Waterfall → Iterative → Agentic: Our new handbook on AI Systems Engineering

Privacy & Cookie Policy

Last updated May 20, 2026

How Flow Engineering (TRC Space Ltd) collects, uses, and protects personal data, and how we use cookies.

1. Introduction

Flow Engineering is committed to safeguarding privacy for website visitors, service users, and customers.

This policy applies where the company acts as a data controller determining purposes and means of personal data processing.

The site uses cookies; non-essential cookies require user consent upon first visit.

"We," "us," and "our" refer to TRC SPACE LTD.

2. The Personal Data That We Collect

This section outlines general categories of personal data processed and sources of data not obtained directly from users.

Contact data

Includes name, email, telephone, postal address, and social media identifiers from you or your employer.

Account data

Includes identifiers, name, email, business name, job title, account dates, settings, and preferences from you, your employer, or generated by the website.

Customer relationship data

Covers name, business/employer name, job title, contact details, classifications, and communication records.

Service data

Encompasses information entered into or generated by the hosted service platforms.

Transaction data

Includes name, contact details, payment information, and transaction details from you or payment providers.

Communication data

Contains content and metadata from communications sent to or from the company.

Usage data

Includes IP address, location, browser type, operating system, referral source, visit duration, page views, and navigation patterns from analytics systems.

Users should not supply other persons' personal data unless prompted.

3. Purposes of Processing and Legal Bases

This section outlines processing purposes and legal bases under applicable data protection law.

EEA and UK law requires a "legal basis" for each data collection purpose.

Processing occurs for website operation, order fulfillment, payment processing, and billing based on contract necessity, legitimate interests, consent, and legal compliance requirements.

Personal data is processed for relationship management, communications (excluding direct marketing), support, and complaints based on contractual necessity, legitimate interests, consent, and legal requirements.

Personalization of website content relies on service operation necessity, legitimate interests in improving user experience, consent, and legal compliance.

Direct marketing communications use legitimate interests in business promotion and consent as legal bases.

Website and services research and analysis relies on operational necessity, legitimate interests, consent, and legal requirements.

Database creation and maintenance is based on operational necessity and legitimate interests in efficient business operations.

Security and fraud prevention processing uses contractual obligations, legitimate interests in protection, consent, and legal requirements.

Insurance coverage and risk management processing relies on contractual obligations and legitimate interests in business protection.

Legal claim establishment, exercise, or defense processing uses contractual obligations and legitimate interests in legal rights protection.

Compliance with legal obligations or protection of vital interests uses contractual obligations and legitimate interests.

4. Automated Decision-Making

Personal data is used for automated decision-making to identify users likely to benefit from services.

This involves analyzing job title and company alongside non-personal company data compared to historical data.

Consequences include targeted or reduced marketing communications based on likely service benefit.

5. Providing Your Personal Data to Others

Personal data may be disclosed to insurers and professional advisers for insurance and risk management purposes.

Website and services databases are stored on Amazon Web Services servers.

Personal data may be disclosed to third-party services integrated directly by users.

Payment providers receive transaction data only as necessary for payment processing and complaint handling.

Disclosure occurs when required for legal compliance or vital interest protection, or for legal claims.

Personal data may be disclosed to The Rocket Science Group LLC for mailing list maintenance and marketing.

Mixpanel UK Ltd. receives data for analyzing user behavior within services.

Google LLC receives data for analyzing user behavior within services.

Twilio Limited receives data for data collection, sorting, and transfer to third-party processors.

Google API usage adheres to "Google API Services User Data Policy" including Limited Use requirements.

6. International Transfers of Your Personal Data

This section addresses circumstances for transferring personal data to third countries under UK/EU law.

Data may transfer between the EEA and UK or between UK and EEA during adequacy periods.

UK hosting facilities benefit from adequacy decisions; transfers outside UK use standard contractual clauses.

US data analytics suppliers benefit from adequacy determinations; transfers use standard contractual clauses.

Users acknowledge that published personal data may be available worldwide via the internet.

7. Retaining and Deleting Personal Data

This section outlines data retention policies ensuring legal compliance with retention obligations.

Personal data is retained only as long as necessary for processing purposes.

Retention periods:

  • Contact data: minimum 48 months, maximum 10 years from last contact
  • Account data: minimum 2 months, maximum 2 years from account closure
  • Customer relationship data: minimum 48 months, maximum 10 years from relationship end
  • Service data: minimum 48 months, maximum 10 years from contract end
  • Transaction data: minimum 48 months, maximum 10 years from transaction
  • Communication data: minimum 48 months, maximum 10 years from communication
  • Usage data: 10 years from collection

Published personal data under license may be retained beyond specified periods per license terms.

Data may be retained longer for legal obligation compliance or vital interest protection.

8. Security of Personal Data

Appropriate technical and organizational precautions secure personal data against loss or misuse.

Facility access controls include security cards, keys, electronic locks, and surveillance systems.

Data system protections include secure passwords, automatic blocking, two-factor authentication, and encryption.

Internal access controls include authorization concepts, need-based access rights, and system access logging.

Electronic transfer protections include encryption, VPNs, and electronic signatures.

Verification controls include logging and document management for data changes.

Loss prevention includes backup strategies, uninterruptible power, virus protection, firewalls, and contingency planning.

Third-party data processing occurs with contractual arrangements, formalized management, provider controls, and pre-evaluation.

Passwords and cardholder data are stored encrypted.

Data from browsers and web servers is protected using encryption technology.

Users acknowledge that unencrypted internet transmission is inherently insecure.

Users are responsible for maintaining password confidentiality; the company will not request passwords.

9. Your Rights

This section summarizes data protection rights; users should review relevant laws for full explanations.

Principal rights include: access, rectification, erasure, processing restriction, objection to processing, data portability, complaint to supervisory authorities, and consent withdrawal.

Users have rights to confirm data processing and access personal data with additional information. First copies are free; additional copies may incur reasonable fees. Access is available via help@flowengineering.com.

Users may request rectification of inaccurate data and completion of incomplete data.

Erasure rights apply when data is unnecessary, consent is withdrawn, processing is objected to, processing is for direct marketing, or processing was unlawful. Exclusions include freedom of expression, legal obligations, and legal claim establishment.

Processing restriction applies when data accuracy is contested, processing is unlawful but erasure is opposed, data is no longer needed but legal claims require it, or processing is objected to pending verification.

Users may object to processing based on particular situations when legal basis involves public task performance or legitimate interests. The company must cease processing unless compelling legitimate grounds override interests or processing establishes legal claims.

Users may object to direct marketing processing; the company will cease this processing upon objection.

Users may object to scientific, historical, or statistical research processing based on particular situations.

For consent-based or contract performance processing via automated means, users have rights to receive personal data in "structured, commonly used and machine-readable format," except where this affects others' rights.

Users may lodge complaints with supervisory authorities in their jurisdiction for alleged infringements.

Users may withdraw consent at any time without affecting lawfulness of prior processing.

Rights may be exercised by written notice or email to help@flowengineering.com.

10. Third-Party Websites

The website includes hyperlinks to third-party websites.

The company is not responsible for third-party privacy policies and practices.

11. Personal Data of Children

Services are targeted at persons over 18 years old.

Personal data of persons under 18 will be deleted if discovered.

12. Updating Information

Users should notify the company of corrections or updates needed to personal information.

13. About Cookies

Cookies are files containing identifiers sent by web servers to browsers and stored by browsers.

Persistent cookies remain valid until expiry or deletion; session cookies expire when the browser closes.

Cookies may not contain identifying information, but stored personal data may be linked to cookie information.

14. Cookies That We Use

Cookie purposes include:

  • Authentication and status: Log In status cookies for Flow services
  • Personalization: Preference Settings cookies for Flow services
  • Analysis: Analytics Cookies for Flow Services
  • Cookie consent: Cookie Preference Cookie for Flow Website

15. Cookies Used by Our Service Providers

Service providers' cookies may be stored on users' computers when visiting the website.

Google Analytics gathers website usage information via cookies for reports. More information is available in Google's privacy policy.

Segment analyzes website and services users using cookies for repeat visit recognition. Privacy policy available via Twilio.

16. Managing Cookies

Browser-specific cookie management instructions are available for Chrome, Firefox, Opera, Internet Explorer, Safari, and Edge.

Blocking all cookies negatively impacts website usability.

Cookie blocking prevents use of certain website features.

17. Amendments

The policy may be updated by publishing a new version on the website.

Users should check the page occasionally for policy changes.

18. Our Details

The website is owned and operated by TRC Space Ltd.

Registration: England and Wales, number 10407202; Registered office: Flow Engineering, Northwest House, 119 Marylebone Road, London, NW1 5PU.

Principal place of business: Flow Engineering, Northwest House, 119 Marylebone Road, London, NW1 5PU.

Contact options: postal address above or help@flowengineering.com.