Privacy policy
Last updated: 12 May 2026
This policy describes how Flow XP BV collects, uses and protects the personal data of users of mental.flowxp.eu and of the Flow XP psychometric audit service, in compliance with Regulation (EU) 2016/679 (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data controller
Flow XP BV, a Belgian private limited company with registered office at Wit Kapelleke 26, 1652 Beersel, Belgium, registered with the Crossroads Bank for Enterprises under number BE 0669.982.661, represented by Loïc Eylenbosch.
Contact for any data-related question: admin@flowxp.eu.
Within the Flow XP audit service, Flow XP BV acts as a data processor on behalf of the contracting Club (data controller). A Data Processing Agreement (DPA) is signed at contract signature.
2. Data collected
Depending on your interaction with the website and service, we process:
- Identification data — first name, last name, professional email, club name, role (president, technical director, coach, board member, mental performance specialist), country, sport (collected via the Mini-Audit Tally and the invitation flow).
- Declarative data (Mini-Audit Tally) — club size, athlete age range, dominant sport, current state of mental performance work, decision-making role, planning horizon, self-assessment Likert score.
- Psychometric audit responses (Article 9 — sensitive data) — answers to peer-reviewed instruments (TOPS-2, ACSI-28, SMS-II, CART-Q, LSS, CBS-S, MSCEIT, EDMCQ-C, PCDEs), computed scores, baseline progression. These are mental performance assessments and qualify as health-related data under GDPR Article 9.
- Booking data — slot, time zone (when you reserve a demo call via Cal.com).
- Technical data — truncated IP, browser type, pages consulted (aggregated and anonymised Netlify Analytics).
3. Purposes and legal bases
- Mini-Audit Tally qualification and demo call scheduling — legal basis: performance of pre-contractual measures at your request (Art. 6.1.b GDPR).
- Delivery of the audit service (questionnaires, scoring, AI-generated reports) — legal basis: performance of the contract between the Club and Flow XP (Art. 6.1.b); for Article 9 sensitive data, explicit consent obtained from each adult athlete (Art. 9.2.a) and from the legal guardian for minors under 16 (Art. 8 + Art. 9.2.a).
- Educational follow-up communications — legal basis: explicit consent given at sign-up (Art. 6.1.a), withdrawable at any time.
- Service security and fraud prevention — legal basis: legitimate interest (Art. 6.1.f).
- Compliance with legal obligations (accounting, invoicing) — legal basis: legal obligation (Art. 6.1.c).
4. Minors — strict regime
Audited athletes may be aged 12 to 30. For all athletes under 16, Flow XP applies:
- Mandatory double parental consent — the parent / legal guardian receives a dedicated consent request by email and must explicitly confirm acceptance of (a) personal-data processing, (b) sharing of results with the club's coach, (c) their status as parent or legal guardian. No audit is sent to the athlete before parental confirmation.
- Audit content adapted — psychometric instruments are calibrated for adolescents and exclude any sensitive private question outside the strict sports psychology scope.
- Right to withdraw consent at any time — the parent may withdraw consent through the dedicated data-deletion procedure, immediately interrupting all future audits and triggering full deletion of past responses within 30 days.
For athletes aged 16 and over, consent is given directly by the athlete on their first connection to the platform.
5. Recipients and processors
Your data is accessible only to authorised Flow XP staff and to the technical processors listed below, each governed by a Data Processing Agreement compliant with Article 28 GDPR:
- Netlify, Inc. (USA) — landing-page hosting, CDN, aggregated analytics.
- Supabase, Inc. (EU region — Frankfurt, Germany) — application database (audit responses, reports, user accounts). All sensitive data stay in the EU.
- Tally B.V. (Netherlands, EU) — Mini-Audit qualification form.
- Cal.com, Inc. (USA) — booking of demo calls with Loïc Eylenbosch.
- n8n GmbH (Germany, EU) — workflow orchestration (lead processing, reminder sequences).
- Notion Labs, Inc. (USA) — internal CRM (DB LEADS).
- Google LLC (USA) — email sending (Gmail Workspace, sender admin@flowxp.eu), Google Fonts.
- Resend, Inc. (USA, EU options) — transactional emails (sender audit@flowxp.eu).
- Anthropic PBC (USA) — AI report generation (Claude API). No prolonged storage per Anthropic Enterprise terms.
6. Transfers outside the EEA
Some processors are established in the United States. These transfers are framed by:
- The EU-US Data Privacy Framework adequacy decision (July 2023) when the processor is certified.
- Otherwise, Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021, supplemented by transfer impact assessments (TIA).
On request to admin@flowxp.eu, we provide the current list of guarantees applicable to each processor.
7. Retention periods
- Lead data and Mini-Audit responses — 36 months from the last contact, then deletion or anonymisation.
- Audit responses and reports (Article 9 sensitive data) — 3 years after the last activity of the athlete on the platform, then anonymisation.
- Client data (orders, invoices) — 7 years from the end of the service (Belgian accounting obligation).
- Audience cookies — 13 months maximum.
- Technical logs — 12 months maximum.
8. Your rights
In accordance with Articles 15 to 22 GDPR, you have the following rights, exercisable at any time by email to admin@flowxp.eu:
- Right of access and copy of your data
- Right of rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to define directives regarding the retention, deletion and communication of your data after your death
You may also lodge a complaint with the Belgian Data Protection Authority: dataprotectionauthority.be, Rue de la Presse 35, 1000 Brussels, or any other competent supervisory authority in your Member State.
9. Cookies and trackers
The website uses a minimal number of cookies:
- Strictly necessary cookies — site operation, display preferences. No consent required (Art. 129 Belgian Electronic Communications Act).
- Anonymised audience measurement (Netlify Analytics) — no cookie deposited on the browser, no individual user tracking. Exempt from prior consent under DPA guidelines.
- Tally and Cal.com — these services deposit their own functional cookies when you interact with their forms / widget. See their policies: Tally · Cal.com.
No advertising cookie or marketing third-party tracker is deposited by mental.flowxp.eu.
10. Sub-processing for AI report generation
Anonymised audit responses are sent to Anthropic's Claude API to generate personalised reports (athlete / coach / club). The following safeguards apply:
- Anonymisation gateway — names, emails, phone numbers, addresses, dates of birth and any directly identifying field are stripped from the payload before transmission. The API receives only psychometric scores and structural team context.
- Output validation — generated reports are validated against a strict schema before being stored. Any non-conforming response is rejected.
- No model training — Anthropic Enterprise terms prohibit use of submitted data for model training.
- Audit log — every AI call is logged (timestamp, model, latency, status) for accountability.
11. Security
The website is served over HTTPS (Let's Encrypt) with strict security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). Critical processors (Supabase, Tally, Cal.com, Anthropic) apply equivalent or superior security standards (SOC 2, ISO 27001).
12. Modifications
This policy may be updated to reflect changes in processing activities, processors or regulations. The last-updated date is shown at the top of this page. In the event of a substantial change, affected users are notified by email.
13. Contact
Any question, request to exercise rights, or complaint should be sent to admin@flowxp.eu.