Privacy Policy
How we handle your personal data under GDPR and Czech law.
Last updated: 6 May 2026
XFlow Trading s.r.o. ("we", "us") respects your privacy. This policy explains what personal data we collect, why we collect it, who we share it with, and what rights you have under Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll. (Czech Personal Data Processing Act).
1. Data controller
XFlow Trading s.r.o., company ID (IČO) 24101524, tax ID (DIČ) CZ24101524, registered seat Nemocniční 1916/13, 466 01 Jablonec nad Nisou, Czech Republic.
Contact for any privacy matter: support@xflowtrading.com.
2. What data we collect
When you place an order or subscribe, we collect the data you enter into the checkout form and the technical metadata produced by your purchase:
- Name and surname
- Delivery address (street, city, postcode, country)
- Phone number and email address
- Order details (product, quantity, total amount, payment method)
- Optional courier note
- For card / subscription payments: a Stripe customer identifier and (for subscriptions) a subscription identifier — we DO NOT receive or store full card numbers, CVC codes, or PINs; that data is held only by Stripe.
- An idempotency key generated by your browser to prevent duplicate orders
- If you are an authenticated XFlow trading platform user at the time of purchase: your XFlow user identifier, linking the order to your account
- Server logs of your visit (IP address, user agent, timestamp), for security and abuse prevention
3. Why we process your data and on what legal basis
- **Order fulfilment** (Art. 6(1)(b) GDPR — performance of the purchase contract): name, address, phone, email, order details, payment identifiers.
- **Subscription billing** (Art. 6(1)(b) GDPR — performance of the subscription contract): Stripe customer/subscription identifiers, recurring charge events.
- **Tax and accounting obligations** (Art. 6(1)(c) GDPR — legal obligation under Act No. 563/1991 Coll. on Accounting and Act No. 235/2004 Coll. on VAT): we are required to retain order and invoice documents for 10 years.
- **Customer support** (Art. 6(1)(f) GDPR — legitimate interest): we use your contact details to answer your questions and resolve disputes.
- **Fraud prevention and security of the website** (Art. 6(1)(f) GDPR — legitimate interest): server logs, idempotency tracking, abuse signal monitoring.
- **Cross-product personalisation for XFlow trading users** (Art. 6(1)(f) GDPR — legitimate interest): when you are an authenticated XFlow user at the time of purchase, we link the order to your account so you can see your supplement orders alongside your trading account. You may object to this linking at any time.
4. Recipients of your data (processors)
We share your data only with parties that need it to fulfil your order or operate the service. Each processor is bound by a written processor agreement under Art. 28 GDPR.
- **Shipmall (Comgate s.r.o., Czech Republic)** — our fulfilment partner, processes your delivery address and order details to ship the package and to communicate status updates back to us.
- **The carrier you select** (e.g. GLS, Zásilkovna / Packeta) — receives only the data needed to deliver and contact you (name, address, phone, email, package number).
- **Stripe Payments Europe, Limited (Ireland), and Stripe, Inc. (United States)** — payment processor for card and subscription payments. Receives the personal data needed to process the payment (name, email, billing address, payment method) and stores card data on its own infrastructure as a separate controller for fraud prevention. Standard contractual clauses (SCCs) apply for any transfer to the United States.
- **Supabase, Inc. (United States)** with infrastructure hosted in the EU — database storage for orders, subscriptions, and audit logs. SCCs apply.
- **Resend, Inc. (United States)** — transactional email delivery (order confirmation, shipping updates). Receives your email address and the rendered email content. SCCs apply.
- **Vercel, Inc. (United States)** — hosting and edge delivery for the website. Processes server logs (IP, user agent, request path) for security and operational monitoring. SCCs apply.
- **Our accountant** — receives invoice data for tax purposes only.
5. International transfers
Some processors listed above are based in or operate from the United States. Transfers to the United States are made under the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. We do not transfer your data to other third countries beyond what these processors require to operate.
You may obtain a copy of the safeguards applied to your data on request at support@xflowtrading.com.
6. Retention period
- Order and invoice data: 10 years from the end of the calendar year of purchase, as required by Czech accounting law (§ 31 of Act No. 563/1991 Coll.).
- Subscription metadata (active subscriptions, billing history): for the duration of the subscription plus 10 years for accounting purposes.
- Customer support correspondence: 4 years from the last message in a thread.
- Server logs: 90 days, longer only if needed for active investigation of a security incident.
- Marketing-related data (only if you sign up — currently we do not run marketing): until you withdraw consent.
After the retention period expires, we delete or anonymise the data.
7. Your rights
Under Art. 15–22 GDPR you have the right to:
- Access your personal data and obtain a copy (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data, where the legal basis allows (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21) — including the cross-product linking described in § 3
- Withdraw any consent at any time, without affecting prior lawful processing
- Not be subject to a decision based solely on automated processing, including profiling (Art. 22) — we do not currently make any such decisions
To exercise any of these rights, write to support@xflowtrading.com. We respond within 30 days.
8. Right to lodge a complaint
You have the right to lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů — ÚOOÚ), which is the supervisory authority for our processing: https://www.uoou.cz.
9. Cookies and similar technologies
We describe our use of cookies and browser storage in our separate Cookie Policy.
10. Changes to this policy
We may update this policy to reflect changes in law, our processors, or our practices. The latest version is always available on this page; the date at the top reflects the last revision. For material changes affecting active subscribers, we notify by email.
Contact
Questions about this policy? Email support@xflowtrading.com.