Privacy Policy
Short version: We collect only what we need to run Fluxary, we never sell your data, and you can delete everything at any time. Read on for the full details.
1. Who we are
Fluxary ("we", "us", or "our") is a SaaS platform that helps solo founders automate their social media content. Our service is operated by Fluxary and is accessible at fluxary.app. For any privacy-related questions, contact us at [email protected].
2. Information we collect
2.1 Information you provide directly
- Account data: email address, name, and password (or OAuth token if you sign in with Google).
- Brand data: website URLs, brand descriptions, product information, and content preferences you configure in your brand kit.
- Payment data: billing information is handled entirely by Stripe — we never see or store your card number.
2.2 Information collected automatically
- Usage data: pages visited, features used, and actions taken within the app (e.g., content generation, approvals).
- Device & log data: IP address, browser type, operating system, and timestamps.
- Cookies and analytics: essential authentication and preference cookies. We also use Google Analytics 4 with Consent Mode v2 — analytics cookies are denied by default and only set if you accept via our cookie banner. We do not run advertising or cross-site tracking cookies.
2.3 Information from third parties
- If you use Google OAuth, we receive your name and email from Google.
- When you enter a website URL for brand analysis, our scraper fetches publicly available content from that URL.
3. How we use your information
- To provide, maintain, and improve the Fluxary service.
- To generate branded content based on your brand kit configuration.
- To send transactional emails (account confirmations, invoices, alerts).
- To communicate product updates and feature announcements (you can opt out at any time).
- To prevent fraud and abuse, and to ensure platform security.
- To comply with legal obligations.
We do not use your data to train AI models, nor do we sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal basis for processing (GDPR)
- Contract: processing necessary to provide the service you signed up for.
- Legitimate interests: security, fraud prevention, and service improvement.
- Consent: marketing communications (you can withdraw at any time).
- Legal obligation: where required by applicable law.
5. Data sharing and subprocessors
We share data only with trusted subprocessors necessary to operate the service:
- Supabase — authentication and database hosting.
- Railway — backend API infrastructure.
- Stripe — payment processing.
- OpenAI / Anthropic — AI content generation (only brand-related prompts are sent; no personal user data).
- Vercel — frontend hosting and CDN.
All subprocessors are contractually required to protect your data and comply with applicable privacy laws.
6. Data retention
We retain your account data for as long as your account is active. Generated content and brand data are retained until you delete them or close your account. Log data is retained for up to 90 days. After account deletion, all personal data is permanently deleted within 30 days.
7. International transfers
Our infrastructure is primarily based in the United States and EU. If you are located in the EU/EEA, data transfers to the US are covered by Standard Contractual Clauses (SCCs) or adequacy decisions as applicable.
8. Your rights
Depending on your location, you may have the following rights:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a machine-readable format.
- Restriction: limit how we process your data.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: for any consent-based processing.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. See our GDPR page for more details.
9. Cookies and analytics
We use two categories of cookies:
- Strictly necessary: authentication, session and preference cookies required to operate the service. These cannot be disabled.
- Analytics (optional): Google Analytics 4 to understand which pages and features are used. Loaded under Google Consent Mode v2 with analytics_storage set to denied by default — Google receives only "cookieless pings" until you accept via the cookie banner shown on first visit. You can change your choice at any time by clearing the consent.v1 entry in your browser storage.
We do not run advertising, cross-site tracking, or profiling cookies. You can also manage cookies through your browser settings.
10. Security
We implement industry-standard security measures including TLS encryption in transit, encrypted storage at rest, and access controls. However, no system is 100% secure — please use a strong, unique password and enable any available 2FA options.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Questions or concerns about this policy? Contact us at [email protected] or visit our Contact page. You also have the right to lodge a complaint with your local data protection authority.