Privacy Policy

Last updated: March 2026

1. Information We Collect

When you create an account on Fluxgate AI, we collect the following information:

  • Account information: Your name, email address, and hashed password.
  • Organization data: Organization name and workspace settings you configure.
  • Usage data: API calls, agent configurations, and platform feature usage for service delivery and analytics.
  • Technical data: IP address, browser type, and access timestamps for security and rate limiting.

2. How We Use Your Information

  • Service delivery: To provide, maintain, and improve the Fluxgate AI platform.
  • Authentication: To verify your identity and secure your account.
  • Communication: To send transactional emails (verification, password reset, alerts).
  • Security: To detect and prevent fraud, abuse, and unauthorized access.
  • Analytics: To understand usage patterns and improve the platform (aggregated, non-personal).

3. Data Storage and Security

Your data is stored securely on cloud infrastructure. We use industry-standard security measures including encrypted connections (TLS), hashed passwords (bcrypt), hashed API keys (SHA-256), and role-based access controls. Database backups are encrypted and retained for disaster recovery.

4. Data Sharing

We do not sell your personal information. We may share data only in these circumstances:

  • Service providers: Third-party services that help us operate (email delivery, error tracking, hosting).
  • Legal compliance: When required by law, regulation, or legal process.
  • Safety: To protect the rights, property, or safety of our users and the public.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law. Aggregated, anonymized data may be retained indefinitely for analytics purposes.

6. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Export your data in a machine-readable format.

7. Cookies

We use essential cookies and local storage for authentication (JWT tokens). We do not use third-party tracking cookies or advertising cookies.

8. GDPR Compliance (EU/EEA Users)

If you are in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Access (Art. 15): Request a copy of all personal data we process about you via Settings > Profile > Export Data.
  • Right to Rectification (Art. 16): Update your personal information at any time via your Profile settings.
  • Right to Erasure (Art. 17): Request deletion of your account and all associated data via Settings > Profile > Delete Account. Processing takes up to 30 days.
  • Right to Data Portability (Art. 20): Export your data in machine-readable JSON format via the GDPR Data Export API endpoint.
  • Right to Restrict Processing (Art. 18): Contact us to restrict processing of your data in specific circumstances.
  • Right to Object (Art. 21): Object to processing of your data for analytics purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time.

Legal Basis for Processing: We process your data based on: (a) contractual necessity for service delivery, (b) legitimate interest for security and fraud prevention, and (c) consent for optional analytics and communications.

Data Processing Agreement (DPA): Enterprise customers can request a DPA by contacting legal@withfluxgate.com.

Data Protection Officer: For GDPR-related inquiries, contact our DPO at dpo@withfluxgate.com.

9. CCPA Compliance (California Users)

California residents have the right to: (a) know what personal information is collected, (b) request deletion, and (c) opt out of the sale of personal information. We do not sell personal information to third parties. To exercise your CCPA rights, contact us at privacy@withfluxgate.com.

10. Data Retention Schedule

  • Agent run logs: 365 days
  • LLM call records: 90 days
  • Event bus events: 30 days
  • Access logs: 90 days
  • Secret access logs: 365 days (immutable audit trail)
  • Cost routing decisions: 90 days
  • Account data: Duration of account + 30 days after deletion request

11. International Data Transfers

Data is processed on servers located in Asia Pacific (Mumbai, India). For EU/EEA users, we ensure adequate safeguards for international data transfers through Standard Contractual Clauses (SCCs) as approved by the European Commission.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify users of significant changes via email or platform notification.

13. Contact Us

If you have questions about this privacy policy or your data, please contact us at privacy@withfluxgate.com.