• For candidate data provided to recruiters (such as CVs, pre-screening responses, interview responses, videos, and other related materials), Flowmingo acts both as a processor (on behalf of recruiters) and as a controller of its own copy of that data which it retains for platform operation and compliance purposes.

  • In its processor role, Flowmingo processes candidate data strictly on recruiter instructions.

  • In its controller role, Flowmingo may retain and process its own copy of candidate data for limited and clearly defined purposes (e.g., platform security, quality assurance, legal compliance) and will honor candidate requests under GDPR for that copy.

  • Where recruiters are the controllers (e.g., evaluation reports generated for recruiters), Flowmingo will forward Data Subject Access Requests (DSARs) and enforce follow-up through internal escalation if recruiters fail to act.

• In limited cases where Flowmingo and recruiters may jointly determine specific purposes, such as co-developing interview models, the parties may act as joint controllers. Where this applies, Flowmingo will ensure that the essence of the arrangement under Art. 26 GDPR is accessible to candidates upon request. In most other cases, Flowmingo’s roles as controller (for its own copy of data) and processor (for recruiter-owned data) are clearly separated as described above.

• For candidate-paid services (evaluation reports or assessment tests purchased directly by candidates), Flowmingo acts as a controller.

• For recruiter account and billing data, Flowmingo acts as a controller to manage accounts, billing, and service provision.

Candidate data (examples include, but are not limited to):

• CV details (name, email, work/education history, contact details).

• Pre-screening question responses.

• Written and video/audio interview responses.

• AI evaluation reports/assessment test results purchased directly by candidates (Flowmingo is the controller).

• AI evaluation reports generated for recruiters (Flowmingo is a processor; recruiter is the controller).

• Other information voluntarily provided by candidates during interviews or assessments (e.g., references, portfolio links, or additional documentation).

Recruiter data (examples include, but are not limited to):

• Account details and login credentials.

• Billing and payment information.

• Recruiter AI evaluation activity logs.

• Candidate CVs or information uploaded directly by recruiters.

Stored interview questions and interview sets created by recruiters.

Technical data (examples include, but are not limited to):

• Device information, IP addresses, browser/device identifiers, cookies, cache, and diagnostic logs.

• AI-generated reports may be used by recruiters, but final hiring decisions rest with humans.

• Candidates have rights to:

  • Request human intervention by contacting Flowmingo at compliance@flowmingo.ai. Flowmingo will escalate internally if recruiters fail to respond to forwarded DSARs.

  • Express their views or contest automated assessments (requests will be forwarded and tracked).

  • Opt-out of AI model improvement uses.

• Personal data may be transferred outside the EEA (e.g., GCP, Cloudflare, Stripe, HitPay).

• Transfers rely on Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs).

• Flowmingo publishes summaries of TIAs and safeguards.

• Supplementary safeguards include encryption in transit and at rest, access minimisation, and regional split-processing.

• Recruiter-owned candidate data: Flowmingo acts as a processor. Data is retained as long as required by the recruiter (controller) and will be deleted when instructed by the recruiter or when the recruiter account is closed and inactive for more than 2 years. Flowmingo’s controller copy of candidate data (limited to security, QA, and compliance purposes) will be deleted in accordance with statutory obligations or upon validated data subject request.

• Candidate-paid reports/tests: retained for 2 years by default, unless renewed or deleted at the candidate’s request.

• Recruiter accounts: retained for 2 years post-closure.

• Billing/payment records: retained up to 7 years (legal obligation).

• Flowmingo uses trusted service providers for hosting, payment, and analytics.

• Current examples: GCP, Cloudflare, Stripe, HitPay, Google Analytics.

• Flowmingo ensures subprocessors are bound by contractual agreements that require GDPR compliance. Material changes will be communicated where appropriate, and clients may raise objections consistent with Art. 28.

• Encryption and pseudonymisation of sensitive data.

• Role-based access limited to minimum necessary (CEO, CTO, designated engineers, QA/support).

• Access is logged and reviewed quarterly.

• Regular penetration testing and monitoring.

• Breach notifications to authorities within 72 hours where required (Art. 33).

• Flowmingo uses a Consent Management Platform (CMP) with granular choices:

  • Essential cookies (required for service).

  • Analytics cookies.

  • Personalisation cookies.

  • Marketing cookies.

• Consent is recorded and can be withdrawn anytime.

• Marketing communications will only be sent where a lawful basis (such as consent or, where applicable, soft opt-in for existing customers) is in place.

• Flowmingo services are not directed at children under 16.

• While we do not actively collect age information at signup, users are required to confirm eligibility through acceptance of the Terms of Service, which include an age restriction clause. For higher-risk services, Flowmingo may apply additional verification measures to comply with Art. 8 GDPR.

• This Policy may be updated.

• Material changes will be notified via email or in-app.

• Flowmingo will maintain an archive of prior versions for accountability (Art. 5(2)).

For any privacy inquiries or to exercise GDPR rights:

• Email: compliance@flowmingo.ai

• Address: 966 Hougang Ave 9 #12-596, Singapore 530966