PRIVACY POLICY

Date: October, 2025

This privacy policy (hereinafter, "Privacy Policy") has been drafted by "Freeflow Finance, S.A. DE C.V." (hereinafter, "Freeflow Finance" or the "Data Controller") in order to comply with the duty of transparency in the processing of personal data that may be carried out in its capacity as data controller, in accordance with the provisions and based on the best international practices in the matter, relating to the protection of natural persons, whether natural or legal, with regard to the processing of personal data and the free movement of such data (hereinafter referred to as "GDPR").

The information contained in this Privacy Policy allows you to consult the details of the different processing of your personal data that may be carried out by "Freeflow Finance" by virtue of the relationship with the owners of the personal data.

NEED TO PROVIDE PERSONAL DATA:

We inform you that mere access to the Website or any digital channel made available to you does not imply the obligation for you to provide any personal information.

However, the use of some services or functionalities of the Website or digital channels in general does require you to provide certain personal data, indicated in the corresponding forms or contract models, and implies their processing for the purposes and legal bases indicated in this Privacy Policy.

Refusal to provide the data required in these cases may mean that it is impossible to provide you with some services or functionalities, or to process the requests or contracts made, especially in those cases in which they are identified as mandatory.

As the owner of the personal data, you will be responsible for ensuring that the data you provide us through the website or digital channels is true, accurate, complete and up-to-date. To this end, you will be responsible for the veracity of all the data you provide and you must keep the information requested duly updated, so that it corresponds to your real situation on the date you request some of the services or functionalities.

Likewise, you will be responsible for the false or inaccurate information you provide and for any damages, direct or indirect, whether material, legal or of any other nature that this causes to the Data Controller or to third parties that it hires for the processing of the data.

Under no circumstances may personal data corresponding to third parties be included in the form, unless you have previously obtained their consent, personally answering for the breach of this obligation. You may be required to provide documentation supporting this authorisation at any time.

RESPONSIBILITY FOR PROCESSING:

Owner: "FREEFLOW FINANCE, S.A. DE C.V."

E-mail: support@freeflow-fx.com

Below, we inform you of the details of the processing of personal data that may be carried out by Freeflow Finance.

In any case, you can request more information about the processing carried out by writing to the Data Protection Officer of Freeflow Finance at the email: support@freeflow-fx.com, in charge of ensuring the fair and transparent processing of your personal data.

CONCEPTUALIZATION AND SCOPE:

For the purposes of this policy, the following definitions shall apply:

a. Informational self-determination: It is the power of every person to exercise the rights and activate the mechanisms that this policy grants on the personal information that concerns him/her, contained in public or private records, especially, but not exclusively or limited, to those stored by digital and computer means. That is, it is the ability of the individual to determine the disclosure and use of their personal data, control and determine what third parties could at any time know about their personal life.

b. Database or repository: Indistinctly, they designate the organized set of personal data that are subject to treatment or processing, electronic or not, regardless of the modality of their formation, storage, organization or access.

c. Data blocking: Temporary or permanent restriction of any access to or processing of stored data.

d. Consent: Free, specific, informed and unequivocal manifestation of the will of the owner of the data, through which he or she accepts, either through a declaration or a clear affirmative action, the processing of the data in cases where there is no other legal basis for its processing.

e. Cookie: this is a small piece of information sent by a website and stored in the user's browser, so that the website can consult previous browser activity, as well as create profiles on internet users by exploring their browsing habits.

f. Personal data: Information concerning an identified or identifiable natural person, understood as any person whose identity can be determined, directly or indirectly, and in particular any numerical, alphabetical, graphic, photographic, acoustic or any other type of information concerning identified or identifiable natural persons. Personal data is not processed if it does not allow a person to be identified or located.

g. Sensitive personal data: These are personal data that refer to the characteristics, circumstances or information of individuals or to facts or circumstances of their private life or intimacy, which affect the most intimate and personal sphere of their owner and whose improper use may give rise to discrimination, seriously affect the right to honour, personal and family privacy and one's own image. By way of example but not limitation, they are generally those that reveal aspects such as religious beliefs and convictions, ethnic origin, political affiliation or ideologies, union membership, sexual preferences, physical and mental health, biometric information, genetics, moral and family situation, personal habits and other intimate information of a similar nature.

h. Dissociation or Anonymization: It is the irreversible procedure by which personal data cannot be attributable to its owner or allow, due to its structure, content or degree of disaggregation, the identification of the latter.

i. ARCOPOL Rights: are the very personal and independent rights of Access, Rectification, Cancellation, Opposition, Portability, Oblivion and Limitation, by means of which the owner of the personal data can exercise control over the processing of their personal data, and which must be safeguarded and guaranteed their execution by the data controller or data processors.

j. Data processor: Natural or legal person, public or private, who, alone or jointly with others, processes personal data on behalf of the data controller, as a result of the existence of a legal relationship that binds them to the data controller and delimits the scope of their action for the provision of a service. The processor therefore does not have the capacity to decide on the data it collects, the processing it carries out or the purpose for which it was destined.

k. Issuer of personal data: is the owner of the personal data bank or the person in charge of its processing in which, in accordance with the provisions of this policy, a transfer of personal data is carried out to another country or locally.

l. Publicly accessible sources: Those databases or repositories of public or private administration whose consultation can be carried out by provision of law by any person or means, without further demand, or where appropriate for the payment of a consideration or fee.

m. Limitation on the processing of personal data: it allows the owner, whose personal data are subject to processing, to request the data controller to apply measures on their personal data to prevent their modification, so that their data are rectified, or, where appropriate, their deletion.

n. Security Measures: Refers to the policies, actions or control procedures or group of controls that guarantee the protection of personal data, contained in records or physical or electronic files of unauthorized access, guaranteeing the security of the information.

o. Recipient of personal data: is any natural or legal person, public or private, who receives the data in the event of local or international transfer, either as a person responsible or in charge of personal data or as a third party.

p. Responsible: Natural or legal person, public or private, administrator of the database or repository, or who decides on the purpose, content and use of the processing of personal data with the express and informed consent of the owner of the data.

q. Processor: Natural or legal person, public or private, that, alone or in conjunction with another, processes personal data on behalf of the data controller.

r. Pseudonymization: It is the procedure for processing personal data in such a way that they can no longer be attributable or associated with the owner of the same without using additional information, as long as such additional information is separated, hidden, classified and safeguarded under technical, technological and organizational measures that guarantee that such personal data cannot be attributed to an identified or identifiable natural person.

s. Contingency Sites: It is an alternate or secondary place where data stored on physical or virtual computer servers that reside in a primary site is replicated continuously or discontinuously.

t. Owner: Any natural person whose data is subject to the processing referred to in this policy.

u. Data processing: Any operation or set of operations, carried out by automated or manual procedures and applied to personal data, such as the collection, recording, organization, structuring, storage, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, comparison or interconnection, limitation, deletion or destruction of personal data.

v. Deletion or cancellation of data: the destruction of data stored in registers or databases, whatever the procedure used for this purpose.

w. Transfer of personal data: Any communication of personal data made to a person other than the controller or data processor, with the prior and informed consent of its owner.

PRINCIPLES OF THE POLICY:

The general principles for data protection are:

a. Principle of data accuracy: Personal data must be kept accurate, complete and updated as far as possible for the purposes of its processing, in such a way that its veracity is not altered. All reasonable steps will be taken to ensure that personal data that is inaccurate in relation to the purposes for which they are processed is deleted or rectified without delay. The data obtained directly from the owner will be presumed to be accurate and up-to-date.

b. Principle of loyalty: The controller will process the personal data in its possession, prioritizing the protection of the interests of the owner and refraining from processing or collecting them through fraudulent, unfair and illicit means.

c. Principle of consent and purpose: In the treatment, collection and storage of personal data, there must be a free, prior, express and informed consent of the owner, which establishes the purpose and period of storage and treatment.

d. Principle of data minimisation: The personal data collected and used must be sufficient, relevant and not excessive in relation to the specific and legitimate purpose.

e. Principle of quality: determines what data can be collected and for what purpose, and is based on two other principles, that of proportionality and that of purpose, by virtue of which the data will be accurate and updated at all times, stored in such a way as to allow the exercise of the right of access, unless they are legally cancelled.

f. Principle of Transparency: consists of informing the owner of the personal data of all the characteristics of the processing to which their data will be subjected and also requires that this information be provided in a concise, intelligible and easily accessible manner, with clear and simple language. It is forbidden to use long texts with technical or legal terminologies and small print.

g. Data Security Principle: It refers to guaranteeing the security, integrity, availability and confidentiality of personal data, in order to prevent its alteration, loss, consultation, disclosure or unauthorized treatment, as well as to detect deviations of information, intentional or not, whether the risks come from human action or the technical environment.

h. Principle of Lawfulness or Legality: The processing of personal data must be carried out in compliance with the provisions of current regulations, for which it must comply with one of the following conditions:

· The processing of data is based on the express consent granted by the interested party for one or more purposes.

· The processing is necessary for the performance of a contract, to which the data subject is a party, or for the execution of pre-contractual measures.

· The processing is necessary for the compliance of the data controller with any legal obligation.

· The processing is necessary to ensure the protection of the vital interests of the data subject or another affected person.

· The processing is necessary for the fulfilment of a purpose in the public interest or for the controller to be able to exercise the public powers conferred on him.

· The processing is necessary for the controller to be able to meet its legitimate interests, provided that those interests do not infringe the rights or freedoms of the individuals subject to processing.

i. Privacy principle: refers to guaranteeing the confidentiality of the owner's personal data, as well as everything related to the processing of said data and the purpose for which they have been collected, especially those of a sensitive nature.

j. Principle of temporality: the conservation of personal data must be limited to the period in which the purposes pursued for its processing will be achieved, and/or the period necessary to comply with any special regulations on the matter, and/or applicable legislation.

k. Principle of demonstrated responsibility: an entity that collects and processes personal data must be responsible for the effective compliance with the measures it implements to protect the privacy of its owners and to guarantee effective protection of personal data.

RIGHT TO PROTECTION OF PERSONAL DATA:

Any person, by himself or through his representative, will have the right to know if his personal data are being processed, to obtain their rectification when this is appropriate, to request their cancellation or blocking when appropriate, to object to the processing of his data and to request that its processing be restricted in the future for uses other than those for which it was provided.

They will also have the right to obtain an intelligible reproduction of their personal data and to transfer them when they consider it appropriate.

In the case of the personal data of deceased persons, it will be up to their heirs or successors to exercise these rights, proving that status with supporting documentation.

Right to information in the face of data collection

The owner of personal data has the right to know which public or private entities will safeguard their personal data. This also includes providers of third-party storage, cloud or other infrastructure services.

The information must be stored in such a way that the right of access by the owner of the information is fully guaranteed.

When personal data is collected, its owners must be informed in advance, in an express, precise and unequivocal manner, of the following:

a. The purpose for which they will be collected and processed, as well as who their recipients or class of recipients may be.

b. The existence of the database or repository in question, as well as the backups and contingency sites, and the identity and address of the person responsible for it.

c. The identity, address, email, telephone number and any information provided by contacting the data controller or, where appropriate, its representative.

d. The mandatory or optional nature of the personal data to be provided.

e. The mechanisms for exercising the rights of access, rectification, updating, opposition, cancellation or deletion, portability, oblivion and limitation of data.

f. The protection and security measures and mechanisms that the controller or the person in charge of the processing has taken and keeps active to safeguard the information.

The information provided in accordance with the previous paragraph, in addition to being free, can be satisfied by the publication of privacy policies in physical and electronic form, which must be easily accessible and identifiable.

When data processing is planned other than that for which they were collected, the owner will be provided with information on this ulterior purpose and any other relevant additional information. The owner will have the right to revoke the authorization initially granted and must issue a new authorization for their data to be processed in accordance with the new purpose.

In any case, the parties must be notified of the effects of providing them, of the refusal to do so or of their inaccuracy.

Right of access to personal data

The owner of personal data or his representative will have the right to obtain all the information about him or her in public or private databases. This right of access will be exercised free of charge in accordance with the provisions of this policy.

The personal information to which access will be granted must:

a. Be provided in a clear and unencoded manner, which must be accompanied by an explanation of the terms used, as well as who has consulted the information and for what purpose.

b. Be provided in full, provided that it has not been pseudonymised or dissociated, in which case such circumstances will be recorded. In no case may the report reveal data belonging to third parties, even if they are linked to the data subject.

c. It may be obtained by simply consulting its owner, after identifying the identity of the data that it intends to know by means of its visualization, or it may also be obtained by indicating the data that are processed by electronic means or by any other means that technology allows in a legible and intelligible form, without using keys or codes that require the use of specific mechanical devices, images or any other means suitable for this purpose.

d. Be obtained through the mere request of the owner in a public or private institution, in which he or she requires to know with which institutions the digital exchange of his or her personal information has been carried out.

Right of Rectification

The owner will have the right to request the rectification or correction of their personal data, when they are inaccurate, incomplete or not updated. In addition, the Data Controller may request the rectification of personal data and their updating when they have been processed in breach of the provisions of this policy, in particular due to the incomplete or inaccurate nature of the data, or have been collected without the Owner's authorisation or are included in a database.

The owner must provide documentation that proves that the rectification of their personal data is appropriate or may inform the location where the information is stored or registered, which verifies that it is appropriate to make the rectification of their personal data.

The data controller must comply with the request of the owner or his representative free of charge, and resolve in the corresponding sense within twenty working days, counted from the receipt of the request. Failure to comply with this obligation within the specified period will entitle the interested party to initiate the action for the protection of personal data provided for in this policy.

During the verification process to rectify personal data information, the person responsible for the database, repository, or manual or computer systems, will block those that are being analyzed for rectification, making it known that it is under review or update, as requested.

By virtue of the rights of access to personal data, rectification or deletion of these and the right of the owner to consent to the transfer of his or her data, the person responsible for the database must comply with the request free of charge and resolve in accordance with the provisions of the third paragraph of this article.

Right to erasure

The owner of the personal data or their representatives may request the data controller to delete the personal data concerning them without undue delay.

The owner will have the right to request the deletion of personal data in the following cases:

a. When the personal data are no longer necessary in relation to the purposes for which they were processed.

b. When the interested party withdraws their consent, provided that such consent has been the case that has legitimised the processing of said data by the controller, and its processing is not based on another case of lawfulness established in this policy.

c. The data subject opposes the processing having the right to do so, and no other legitimate reasons for the processing prevail.

d. The personal data have been obtained or processed unlawfully.

e. Personal data must be deleted in order to comply with a legal obligation applicable to the data controller.

f. The personal data has been obtained in connection with the provision of the above-mentioned information society services, in the case of a direct offer to children.

g. When the personal data has been obtained in connection with the offer of services from public or private institutions.

Personal data may not be deleted in the following cases:

a. When they cause damage to the rights or legitimate interests of third parties, provided that there is a court decision or administrative order to keep the data.

b. If it contravenes the provisions of a legal obligation or a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible.

c. When they are necessary to exercise the right to freedom of expression, information and the press. The data used in these cases must comply with the principle of accuracy, i.e. personal data that is inaccurate, incomplete or outdated may not be used or disseminated.

d. When the personal data have been subject to dissociation.

e. When they are for scientific, historical or statistical research purposes, provided that the personal data have been pseudonymised or, where appropriate, dissociated.

f. For archival purposes in the public interest; or for the formulation, exercise or defence of claims.

The interested party may also exercise the right to be forgotten about their personal data, when they have been published in the electronic environment, and the controller must inform other data controllers of their personal data so that they can be removed from the links, copies or replicas that contain them. This right also includes the right to request the removal from Internet search engines of lists of results obtained by performing a search on the basis of his or her name, of published links containing information relating to that person when they are inadequate, inaccurate, irrelevant, outdated or excessive or have become such over time, taking into account the purposes for which they were collected or processed, the time elapsed and the nature and public interest of the information.

Blocking of personal data

The right to erasure or cancellation of personal data may lead to the blocking of personal data, which will only be kept at the disposal of the Public Administration, Judges and Courts in the strict exercise of their functions, for the attention of possible liabilities arising from the processing, within the periods established for safeguarding according to the applicable laws.

Right to object

It is the right of the interested party to state the legitimate causes or the specific situation that entitles them to request the cessation of the processing of their personal data, indicating, in addition, the damage or prejudice that the persistence of the processing would cause or caused them, or, where appropriate, the specific purposes for which they need to exercise the right of opposition.

The right to object may also be exercised:

a. When the processing of personal data is necessary for the fulfilment of a mission carried out in the public interest or in the exercise of powers conferred on the data controller;

b. When the processing of personal data is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that those interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail over those interests, in particular when the data subject is a child.

c. Where the processing of personal data is for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him/her, including profiling insofar as it is related to such marketing, and the personal data shall cease to be processed for such purposes.

Right to limitation

The owner of the personal data or his/her representative shall have the right to request the controller to limit the processing of his/her data when any of the following conditions are met:

a. The owner of the personal data or his/her representative contests the accuracy of the personal data, for a period that allows the controller to verify the accuracy of the personal data;

b. The processing is unlawful and the data subject objects to the erasure of the personal data and instead requests the restriction of its use.

c. The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of claims against that controller or any other controller or authority;

d. The owner of the personal data or his/her representative has objected to the processing of the personal data while it is verified whether the legitimate reasons expressed by the controller prevail over those of the owner.

Right to portability

It is the right of the data subject to receive his/her personal data that he/she has provided to the controller, in a structured, commonly used, machine-readable and interoperable format, and the right to transmit them to another controller if he/she so wishes.

The exercise of this right requires two requirements: that the processing is based on the consent of the data subject and that such processing is carried out by automated means. To facilitate this process, it is necessary to motivate interoperability between services.

It is the obligation of the data controllers to carry out all the procedures for the migration of the data from the user to another data controller, in a structured, commonly used and easy-to-read format, when requested by the data controller.

OF THE EXERCISE OF THE RIGHTS OF ACCESS, RECTIFICATION, CANCELLATION OR DELETION, OPPOSITION, PORTABILITY, OBLIVION AND LIMITATION:

Delegate

Freeflow Finance has appointed a personal data protection officer, who will be responsible for managing and processing requests for the exercise of ARCOPOL rights. The delegate appointed can be contacted at the following email: support@freeflow-fx.com

The delegate has the following powers:

· To receive, process and resolve applications for the exercise of ARCOPOL rights.

· Assist and guide the responsible party in the activities that require it in relation to the exercise of the right to personal data protection.

· Establish mechanisms to ensure that personal data is only delivered to its duly accredited owner or representative.

· Propose internal procedures that ensure and strengthen more efficiently the management of applications for the exercise of ARCOPOL rights.

· To advise the areas on personal data protection.

· Carry out training activities for the institution's staff.

· Publish the privacy notice of the public institution on the Transparency Portal of the respective institution.

Request

The owner or his/her representative may request from the data controller, in the cases established in this policy, access to, rectification, deletion, opposition, portability, oblivion and limitation of the processing of his/her personal data that illegitimately affect his/her rights.

The requirements that the application must contain are the following:

· The name of the owner or his representative and his address or any other means of receiving notifications;

· Documents that prove the identity of the holder and, where appropriate, of the person representing him/her.

· If possible, the responsible area that processes the personal data and to which the request is submitted;

· The clear and precise description of the personal data with respect to which one of the ARCOPOL rights is sought to be exercised, except in the case of the right of access;

· The description of the ARCOPOL right that is intended to be exercised, or what the owner requests;

· Any other element or document that facilitates the location of personal data, if applicable.

· Signature of the owner or the person representing him.

The application for ARCOPOL rights must be submitted, as the case may be, to the personal data protection officer.

In the case of a request for access to personal data, the owner must indicate the manner in which he or she prefers that the data be reproduced. The delegate or the person designated for the protection of personal data must respond to the request in the manner required by the owner, unless there is a physical or legal impossibility that limits him or her from reproducing the personal data in said modality, in which case he or she must offer other methods of delivery of the personal data justifying and motivating such action.

In the event that the data protection request does not comply with any of the requirements referred to in this article, the delegate or the person designated for the protection of personal data must carry out the respective prevention on a single occasion, so that the omissions can be corrected within a period of ten days from the day following the notification. If the interested party does not carry out the required action within the established period or does so without taking into account the precautions carried out, his or her letter will be filed without further processing and his or her right to submit a new request will be preserved.

Incompetence of the person responsible

If, after verifying the request for ARCOPOL rights, the personal data protection officer notices that the data controller is not competent to deal with it or notices that the request corresponds to a right other than those provided for in this policy, he or she must inform the owner and return the request within five working days of receipt.

Response times

In applications for ARCOPOL rights, the delegate must deliver the respective response to the holder or his representative within twenty working days, and this period may be extended for another twenty days at the latest.

Delivery of information

The obligation of access to information will be considered fulfilled when the personal data is made available to the owner through the issuance of simple copies, certified copies, direct consultation, electronic documents or any other similar means.

During the process of rectification of personal data, the delegate for the protection of personal data of the database or processing, in the event of a request from third parties to access reports on them, must state that said information is subject to a rectification process.

In the event of communication or transfer of data, the delegate or the person designated for the protection of personal data from the database or the processing must notify the applicant of the rectification, update or deletion within the fifth working day of the data being processed.

Exceptions to the exercise of ARCOPOL's rights

The personal data protection officer may deny access to personal data, or refuse to carry out the rectification, cancellation, portability or oblivion of these, or to grant opposition or limitation to their processing, in the following cases:

a. When the applicant is not the owner of the personal data, or the representative is not duly accredited to do so.

b. When the applicant's personal data is not found in its database.

c. When the rights and legitimate interests of a third party are harmed.

d. Notorious error on the part of the applicant with respect to the identification of personal data or falsehood of the facts described by the applicant that would supposedly enable the exercise of the ARCOPOL rights.

e. When there is a legal impediment, or the resolution of a competent authority, that restricts access to personal data, or does not allow the rectification, deletion or opposition of these.

f. When the cancellation or opposition has been previously made.

g. When the person responsible is not competent.

h. In all other cases set forth in this policy and other applicable laws.

The refusal referred to in this paragraph may be partial, in which case the responsible party will grant access, rectification, cancellation or deletion, opposition, portability, oblivion or limitation only for the data that it considers appropriate to modify.

In all the above cases, the responsible party must notify the reasons for its decision by means of a reasoned resolution and communicate it to the owner, or where appropriate, to the representative, within the deadlines established for this purpose. The notification must be made by the same means indicated by the interested party, accompanied, where appropriate, by the evidence and any documentation that was taken into account at the time of issuing its pronouncement.

Costs

The exercise of ARCOPOL rights is free of charge and only reproduction, certification or shipping costs may be charged.

The reproduction and sending of the information, if applicable, will be borne by the applicant; its value may not exceed that of the materials used and the costs of submission. The person responsible must publish or communicate the costs of reproduction and shipping.

In the case of magnetic or electronic copies, if the interested party provides the medium in which the information will be stored, the reproduction will be free of charge. In any case, electronic shipping will be free of charge.

SECURITY OF PERSONAL DATA:

Privacy Notice

The privacy notice is the physical, electronic or digital document through which the responsible party, prior to the processing and collection of data, informs the owner about the terms under which their personal data will be processed.

This notice must be consistent with the privacy policy that must be prepared by the data controller for this purpose.

This privacy notice must contain at least:

· The name and address of the data controller;

· The personal data that will be subject to processing, identifying those that are sensitive;

· The legal basis that empowers the controller to carry out the processing;

· The purposes of the processing for which the personal data are obtained, distinguishing those that require the consent of the owner;

· The mechanisms, means and procedures available to exercise the ARCOPOL rights; and mechanisms for revoking consent;

· Indication of the name of the delegate or person designated for the protection of personal data and place or means to submit the application for ARCOPOL rights.

· The means by which the controller will notify the owners of changes to the privacy notice.

· The contact details of the subcontracted entity in charge of the processing of personal data, if any.

· Mention of the existence of a Cookies Policy, which the owner of the data may access through a link or a copy that must be physically published by the data controller.

· Accreditation of the private or public legal entities with which the transfer of data could be carried out locally or internationally.

The privacy notice may be disseminated by physical or electronic means to the owner of the personal data, and must be written and structured in a clear and simple manner. In no case may the responsible party be exempt from the obligation to communicate it in writing to the interested party at the time that he/she grants his/her informed consent for his/her data to be processed.

Notification of breaches of the security of personal data

When the responsible party becomes aware of a security breach of personal data occurring at any stage of the processing, understood as any damage, loss, alteration, destruction, illegitimate access, and in general, any illicit or unauthorized use of personal data, even if it occurs accidentally, it will notify the competent authority in the field of data protection and the affected owners of said event, within a maximum period of seventy-two hours from the time the security breach became known.

Within this same period, the person responsible must initiate an exhaustive review process to determine the magnitude of the impact, and the corresponding corrective and preventive measures, as well as the updating of the security policies of the person responsible for the database to avoid new breaches.

The notification made by the controller to the competent authority shall be written in clear and simple language and shall contain at least the following information:

a. The nature of the incident.

b. The personal data compromised.

c. General corrective actions taken immediately.

d. Recommendations to the owner on the measures that he or she may adopt to protect his or her interests.

e. The means available to the owner for more information on this matter.

The notification addressed to the affected owners must only contain the provisions of paragraphs a., b., d. and e.

Likewise, the controller shall document any breach that causes a risk to the security of personal data that occurs at any stage of the processing, identifying, among other things, the date on which it occurred, the reason for the breach, the facts related to it and its effects, and the corrective measures implemented immediately and definitively. This documentation will be available to the competent authority in matters of personal data protection.

PURPOSES AND BASES OF LEGITIMACY OF THE PROCESSING:

Customer Service

In the event that you provide your personal data through the contact form, telephone number or email provided on the website, your data will be processed for the purpose of managing your requests for information, resolving your doubts, answering your queries or processing your complaints.

The legitimacy of the processing is the consent, expressly given when filling out the contact form, calling us or writing to us. In this way, the processing is necessary to allow the proper processing of your requests for information, resolution of your doubts, response to your queries or the processing of your reported complaints and to verify the operation of the service in accordance with the established procedures, as well as to obtain evidence of the content of the requests received and the reason for the processing of the personal data that you may provide.

You have the right to withdraw consent at any time by sending an email to support@freeflow-fx.com.

Finally, we inform you that the withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal.

CV MANAGEMENT

In the event that you provide your CV through the contact form or email made available to you on any of the digital channels made available to you by Freeflow Finance, to participate in selection processes, your data will be processed for the purpose of assessing and managing the job application and, where appropriate, carry out the necessary actions for selection and hiring when Freeflow Finance has a vacancy to fill that fits your profile. Likewise, the data will be processed for the purpose of making communications related to these selection processes and, where appropriate, for your incorporation into the candidate pool in order to take into account the candidacy in future processes.

The legitimacy of the processing is the consent, expressly given when you send your job application, either through the employment section enabled on the Website or through email.

You have the right to withdraw consent at any time by sending an email to support@freeflow-fx.com.

Finally, we inform you that the withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal.

ELECTRONIC CHANNEL STATISTICS

When you give your consent for the processing of your data provided, through the installation of data storage and retrieval devices for statistical purposes when you access the website and other electronic channels, these may be used to make aggregate data reports by Freeflow Finance.

The legitimacy of the processing described is consent, which you have the right to withdraw at any time by sending an email to support@freeflow-fx.com.

Finally, we inform you that the withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal.

TRADE PROMOTION

In the event that you give consent for the processing of your data for commercial purposes through the contact form or email made available to you on the website or any electronic channel, Freeflow Finance will process the personal data collected for the purpose of sending you, by any means of communication: postal, telephone or electronic (including WhatsApp, e-mail, SMS, etc.), offers and commercial information related to the products and services offered on the Website, which may include the preparation and sending of a quote in accordance with the information provided for its calculation, monitoring of the same and any communication related to the quote sent. The legitimacy of the processing described is consent, which you have the right to withdraw at any time by sending an email to support@freeflow-fx.com.

Likewise, we inform you that the withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal.

Likewise, in the event that you are already a customer, Freeflow Finance may send you commercial communications about products or services similar to the previous contracts, basing the legitimacy of the processing on the legitimate interest of Freeflow Finance, in promoting its image through commercial communications. In any case, we remind you that you may object at any time to processing based on legitimate interest, in accordance with the provisions of the "Rights of the data subject" section of this Privacy Policy.

CUSTOMER MANAGEMENT

When you enter into a contract with Freeflow Finance, your personal data will be processed for the purpose of formalising, managing, maintaining, developing, supervising and controlling the provision of services and the operation of the products contracted, including, where appropriate, technical assistance and/or maintenance services; as well as compliance with legal obligations regarding the identification and validation of identity that is required.

In addition, in order to satisfy the legitimate interests of Freeflow Finance, your data may be processed to assess your satisfaction, so it may ask you for your assessment of its products and services. This processing also contributes to increasing the quality of the products and services offered by the person responsible for the Treatment. Although opinions will be collected on an individual basis, their analysis will be carried out in a general way, by means of statistics, without identifying specific users. In any case, you can refuse to give your assessment, as well as communicate your opposition to being contacted for this purpose, in accordance with the provisions of the "Rights of the data subject" section of this Privacy Policy.

TYPES OF PERSONAL DATA PROCESSED:

The use of some services or functionalities of any of the digital channels used by Freeflow Finance requires you to provide certain personal data, indicated in the corresponding forms, and implies its processing for the purposes indicated in each case.

In each form you will be told which are the required fields. Refusal to provide this data means that it is impossible to process the requests made.

As a general rule, the categories of data to be processed will be the following:

CUSTOMER SERVICE

The data processed as a result of contacting Freeflow Finance are:

• Identification data: name.

• Contact details: email address.

• Other data (if applicable): subject and message.

CV MANAGEMENT

The data processed within the framework of the selection processes for jobs are:

• Identification data: name, surname, as well as any other data included in the CV.

• Contact details: postal address, email address, phone number, blog, social media account, etc.

• Data on personal characteristics: date of birth, gender, etc.

• Employment data: previous jobs.

• Other data (if applicable): any information you provide for the processing of your application.

WEBSITE STATISTICS

TRADE PROMOTION

The data processed for the sending of commercial communications are:

• Identification data: name and surname.

• Contact details: email address.

• Data relating to commercial information: products in which you are interested.

CUSTOMER MANAGEMENT

By virtue of the contractual relationship, Freeflow Finance may process the following types of personal data:

· Identification data: name, surname, tax identification number, signature.

· Contact details: postal address, email address, telephone number.

· Contract data: contract number, billing, payments, general and particular conditions, user and/or customer identification.

· Financial/bank details: current account number.

TIME OF RETENTION OF PERSONAL DATA:

The personal data subject to processing will be kept for the time necessary to comply with the purposes informed, as indicated below.

In the event of deletion, the data controller will keep your data blocked until any liabilities arising from their processing expire, after which they will be permanently deleted.

Without prejudice to the foregoing, the Data Controller will keep for a period of FIFTEEN YEARS, all data derived from contractual relationships and all transactions arising from them, and must document them by printed, digital or electronic means, which cover said information.

CUSTOMER SERVICE

The personal data provided through the contact form will be kept for the time necessary for the proper management of your request for information, resolution of your doubts, response to your queries or the processing of your complaint, or until you withdraw your consent.

CV MANAGEMENT

The personal data you provide as a result of sending your CV for a vacancy will be processed as long as you do not revoke your consent, for a maximum period of 1 year from the time you applied for the vacancy.

TRADE PROMOTION

The personal data provided for the sending of commercial communications will be kept until you withdraw your consent or object to receiving this type of commercial communication, provided that the Data Controller has not previously decided to delete them for any other reason.

CUSTOMER MANAGEMENT

Personal data relating to customers will be kept for the duration of the contractual relationship and, at the latest, for the period of limitation of the corresponding legal actions, unless you authorise their processing for a longer period.

In the case of processing based on legitimate interest, it will be kept for the time necessary to comply with the purpose reported or until you object to its processing (unless the interests of the Data Controller prevail).

RECIPIENTS OF THE DATA:

As a general rule, the personal data processed will not be communicated to third parties, except in the case of third parties involved in the provision of the services and to the extent that such communication is necessary for the fulfilment of the purposes indicated above or, where appropriate, to the relevant Bodies and Authorities, when legally required.

When it is essential to hire a third party, Freeflow Finance will ensure that they comply with the applicable regulations and, if necessary, will sign the corresponding contract for the processing order.

INTERNATIONAL TRANSFERS:

It is not planned to communicate your personal data to recipients who are not part of the companies that are part of Freeflow Finance in the world.

In the event that the intervention of any of the data controller's suppliers involved in the provision of the services may involve an international transfer of data, this will be duly regularised and informed in this Privacy Policy, adopting the appropriate guarantees for its realisation.

SAFETY MEASURES:

Your personal data will be treated in an absolutely confidential manner, maintaining the mandatory duty of secrecy with respect to them, in accordance with the provisions of the applicable regulations, adopting for this purpose the necessary technical and organisational measures to guarantee the security of the data and prevent their alteration, loss, treatment or unauthorised access, taking into account the state of the technology, the nature of the data stored and the risks to which they are exposed.

PRIVACY POLICY UPDATE:

The data controller reserves the right to modify this Privacy Policy in order to adapt it to its needs or any new legislation that may be appropriate. In such cases, it will announce the changes made and publish them on this website, so that you can access them at any time and easily.