Kallflow LogoKallflow

Privacy Policy

This is the current service privacy policy.

Last updated: 19/02/2026

This Privacy Policy describes how BASELINK, SL (the "Controller", "we") processes personal data when you visit the website kallflow.com, use the account/billing portal (the "Portal") and/or interact with our forms (waitlist, support, sales contact, feedback).

Important: this project includes self-hosted software. In general, we do not process the content of calls, audio, transcripts, or end-user data from your self-hosted voice agents. If you are an end user of a voice agent operated by a Customer, the data controller for your personal data will be the Customer operating that agent.

1) Controller details (legal information)

  • Legal entity: BASELINK, SL
  • Tax ID: B75885491
  • Address: Carrer Puig Sureda, 36
  • Contact email (privacy): contact@baselinksl.com
  • Legal email: contact@baselinksl.com

2) Applicable regulations (EU and Spain)

This processing is governed, among others, by:

  • Regulation (EU) 2016/679 (GDPR) (EUR-Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj).
  • Organic Law 3/2018 (LOPDGDD) (BOE: https://boe.es/buscar/act.php?id=BOE-A-2018-16673&tn=2).
  • Law 34/2002 (LSSI-CE) for commercial communications and cookies/similar technologies (BOE: https://boe.es/buscar/act.php?id=BOE-A-2002-13758&tn=2).
  • Directive 2002/58/EC (ePrivacy) (especially art. 5.3) (EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058).
  • Authority guidance and criteria (e.g. AEPD - Cookie guide (11/07/2023): https://www.aepd.es/guias/guia-cookies.pdf).

3) Who this policy applies to (scope)

It applies when you:

  • visit the website and browse public pages,
  • create an account and sign in,
  • purchase (checkout) and manage subscriptions/payments in the Portal,
  • join the waitlist and confirm your subscription,
  • send support or sales contact requests,
  • send feedback through our channels.

It does not govern processing carried out by third parties we link to (e.g. Stripe) beyond our responsibility as Controller.

4) Personal data we may process (categories)

Depending on your usage, we may process:

4.1. Account and authentication data

  • account email,
  • password hash (if you use local login),
  • session metadata (tokens, expiration) and sign-in records.

4.2. Billing and contracting data

  • first and last name and/or business name/company,
  • billing address, city, postal code, country,
  • VAT number (if applicable),
  • account and license identifiers (e.g. internal codes/ids),
  • subscription history, payment attempts and status.
Payment data: card details and other payment credentials are handled by our payment provider (e.g. Stripe). We do not store the full card number.

4.3. Communications data (forms)

  • sales contact: email, subject and message,
  • support: email, subject and message, and optionally attachments (images/documents) if you send them,
  • feedback: description, type, email (optional) and minimally necessary metadata.

4.4. Waitlist data

  • email,
  • IP, user-agent (browser/device) and language/locale,
  • technical confirmation/unsubscribe tokens (for double opt-in and subscription management).

4.5. Technical and security data

  • IP address (directly or via headers like x-forwarded-for),
  • user-agent,
  • technical rate limiting and abuse prevention logs,
  • errors and technical logs (minimized).

4.6. Analytics data (if you accept)

  • pseudonymous visitor/session identifiers (e.g. DataFast),
  • navigation and conversion events (e.g. purchase completion), with limited and sanitized parameters.

4.7. Cookies and similar technologies data

  • language preference (cookie NEXT_LOCALE when you change language),
  • consent status (cookie kallflow_cookie_consent),
  • authentication session cookie (cookie kf_auth_session).

Full details: see the Cookie Policy.

5) Processing purposes and legal basis

We process data for the following purposes (with GDPR legal basis):

5.1. Create and manage the account, sign in and maintain the session

  • Purpose: access the Portal and related features.
  • Legal basis: performance of a contract or pre-contractual measures (art. 6(1)(b) GDPR).
  • Data: email, credentials and session cookie.

5.2. Purchasing, billing, taxes and subscription management

  • Purpose: issue invoices, apply taxes, manage renewals/cancellations, handle payment incidents.
  • Legal basis: performance of a contract (art. 6(1)(b)) and compliance with legal obligations (art. 6(1)(c)) (e.g. tax/accounting obligations).
  • Data: billing details, subscription history, order/invoice identifiers.

5.3. Handle support requests and sales contact

  • Purpose: reply to messages, manage incidents and provide requested commercial information.
  • Legal basis: pre-contractual measures/contract (art. 6(1)(b)) and/or legitimate interest (art. 6(1)(f)) for customer support.
  • Data: email, message, attachments (if any).

5.4. Waitlist and related communications (double opt-in)

  • Purpose: manage your signup, confirm it and allow unsubscribe.
  • Legal basis: typically consent (art. 6(1)(a)) when you subscribe, and legitimate interest to keep proof of consent/anti-fraud (art. 6(1)(f)) in a proportionate manner.
  • Data: email, confirmation/unsubscribe tokens, IP and user-agent.

5.5. Fraud, abuse and security prevention (rate limiting, anti-spam)

  • Purpose: prevent automated submissions and protect forms and the service.
  • Legal basis: legitimate interest (art. 6(1)(f)) and, when strictly necessary, compliance with legal obligation or network/security requirements.
  • Data: IP, user-agent, request metadata, technical tokens.

5.6. Website analytics (DataFast), only if you accept it

  • Purpose: measure usage and conversions to improve the product and website.
  • Legal basis: consent (art. 6(1)(a) GDPR) + ePrivacy/LSSI requirements to store/access information on the device.
  • Data: pseudonymous identifiers and events.

5.7. Compliance and defense against claims

  • Purpose: keep minimally necessary evidence (e.g. terms acceptance, purchase confirmations) and defend rights in proceedings.
  • Legal basis: legitimate interest (art. 6(1)(f)) and/or legal obligation (art. 6(1)(c)).

6) Recipients and processors (vendors)

We may share data with:

6.1. Data processors (they process data on our behalf, under an art. 28 GDPR agreement), such as:

  • payment/billing processor (e.g. Stripe),
  • email provider (SMTP) to send confirmations, support and notifications,
  • hosting/infrastructure (cloud, CDN, logging) if applicable.

6.2. Third-party controllers when you interact with them directly:

  • e.g. when you complete a payment with Stripe, it may act as controller for certain data under its own policy.

6.3. Public authorities if we are required by law (legal, tax or judicial requirements).

Recommended: complete this section with a table of real vendors (name, service, policy, countries) for maximum transparency.

7) International transfers (outside EU/EEA)

Some vendors may process data outside the EU/EEA. When this happens, we apply appropriate safeguards under the GDPR (art. 44 et seq.), such as:

  • adequacy decisions (art. 45), or
  • Standard Contractual Clauses (SCCs) (art. 46), and additional measures when required.

In particular:

  • global vendors (e.g. payments, anti-abuse) may operate infrastructure outside the EU/EEA under their terms.

8) Retention periods (criteria)

We retain data for as long as necessary depending on purpose and obligations:

8.1. Account and billing

  • while the account is active and/or legal obligations apply (e.g. tax/accounting) and applicable limitation periods.

8.2. Authentication sessions

  • the cookie and session have a technical expiration (e.g. up to 30 days), but may be revoked earlier (logout).

8.3. Waitlist

  • pending records: until you confirm or it is canceled/cleaned for security and hygiene reasons.
  • confirmed records: until you unsubscribe or request erasure, subject to necessary retention.

8.4. Support and contact

  • the time needed to handle the request and, if needed, keep reasonable history for follow-up and proof, minimal and proportionate.

8.5. Logs and security

  • for short and proportionate periods aimed at detecting abuse/incidents and ensuring security.

8.6. Analytics (if you accept)

  • according to tool configuration and its identifier/cookie model. Details: Cookie Policy.

9) Data subject rights (GDPR)

You can exercise the rights recognized in arts. 15-22 GDPR:

  • access,
  • rectification,
  • erasure ("right to be forgotten"),
  • restriction of processing,
  • data portability,
  • objection,
  • not to be subject to automated decision-making (if applicable).

9.1. How to exercise them

  • Write to: contact@baselinksl.com
  • Include: the right you want to exercise, the account email and the information needed to identify you.

9.2. Response timeframe

  • Generally, 1 month (extendable in complex cases under the GDPR).

9.3. Withdraw consent

  • When processing is based on consent (e.g. analytics), you can withdraw it at any time, without affecting prior lawfulness.

10) Complaints to the supervisory authority

If you believe your rights have not been properly addressed, you can lodge a complaint with:

  • AEPD (Spain): https://www.aepd.es/

If you are in Catalonia, you may also consider APDCAT in the public sector: https://apdcat.gencat.cat/

11) Security (technical and organizational measures)

We apply reasonable measures according to risk (art. 32 GDPR), such as:

  • HttpOnly cookies for authentication sessions,
  • rate limiting and anti-bot protections (e.g. reCAPTCHA on forms),
  • log data minimization and format/length validations,
  • internal access controls and least privilege principle.

12) Changes to this policy

We may update this Policy for legal or operational reasons. We will indicate the "Last updated" date and, if the change is material, we may notify it through reasonable channels (website/Portal/email).