Website Privacy Policy

Last updated: 20 March 2026

Flank ("we," "our," or "us") respects your privacy and is committed to protecting your personal information.

This Privacy Policy explains how we collect, use, and share information when you visit our website flank.ai (the "Site"). It applies only to visitors of our website. It does not apply to users of our SaaS platform or to Flank employees, who are covered by separate policies.

Our Impressum provides further company and contact details in accordance with German law.

1. Who We Are

Legal OS GmbH (trading as Flank) Köpenickerstraße 145 10997 Berlin, Germany E-Mail: legal@flank.ai Website: www.flank.ai

We are the data controller for personal data collected through this website.

2. Information We Collect

We collect only limited information from visitors, for specific, stated purposes and with transparency.

Information you provide directly: When you contact us (e.g. through a form or email), we collect your name, email address, and any information you include in your message.

When you book a demo through our website, your name, email address, and any other details you provide are collected via a form powered by HubSpot (HubSpot, Inc.), which acts as a data processor on our behalf. This data is stored in our HubSpot CRM and used to manage your booking and follow up with you. HubSpot's privacy practices are described in their Privacy Policy. Our use of HubSpot is governed by a Data Processing Agreement.

When you subscribe to our newsletter, your name and email address are collected via Substack (Substack, Inc.). Substack manages the subscription and delivery of our newsletter on our behalf. Please note that by subscribing you will also be subject to Substack's own Privacy Policy, as Substack independently processes certain account data. You can unsubscribe at any time via the link included in every newsletter.

Information collected automatically: When you browse our Site, we may use cookies and analytics tools (only if you consent) to collect non-identifiable information such as:

  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on each page
  • Referring website or source
  • Approximate geographic location (derived from IP address)

We do not use cookies that personally identify you or track you across other websites without your consent.

3. Cookies and Consent Management

We use cookies and similar technologies on our website. In Germany, the use of non-essential cookies is governed by §25(1) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) in addition to the GDPR.

Types of cookies we use:

Essential cookies — required for the website to function (e.g. session management, security). These are set without consent as they are strictly necessary.

Analytics cookies — help us understand how visitors use our Site. These are only set if you actively consent via our cookie banner. We use Google Analytics (Google Ireland Limited) for this purpose.

HubSpot tracking script — our website includes a HubSpot tracking script that supports our demo booking forms and CRM. This may set cookies to track visitor activity. It is only activated after you give consent via our cookie banner.

When you visit our Site, you can choose whether to allow non-essential cookies. Your preferences are stored and can be changed at any time via the "Cookie Settings" link in the Site footer. You may withdraw consent at any time — this will not affect any processing that took place prior to withdrawal.

4. Legal Bases for Processing

Purpose Data Legal Basis
Responding to contact form enquiries Name, email, message content Art. 6(1)(f) GDPR — legitimate interests (responding to communications)
Newsletter subscription and delivery Name, email address Art. 6(1)(a) GDPR — your consent
Website functionality and security Session data, IP address Art. 6(1)(f) GDPR — legitimate interests in ensuring website operation
Analytics (traffic and usage analysis) Anonymised browsing data Art. 6(1)(a) GDPR + §25(1) TDDDG — your consent
Compliance with legal obligations As required Art. 6(1)(c) GDPR — legal obligation

5. Data Sharing

We do not sell or rent personal data. We may share limited data with:

  • Service providers who operate or support our website, including:
    • Webflow, Inc. — website hosting and content delivery; data may be transferred to the US under SCCs
    • Google Ireland Limited (Google Analytics) — usage analytics (consent-dependent); data may be transferred to the US under SCCs
    • HubSpot, Inc. — demo booking forms, CRM, and website tracking script (consent-dependent); data transferred to the US under SCCs
    • Anthropic PBC — we use Claude, Anthropic's AI assistant, to support our sales and marketing activities; data transferred to the US under SCCs
    • Slack Technologies, LLC — notifications of demo bookings are sent to our internal Slack workspace; data transferred to the US under SCCs
    • Substack, Inc. — newsletter subscription management and delivery; data transferred to the US under SCCs. Note that Substack also processes subscriber data under its own privacy policy as an independent controller
  • Authorities or regulators, when required to comply with applicable law or to protect our legal rights

All service providers are contractually bound to handle data securely and only for specified purposes, and where applicable have signed Data Processing Agreements with us.

6. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure an adequate level of protection through:

  • Standard Contractual Clauses (SCCs) under Art. 46 GDPR, and/or
  • Transfers to countries covered by an EU adequacy decision

We will not transfer your personal data to a third country without an appropriate safeguard in place.

7. Data Retention

We retain personal data only as long as necessary to fulfill the purpose for which it was collected:

Data Type Retention Period
Contact form enquiries 12 months from last correspondence
Analytics data (Google Analytics) Up to 26 months
Cookie consent records 3 years
Server logs (Webflow) 30 days

After these periods, data is securely deleted or anonymised.

8. Your Rights Under the GDPR

As a data subject under EU GDPR, you have the following rights, which you may exercise at any time:

  • Right of access — to obtain a copy of the personal data we hold about you
  • Right to rectification — to correct inaccurate or incomplete data
  • Right to erasure — to request deletion of your personal data ("right to be forgotten")
  • Right to restriction — to ask us to pause processing in certain circumstances
  • Right to data portability — to receive your data in a structured, machine-readable format
  • Right to object — to processing based on legitimate interests
  • Right to withdraw consent — at any time, for any consent-based processing (including cookies)

To exercise any of these rights, please contact us at legal@flank.ai. We will respond within one month as required under Art. 12 GDPR. In complex cases we may extend this by a further two months, in which case we will notify you.

9. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with our supervisory authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) Friedrichstr. 219 10969 Berlin Website: www.datenschutz-berlin.de

We would, however, appreciate the opportunity to address your concerns before you contact the authority — please reach out to us first at legal@flank.ai.

10. Data Protection Officer (DPO)

We have appointed a Data Protection Officer (Datenschutzbeauftragter) to oversee our compliance with data protection law. You can contact our DPO directly at: dpo@flank.ai

11. Security

We implement appropriate technical and organisational measures (TOMs) to protect your data from unauthorised access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR. Our security practices are reviewed regularly and independently audited against standard frameworks.

12. Children's Privacy

Our website is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legal@flank.ai and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, features, or legal requirements. The latest version will always be available at www.flank.ai/legals/website-privacy-policy, with the date of the last update noted at the top. Where changes are material, we will take reasonable steps to notify you.

14. Contact Us

For any questions about this Privacy Policy or your personal data:

Legal OS GmbH (trading as Flank) Köpenickerstraße 145, 10997 Berlin, Germany

E-Mail: legal@flank.ai or dpo@flank.ai

We've updated our Website Privacy Policy (effective 20 March 2026). Key changes include: a full list of the third-party tools we use on our website, clarification of which cookies we use and when they are set, specific data retention periods, updated supervisory authority information, and details on how we manage newsletter subscriptions via Substack. You can access previous versions of the Website Privacy Policy here:

4 November 2025 here
17 March 2026 here

Legal
DPA
Impressum
Product Privacy Policy
Website Privacy Policy