Legal

GDPR & Your Data Rights

Last updated: May 16, 2026 · Applies to users in the EU/EEA and UK

Your data belongs to you. We are committed to full compliance with the General Data Protection Regulation (GDPR). This page explains your rights and how to exercise them. For full details on how we process data, see our Privacy Policy.

Your rights under GDPR

📋

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including what data, why we have it, and who we share it with.

✏️

Right to Rectification (Art. 16)

Ask us to correct any inaccurate or incomplete personal data we hold about you without undue delay.

🗑️

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten") when it's no longer necessary for the purpose it was collected.

⏸️

Right to Restriction (Art. 18)

Ask us to suspend processing of your data while a dispute is resolved or pending verification of accuracy.

📦

Right to Portability (Art. 20)

Receive your personal data in a structured, machine-readable format (JSON/CSV) to transfer to another service.

🚫

Right to Object (Art. 21)

Object to processing based on our legitimate interests, including profiling. We will stop unless we have compelling legitimate grounds.

🔕

Withdraw Consent (Art. 7)

Withdraw consent for any consent-based processing (e.g., marketing emails) at any time. Withdrawal does not affect prior lawful processing.

🤖

Automated Decisions (Art. 22)

Request human review of any decision made solely by automated processing that significantly affects you.

How to exercise your rights

To exercise any of the rights above, send an email to [email protected] with the subject line "Data Rights Request" and tell us which right(s) you wish to exercise.

We will respond within 30 days of receiving your request. In complex cases, we may extend this by a further two months and will notify you accordingly.

We may need to verify your identity before processing your request to protect against unauthorized access.

Legal basis for processing

Processing activity	Legal basis
Account creation & authentication	Contract (Art. 6(1)(b)) — necessary to provide the service
Content generation & brand analysis	Contract (Art. 6(1)(b)) — core service delivery
Billing & payment processing	Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c))
Security & fraud prevention	Legitimate interests (Art. 6(1)(f))
Product updates & marketing emails	Consent (Art. 6(1)(a)) — you can opt out at any time
Analytics & service improvement	Legitimate interests (Art. 6(1)(f))
Legal compliance & record-keeping	Legal obligation (Art. 6(1)(c))

Data transfers outside the EU

Some of our subprocessors operate in the United States (Supabase, OpenAI, Stripe, Vercel). All cross-border data transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Processing Agreements (DPAs) with each subprocessor.
Adequacy decisions where applicable.

You can request a copy of the relevant SCCs or DPAs by emailing [email protected].

Data retention

Account & brand data: retained while your account is active.
Generated content: retained until you delete it or close your account.
Server logs: maximum 90 days.
Billing records: 7 years (legal obligation).
After deletion: all personal data permanently erased within 30 days.

Cookies

We use strictly necessary cookies for authentication, session and preferences, plus optional Google Analytics 4 cookies loaded under Google Consent Mode v2. Analytics cookies are denied by default — until you explicitly accept via our cookie banner, Google only receives "cookieless pings" with no identifiers. We do not use advertising, profiling, or cross-site tracking cookies.

Data Protection Officer

Fluxary is a small company and does not currently appoint a dedicated DPO. All data protection enquiries are handled directly by our team. Contact us at [email protected].

Right to lodge a complaint

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with your local data protection authority:

EU: your national supervisory authority (e.g., AEPD in Spain, CNIL in France, BfDI in Germany).
UK: the Information Commissioner's Office (ICO) at ico.org.uk.

We always encourage you to contact us first at [email protected] so we can try to resolve any concerns directly.