Privacy Policy

Data Controller

Floriane Woodley Illustration
Floriane Woodley
Vogelloh 36
80997 München
Germany
Email: flo@designsbyflow.com
Phone: +49 163 383 2717

Introduction and Overview

We have written this Privacy Policy (version 10.06.2026) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (referred to as "data") we as the data controller — and the processors commissioned by us (e.g. providers) — process, will process in the future, and what lawful options you have. The terms used are to be understood in a gender-neutral way.

In short: we inform you comprehensively about the data we process about you.

Privacy policies are usually very technical and use legal terminology. This Privacy Policy is intended to describe the most important things as simply and transparently as possible. Where transparency is aided by it, technical terms are explained in a reader-friendly way and links to further information are provided. We therefore communicate in clear and plain language that we only process personal data in the course of our business activities when there is a corresponding legal basis for doing so.

If you still have questions, please contact the responsible person listed in our imprint, follow the links provided, and look at further information on third-party sites.

Scope

This Privacy Policy applies to all personal data we process within our company, and to all personal data processed by companies (processors) we commission. By personal data we mean information as defined in Art. 4 No. 1 GDPR, such as a person's name, email address, and postal address. Processing personal data allows us to offer and invoice our services and products, both online and offline. The scope of this Privacy Policy covers all online presences (websites, online shops) we operate, our social media presences and email communication, and mobile apps for smartphones and other devices.

In short: the Privacy Policy applies to all areas in which personal data is processed in a structured way via the channels mentioned. Should we enter into legal relationships with you outside these channels, we will inform you separately if necessary.

Legal Bases

In the following Privacy Policy we provide you with transparent information about the legal principles and regulations — i.e. the legal bases of the General Data Protection Regulation — that allow us to process personal data. With regard to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, available at EUR-Lex.

We only process your data if at least one of the following conditions applies:

  1. Consent (Art. 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose.
  2. Contract (Art. 6(1)(b) GDPR): We process your data to fulfil a contract or pre-contractual obligations with you.
  3. Legal obligation (Art. 6(1)(c) GDPR): We are required to process your data to comply with a legal obligation — for example, retaining invoices for accounting purposes.
  4. Legitimate interests (Art. 6(1)(f) GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data — for example, to operate our website securely and efficiently.

In addition to the EU Regulation, national laws also apply. In Germany this is the Federal Data Protection Act (BDSG). Where further regional or national laws apply, we will inform you in the relevant sections.

Your Rights under GDPR

Under Article 13 GDPR you have the following rights to ensure fair and transparent processing of data:

If you believe that the processing of your data violates data protection law, you can lodge a complaint with the supervisory authority. As this business is based in Bavaria, the responsible authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) at www.lda.bayern.de.

In short: you have rights — don't hesitate to contact the responsible party listed in our imprint!

Storage Duration

It is our general principle to only store personal data for as long as is strictly necessary for the provision of our services and products. This means we delete personal data as soon as the reason for the data processing no longer exists. In some cases we are legally obliged to retain certain data even after the original purpose has ceased — for example for accounting purposes.

Should you request the deletion of your data or revoke your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it.

Communication

Summary: Persons affected: anyone who communicates with us by phone or email · Data processed: e.g. phone number, name, email address, form data · Purpose: handling communication with customers and business partners · Storage duration: duration of the business transaction and as required by law · Legal bases: Art. 6(1)(a), (b) and (f) GDPR

When you contact us by phone, email, or online form, personal data may be processed in order to handle and respond to your enquiry and the related business transaction.

Phone: When you call us, call data is stored in pseudonymised form on the respective device and by the telecommunications provider. Data such as name and phone number may be sent by email and stored to respond to the enquiry. Data is deleted once the business transaction is concluded and legal requirements permit.

Email: When you communicate with us by email, data may be stored on the respective device and on the email server. Data is deleted once the business transaction is concluded and legal requirements permit.

Online Forms: The contact form on this website is processed via Forminit (Forminit, forminit.com). When you submit the form, your data (name, email, message) is transmitted to Forminit's servers and forwarded to our email address. For more information, see Forminit's Privacy Policy. Data is deleted once the business transaction is concluded and legal requirements permit.

Spam Protection: The contact form is protected by hCaptcha (Intuition Machines, Inc., 2211 Selig Drive, Los Angeles, CA 90026, USA). hCaptcha may process technical data such as your IP address and browser information to distinguish human visitors from automated bots. This processing is based on our legitimate interest in protecting the website from spam and abuse (Art. 6(1)(f) GDPR). hCaptcha is a US-based service — data may be transferred to and processed in the United States under Standard Contractual Clauses. For more information, see hCaptcha's Privacy Policy and Terms of Service.

Legal bases: Art. 6(1)(a) GDPR (consent to store and use data for the business transaction); Art. 6(1)(b) GDPR (fulfilment of a contract or pre-contractual activities); Art. 6(1)(f) GDPR (legitimate interests in conducting professional customer and business communication).

Social Media

This website contains links to our profiles on Instagram, TikTok, LinkedIn, YouTube, and Behance. These links are indicated by the respective platform icons in the footer. Clicking a link will take you to the relevant platform's website, at which point that platform's own privacy policy and data processing practices apply. We have no influence over the data collected by these platforms. We recommend reviewing the privacy policy of each platform before interacting with our profiles.

The legal basis for including these links is our legitimate interest in presenting our work and maintaining a professional online presence (Art. 6(1)(f) GDPR).

Web Hosting

Summary: Persons affected: website visitors · Purpose: professional hosting and securing website operation · Data processed: IP address, time of visit, browser used, and further details · Storage duration: usually 2 weeks · Legal basis: Art. 6(1)(f) GDPR

This website is hosted via GitHub Pages, a service of GitHub Inc. (a subsidiary of Microsoft Corporation, 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA). When you visit the site, GitHub automatically records data including your IP address, browser type, operating system, referrer URL, and date and time of access. This data is stored in server log files and as a rule deleted after two weeks. We do not share this data, but cannot rule out that it may be viewed by authorities in the event of unlawful behaviour.

Please note that GitHub Pages is a US-based service, meaning data may be transferred to and processed in the United States. GitHub is certified under the EU–US Data Privacy Framework, which provides an adequate level of data protection. For more information, see GitHub's Privacy Statement.

The lawfulness of this processing arises from Art. 6(1)(f) GDPR (legitimate interests), as professional hosting is necessary to present the business securely and user-friendlily online.

Cookies

Summary: Persons affected: visitors to the contact page only · Purpose: bot protection · Storage duration: session · Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

This website does not use cookies. We do not set any cookies ourselves — no tracking, no analytics, no preferences, and no advertising cookies.

The only exception is the contact page, where the hCaptcha bot-protection widget may set cookies as part of its security process. These are strictly necessary to protect the form from spam and are set only when you visit the contact page. For details, see hCaptcha's Privacy Policy.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests in protecting the website from spam and abuse).