Privacy Policy
This Privacy Policy explains how personal data is processed in connection with the Flexas/Doory platform, including coworking bookings, memberships, access management, support, billing, communications, and related building operations.
1. Scope
For a specific booking, membership, or account, the controller is the entity identified on the checkout page, invoice, agreement, account communication, or other service communication for the relevant building or service.
2. Categories of personal data
- Identity and contact data, such as name, email address, phone number, company name, and billing details.
- Account and authentication data, such as user account identifiers, session and login metadata.
- Booking and membership data, such as selected building, plan, booking date, renewal status, credits, and service history.
- Access and building-operation data, such as building scope, credential issuance, access events, and security logs.
- Payment and invoicing data, such as invoice identifiers, payment status, VAT number, debtor identifiers, and billing address.
- Communication data, such as support requests, service notes, notifications, and transactional emails.
- Technical and device data, such as IP-derived security data, browser metadata, and audit records.
3. Purposes and legal bases
Personal data is processed to enter into and perform the Agreement, manage bookings and memberships, enable access, handle billing and support, secure the Buildings and platform, comply with legal obligations, prevent fraud, send transactional communications, and maintain platform reliability.
The legal bases generally include performance of a contract, compliance with legal obligations, legitimate interests in running and securing the services, and consent where consent is specifically required.
4. Sources of data
Data may be collected directly from you, from your employer or company administrator, from service providers involved in the services, and from building-operation and system audit logs generated during service use.
5. Recipients and processors
The Operator may share personal data where necessary with service providers including billing and invoicing providers such as WeFact and connected payment providers, communication providers, access-control providers such as iLOQ, e-signature providers such as Scrive, hosting providers, and legal, accounting, security, or regulatory advisors.
6. International transfers
Some providers may process data outside the European Economic Area. Where this occurs, the Operator will use an appropriate transfer mechanism required by applicable law.
7. Retention
The Operator retains personal data only as long as necessary for the relevant purpose, including active service records for the duration of the relationship, billing and tax records for the legally required period, and limited retention of security and audit records proportionate to those purposes.
8. Security
The Operator uses technical and organizational measures designed to protect personal data, including access controls, scoped authorization, audit logging, secrets management, transport security, and role-based permissions.
9. Your rights
Subject to applicable law, you may have rights of access, correction, deletion, restriction, objection, portability, and withdrawal of consent where consent is the legal basis.
You may also lodge a complaint with the Dutch Data Protection Authority (`Autoriteit Persoonsgegevens`).
10. Cookies and similar technologies
The platform uses necessary cookies and similar technologies for authentication, security, session continuity, and service operation. Any non-essential cookie use should be described in a separate cookie notice where applicable.
11. Updates
This Privacy Policy may be updated from time to time. A new version will be published where material changes are made.
12. Contact
Privacy requests, complaints, or questions should be sent to the contact channel identified on the relevant website, checkout flow, invoice, or account communication for the applicable building or service.