MarkFlow
Features Pricing News FAQ
Sign in Start now
PRIVACY GDPR-compliant · Hosted in the EU

Privacy Policy

How we collect, use, store and protect your data. We don't sell it, we don't share it with advertisers, and we keep it on EU servers in Frankfurt.

Effective: April 27, 2026 · Last updated: April 27, 2026
On this page
  1. Introduction
  2. Data controller
  3. What data we collect
  4. Legal basis (GDPR)
  5. How we use your data
  6. Google API policy
  7. Meta platform compliance
  8. Storage & security
  9. Sub-processors
  10. Data retention
  11. Cookies
  12. Your GDPR rights
  13. Data deletion
  14. International transfers
  15. Children's privacy
  16. Changes to this policy
  17. Contact
01

Introduction

Welcome to MarkFlow. This Privacy Policy explains how SIA MarkFlow (“MarkFlow,” “we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use our marketing analytics platform accessible at dashboard.markflow.eu and related services.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and Latvian data protection law.

02

Data controller

EntitySIA MarkFlow
Reg. number40203677928
AddressPriežu iela 6-15, Grobiņa, Dienvidkurzemes novads, LV-3430, Latvia
Contacthello@markflow.eu
Privacy emailprivacy@markflow.eu
Websitemarkflow.eu

For all privacy-related inquiries, data subject requests, or complaints, please contact us at privacy@markflow.eu.

03

What data we collect

3.1 Account information

  • Full name
  • Email address
  • Password (stored as a cryptographic hash, never in plain text)
  • Company name (optional)
  • Language and display preferences

3.2 Data from connected platforms

When you connect third-party platforms to MarkFlow via OAuth, we access:

From Google:

  • Basic profile information (name, email, profile picture)
  • Google Ads campaign data (campaigns, ad groups, ads, keywords, performance metrics)
  • Google Analytics 4 data (sessions, users, page views, conversions, traffic sources)
  • Google Business Profile information and insights

From Meta (Facebook and Instagram):

  • Basic profile information
  • Facebook Pages you manage (Page insights, posts, engagement metrics)
  • Instagram Business account data (followers, media, insights)
  • Meta Ad Account data (campaigns, ad sets, ads, performance metrics: spend, impressions, clicks, conversions, CTR, CPC, CPM, ROAS)
  • Business Manager information

From other supported platforms (TikTok, Twitter/X, LinkedIn): analogous analytics and campaign data as authorized by you.

3.3 Technical data

  • IP address (anonymized for analytics)
  • Browser type and version
  • Operating system
  • Pages visited within MarkFlow
  • Session duration and interaction logs
  • Error logs (for debugging)

3.4 Cookies and similar technologies

See section 11 (Cookies) below.

04

Legal basis for processing (GDPR)

Under the GDPR, we process your personal data based on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — to provide the MarkFlow service you signed up for
  • Consent (Art. 6(1)(a)) — for marketing emails, optional integrations, and cookies
  • Legitimate interest (Art. 6(1)(f)) — for service improvement, security, and fraud prevention
  • Legal obligation (Art. 6(1)(c)) — for tax records, accounting, and compliance with applicable laws

You may withdraw consent at any time by contacting privacy@markflow.eu or through your account settings.

05

How we use your data

We use your personal data solely to:

  • Provide and maintain the MarkFlow platform
  • Display your marketing performance data in the dashboard (marketing analytics)
  • Generate reports and insights based on your connected accounts
  • Plan, create, and schedule marketing content for your connected channels (content planning)
  • Create, manage, and optimize advertising campaigns where you grant the necessary permissions (advertising management)
  • Send service-related notifications (account security, billing, service updates)
  • Respond to your inquiries and support requests
  • Improve the MarkFlow platform based on aggregated, anonymized usage patterns
  • Comply with legal obligations

We do NOT:

  • Sell your personal data to third parties
  • Share your data with advertisers
  • Use your connected platform data for any purpose other than providing the MarkFlow services to you
  • Allow employees to read your data except for security investigations, legal compliance, or anonymized operational purposes
06

Google API Services User Data Policy

MarkFlow's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google user data to provide or improve user-facing features that are prominent in the MarkFlow user interface.
  • We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (with notice to you).
  • We do not allow humans to read Google user data unless we have your affirmative consent for specific items, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.

Google OAuth scopes requested

When you connect your Google account to MarkFlow, we request the following OAuth scopes:

  • openid, email, profile — to identify you and create your account
  • auth/adwords — read-only access to your Google Ads campaigns and performance metrics
  • auth/analytics.readonly — read-only access to your Google Analytics 4 properties
  • auth/business.manage — read-only access to your Google Business Profile information and insights

All scopes are used strictly for displaying analytics data within the MarkFlow dashboard. We do not create, modify, or delete any data in your Google accounts.

You can disconnect your Google account at any time from Settings → Integrations in your MarkFlow dashboard, or revoke MarkFlow's access directly at myaccount.google.com/permissions.

07

Meta platform compliance

MarkFlow complies with Meta's Platform Terms and Developer Policies. We only access and use data from Meta platforms (Facebook and Instagram) for the specific purposes authorized by you during the Facebook Login for Business OAuth consent flow.

Meta permissions we request

  • public_profile, email — your basic Facebook account information
  • pages_show_list, pages_read_engagement — to list and read insights for the Facebook Pages you manage
  • instagram_basic, instagram_manage_insights — to read Instagram Business account information and insights
  • ads_read, ads_management — to read your Meta Ad Account performance data
  • business_management — to access your Business Manager for multi-account organization
  • read_insights — to access aggregate analytics data

How we use Meta data

With your authorization through the Facebook Login for Business consent flow, we use Meta Platform Data to:

  • Display your Facebook and Instagram performance data (Pages, posts, audience and ad metrics) in your MarkFlow dashboard — marketing analytics.
  • Help you plan, create, and schedule content for your connected Facebook and Instagram accounts — content planning.
  • Help you create, manage, and optimize advertising campaigns, ad sets, and ads in your connected Meta Ad Accounts — advertising management.

In doing so, we commit that we:

  • Take any content-publishing or ad-management action only on your explicit instruction — never automatically or without your authorization.
  • Do not share your Meta Platform Data with third parties.
  • Do not use Meta Platform Data for any purpose other than providing the MarkFlow services you requested.
  • Comply with Meta's Data Deletion requirements — you can delete your Meta data at any time by removing MarkFlow from your Facebook settings, which automatically triggers deletion (see section 13.5 below).

You can revoke MarkFlow's access to your Meta account at any time:

  • From Settings → Integrations in your MarkFlow dashboard
  • From Facebook at facebook.com/settings
08

Data storage and security

8.1 Where your data is stored

  • Primary hosting: DigitalOcean, Frankfurt datacenter (Germany, European Union)
  • Backups: Encrypted snapshots stored in the same EU region
  • Email delivery: Twilio SendGrid (USA, under Standard Contractual Clauses)

8.2 Security measures

  • Encryption in transit: TLS 1.3 for all connections between your browser and our servers
  • Encryption at rest: AES-256 for database volumes and backups
  • OAuth token protection: All OAuth access and refresh tokens are encrypted using Fernet symmetric encryption before storage
  • Access controls: Multi-factor authentication for MarkFlow staff; principle of least privilege
  • Network security: Firewalls, intrusion detection, regular security audits
  • Software updates: Regular patching of dependencies and infrastructure

8.3 Data breach notification

In the event of a personal data breach, we will notify the Latvian Data State Inspectorate within 72 hours and notify affected users without undue delay if the breach poses a high risk to your rights and freedoms, as required by GDPR Article 33-34.

09

Sub-processors

MarkFlow uses the following trusted sub-processors to deliver our services. All sub-processors are bound by data processing agreements (DPAs) and adhere to equivalent privacy and security standards.

Sub-processorPurposeLocation
DigitalOcean, LLCCloud hosting and infrastructureFrankfurt, Germany (EU)
Twilio SendGrid, Inc.Transactional email deliveryUSA (SCCs)
Google LLCOAuth authentication, Google API services, and website analytics (Google Analytics — only if you accept analytics cookies)EU/USA
Meta Platforms, Inc.Facebook/Instagram OAuth authenticationEU/USA
Hostinger International Ltd.Marketing website hostingLithuania (EU)
Let's Encrypt (ISRG)SSL/TLS certificate issuanceUSA (nonprofit)

We will notify users of any changes to our sub-processor list via email and by updating this Privacy Policy. Data transfers outside the EU/EEA are protected by Standard Contractual Clauses (SCCs) and technical safeguards.

For a Data Processing Agreement (DPA) tailored to your business, contact privacy@markflow.eu.

10

Data retention

We retain your personal data only as long as necessary to provide the service and comply with legal obligations.

Data typeRetention period
Active account dataWhile your account is active
Connected platform data (cached)Up to 90 days (cache expires automatically)
OAuth tokensUntil you disconnect the account
Deleted account dataPermanently erased within 30 days after deletion request
Billing records10 years (Latvian Accounting Law)
Email logs90 days
Server access logs30 days
Analytics logs (anonymized)24 months
11

Cookies

MarkFlow uses cookies and similar technologies to provide and improve our service.

11.1 Types of cookies

  • Strictly necessary cookies — required for authentication, security, and session management. Cannot be disabled.
  • Preference cookies — remember your settings (language, theme). Optional.
  • Analytics cookies — Google Analytics (GA4), to help us understand how our website is used. Optional: these are only set if you choose "Accept" on the cookie banner, and nothing is loaded or stored if you decline.

11.2 Managing cookies

You can manage cookies:

  • Through the cookie consent banner displayed on first visit
  • At any time via the "Cookie preferences" link in the website footer, where you can change or withdraw your choice
  • In your browser settings (see your browser's help documentation)
  • At any time by revisiting your account privacy preferences

If you withdraw consent, we stop analytics processing and remove the analytics cookies already stored in your browser.

Disabling strictly necessary cookies may impair MarkFlow functionality.

12

Your rights under GDPR

As a data subject, you have the following rights:

  • Right to access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — “right to be forgotten”; request deletion of your data
  • Right to restrict processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent
  • Right to lodge a complaint (Art. 77) — file a complaint with the Latvian Data State Inspectorate or your local supervisory authority

12.1 How to exercise your rights

  • Email privacy@markflow.eu with your request
  • Most requests can be fulfilled through Settings → Account in your dashboard
  • We will respond within 30 days (or notify you of any extension as allowed by GDPR)
13

Data deletion

13.1 Self-service deletion

You can delete your MarkFlow account and associated data at any time:

  1. Log in to dashboard.markflow.eu
  2. Go to Settings → Account
  3. Click "Delete Account"
  4. Confirm deletion

13.2 Request via email

Send a deletion request to privacy@markflow.eu from the email address associated with your account. We will verify your identity and delete your data within 30 days.

13.3 What is deleted

  • All account data (profile, preferences, settings)
  • All connected platform data (cached analytics, OAuth tokens)
  • All chat/AI interaction history
  • All campaign planning data

13.4 What is retained

  • Billing records (10 years, Latvian law)
  • Anonymized, aggregated analytics logs (24 months)
  • Legal compliance records as required

13.5 Meta (Facebook & Instagram) data deletion

To delete the data MarkFlow obtained from Facebook or Instagram, open your Facebook Settings & privacy → Settings → Apps and Websites, then remove MarkFlow. This automatically notifies MarkFlow, which deletes your Facebook and Instagram data and the associated OAuth tokens, and returns a confirmation code and a status page so you can track the request.

Technically, removing the app sends a signed callback from Facebook to our automated data-deletion endpoint (https://dashboard.markflow.eu/api/data-deletion/meta/), which processes the deletion. You can also email privacy@markflow.eu to request deletion. Verified requests are completed within 30 days.

14

International data transfers

Your data is primarily processed within the European Union (Frankfurt, Germany). Limited transfers to the United States occur for:

  • Email delivery (SendGrid)
  • OAuth authentication with Google and Meta

All such transfers are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission, ensuring adequate safeguards for your data.

15

Children's privacy

MarkFlow is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact privacy@markflow.eu so we can delete it.

16

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. Material changes will be communicated to you by:

  • Email notification to your registered email address
  • Prominent notice on our website
  • In-app notification in the MarkFlow dashboard

The “Last updated” date at the top of this document indicates when this policy was last revised.

17

Contact information

General
hello@markflow.eu
General inquiries
Privacy
privacy@markflow.eu
Response within 5 business days
Data Authority
dvi.gov.lv
Datu valsts inspekcija (Latvia)
DPA Email
pasts@dvi.gov.lv
Elijas iela 17, Rīga

SIA MarkFlow · Priežu iela 6-15, Grobiņa, Dienvidkurzemes nov., LV-3430, Latvia

We process your data in the EU, on EU servers. We never sell it. You can delete it any time.
MarkFlow

All your marketing, finally in one flow. Built in the EU for teams that ship.

Product

  • Features
  • Pricing
  • News

Company

  • About
  • Contact
  • FAQ

Legal

  • Privacy
  • Terms
  • Cookie preferences
SIA "MarkFlow"
Reg. number: 40203677928
Priežu iela 6 - 15, Grobiņa,
Dienvidkurzemes nov., LV-3430
© 2026 SIA MarkFlow. All rights reserved. Built by Polaroaks