Introduction
SerenX Consulting Limited ('we', 'us', 'our') operates the FlowHire platform, accessible at www.flowhire.uk. FlowHire is an outfit hire management system designed for gents outfitters and occasion wear hire businesses across Scotland and the United Kingdom.
We are committed to protecting the privacy and personal data of all individuals who interact with our platform. This Privacy Statement explains how we collect, use, store, share and protect personal data in accordance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (DPA 2018)
- The Privacy and Electronic Communications Regulations 2003 (PECR)
- Any other applicable UK data protection legislation
By using the FlowHire platform or website, you acknowledge that you have read and understood the contents of this Privacy Statement.
Who We Are — Data Controller Details
For the purposes of UK GDPR, the Data Controller responsible for your personal data is:
If you have any questions about how we handle your personal data, or wish to exercise your rights, please contact us at privacy@flowhire.uk.
Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account Holders (Outfitter Businesses and Their Staff)
- Full name
- Business name and address
- Email address and phone number
- Log-in credentials (username and securely hashed password)
- Billing and payment information
- IP address and device/browser information
- Usage data and activity logs within the platform
3.2 End Customers (Hire Customers Entered by Outfitters)
FlowHire allows outfitters to record data about their own customers as part of managing hire bookings. This may include:
- Full name and contact details (email, phone, postal address)
- Body measurements (chest, waist, height, seat, inside leg, collar, and similar garment-fitting measurements)
- Outfit preferences and style notes
- Hire booking history and event dates
- Garment assignments and return records
- Event details (e.g. wedding date, graduation date, event type)
- Notes on garment condition relating to the customer's hire
FlowHire acts as a Data Processor in respect of end customer data entered by outfitters. The outfitter (our customer) is the Data Controller for their customers' personal data. Outfitters are responsible for ensuring they have an appropriate lawful basis for collecting and entering this information.
3.3 Website Visitors
- Cookies and tracking data (see Section 11)
- IP address and browser/device information
- Pages visited, time on site, referral source
- Any information submitted via contact or enquiry forms
How We Collect Personal Data
We collect personal data through the following means:
- Directly from you when you register for a FlowHire account, complete a form, or contact us
- When you or your staff use the FlowHire platform to manage bookings and customer records
- Automatically through cookies and similar technologies when you visit www.flowhire.uk
- From third-party payment processors when you purchase a subscription
- From email correspondence and support interactions
Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following bases:
5.1 Contract (Article 6(1)(b))
Processing is necessary to fulfil our contract with you — providing the FlowHire platform, managing your account, processing payments, and delivering customer support.
5.2 Legitimate Interests (Article 6(1)(f))
We process certain data on the basis of our legitimate interests, including improving the FlowHire platform, ensuring platform security, preventing fraud, and sending service-related communications. We have carried out a Legitimate Interests Assessment and are satisfied that our interests are not overridden by your rights and freedoms.
5.3 Legal Obligation (Article 6(1)(c))
We process data where necessary to comply with a legal obligation, such as maintaining financial records for HMRC purposes or responding to lawful requests from public authorities.
5.4 Consent (Article 6(1)(a))
Where we send marketing communications or deploy non-essential cookies, we do so on the basis of your freely given, specific and informed consent. You may withdraw consent at any time without detriment to the services you receive.
How We Use Your Personal Data
We use personal data for the following purposes:
- Creating and managing your FlowHire account
- Providing access to the FlowHire platform and its features
- Processing subscription payments and managing billing
- Providing technical support and responding to your enquiries
- Sending transactional communications (booking confirmations, system notifications, security alerts)
- Sending service updates and product improvement communications
- Improving and developing the FlowHire platform through anonymised usage analytics
- Detecting and preventing fraud, abuse, and security threats
- Complying with legal and regulatory obligations
- Enforcing our Terms of Service
We will not use your personal data for automated decision-making that produces legal or similarly significant effects, nor will we use it for purposes incompatible with those stated above without first informing you.
Who We Share Your Data With
We do not sell personal data to third parties. We may share data with the following categories of recipients:
7.1 Sub-Processors (Service Providers)
We use third-party service providers to help operate the FlowHire platform. These act as data processors under our instruction and are contractually bound to process data only as directed and to maintain appropriate security standards. Sub-processors may include providers of cloud hosting and infrastructure, payment processing, email delivery, analytics and error monitoring, and customer support software.
A current list of sub-processors is available upon request by contacting privacy@flowhire.uk.
7.2 Legal and Regulatory Authorities
We may disclose personal data to law enforcement, regulatory bodies, or courts where we are required to do so by law, or where we believe in good faith that disclosure is necessary to protect our legal rights, prevent fraud or harm, or comply with a judicial proceeding or legal process.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business assets, personal data held by us may be transferred to the relevant third party. We will take reasonable steps to ensure that privacy protections are maintained and will notify you before data is transferred and becomes subject to a different privacy policy.
International Transfers of Personal Data
FlowHire is operated from the United Kingdom. We endeavour to process and store all personal data within the UK or the European Economic Area (EEA) wherever possible.
Where we use sub-processors that transfer data outside the UK or EEA, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
- Adequacy decisions issued by the UK Government
- Standard Contractual Clauses (SCCs) approved for use under UK data protection law
- The UK International Data Transfer Agreement (IDTA) or UK Addendum where applicable
You may request further information about our international transfer safeguards by contacting privacy@flowhire.uk.
How Long We Retain Your Data
We retain personal data only for as long as necessary for the purposes for which it was collected, in line with our legal obligations. Our standard retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Account data (active accounts) | Duration of account plus 12 months after closure |
| Billing and payment records | 7 years (HMRC statutory requirement) |
| Customer hire records entered by outfitters | Duration of outfitter account plus 12 months after closure, unless earlier deletion is requested |
| Customer measurement records | As above |
| Website visitor analytics (anonymised) | 26 months from date of collection |
| Support and correspondence records | 3 years from last interaction |
| Consent records | Until consent is withdrawn, plus 3 years thereafter |
Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in a manner that prevents re-identification.
Your Rights Under UK GDPR
Under UK GDPR, you have the following rights in relation to your personal data. These rights are subject to certain exemptions and conditions under applicable law:
Right of Access
Request a copy of the personal data we hold about you. We will respond within one calendar month of receiving a valid request.
Right to Rectification
Request that we correct any inaccurate or incomplete personal data we hold about you without undue delay.
Right to Erasure
Request deletion of your personal data in certain circumstances. This right is not absolute and may be subject to legal obligations.
Right to Restriction
Request that we restrict the processing of your personal data in certain circumstances, such as while a dispute about accuracy is resolved.
Right to Portability
Receive your personal data in a structured, machine-readable format and request that we transmit it to another controller where technically feasible.
Right to Object
Object at any time to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
Rights re: Automated Decisions
Not to be subject to decisions made solely by automated processing that produce legal or similarly significant effects. FlowHire does not currently use such processes.
Right to Withdraw Consent
Withdraw consent at any time where we rely on consent as our lawful basis. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of the above rights, please contact us at privacy@flowhire.uk. We will respond within one calendar month. We may need to verify your identity before processing your request. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.
Cookies and Tracking Technologies
FlowHire uses cookies and similar technologies on www.flowhire.uk in accordance with PECR 2003 and UK GDPR. Cookies are small text files placed on your device that help websites function correctly, improve performance, and provide information to site owners.
| Cookie Type | Consent Required? | Purpose |
|---|---|---|
| Strictly Necessary | Not Required | Essential for the website and platform to function. Cannot be disabled without affecting core functionality. |
| Functional | Required | Remember your preferences and settings to improve your experience across visits. |
| Analytics | Required | Help us understand how visitors use the site so we can improve it. Data is anonymised where possible. |
| Marketing | Required | Track visits for the purposes of relevant advertising. We do not currently serve advertising through the FlowHire platform. |
You can manage your cookie preferences at any time through our cookie consent banner or your browser settings. Please note that disabling strictly necessary cookies may prevent you from using parts of the website or platform.
Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration or disclosure. Our security measures include:
- Encryption of personal data in transit using TLS (Transport Layer Security)
- Encryption of personal data at rest
- Access controls and role-based permissions within the FlowHire platform
- Regular security reviews and vulnerability assessments
- Staff data protection awareness training
- Secure password hashing — we do not store plain-text passwords
- Automatic session timeouts to reduce the risk of unauthorised access
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and where required, we will inform affected individuals without undue delay.
Children's Data
FlowHire is a business-to-business platform intended for use by adults operating legitimate hire businesses. We do not knowingly collect personal data from individuals under the age of 18 through our marketing website.
Outfitters may, in the course of their business, record hire data relating to young people — for example, in connection with school prom, graduation, or other formal occasion attire. In such cases, the outfitter, as Data Controller for their customers' data, is responsible for ensuring they have an appropriate legal basis for processing this information in compliance with applicable data protection law.
Third-Party Links
Our website may contain links to third-party websites, products or services. This Privacy Statement applies only to www.flowhire.uk and the FlowHire platform. We are not responsible for the privacy practices of any third-party websites and recommend that you review their privacy policies before providing any personal data to them.
Changes to This Privacy Statement
We may update this Privacy Statement from time to time to reflect changes in our practices, technology, legal requirements or other factors. Where we make material changes, we will notify you by email (if you have an active account) and/or by displaying a prominent notice on our website prior to the changes taking effect.
The 'Last Reviewed' date at the top of this page indicates when this Privacy Statement was most recently updated. We encourage you to review it periodically to stay informed about how we protect your personal data.
How to Complain
If you are unhappy with how we have handled your personal data, or believe we have failed to comply with applicable data protection law, we ask that you contact us first so that we can investigate and attempt to resolve the matter:
If you remain dissatisfied with our response, you have the right to lodge a complaint directly with the UK supervisory authority:
Information Commissioner's Office (ICO)
Contact Us
For any questions, concerns or requests relating to this Privacy Statement or the way we handle personal data, please get in touch with our team: