Back to Home

Privacy Policy

Last updated: February 2026

1. Data Controller

The data controller responsible for the processing of your personal data is:

Stefan Anhalt

Oflow Trading

Randowstr. 46, 13057 Berlin, Germany

E-Mail: [email protected]

Phone: +49 162 3512589

2. Information We Collect

Personal Information (provided by you at checkout):

  • First name, last name, and email address
  • Phone number and company name (optional)
  • Country and city
  • Payment information (processed exclusively by Stripe)
  • Consent timestamps and version tracking

License and Activation Data:

  • License key
  • Machine fingerprint (SHA-256 hashed hardware identifier for license validation)

Automatically Collected Data:

  • IP address (processed by Cloudflare for security purposes)
  • Browser type and operating system (standard HTTP headers)

3. Purposes and Legal Basis of Processing

We process your personal data for the following purposes:

  • Purchase processing and license delivery. Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • License validation and activation. Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Customer support. Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Transactional email communication (purchase confirmation, license key delivery). Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Fraud prevention and security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting our services)
  • Compliance with legal obligations (e.g., tax records). Legal basis: Art. 6(1)(c) GDPR (legal obligation)

4. Third-Party Services and Data Transfers

We use the following third-party services to provide our product. Where data is transferred outside the EU/EEA, appropriate safeguards are in place.

Stripe (Payment Processing)

Stripe, Inc. acts as our payment processor. Stripe processes your name, email address, billing address, and payment information (PCI-DSS compliant). Stripe is based in the US. Data transfers are covered by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). See: Stripe Privacy Policy.

Keygen (License Management)

Keygen is our data processor for license management. Keygen processes your email address, license key, and SHA-256 hashed machine fingerprints. Keygen is US-based and applies GDPR protections globally. Data transfers are covered by Standard Contractual Clauses (SCCs). See: Keygen Privacy Policy.

Cloudflare (Hosting, CDN & Security)

Cloudflare is our hosting and security provider. Cloudflare processes IP addresses for DDoS protection and may set strictly necessary security cookies (see Section 8). Cloudflare is US-based and certified under the EU-US Data Privacy Framework (DPF). A Data Processing Addendum is included in their terms of service. See: Cloudflare Privacy Policy.

Resend (Transactional Email)

Resend is our data processor for transactional emails (purchase confirmations, license key delivery). Resend processes recipient email addresses and message content. Resend is US-based and certified under the EU-US Data Privacy Framework (DPF). A Data Processing Addendum is automatically binding upon acceptance of their terms. See: Resend Privacy Policy.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All data transmissions are encrypted using SSL/TLS. We do not store payment card details on our servers. All payment data is processed exclusively by Stripe. Machine fingerprints are stored as SHA-256 hashes, not as raw hardware identifiers. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected individuals without undue delay, as required by Art. 33-34 GDPR.

6. Data Retention

We retain personal data only as long as necessary for the respective purpose:

  • Account and license data: For the duration of your active license, plus 30 days after deletion request
  • Transaction records: 10 years (German tax retention obligations under AO ยง 147)
  • Email communication logs: 90 days
  • Server logs (IP addresses): Up to 30 days (Cloudflare)

You may request deletion of your data at any time by contacting us (see Section 10). We will process your request within 30 days, subject to any legal retention obligations.

7. Your Rights under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15 GDPR): obtain a copy of your personal data
  • Right to rectification (Art. 16 GDPR): correct inaccurate data
  • Right to erasure (Art. 17 GDPR): request deletion of your data
  • Right to restriction (Art. 18 GDPR): restrict processing of your data
  • Right to data portability (Art. 20 GDPR): receive your data in a machine-readable format
  • Right to object (Art. 21 GDPR): object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time without affecting the lawfulness of prior processing
  • Right regarding automated decisions (Art. 22 GDPR): license validation involves automated comparison of device fingerprints. If your license activation is rejected, you have the right to request human review by contacting us

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use only strictly necessary cookies required for the website to function properly. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

Cookies that may be set:

  • __cf_bm: Cloudflare bot management cookie (strictly necessary, 30 minutes)
  • cf_clearance: Cloudflare security challenge cookie (strictly necessary, up to 24 hours)

These cookies are classified as strictly necessary for the security and operation of the website and do not require consent under Section 25(2) TDDDG. No personal data is collected through these cookies for marketing or tracking purposes.

9. Obligation to Provide Data

The provision of your name, email address, country, and city is required to fulfill the purchase contract and deliver your license. Without this data, we cannot process your order. The provision of phone number and company name is voluntary and not required for contract performance.

10. Age Requirement

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from minors. If we become aware that personal data of a person under 18 has been collected, we will take steps to delete such data promptly.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. The competent supervisory authority for our business is:

Berliner Beauftragte fuer Datenschutz und Informationsfreiheit

Friedrichstr. 219, 10969 Berlin, Germany

Phone: +49 30 13889-0

Website: www.datenschutz-berlin.de

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes that affect how we process your data, we will provide notice via email where possible.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at: [email protected]