GDPR COMPLIANCE

GDPR Compliance for Flowmatix - Automation

This page summarizes how Flowmatix - Automation supports GDPR-compliant operations for clinic workflows. Last updated: February 18, 2026

Clinic = Controller · Flowmatix = Processor (where applicable)

Flowmatix provides an automation layer for clinic communication and booking workflows (e.g., WhatsApp routing, qualification, reminders, and CRM sync). This page is a practical overview for customers and partners. For legal terms, always refer to the Privacy Policy and your contractual agreements.

Data minimization by design: Medical photos and medical decision-making should remain within the clinic. Flowmatix is designed to automate workflows — not to act as a long-term medical data repository.

1. Roles & responsibilities

In typical clinic deployments:

  • Clinic (customer): acts as the Data Controller for patient data and determines purposes and means of processing.
  • Flowmatix: acts as a Data Processor where we process data on behalf of the clinic (Art. 28 GDPR).
  • Third parties: may act as independent controllers or processors (e.g. WhatsApp/Meta, Stripe), depending on the service.

Exact role allocation depends on the chosen setup and contractual scope.

2. Typical data categories

Depending on the workflow, we may process:

  • Contact data (e.g., name, phone number, email)
  • Conversation metadata (timestamps, delivery status, routing events)
  • Content provided by the patient (messages, appointment preferences)
  • Optional: attachments (e.g., photos) if the clinic enables that workflow

Special categories of data (Art. 9 GDPR) can occur in a medical context. Clinics must ensure an appropriate legal basis and provide patient information and obtain consent where required.

3. Data flow overview

A typical deployment looks like this:

  • Patient contacts clinic via WhatsApp
  • Flowmatix automation routes and structures the conversation
  • Relevant information is forwarded into the clinic’s systems (e.g., CRM, scheduling)
  • Clinic staff reviews and takes clinical decisions where applicable

Recommendation: store medical data and patient documents in the clinic’s compliant infrastructure.

4. Legal bases & documentation (clinic side)

Clinics (as controllers) are responsible for selecting the appropriate legal basis (e.g., Art. 6 GDPR and for health data Art. 9 GDPR) and providing patient information (privacy notices) as required.

  • Provide transparent information about WhatsApp communication
  • Collect consent where required (especially for marketing messages)
  • Maintain records of processing activities (RoPA, Art. 30 GDPR)

5. Data Processing Agreement (DPA / AVV)

If Flowmatix processes personal data on behalf of a clinic, an Art. 28 GDPR DPA/AVV is required. We provide a DPA as part of onboarding or upon request.

Add your process here: “DPA available via onboarding portal / email request / contract appendix”.

6. Sub-processors & third-party services

Flowmatix may rely on sub-processors to operate the service. Typical examples:

  • Hosting / infrastructure: e.g., Hetzner (Germany/EU) (adapt to your actual setup)
  • Messaging platform: Meta / WhatsApp
  • Payments: Stripe
  • Optional integrations: Google (Calendar/Drive/Sheets), CRM tools, AI APIs

Replace this list with your real sub-processor list and link to a “Sub-processor list” if you maintain one.

7. International transfers

Some third-party providers may process data outside the EU/EEA (e.g., Meta/WhatsApp, Stripe, certain analytics). Where applicable, safeguards such as Standard Contractual Clauses (SCCs) and/or participation in recognized frameworks may apply.

Keep this aligned with your Privacy Policy and your actual vendor terms.

8. Security measures (TOMs)

We implement technical and organizational measures appropriate to risk, including:

  • Encrypted transport (HTTPS/TLS)
  • Access controls and least-privilege permissions
  • Environment separation (where applicable)
  • Monitoring and logging for security and diagnostics
  • Backups and recovery procedures (scope depends on plan/setup)

If you have a TOM annex, link it here or mention it’s included in the DPA.

9. Retention & deletion

Flowmatix retains personal data only as long as necessary to provide the service, meet security needs, and comply with legal obligations. Clinics define their retention policies for patient data in their own systems.

10. Support for data subject requests

Clinics (controllers) handle data subject requests (access, deletion, etc.). Where Flowmatix acts as a processor, we support clinics in fulfilling these requests within the scope of the DPA.

11. Contact

For GDPR/compliance questions, contact: info@flowmatix.io

If you have a DPO or specific compliance contact, add it here.


Flowmatix, Oldenburg, Germany. © 2026 Flowmatix. All rights reserved. WhatsApp is a trademark of Meta Platforms, Inc.