Privacy Notice

Last updated: March 2026

1. Who We Are

Lemonflow Technologies GmbH
Kreittmayrstraße 3, 80335 Munich, Germany
Email: info@lemonflow.ai

Lemonflow provides AI-powered customer support solutions for electric vehicle (EV) charging operators. This notice explains how we handle personal data in two capacities:

  • As a data controller — for our website visitors, business contacts, and demo users (Section 2).
  • As a data processor — for personal data processed on behalf of our customers through the Lemonflow platform (Section 3).

Lemonflow has not appointed a Data Protection Officer (DPO), as the company does not meet the thresholds under Art. 37 GDPR. For all data protection inquiries, please contact us at info@lemonflow.ai.

2. Data We Collect as Controller

2.1 Website Visitors

DataPurposeLegal BasisRetention
IP address, browser details, pages visited, timestampsServer operation, security, and technical diagnosticsLegitimate interest (Art. 6(1)(f))30 days (server logs)
Aggregated visit statisticsUnderstanding which pages are useful (Cloudflare Web Analytics)Legitimate interest (Art. 6(1)(f))Aggregated, no personal data retained

We do not set tracking, marketing, or preference cookies. Cloudflare Web Analytics operates entirely without cookies or personal profiling. No cookie banner is required.

2.2 Demo Callers

DataPurposeLegal BasisRetention
Phone number (caller ID)Call routingLegitimate interest (Art. 6(1)(f))90 days
Voice recording and transcriptProduct demonstration, quality improvement, diagnosticsLegitimate interest (Art. 6(1)(f))90 days

The phone number on our website connects to an automated voice AI demonstration. No human agent participates. If you prefer not to be recorded, please contact us by email instead.

2.3 Business Contacts

DataPurposeLegal BasisRetention
Name, email, company, job titleResponding to inquiries, sales communicationLegitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a))Duration of business relationship + 2 years
Communication historyRelationship managementLegitimate interest (Art. 6(1)(f))Duration of business relationship + 2 years

2.4 Job Applicants

DataPurposeLegal BasisRetention
CV, cover letter, contact details, interview notesRecruitment and hiring decisionsPre-contractual steps (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f))6 months after decision (or longer with consent)

3. Data We Process as Processor (Platform Services)

When our customers (EV charging operators) use the Lemonflow platform, we process personal data on their behalf and under their instructions. In this context:

  • The EV charging operator is the data controller.
  • Lemonflow is the data processor.
  • The relationship is governed by a Data Processing Agreement (DPA) between Lemonflow and the customer.

3.1 What We Process

Data CategoryExamplesProcessing Purpose
Voice interaction dataCall recordings, transcripts, caller phone numberAI-powered customer support delivery
Email / chat / WhatsApp interaction dataMessage content, email addresses, phone numbers, IP addressesAI-powered customer support delivery
Interaction metadataTimestamps, duration, contact reason, resolution outcomeService delivery, quality assurance, reporting
CRM and case dataExisting case information, customer details, interaction history retrieved from customer CRM systemsContextual AI support; retrieved on-demand during interactions
Charger interaction dataCharger ID, connector ID, location, error codesIssue diagnosis and remote resolution
SMS notification dataRecipient phone number, technical case summaryAlerting on-duty staff of critical escalations; recipients are pre-authorised by the customer
Customer employee dataNames, email addresses, login credentials (hashed)Platform access management (Hub portal, SSO)

3.2 How We Protect This Data

  • EU data residency: All data is stored and processed exclusively within the EU (Google Cloud, Belgium and Netherlands).
  • Per-tenant isolation: Each customer's data is stored in a dedicated database. No cross-customer data access.
  • Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • PII redaction: Sensitive data mentioned by callers (credit card numbers, licence plates, RFID tags) is automatically removed from transcripts before storage.
  • No model training: Customer interaction data is never used to train or improve AI models.
  • Retention: Defined per customer in the applicable DPA. Data is securely deleted upon expiry or contract termination.
  • SMS opt-out: Recipients of SMS notifications may reply STOP at any time to opt out. SMS is only sent to employer-authorised staff members.

If you are an EV driver whose interaction was handled by the Lemonflow platform: your data controller is the EV charging operator you contacted. Please refer to their privacy notice for information about how they use your data, or contact them directly to exercise your data protection rights. Lemonflow will assist the controller in fulfilling your request.

3.3 Automated Processing

The Lemonflow platform uses AI to process customer interactions. This includes automated categorisation of contact reasons, escalation level classification (L0–L3), ticket routing, and charger fault diagnosis. These automated processes support human decision-making by the customer's staff and do not produce legal or similarly significant effects on individuals. No fully automated decisions with legal effect are made under Art. 22 GDPR.

4. Sub-Processors

We share personal data with the following categories of service providers, all of which are bound by data processing agreements and process data exclusively within the EU:

  • Cloud infrastructure — hosting, databases, storage, and logging
  • AI / language models — conversational AI processing (real-time, no data retention)
  • Voice, telephony & SMS — speech synthesis, speech recognition, SIP telephony, and SMS notifications
  • Email delivery — transactional email
  • Website analytics — privacy-preserving analytics (no cookies, no personal profiling)

A detailed list of sub-processors, including provider names and locations, is available upon request. Please contact us at info@lemonflow.ai.

5. International Transfers

All personal data is stored and processed within the European Union. We do not transfer personal data to countries outside the EU/EEA. Our infrastructure is deployed exclusively in Google Cloud's EU regions (europe-west1, Belgium and europe-west4, Netherlands).

In the event that a transfer outside the EU becomes necessary in the future (e.g., due to a sub-processor change), we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision, before any transfer occurs.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

RightDescription
Access (Art. 15)Request a copy of the personal data we hold about you.
Rectification (Art. 16)Request correction of inaccurate personal data.
Erasure (Art. 17)Request deletion of your personal data, subject to legal retention requirements.
Restriction (Art. 18)Request that we limit the processing of your data in certain circumstances.
Data portability (Art. 20)Receive your data in a structured, machine-readable format.
Objection (Art. 21)Object to processing based on legitimate interests.
Withdraw consent (Art. 7(3))Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at info@lemonflow.ai. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority. In Germany, this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) for private-sector matters.

7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access control with multi-factor authentication
  • Regular access reviews and audit logging
  • Incident response procedures with defined SLAs
  • Annual security reviews and penetration testing

Further details on our security measures are available to customers and prospective customers upon request.

8. Changes to This Notice

We review this notice periodically to ensure it remains accurate and compliant. Material changes will be published on our website. The "Last updated" date at the top of this page indicates when the most recent revision was made.

© 2026 Lemonflow Technologies GmbH. All rights reserved.