Compliance & Data Protection

FlutraBlue is a kindergarten-management platform operated by a Kosovo-registered company and used by kindergartens in Kosovo, Albania, and North Macedonia. Wherever we operate, we are committed to handling personal data responsibly and in full compliance with the applicable national data-protection law.

All three countries have adopted data-protection legislation that is closely aligned with the European Union's General Data Protection Regulation (EU GDPR). Kosovo is governed by Law No. 06/L-082 on Protection of Personal Data; Albania by Law No. 124/2024 on the Protection of Personal Data; and North Macedonia by the Law on Personal Data Protection (Official Gazette No. 42/2020). Each law establishes the same core principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality — and grants individuals the same fundamental rights over their data.

FlutraBlue operates with a dual role depending on the type of data involved. We are the data controller for account data we collect directly — for example, the contact details and billing information of the kindergarten as our customer. We are the data processor for the personal data that kindergartens enter into the platform — for example, information about children, parents, and staff — and in that capacity we act exclusively on the documented instructions of the kindergarten, which is the controller.

This page explains, in plain language, how we meet our legal obligations and what you can do if you have concerns.

We maintain a comprehensive data-protection programme that covers the full lifecycle of personal data. The measures below are not exhaustive; our full technical and organisational security measures are described in our Data Processing Agreement.

• Documented processor relationship: every kindergarten that uses FlutraBlue signs a Data Processing Agreement (DPA) that sets out the purposes, duration, nature, and categories of processing, our obligations as processor, and the rights and obligations of the kindergarten as controller.
• Data minimisation: we collect only the personal data that is necessary for each specific purpose. We regularly review our data collection practices and remove fields that are no longer needed.
• Technical and organisational security measures: data in transit is encrypted with TLS 1.2 or higher; data at rest is encrypted using AES-256. Access to personal data is restricted to authorised personnel on a need-to-know basis. We conduct regular security assessments and maintain an information security policy.
• Personal data breach procedures: we maintain a documented breach-response procedure. In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where the risk is high, notify affected individuals without undue delay.
• Retention limits: we retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our retention schedule is documented and reviewed annually.
• Support for data-subject rights: our systems are designed to allow us to respond efficiently to requests from individuals to access, correct, delete, restrict, or export their personal data. We assist kindergartens (as controllers) in fulfilling data-subject rights requests that relate to data they control.
• Sub-processor management: we use a limited number of carefully selected sub-processors (such as cloud infrastructure providers and email-delivery services). Each sub-processor is bound by a data-processing agreement that imposes obligations at least equivalent to those in our DPA. Our current sub-processor list is published in Annex III of the DPA.

If you believe that FlutraBlue or a kindergarten using our platform has handled your personal data unlawfully, you have the right to lodge a complaint with the data-protection supervisory authority in your country. The three relevant authorities are listed below.

Complaints about data processed by FlutraBlue as a controller should be directed to the authority in Kosovo, where FlutraBlue is registered. Complaints about data processed by a kindergarten as controller may alternatively be directed to the authority in the country where the kindergarten is established.

Depending on the applicable national law and the role FlutraBlue plays with respect to your data, you may have all or some of the following rights. In every case we will tell you clearly who can best help you exercise each right.

• Right of access — you can ask whether we (or a kindergarten, where they are the controller) hold personal data about you and, if so, receive a copy together with information about how it is used.
• Right to rectification — if your personal data is inaccurate or incomplete, you can ask for it to be corrected or completed.
• Right to erasure ('right to be forgotten') — in certain circumstances you can ask for your personal data to be deleted, for example when it is no longer necessary for the purpose it was collected or when you withdraw consent and there is no other legal basis for processing.
• Right to restriction of processing — you can ask us to restrict how we use your data while a dispute is being resolved, for example if you contest its accuracy.
• Right to data portability — where processing is based on your consent or on a contract, and is carried out by automated means, you can ask to receive your personal data in a structured, commonly used, machine-readable format, or to have it transmitted directly to another controller where technically feasible.
• Right to object — you can object to processing based on legitimate interests or carried out for direct-marketing purposes. Where you object to direct marketing we will stop immediately.
• Right to withdraw consent — where processing is based solely on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
• Right to lodge a complaint — if you believe your rights have been violated, you can lodge a complaint with the supervisory authority in your country (see the Supervisory Authorities section above). You also have the right to an effective judicial remedy.

How you exercise your rights depends on what kind of data is involved and who is the controller for that data.

For data that FlutraBlue controls directly — primarily account and billing data belonging to the kindergarten as our customer — please contact us at the address or email given in the Data Protection Contact section below. We will respond within the timeframe required by the applicable law (generally 30 days, with a possible extension of a further two months for complex requests).

For data about children, parents, or staff that a kindergarten has entered into the platform — such as profile information, attendance records, meal preferences, or communications — the kindergarten is the data controller and FlutraBlue is only the processor. In these cases you should contact the kindergarten directly. We will assist the kindergarten in fulfilling your request as required by our Data Processing Agreement.

FlutraBlue also provides built-in features to help you exercise your rights without needing to contact anyone:

• Data export — from within the app you can request a machine-readable export of the personal data held in your account. This satisfies the right of access and, where relevant, the right to data portability.

• Account deletion — you can request deletion of your account directly from the app settings. This triggers our erasure workflow, which removes your personal data from our live systems subject to any retention obligations we are required to honour (for example, financial records that must be kept for statutory audit periods).

All requests, whether submitted through the app or in writing, will be handled free of charge unless they are manifestly unfounded or excessive.

FlutraBlue takes its data-protection obligations seriously. You can reach our data-protection contact point at:

Email: info@flutra-blue.com

We have not appointed a dedicated Data Protection Officer, as one is not mandatory for our processing under applicable law; all data-protection matters are handled by the contact point above.

If you have a question about how a specific kindergarten handles your data, we recommend contacting that kindergarten directly in the first instance. If you are unsatisfied with the response, you can escalate to the supervisory authority in your country (see the Supervisory Authorities section above).

For full details of how we collect, use, and protect personal data, please refer to the documents below.