Version 1.0.0 · In force · EU/EEA and, where the same or equivalent law applies, UK

Privacy policy

Sleinir ApS, Søledsvej 41, 4684 Toksværd, Denmark, is the controller for the personal data processing described in this policy for the Flywheel website, account, and (where you are not a controller) related operations. We, us, and our mean Sleinir ApS. Contact: see How to contact us below.

In force: 24 April 2026 · Version 1.0.0 · https://flywheel-mail.eu

We process data in a way that is consistent with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable national law in Denmark and the EU/EEA, and, where the same or equivalent law applies, the United Kingdom.

Table of contents

Who we are

Sleinir ApS (company registration in Denmark) operates Flywheel, a transactional email service for business customers. When you are our customer, we are often not the controller of your end users’ personal data in the content of the emails you send: that is usually your responsibility as controller; in that case our relationship is described in the DPA as processor on your instructions. This privacy policy still describes how we process account, billing, support, and service operation data about you and your users in our product.

What data we process and why

We process the minimum needed to run the product and meet legal obligations:

  • Account and sign-up: name and email, password, organisation details you give us, and similar account data — to open and maintain your access, to identify you, and to meet pre-contract and contract steps. Lawful bases: Article 6(1)(b) (contract) and, where we must keep certain records, (c) (legal obligation), and (f) (legitimate interests in security and abuse prevention), in line with a balancing test.
  • Billing and tax information you and our payment provider handle — to charge and comply with tax and accounting rules, Article 6(1)(b) and (c).
  • Email traffic metadata required to operate sending, reputation, bounce handling, and abuse prevention, and, where you request it, analytics in line with your settingsArticle 6(1)(b), (c), and, where we rely on it, (f).
  • Support and communication you send to us, including the content you choose to share — to help you and improve the service where appropriate — (b) and (f).
  • Server and security records where needed for integrity and incident response — (c) and (f).

We do not use the personal data in this notice to build unrelated profiling beyond what the service offers and you control.

How long we keep data

We keep account and contract data for the length of the relationship and, where required, a further period to meet accounting, tax, and legal claims limits. We delete or anonymise earlier where the law and our retention schedule allow. Bounce and delivery data may be kept in line with deliverability and abuse needs, then aggregated or deleted as the product and law require.

Recipients and transfers

Processors we use (for hosting, payment, infrastructure support, and similar) receive data only on our instructions and under Article 28-style contracts where the GDPR requires them. A current list of sub-processors is in the DPA and the sub-processors page. Transfers outside the EEA (for example, where a supplier is in a country without an adequacy decision) are made under Standard Contractual Clauses or other tools the GDPR accepts for your situation, as set out in our DPA and, where you need them, further transparency we provide in contract or in order.

Your rights

You have, where the GDPR gives them, access, rectification, erasure, restriction, portability (where technically feasible), objection (in particular to (f) processing you may object to under Article 21), and the right not to be subject to solely automated decisions with legal or similar significant effect, unless an exemption applies. You may withdraw consent where we rely on (a), where we use it. You may lodge a complaint with a supervisory authority — in Denmark, the Data Protection Agency (Datatilsynet) or, if you are elsewhere in the EEA, often your local lead authority or the authority of your habitual residence or work.

How to contact us and supervisory authorities

Sleinir ApS
Søledsvej 41
4684 Toksværd
Denmark

Use the contact details we publish on the service for data protection questions, including requests to exercise your rights under data protection law. We will respond in line with the one-month (and exceptionally extended) timetable the GDPR sets where it applies.

Danish supervisory authority: https://www.datatilsynet.dk/english (as updated from time to time).

Changes to this notice

We update this page when the way we process data or the law changes materially. The version and in-force date at the top and on the published legal pages in the app, and a durable summary in the product where the law asks for it, govern what you were told at a given time.

Terms of service · Data processing agreement · Sub-processors