Onflexa Privacy Policy

Last updated: November 11, 2025

Onflexa ("us", "we", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and related services (collectively, the "Service").

This policy is provided in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Italian legislation (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018).

Data Controller

The Data Controller is [Insert Company Name/Owner Name], with registered office in [Insert Full Address], email: [Insert Privacy Email].

Types of Data Collected

Among the Personal Data collected by Onflexa, independently or through third parties, there are:

• Data provided voluntarily by the User: Registration data (email, first name, last name, company name), as well as all data voluntarily entered into the CRM (e.g., data of contacts, accounts, tasks, notes, opportunities, calls).
• Usage Data and Logs: Information on how the Service is used, IP addresses, browser type, pages visited.
• Data from Third-Party Services (Google and IMAP): Data that the User authorizes us to access, as described in the following section.

Purposes of Processing

User Data is collected to allow us to:

• Provide the Service and its features (core business of the CRM).
• Manage User accounts.
• Synchronize data with third-party services (Google, IMAP) at the User's request.
• Send notifications related to the Service (task deadlines, new emails).
• Comply with legal and tax obligations.
• Improve the Service and monitor usage.

Guarantees on Google (Gmail, Contacts, Calendar) and IMAP Synchronization

We understand the importance and sensitivity of the data from your Google and IMAP accounts. Our integration is designed with the highest priority for security and privacy.

• Limited Access: Onflexa will access your Google and IMAP data (emails, contacts, calendar events) only after your explicit authorization (OAuth2 for Google) and only for the purposes strictly necessary to provide the Service's synchronization features.
• Use of Data: The use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The data will not be used for other purposes, such as selling to third parties or advertising.
• Encryption: To ensure maximum confidentiality, all emails, their contents, and attachments synchronized from your Gmail or IMAP accounts and stored on our servers are encrypted "at-rest" (on disk). We use robust encryption algorithms to protect this information from unauthorized access.
• No Sharing: The contents of your synchronized emails, calendar events, and contacts will never be shared with third parties, except to comply with legal obligations or for the technical operation of the Service (e.g., cloud infrastructure providers, bound by confidentiality agreements).
• User Control: You can revoke Onflexa's access to your Google data at any time through your Google account's security settings.

Legal Basis for Processing

We process your Personal Data if one of the following conditions applies:

• The User has given consent for one or more specific purposes.
• Processing is necessary for the performance of a contract with the User and/or for any pre-contractual obligations.
• Processing is necessary to comply with a legal obligation to which the Controller is subject.
• Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.

Location and Method of Processing

Data is processed at the Controller's operating offices and in any other places where the parties involved in the processing are located. Data is processed on servers located within the European Union or in countries that guarantee an adequate level of protection.

Processing is carried out using computers and/or IT-enabled tools, with organizational procedures and modes strictly related to the purposes indicated, adopting appropriate security measures.

Retention Period

Data is processed and stored for the time required by the purposes for which it was collected. Therefore:

• Personal Data collected for purposes related to the performance of a contract between the Controller and the User will be retained until such contract has been fully performed.
• Personal Data collected for purposes related to the Controller's legitimate interests will be retained as long as needed to fulfill such purposes.

At the end of the retention period, Personal Data will be deleted.

User Rights (GDPR)

Users may exercise certain rights regarding their Data processed by the Controller. In particular, the User has the right to:

• Withdraw consent at any time.
• Access their Data.
• Verify and seek rectification.
• Obtain restriction of processing.
• Obtain the erasure or removal of their Personal Data (right to be forgotten).
• Receive their Data and have it transferred to another controller (portability).
• Object to the processing of their Data.
• Lodge a complaint with the competent data protection supervisory authority.

To exercise their rights, Users can direct a request to the Controller's contact details provided in this document.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.