Data protection

Data Protection

Last updated: 10 May 2026

Scope

This page summarises how Flowrest approaches GDPR and data protection for guests and venue partners. It is intended as an operational summary alongside the Privacy Policy, not a substitute for legal advice.

Roles

Flowrest acts as controller for Flowrest accounts, discovery, preferences, booking records, and platform operations. Venue partners may act as independent controllers for how they use guest information after receiving it for session fulfilment.

Processors

Current infrastructure processors include Supabase for backend, authentication, storage, and Edge Functions; Cloudflare for hosting, DNS, routing, and security; Expo/EAS for mobile build infrastructure; and a transactional email provider once production SMTP is configured.

Data subject requests

Access, correction, deletion, restriction, and portability requests can be sent to privacy@flowrest.co.uk. Include the email address linked to your Flowrest account so we can verify and locate the relevant records.

Venue partner DPA

If a venue partner needs a signed data-processing agreement before onboarding, email privacy@flowrest.co.uk. The agreement should be reviewed before any partner imports existing customer lists, CRM records, or marketing audiences into Flowrest.