Privacy Policy
Last updated — February 27, 2026
Your privacy matters to us. This policy explains what information Flux collects, how we use it, who we share it with, and the choices you have.
This Privacy Policy was drafted in collaboration with Claude (Anthropic) and reviewed by Flux.
1. Introduction
Flux ("we", "us", "our") operates goflux.dev and the Flux macOS application (collectively, the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding it.
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree with any part of this policy, you must discontinue use of the Service.
This policy applies to all users worldwide. Where specific rights apply based on your jurisdiction (such as GDPR for EEA residents or CCPA for California residents), those are addressed in dedicated sections below.
2. Information We Collect
Account Information. When you create a Flux account, we collect your name, email address, and authentication credentials. If you sign in via a third-party OAuth provider (Google or Discord), we receive only the profile information that provider explicitly shares with us (typically name, email, and profile photo).
Usage & Credit Data. We record credit consumption (Flux Credits used per session), feature engagement events, and session metadata (timestamps, session duration, app version). This helps us operate the credit system accurately and improve the product. We do not log the full content of your prompts or AI responses on our servers.
AI Interactions. Your prompts and conversation messages are transmitted to third-party AI model providers for processing and to generate responses. These transmissions are ephemeral — we do not persistently store conversation content on our servers beyond what is necessary to maintain session continuity within the active session.
Device & Diagnostic Information. We may collect basic device metadata (macOS version, hardware model, app version, crash reports) to diagnose technical issues and ensure compatibility. This data is pseudonymised wherever possible.
Payment Information. Subscription and top-up payments are processed by our third-party payment processor. We do not store your full card number, CVV, or banking details. We retain only a tokenised payment reference, the last four digits of your card, card brand, and transaction metadata (amount, date, plan, description) necessary for billing records.
Communications. If you contact us via email or other channels, we retain those communications to help resolve your inquiry and improve our support.
Cookies & Local Storage. Our web dashboard uses essential cookies and browser local storage for authentication (session tokens) and preference persistence. We do not use third-party advertising cookies or tracking pixels. You may disable cookies in your browser settings, but doing so may prevent you from using certain features of the Service.
3. How We Use Your Information
Providing the Service. To create and manage your account, process payments, allocate and track Flux Credits, authenticate API key requests, and deliver AI-powered features.
Billing & Financial Records. To charge for subscriptions, top-ups, and pay-as-you-go usage; to issue invoices; to maintain accurate billing history; and to comply with financial record-keeping requirements.
Communications. To send transactional emails (account creation, payment receipts, credit alerts, security notices), product update announcements, and responses to your support inquiries. You may opt out of non-essential communications at any time.
Security & Fraud Prevention. To detect, investigate, and prevent fraudulent transactions, abuse, chargeback fraud, unauthorised access, and other harmful or illegal activity.
Product Improvement. To analyse anonymised and aggregated usage patterns to understand how users interact with the Service, identify bugs, and prioritise features. We do not use the content of your AI conversations for this purpose.
Legal Compliance. To comply with applicable laws, regulations, court orders, or governmental requests.
4. AI Processing & Third-Party Providers
AI Model Providers. To generate AI responses, your messages are transmitted to one or more third-party AI model providers. These providers process your input on their servers in accordance with their own terms of service and privacy policies. We encourage you to review the privacy practices of these providers. We select providers that offer enterprise-grade data handling and do not use user data for model training without explicit consent.
Infrastructure. Our backend, database, and edge functions are hosted on Supabase (running on Amazon Web Services). Your account data and billing records are stored on these services with encryption at rest (AES-256) and in transit (TLS 1.3).
Payment Processing. Payments are handled by a PCI-DSS compliant third-party payment processor. Your full payment card details are transmitted directly to the processor and never pass through or are stored on our servers.
Authentication Providers. If you use Google or Discord sign-in, those providers will process your authentication in accordance with their own privacy policies. We receive only the information necessary to create and maintain your account.
Analytics. We may use a privacy-focused analytics service to collect anonymised, aggregated data about how the web dashboard is used (page views, feature clicks). This data does not include personally identifiable information.
5. Data Retention
Account Data. We retain your account information for as long as your account is active. If you request account deletion, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law (e.g., financial records).
Billing Records. We retain billing history and transaction records for a minimum of 7 years to comply with tax and accounting obligations. This data is kept securely and is not used for any other purpose.
AI Conversation Data. Conversation content is not persistently stored on our servers beyond active session needs. Any ephemeral in-session data is discarded when the session ends.
Anonymised Analytics. Anonymised, aggregated usage data that cannot be used to identify you may be retained indefinitely for product improvement purposes.
Support Communications. Records of support interactions are retained for up to 3 years to improve our support quality and resolve recurring issues.
6. Data Security
We implement industry-standard security measures to protect your personal information, including: AES-256 encryption at rest; TLS 1.3 for all data in transit; row-level security policies on our database so users can only access their own data; hashed storage of API keys (we store only a SHA-256 hash of the full key — the full key is shown only once at creation and never stored by us); regular security reviews; and access controls limiting who on our team can access user data.
Despite these measures, no method of electronic storage or internet transmission is completely secure. We cannot guarantee the absolute security of your data. In the event of a data breach that poses a significant risk to your rights, we will notify affected users and relevant authorities as required by applicable law, without undue delay.
You are responsible for maintaining the security of your account password and API keys. Do not share your credentials with anyone. We will never ask for your password via email or support channels.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at support@goflux.dev.
Access. You may request a copy of the personal data we hold about you.
Correction. You may request correction of inaccurate or incomplete personal data.
Deletion. You may request deletion of your personal data. Note that we may be required to retain certain data for legal or financial compliance purposes.
Data Portability. Where technically feasible, you may request your data in a structured, machine-readable format.
Objection & Restriction. You may object to or request restriction of certain processing activities.
Withdrawal of Consent. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
We will respond to valid rights requests within 30 days. We may need to verify your identity before processing the request.
8. EEA & UK Users (GDPR)
If you are located in the European Economic Area or the United Kingdom, the following applies in addition to the above.
Legal Basis for Processing. We process your personal data on the following legal bases: (a) Contract — processing necessary to provide the Service you have subscribed to; (b) Legitimate Interests — fraud prevention, security, product improvement, and direct communications about your account; (c) Legal Obligation — retention of billing records as required by law; (d) Consent — for any optional communications you have opted into.
International Transfers. Your data may be transferred to and processed in countries outside the EEA, including the United States. Where such transfers occur, we rely on appropriate safeguards (such as Standard Contractual Clauses) to ensure an adequate level of protection.
Data Controller. Flux is the data controller responsible for your personal data.
Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have processed your personal data unlawfully.
9. California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
Right to Delete. You may request deletion of personal information we have collected, subject to certain exceptions.
Right to Correct. You may request correction of inaccurate personal information.
Right to Opt Out of Sale/Sharing. We do not sell or share your personal information with third parties for cross-context behavioural advertising. You do not need to opt out.
Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.
To exercise your rights, contact us at support@goflux.dev. We will respond within 45 days.
10. Children's Privacy
The Service is not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@goflux.dev and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date, and where appropriate by sending an email to your registered address.
Your continued use of the Service after any changes constitutes your acceptance of the revised policy. If you do not agree to the changes, you must stop using the Service.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@goflux.dev. We aim to respond to all inquiries within 5 business days.