Privacy Policy for Flonk
1. Controller within the meaning of the General Data Protection Regulation
The controller for data processing on this website and through the Flonk application is MedConnect GmbH, located at Bayernstraße 10, D-30855 Langenhagen, Germany. The company is registered in the commercial register of the Hannover District Court under number HRB 226358 and is represented by managing director oec. Michael MANSHOLD. You can reach us by email at info@medconnect.gmbh or by phone at 0511 94 27 41 45. We will provide the VAT identification number according to §27 a VAT Act upon justified request.
2. Data Protection Officer
Due to the large-scale processing of biometric data, we have appointed a data protection officer whom you can reach at the above contact details with the addition "Attn: Data Protection Officer." The data protection officer is available to answer all questions regarding data protection.
3. Purpose and Legal Basis of Data Processing
Flonk is a Software-as-a-Service application for digital identity verification, accessible via the website https://flonk.id. The application serves the secure and reliable verification of persons' identities by comparing identity documents with biometric facial features and conducting liveness checks. This processing is carried out exclusively on behalf of our business customers who require identity verification for their own business purposes.
The processing of your personal data, including the particularly sensitive biometric data according to Art. 9 Para. 1 GDPR, is based on your explicit consent according to Art. 9 Para. 2 lit. a GDPR. You provide this consent before beginning the identification process through active confirmation in the Flonk application. Additionally, we base the processing on Art. 6 Para. 1 lit. b GDPR for fulfilling the data processing agreement with our respective business customer who requires identity verification for contract initiation or fulfillment with you.
4. Types of Data Processed
Within the framework of identity verification, we process the following categories of personal data: First, we capture data from your identity document (ID card, passport, or similar official documents), which includes your full name, date of birth, place of birth, nationality, document number, issuance date, and validity period. Furthermore, we process biometric data in the form of facial images, which are both extracted from the identity document and created through live recording with your device's camera. This biometric data is processed exclusively for the purpose of identity verification through algorithmic comparison and serves the unique identification of your person according to Art. 4 No. 14 GDPR.
The liveness check is performed through analysis of short video sequences or special recordings that demonstrate that the subject is a living person and not a photo or other reproduction. Additionally, we capture technical metadata such as verification timestamps, the device used, the IP address at the time of verification, and the result of identity verification (successful or unsuccessful). All this data is processed exclusively to fulfill the identification purpose and to document proper implementation.
5. Data Processing Agreement and Data Transfer
MedConnect GmbH acts as a data processor within the meaning of Art. 28 GDPR when using Flonk for its business customers, who serve as data controllers commissioning identity verification for their own purposes. We conclude a data processing agreement with each business customer that fully meets the requirements of Art. 28 Para. 3 GDPR and ensures your rights as a data subject.
The technical infrastructure of Flonk is hosted via Railway, an infrastructure service headquartered in San Francisco, California (548 Market St PMB 68956, San Francisco, California 94104, USA). However, data processing takes place in data centers in Amsterdam, Netherlands, and thus remains within the scope of the GDPR. Railway acts as a technical service provider and sub-processor, with whom corresponding data processing agreements have been concluded. Since Railway Corp. is a US corporation, we have implemented additional protective measures: Railway is certified under the EU-US Data Privacy Framework, which the European Commission recognized as ensuring an adequate level of data protection in its adequacy decision of July 10, 2023.
6. Storage Duration and Deletion
Your personal data is stored encrypted in European data centers and is generally retained for a period of ten years. This retention period results from legal requirements for documenting identity verifications, particularly applicable in regulated industries such as finance or anti-money laundering prevention. The data is protected throughout the entire storage period with state-of-the-art encryption methods both during transmission and at rest.
However, the commissioning business customer has the option to initiate early anonymization of your data, making it unrecognizable and preventing any conclusions about your person. After the retention period expires or upon early anonymization, all personal data including biometric data is irrevocably deleted. Deletion occurs both in production systems and in all backup systems according to recognized IT security standards.
7. Your Rights as a Data Subject
You have the right to information about your personal data at any time according to Art. 15 GDPR. This includes information about processing purposes, categories of processed data, recipients or categories of recipients, planned storage duration, and the existence of your other rights. Furthermore, you have the right to rectification of incorrect data according to Art. 16 GDPR, insofar as this is technically possible without impairing the integrity of the identification process.
You may request deletion of your personal data according to Art. 17 GDPR if the requirements of Art. 17 Para. 1 GDPR are met and no exceptions according to Art. 17 Para. 3 GDPR apply. Since processing is based on your consent, you can withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal. However, withdrawal is only possible for future processing operations, as already conducted identity verifications must be documented for legal security.
You also have the right to restriction of processing according to Art. 18 GDPR if requirements are met, as well as the right to data portability according to Art. 20 GDPR. Furthermore, you can file a complaint with a data protection supervisory authority at any time, with the authority responsible for us being the State Commissioner for Data Protection of Lower Saxony (Prinzenstraße 5, 30159 Hannover).
8. Data Security and Technical Measures
We have implemented comprehensive technical and organizational measures to protect your personal data from unauthorized access, loss, destruction, or manipulation. Data transmission occurs exclusively via encrypted connections (TLS 1.3 or higher), and all data is protected both during transmission and at rest with state-of-the-art encryption algorithms. Access to personal data is strictly limited to authorized employees who are subject to special confidentiality obligations.
Our systems are regularly reviewed by external security experts, and we conduct continuous security monitoring. The data centers of our hosting partner Railway in Amsterdam meet the highest international security standards and are appropriately certified. Additionally, we have established procedures for immediate reporting of data breaches to competent supervisory authorities and, if applicable, to affected persons.
9. Use of Cookies and Similar Technologies
On the website https://flonk.id, we use technically necessary cookies that are required for providing and securing the application. These cookies serve exclusively for the proper functioning of the identification process and maintaining the session during the verification process. The legal basis for this is Art. 6 Para. 1 lit. f GDPR, as the use of these cookies is necessary to safeguard our legitimate interests in a secure and functional application.
Furthermore, we may collect anonymized analysis data to improve application performance and user experience, but only after your explicit consent. You can configure your browser settings to be informed about cookie placement and allow cookies only in individual cases, exclude cookie acceptance for certain cases or generally, and activate automatic deletion of cookies when closing the browser.
10. Special Notes on Biometric Data Processing
The processing of biometric data is subject to special protection provisions according to Art. 9 GDPR, as it involves particularly sensitive personal data. We process biometric data exclusively for the purpose of identity verification and only based on your explicit consent. Biometric features are extracted from facial recordings through specialized algorithms and used exclusively for comparison with identity document data.
The raw biometric data is not permanently stored after verification; only the metadata and results necessary for documenting the conducted identity check are retained. We use exclusively proven and data protection-compliant methods for biometric analysis that correspond to the current state of technology and are regularly reviewed for accuracy and data protection compliance. Use of biometric data for purposes other than identity verification is excluded.
11. Withdrawal of Consent
You can withdraw your consent to the processing of your personal data, including biometric data, at any time with effect for the future. You can submit the withdrawal informally by email to info@medconnect.gmbh or in writing to our postal address. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Please note that already conducted and completed identity verifications must continue to be documented for legal security and to fulfill legal retention obligations. However, withdrawal prevents future processing of your data for new identity verifications. After withdrawal, you can no longer use the Flonk application, as processing your biometric data is absolutely necessary for the application's functionality.
12. Currency and Changes to the Privacy Policy
This privacy policy corresponds to the current state of law and our data processing practices (as of: October 2025). Due to the development of our application or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. The current privacy policy can always be accessed on the website https://flonk.id.
We will notify you of significant changes in a timely manner, insofar as we have your contact details or notification through our business customer is possible. For changes requiring new consent, we will obtain this before further processing. We recommend that you regularly review this privacy policy to stay informed about the protection of your personal data.