Website Privacy Policy

1. Introduction

1.1 Important information and who we are

Welcome to ZENPASS Ltd's Privacy and Data Protection Policy, operating under the brand name Fluum (referred to as "Fluum", "we", "us", or "our").

At ZENPASS Ltd (trading as Fluum), a company registered in England and Wales (Company No. 15193625), we are committed to protecting and respecting your privacy and personal data in compliance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and all other mandatory data protection laws and regulations applicable in the United Kingdom.

This Privacy Policy explains how we collect, process, and keep your data safe. It outlines your privacy rights, how the law protects you, and the responsibilities of our employees and team members in handling personal data in line with legal obligations and internal protocols.

The individuals from whom we collect and process data include:

Clients who engage Fluum for B2B outbound prospecting and introduction services

Prospects contacted by Fluum on behalf of its Clients

Network Partners: C-suite executives and decision-makers who are part of the Fluum introduction network

Website visitors

Partners, vendors, and suppliers

and any other people that the organisation has a relationship with or needs to contact.

This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.

1.2 Your Data Controller and Data Protection Officer

ZENPASS Ltd (trading as Fluum) is your Data Controller and responsible for your Personal Data.

We have appointed a data protection officer ("DPO") who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights surrounding your Personal Data, please contact the DPO using the details set out below:

Name: Loan Alouache Email: contact@fluum.ai

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

1.3 Processing data on behalf of a Controller and processors' responsibility to you

In discharging our responsibilities as a Data Controller we have employees who will deal with your data on our behalf (known as "Processors"). The responsibilities below apply to the organisation as a whole. The Data Controller and our Processors have the following responsibilities:

Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR (see 2.2 below for more information).

Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data.

Obtain the prior specific or general authorisation of the Controller before engaging another Processor.

Assist the Controller in the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights.

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Maintain a record of all categories of processing activities carried out on behalf of a Controller.

Cooperate, on request, with the supervisory authority in the performance of its tasks.

Ensure that any person acting under the authority of the Processor who has access to Personal Data does not process Personal Data except on instructions from the Controller.

Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

2. Legal Basis for Data Collection

2.1 Types of data / Privacy policy scope

"Personal Data" means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We collect, use, store and transfer different kinds of Personal Data about you which we have grouped together below. Not all of the following types of data will necessarily be collected from you but this is the full scope of data that we collect and when we collect it from you:

Profile/Identity Data: This is data relating to your first name, last name, job title, and company name.

Contact Data: This is data relating to your phone number, addresses, email addresses, LinkedIn profile URLs.

Professional Data: This is data relating to your employer, industry, company size, job function, and seniority level. This data is collected from publicly available government and regulatory databases, professional networking platforms, and company websites when we process Prospect Data on behalf of our Clients.

Network Partner Data: This is data relating to C-suite executives and decision-makers who are part of the Fluum introduction network, including contact details, professional background, industry expertise, company information, and introduction preferences. This data is collected directly from Network Partners during onboarding and throughout their participation in the network.

Marketing and Communications Data: This is your preferences in receiving marketing information and other information from us.

Technical and Usage Data: Data collected through analytics and tracking tools when you visit our website, including:

Google Analytics (GA4): session statistics, usage data, trackers

AWS: hosting, infrastructure, usage data

Stripe: billing address, email address, payment info, purchase history

Supabase: email and hashed password of users

We also collect, use and share Aggregated Data such as campaign performance metrics, total number of prospects contacted, response rates, and meeting conversion rates. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity.

2.2 The Legal Basis for Collecting That Data

There are a number of justifiable reasons under the GDPR that allow collection and processing of Personal Data. The main avenues we rely on are:

"Consent": Certain situations allow us to collect your Personal Data, such as when you tick a box that confirms you are happy to receive email newsletters from us, or "opt in" to a service.

"Contractual Obligations": We require certain information from you in order to fulfil our contractual obligations and provide you with the promised service. For Network Partners, we process their data to deliver introductions and facilitate connections as agreed during onboarding.

"Legal Compliance": We're required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions.

"Legitimate Interest": We need to collect certain information to be able to meet our legitimate interests. For B2B outreach conducted on behalf of our Clients, we process Prospect Data (professional contact details sourced from publicly available sources and professional networking platforms) under legitimate interest, where the Client has a legitimate interest in marketing its products or services to relevant business contacts. Both Fluum and the Client cooperate to ensure a valid legal basis exists for the processing. All outreach includes an opt-out mechanism, and we maintain suppression lists to honour opt-out requests. For Network Partner data, we process their information under legitimate interest to match them with relevant prospects and facilitate introductions that align with their stated interests and expertise.

2.3 Third-Party Data Sources

When providing outbound prospecting services on behalf of our Clients, we source Prospect Data from:

Publicly available government and regulatory databases (including Companies House, SEC filings, and equivalent registries)

Professional networking platforms (including LinkedIn)

Company websites and professional directories

Other publicly accessible sources

This data is processed on behalf of our Clients, who act as the Data Controller. Fluum is responsible for conducting all processing and outreach activities in compliance with applicable Data Protection Laws and marketing regulations. If you believe your data has been processed in this way and wish to exercise your rights, please contact us at contact@fluum.ai or contact the relevant Client directly.

Network Partner data is not sourced from third parties. It is provided directly by the Network Partner to Fluum.

3. How We Use Your Personal Data

3.1 Our data uses

We will only use your Personal Data when the law allows us to. Our primary uses include:

Providing B2B outbound prospecting and introduction services to our Clients

Sourcing and enriching Prospect Data from publicly available sources and professional networking platforms

Conducting multi-channel outreach campaigns (email, LinkedIn, SMS, WhatsApp, Instagram) on behalf of Clients

Matching Prospects with relevant Network Partners based on industry, geography, and service fit

Facilitating introductions between Prospects and Network Partners

Pipeline management and campaign performance reporting

Client account management, invoicing, and service delivery

Website analytics and improvement

3.2 Marketing and content updates

You will receive marketing and new content communications from us if you have created an account and chosen to opt into receiving those communications. From time to time we will make suggestions and recommendations to you about goods or services that are of interest to you.

3.3 Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Officer.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

3.4 How Network Partner Data is shared

Fluum holds Network Partner profile information (professional background, industry expertise, company details, and introduction preferences) for the purpose of making introductions. This data is provided directly by the Network Partner. Limited profile information is shared with Clients and Prospects only in the context of a proposed introduction, and only to the extent necessary to facilitate that introduction. Network Partner data is not sold, rented, or shared with third parties for marketing purposes.

4. Your Rights and How You Are Protected by Us

4.1 Your legal rights

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:

Right to be informed. You have a right to be informed about our purposes for processing your personal data, how long we store it for, and who it will be shared with. We have provided this information to you in this policy.

Right of access. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it (also known as a "data subject access request").

Right to rectification. You have a right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.

Right to erasure. You have the right to ask us to delete or remove personal data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to processing, where we have processed your information unlawfully, or where we are required to erase your personal data to comply with local law.

Right to object. You can object to the processing of personal data we hold about you. This effectively allows you to stop or prevent us from processing your personal data. This right applies where we are processing your personal data for direct marketing purposes, or where we are relying on a legitimate interest.

Right to restrict processing. You have the right to request the restriction or suppression of your personal data in certain circumstances.

Right to data portability. You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.

If you are a Prospect who has been contacted by Fluum on behalf of one of our Clients, you have the right to opt out of further communications at any time. We honour all opt-out requests and maintain suppression lists to prevent re-contact.

If you are a Network Partner, you have the right to update, correct, or request deletion of your profile data at any time by contacting us at contact@fluum.ai.

If you wish to make a request under any of these rights, please contact us at contact@fluum.ai.

4.2 Your Control Over How Fluum Uses Your Personal Data

You can request deletion of your data at any time by contacting us at contact@fluum.ai. For Client account holders, you can access information associated with your account by logging into your account. Your account information will be protected by a password for your privacy and security.

Network Partners can request to be removed from the Fluum network at any time. Upon removal, Fluum will cease facilitating introductions and will delete their profile data within 30 days, unless retention is required by law.

4.3 How Fluum Protects Personal Data

We are concerned with keeping your data secure and protecting it from inappropriate disclosure. We implement a variety of security measures to ensure the security of your Personal Data on our systems, including:

Encryption for data transmission (TLS 1.2 or higher) and storage

Role-based access controls to limit data access to authorised personnel only

Multi-factor authentication for systems containing Personal Data

Regular security reviews and vulnerability assessments

Staff training on data protection obligations

Any Personal Data collected by us is only accessible by a limited number of employees who have special access rights to such systems and are bound by obligations of confidentiality. If and when we use subcontractors to store your data, we will not relinquish control of your Personal Data or expose it to security risks that would not have arisen had the data remained in our possession.

4.4 Opting out of marketing promotions

You can ask us to stop sending you marketing messages at any time by unsubscribing from the Fluum newsletter or by contacting us at contact@fluum.ai.

Where you opt out of receiving these marketing messages, we will continue to retain other Personal Data provided to us as a result of interactions with us not related to your marketing preferences.

4.5 How to request your data and the process for obtaining it

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). If your request is clearly unfounded, we could refuse to comply with your request.

We need to request specific information from you to help us confirm your identity and ensure you have the right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

5. Third-Party Processors and Sub-processors

Fluum engages third-party service providers who process personal data on our behalf. These include:

Lemlist (outreach automation)

Prosp.ai (LinkedIn automation)

LinkedIn (professional networking and outreach)

AWS / cloud hosting providers (infrastructure and data storage)

Stripe (payment processing)

Google Workspace (internal communications and document management)

Google Analytics (website analytics)

All third-party processors are required to comply with data protection regulations and are bound by contractual obligations that impose data protection standards no less protective than those set out in this Privacy Policy.

Fluum also sources Prospect Data from publicly available government and regulatory databases (including Companies House and SEC filings), professional networking platforms, and company websites. These are public data sources, not sub-processors, and no personal data is shared with them by Fluum.

6. How Long We Retain Your Data

Prospect Data (processed on behalf of Clients): retained for the duration of the Client's engagement and for 12 months following termination, after which it is securely deleted unless retention is required by law. Suppression lists are retained indefinitely to prevent re-contact.

Network Partner Data: retained for the duration of the Network Partner's participation in the Fluum network and for 12 months following departure, after which it is securely deleted unless retention is required by law.

Client Account Data: retained as required for service provision, legal compliance, tax, and audit purposes for up to 7 years following termination.

Website Visitor Data: retained in accordance with the retention periods of our analytics providers. Google Analytics data is retained for 14 months.

7. Age Limit for Our Users

You must not use Fluum unless you are aged 18 or older. If you are under 18 and you access Fluum by lying about your age, you must immediately stop using Fluum.

This website is not intended for children and we do not knowingly collect data relating to children.

8. International Transfer of Data

Fluum is based in the United Kingdom. Your information is stored and processed primarily on UK and EEA servers. Where data is transferred to countries outside the UK that do not benefit from an adequacy decision, we ensure appropriate safeguards are in place, including:

The UK International Data Transfer Agreement (UK IDTA) for transfers from the UK.

Standard Contractual Clauses (SCCs) for transfers from the EEA.

The EU-US Data Privacy Framework, where applicable.

Some of our third-party processors (including AWS and Stripe) process data in the United States. These transfers are governed by the safeguards listed above.

9. Notification of Changes and Acceptance of Policy

We keep our Privacy Policy under review and will place any updates here. This version is dated April 29, 2026.

By using Fluum, you consent to the collection and use of data by us as set out in this Privacy Policy. Continued access or use of Fluum will constitute your express acceptance of any modifications to this Privacy Policy.

10. Interpretation

All uses of the word "including" mean "including but not limited to" and the enumerated examples are not intended to in any way limit the term which they serve to illustrate. Any email addresses set out in this policy are to be used solely for the purpose for which they are stated to be provided, and any unrelated correspondence will be ignored.

Our staff are not authorised to contract on behalf of Fluum, waive rights or make representations (whether contractual or otherwise). If anything contained in an email from a Fluum address contradicts anything in this policy, our terms or any official public announcement on our website, or is inconsistent with or amounts to a waiver of any Fluum rights, the email content will be read down to grant precedence to the latter. The only exception to this is genuine correspondence expressed to be from the Fluum legal department.