directly before you contact a supervisory authority. Please reach out to us first at legal@flento.io.
We will update this GDPR compliance page as our practices evolve or as regulatory requirements change. The "Last updated" date at the top of this page reflects the most recent revision.
For any GDPR-related questions, data subject rights requests, or privacy concerns:
This page should be read alongside our Privacy Policy, Terms and Conditions, and Cookie Policy.