Skip to content
  • Home
  • Contact
  • Blog
  • IPMFlow Desktop
IPMFlow
IPMFlow
  • Home
  • Contact
  • Blog
  • HU
IPMFlow
IPMFlow

IPMFlow Desktop – Privacy Notice

Version: 2026-07-18-en-v8
Service Provider: Trapshop Kft. (Ltd.)

1. Introduction and Definitions

The purpose of this Privacy Notice is to explain what personal data Trapshop Kft. (the “Service Provider” or “we”) processes during the sale, licensing, support, and limited online technical functions of the software.

This document distinguishes between:

  1. the Service Provider’s own data processing activities, and
  2. the Customer’s local use of IPMFlow Desktop on the Customer’s own device or environment.

For the general browsing of our website (ipmflow.com), cookie management, web analytics, website security services, and any separate cloud-based services, the Service Provider’s website privacy materials apply.

2. Data Controller Details (for Sales and Support Data)

  • Name: Trapshop Kft.
  • Registered office: 34 Fo utca, Batyk 8797, Hungary
  • E-mail: [email protected]
  • Phone: +36 30 220 9884
  • Website: https://ipmflow.com

3. Software Operation Principles and Data Controller Allocation

  • Local operation: IPMFlow Desktop is an installed, primarily local application. Data entered into the software, such as documents, analyses, generated workflow content, and local records, is stored in the Customer’s own environment.
  • No routine provider access: The Service Provider does not routinely access, view, or centrally store the Customer’s local business records created inside the desktop software.
  • Customer as controller: For local business content and any personal data the Customer decides to place into the software, the Customer acts as data controller. The Service Provider provides the software tool.

3.1 Shared Knowledge Base and Historical Analysis Copies

The software may include an optional shared reference library (“Knowledge Base”) maintained locally by the Customer’s authorized users.

  • Knowledge Base materials are stored locally in the Customer’s own environment.
  • If the Customer enables multi-user use within the same deployment, active Knowledge Base items may be visible to other authorized users of that same organization.
  • When a Knowledge Base item is selected for an analysis, the software may keep a run-linked historical copy of the selected material so that earlier analyses remain understandable, auditable, and reproducible.
  • These historical copies are also stored locally as part of the Customer’s records.

If Knowledge Base materials contain personal data, confidential business information, or trade secrets, the Customer remains responsible for deciding whether such inclusion is lawful, necessary, and proportionate.

3.2 Optional Mobile Risk PWA Companion

The product may include an optional, separate web-application companion (“Mobile Risk PWA”) for field capture of risk-assessment data.

  • On-device encrypted storage: Business and field data entered into the companion stays on the Customer’s device in an encrypted (AES-GCM) browser vault.
  • File-only transfer: Data moves to and from IPMFlow Desktop solely through user-controlled, encrypted files. The companion performs no server-side synchronization and uses no telemetry, analytics, crash reporting, mobile AI, photo, or attachment handling.
  • No provider access to field data: The Service Provider does not access, view, or store the business or field data captured in the companion; the Customer acts as data controller for it.
  • Hosting and technical connection data: The companion is served as static web assets from a hosting provider. When the application is loaded or updated, the hosting provider processes only technical connection data (such as IP address and request logs) to deliver the assets — the same category as an ordinary website visit. No business or field data is transmitted to the hosting provider.
  • Hosting provider: Vercel Inc. (Registered office: 340 S Lemon Ave #4133, Walnut, CA 91789, USA; website: www.vercel.com).
  • International transfers: Because IPMFlow Desktop and its companion are made available to customers worldwide, the hosting provider may process the above technical connection data in the United States or other countries. Such processing and any transfers are carried out in accordance with the data protection laws applicable from time to time and, where required, under appropriate transfer safeguards (for example, where the EU General Data Protection Regulation [GDPR] applies, the European Commission’s Standard Contractual Clauses [SCC]).

4. Scope of Data Processed by the Service Provider

4.1 Quotation, Ordering, Licensing, and Invoicing

Before local use of the software begins, the Service Provider processes the Customer’s data for ordering, licensing, invoicing, and delivery.

  • Processed data may include: company name, contact person’s name, address, tax number or EU VAT number, e-mail address, and IP address.
  • Purpose: order processing, contract performance, invoicing, payment handling, and sending the license file.
  • Legal basis: GDPR Article 6(1)(b) (performance of a contract) and Article 6(1)(c) (compliance with legal obligations, such as accounting obligations).
  • Retention period: invoicing and accounting records are retained for the period required by applicable law.

Data processors used for sales and finance may include:

  • Hosting provider: Rackhost Zrt. (website operation)
  • Invoicing system: Billingo Technologies Zrt. (electronic invoicing and invoice storage)
  • Payment provider: Barion Payment Zrt. (online payment processing where applicable)
  • Accounting providers: Kutyavilag Kft. and Animado Kft. (accounting and tax administration)

4.2 Checking for Software Updates

Upon launch, the software may initiate a background query to check whether a newer version is available.

  • Processed data: technical connection data such as IP address and query time; no local business records, passwords, or local database contents are intentionally transmitted for this purpose.
  • Purpose: promoting secure operation and keeping the software up to date.
  • Legal basis: GDPR Article 6(1)(f) (legitimate interest).
  • Retention period: technical log files are typically retained only for a limited operational period.
  • Offline use: if no internet connection is available, the check may fail silently and the application continues to operate locally.

4.3 Customer Service and Support

  • Processed data: the content and attachments of support messages sent to [email protected], together with the sender’s name and e-mail address.
  • Purpose: troubleshooting, customer support, communication, and product improvement.
  • Legal basis: GDPR Article 6(1)(b) and, where applicable, Article 6(1)(a).
  • Retention period: up to 2 years from the last support interaction, unless longer retention is required by law or necessary to resolve a dispute.
  • Processor used for support communications: Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) for Google Workspace e-mail and related business communication tooling used to receive and manage support messages.

Important practical note: The Customer should avoid sending unnecessary personal data, full confidential files, or entire document libraries to support. Redaction and data minimisation are recommended wherever possible.

5. AI Features and Third-Party Providers (OpenRouter or Other Buyer-Selected AI Services)

  • BYOK model: To use cloud AI features, the Customer provides and manages its own API key. If the Customer configures a local AI provider, the Customer controls that local endpoint and its data handling.
  • Direct routing: AI-related inputs are transmitted from the Customer’s own environment to the AI provider selected in the application settings. For the OpenRouter cloud option, requests are sent to OpenRouter and may then be routed onward to the selected model provider. The Service Provider does not operate a mandatory cloud relay for those AI calls.
  • AI Privacy Shield for OpenRouter requests: Before a cloud call, the application replaces the real values of known structured identity fields with reversible, run-isolated placeholder tokens. Covered fields are the provider and client company names, provider licence/contact/address, client address and e-mail, site name, expert/current-user name, and responsible party in hazard rows; recognizable e-mail addresses also receive limited text-level masking. Tokens preserve the semantic category and within-run identity relationship, and the application restores real values locally in a successful response. Requests routed to a local AI provider do not use this cloud-protection layer.
  • Limited Privacy Shield guarantee: This is targeted pseudonymization, not a general DLP, NER, OCR, anonymization, or content-redaction system. Internal content of uploaded PDFs and images, including file_data and image data URLs, is sent unchanged to the selected provider. Masking of known values and recognizable e-mails inside selected Knowledge Base documents is best-effort and not guaranteed to be complete. Unknown person or company names in arbitrary free text, spreadsheet cells, file content, or prior AI text may not be recognized. The Customer remains responsible for data minimization, any necessary redaction, and the lawfulness of sending such content to a cloud provider.
  • What may be transmitted: subject to the targeted pseudonymization and limitations above, prompts and free-text instructions, uploaded file contents (including tabular files, PDFs, and images), site-related data entered by the Customer, generated intermediate analysis context needed for the workflow, and any Knowledge Base reference materials actively selected by the user for that specific analysis.
  • Possible data categories: Depending on what the Customer enters or uploads, AI inputs may include business records, site names or addresses, pest activity observations, employee or contact names, photos or document text, commercially confidential information, trade secrets, and personal data. The software cannot automatically know whether an uploaded file contains personal or confidential data.
  • Provider roles and terms: OpenRouter and any downstream model provider process AI submissions under their own terms, privacy notices, retention rules, and security commitments. The Customer is responsible for reviewing those provider terms before use, including any international transfer implications.
  • No routine Service Provider visibility: The Service Provider does not routinely inspect or store the content of AI submissions for its own purposes. The local application may store analysis history, selected Knowledge Base snapshots, and generated outputs on the Customer’s device or environment so the workflow remains auditable and reproducible.
  • Customer responsibility and legal basis: If the Customer includes personal data, confidential information, or trade secrets in AI inputs, the Customer is responsible for ensuring there is an appropriate legal basis, necessary notices or permissions, and internal authorization for doing so.
  • Minimisation recommendation: The Customer should include only data that is necessary for the task and should remove, redact, or anonymise unnecessary personal data, full document libraries, credentials, and unrelated confidential content before upload or prompt submission.

6. Data Security

  • Service Provider systems: We apply appropriate technical and organizational measures in the systems we control, such as account protection, endpoint protection, and reasonable access controls.
  • Customer systems: Because the software’s working data mainly resides on the Customer’s own machine or environment, the Customer is responsible for local access control, device security, backup, retention, and internal permission management.

7. Data Subject Rights

With respect to personal data processed by the Service Provider, data subjects may have rights of access, rectification, erasure, restriction, portability, and objection, subject to applicable law.

Where retention is required by legal obligation, certain deletion requests may need to be refused or partially limited.

Complaints may be submitted to the competent supervisory authority, including the Hungarian National Authority for Data Protection and Freedom of Information (NAIH): https://www.naih.hu/

8. Changes to This Document

If the legal or technical operation of the product changes materially, the Service Provider may update this document and publish the revised version in the application, on the website, or by other appropriate means.

IPMFlow

Trapshop Kft.
H-8797 Batyk, Fo utca 34.
HU32050547
[email protected]

INFORMATIONS

  • Home
  • Contact
  • Cookie Policy
  • Privacy Policy
  • Legal Disclaimer

LINKS

  • Blog
  • IPMFlow Desktop license
  • Audit-Ready Reports & Trend Analysis in Minutes

PAYMENT METHODS

Copyright © 2026 IPMFlow - Trapshop Kft.

IPMFlow
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}