Product Privacy Policy

Last updated: 17 March 2026

Legal OS GmbH (trading as "Flank", "we," "our," or "us") is committed to protecting the privacy of our customers and their users. This Privacy Policy explains our practices regarding the collection, use, and disclosure of personal data when you use our product and services.

This policy applies to users of the Flank SaaS platform. It does not apply to visitors of our website, who are covered by our Website Privacy Policy.

1. Who we are

Legal OS GmbH (trading as Flank)
Köpenickerstraße 145
10997 Berlin, Germany
E-Mail: legal@flank.ai
Website: www.flank.ai

Flank acts as a data processor on behalf of its customers (who are the data controllers) for personal data submitted to or processed through the platform. For personal data relating to our own customers' account and contact information, Flank acts as a data controller.

2. Information we collect

We collect and process the following categories of personal data:

Account and user data (collected directly):

  • Name — of admin users and chat users, to personalise the experience and facilitate communication
  • Email address — for authentication, account management, and service communications
  • Job Title (optional) — to manage user permissions and access within the platform

Usage and platform data (collected automatically):

  • Log data, including login times, feature usage, and system events
  • Technical data such as IP address, browser type, and device information

User-generated content:

  • Any data entered into free-text fields by users when using the platform. This may include additional personal information voluntarily provided and is processed solely to deliver the service.

We do not collect special category data (e.g. health, financial, or political data) as part of the standard platform. If your use of the platform involves special category data, please contact us to discuss appropriate safeguards.

3. Legal bases for processing

We process personal data on the following legal bases under Art. 6 EU GDPR:

                                                                                                                                                                                              
Purpose | Data | Legal Basis
Providing and operating the platform | Account data, usage data | Art. 6(1)(b) GDPR — performance of a contract
Account security and authentication | Email, login data | Art. 6(1)(b) GDPR — performance of a contract
Service communications (e.g. updates, notifications) | Email address | Art. 6(1)(b) GDPR — performance of a contract
Analysing usage to improve the product | Anonymised usage data | Art. 6(1)(f) GDPR — legitimate interests in improving our services
Compliance with legal obligations | As required | Art. 6(1)(c) GDPR — legal obligation
Processing data submitted by users on behalf of customers | User-generated content | Art. 6(1)(b) GDPR — performance of contract with customer (as processor)

Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and freedoms of data subjects.

4. Data Sharing and Sub-Processors

We do not sell or rent personal data. We may share personal data with the following categories of third parties:

Sub-processors — third-party service providers who assist us in operating our platform. A full and up-to-date list of sub-processors is maintained in our Data Processing Agreement (DPA). We will provide customers with reasonable notice of any changes to our sub-processors in accordance with our DPA.

Tools we use as data controller — separately from our sub-processors, we use certain third-party tools to manage our own business relationships with customers and prospects. In these cases we act as a data controller, deciding what data to collect and how to process it. These tools include:

                                                                                                                                                                    
Tool | Purpose | Location
HubSpot, Inc. | CRM and customer relationship management | USA (SCCs in place)
Grain Intelligence Inc. | Recording and transcription of sales demos, onboarding, and customer calls | USA (SCCs in place)
Google Meet (Google Ireland Limited) | Video conferencing for sales and customer calls | EU / USA (SCCs in place)
Microsoft Teams (Microsoft Ireland Operations Limited) | Video conferencing for sales and customer calls | EU / USA (SCCs in place)
Slack Technologies, LLC | Internal communications, including notifications relating to customer and prospect activity | USA (SCCs in place)

These tools are governed by our agreements with each provider and are not covered by our customer-facing DPA, which applies only to our processing activities as a data processor on behalf of customers.

Legal disclosures — we may disclose personal data if required by law or in response to valid requests from public authorities (e.g. courts or government agencies).

Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected users in advance where possible.

5. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred to a country without an EU adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) under Art. 46 GDPR, and/or
  • Other appropriate safeguards as permitted under GDPR

Details of the transfer mechanisms in place for each sub-processor are set out in our Data Processing Agreement (DPA), available at https://www.flank.ai/legals/dpa.

6. Data Security

We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, loss, alteration, or disclosure, in accordance with Art. 32 GDPR. These include encryption in transit and at rest, access controls, and regular security reviews. Further detail is available on our Trust page at trust.flank.ai.

No method of transmission over the internet is entirely secure. In the event of a personal data breach, we will notify affected customers and, where required, the relevant supervisory authority in accordance with our legal obligations.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. After these periods, data is securely deleted or anonymised. Customers may also request earlier deletion in accordance with our DPA.

8. Your Data Protection Rights

Under EU GDPR, you have the following rights regarding your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you
  • Right to rectification — to correct inaccurate or incomplete data
  • Right to erasure — to request deletion of your personal data
  • Right to restriction — to ask us to pause processing in certain circumstances
  • Right to data portability — to receive your data in a structured, machine-readable format
  • Right to object — to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent

To exercise any of these rights, please contact us at legal@flank.ai. We will respond within one month as required under Art. 12 GDPR. Please note that where we act as a data processor (i.e. processing data on behalf of a customer), requests should be directed to the relevant customer as data controller in the first instance.

9. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with our supervisory authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Friedrichstr. 219, 10969 Berlin
Website: www.datenschutz-berlin.de

We would appreciate the opportunity to address your concerns first — please contact us at legal@flank.ai.

10. Data Protection Officer (DPO)

We have appointed a Data Protection Officer (Datenschutzbeauftragter) to oversee our compliance with data protection law. You can contact our DPO directly at: dpo@flank.ai.

11. Data Processing Agreement (DPA)

For customers who use Flank to process personal data on their behalf, a Data Processing Agreement is available at https://www.flank.ai/legals/dpa. The DPA governs the terms under which we process personal data as a processor on your behalf and sets out our obligations in that capacity.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes by email or via an in-product notification. The latest version will always be available at www.flank.ai/legals/privacy-policy, with the date of the last update noted at the top.

13. Contact Us

For any questions about this Privacy Policy or your personal data:

Legal OS GmbH (trading as Flank)
Köpenickerstraße 145, 10997 Berlin, Germany
E-Mail: legal@flank.ai
DPO contact: dpo@flank.ai

We've updated our Privacy Policy (effective 17 March 2026). Key changes include: clearer detail on the legal bases we rely on to process your data, information about sub-processors and third-party tools we use, specific data retention periods, and updated supervisory authority information. We've also added detail on how we handle our communications with you. You can access the previous version of the Product Privacy Policy here.