Privacy Policy
Last Updated: April 17, 2026
This policy describes how Lemon Flow collects, processes, and protects personal data in accordance with the EU General Data Protection Regulation (GDPR) (2016/679).
1. Data Controller
- Name: Lemon Flow / Essi Myllylä
- Business ID: 3617855-6
- Address: Residential address (available upon request)
- Email: essi@lemon-flow.com
2. Legal Basis for Processing
We process personal data based on the following legal grounds:
- Contract (GDPR Art. 6.1 b): Execution of services (such as audits, automation development, and maintenance), providing quotes, and billing.
- Legitimate Interest (GDPR Art. 6.1 f): Managing B2B customer relationships, communication, direct marketing, and service development.
- Consent (GDPR Art. 6.1 a): Email marketing, newsletters, and cookie-based advertising targeting and analytics.
- Legal Obligation (GDPR Art. 6.1 c): Compliance with statutory accounting and tax obligations.
3. Types of Data Collected
We collect data directly from the user (via forms and email) and automatically through our website:
- Basic Information: Name, company, business ID, and professional title.
- Contact Details: Email address and phone number.
- Technical Data: IP address, cookies, and website usage behavior (e.g., pages visited).
4. Cookies, Profiling, and Targeted Advertising
We use tracking and targeting technologies (such as Meta Pixel, Google Ads, and LinkedIn Insight Tag) on our website.
- Profiling: We use data for targeted advertising (retargeting) to display relevant ads for Lemon Flow’s services on LinkedIn, Facebook, Instagram, and Google networks. This is based on voluntary consent provided by the user via the cookie banner.
5. Joint Controllership
Meta Platforms Inc., Google LLC, and LinkedIn Corporation act as joint controllers with Lemon Flow to the extent that data is collected and transferred through their advertising tools. Users can manage these consents via our cookie banner or the respective services' own ad settings.
6. Data Transfers Outside the EU/EEA
We utilize trusted subcontractors who may transfer data to the United States. These transfers are primarily based on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCC) approved by the European Commission.
- Primary Partners: Klaviyo, Google, Meta, LinkedIn, and UKKO.fi (billing and accounting services).
7. Data Retention Period
- Customer Data: For the duration of the customer relationship + 10 years as required by the Finnish Accounting Act.
- Marketing Data: Retained until the data subject withdraws their consent (e.g., via the unsubscribe link at the bottom of a message).
8. Data Security
Data is stored electronically in systems secured by passwords and, where possible, Multi-Factor Authentication (MFA). Access to data is restricted to authorized personnel at Lemon Flow.
9. Rights of the Data Subject
Data subjects have the right to access, rectify, delete, or transfer their own data. They also have the right to object to profiling and withdraw marketing consent. Requests should be sent to the email address provided in Section 1. Data subjects also have the right to lodge a complaint with the Office of the Data Protection Ombudsman.
10. Lemon Flow as a Data Processor
Lemon Flow acts as a Data Processor when implementing email marketing automations and audits on behalf of a client.
- Responsibility: The client (Data Controller) is responsible for ensuring the lawfulness of the marketing consents of their end customers.
- Commitment: Lemon Flow processes data only within the scope of the service agreement and adheres to Lemon Flow’s standardized Data Processing Agreement (DPA).