Privacy Policy
Last updated: 16 February 2026
This document is provided for transparency and is not a substitute for professional legal advice.
1. Introduction
Fluxopus ("we", "us", "our") is a workflow-assessment and automation-tracking platform. This Privacy Policy explains how we collect, use, store and share your personal data when you use our website and services (collectively, the "Service").
2. Data Controller
The data controller responsible for your personal data is:
- Name: Fluxopus
- Email: privacy@fluxopus.eu
3. Data We Collect
Account data
Email address, first and last name, role within your company, company affiliation, and (optionally) your hourly rate.
Work data
Tasks, time logs, notes, questionnaire responses, goals and any content you create within the Service.
AI-processed data
When you use AI features we may send task or note text to third-party AI providers to generate automation recommendations, embeddings, workflow blueprints and task analyses.
OAuth & connection data
When you connect third-party tools we store OAuth tokens (encrypted with AES-256-GCM), scopes and connection status.
Technical data
Push-notification subscription keys, API-key hashes, and (optionally) your browser user-agent string.
4. Why We Process Your Data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide & maintain the Service | Performance of contract (Art. 6-1-b) |
| Account authentication & security | Performance of contract (Art. 6-1-b) |
| AI-powered analysis & recommendations | Performance of contract (Art. 6-1-b) |
| Third-party tool connections (OAuth) | Consent (Art. 6-1-a) |
| Push notifications | Consent (Art. 6-1-a) |
| Usage analytics & product improvement | Legitimate interest (Art. 6-1-f) |
| Legal obligations | Legal obligation (Art. 6-1-c) |
5. Cookies
We only use strictly necessary session cookies for authentication. We do not use any tracking or analytics cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Session JWT | Session (refreshed per request) |
| sb-*-auth-token-code-verifier | OAuth PKCE verification | Temporary |
| sb-*-auth-token.2 | Refresh token | Session |
We also store a pwa-install-dismissed flag in localStorage to remember your install-banner preference. This is not a cookie and contains no personal data.
6. Third-Party Processors
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU |
| Vercel | Hosting, edge functions | US / EU |
| OpenAI | Text embeddings | US |
| OpenRouter | AI task analysis | US |
| Anthropic (Claude) | Skill execution | US |
| OAuth providers (Google, Slack, etc.) | Token exchange for integrations | Varies |
7. International Data Transfers
Some of our processors (OpenAI, OpenRouter, Anthropic, Vercel) are based in the United States. Where personal data is transferred outside the European Economic Area we rely on:
- The EU-US Data Privacy Framework, where the provider is certified;
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- Your explicit consent where neither of the above applies.
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Work data (tasks, logs, notes) | Duration of account + 30 days after deletion |
| AI-generated content | Same as associated task or note |
| OAuth tokens | Until disconnected or account deleted |
| Session cookies | Browser session |
After termination, we retain your data for a 30-day grace period to allow data export. After that, data is permanently deleted from our active systems. Backups may retain encrypted copies for up to 90 days before automatic purge.
9. Your Rights (GDPR)
Under the General Data Protection Regulation and the Dutch Uitvoeringswet AVG, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Data portability — receive your data in a structured, machine-readable format (CSV export is available in-app).
- Objection — object to processing based on legitimate interest.
- Restriction — request that we limit how we use your data.
- Withdraw consent — where processing is based on consent (e.g. push notifications, OAuth connections) you can withdraw at any time.
To exercise any of these rights, email us at privacy@fluxopus.eu. We will respond within 30 days as required by the GDPR.
If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
10. Security
We take reasonable technical and organisational measures to protect your data, including:
- AES-256-GCM encryption for stored OAuth tokens
- HTTPS for all data in transit
- Bcrypt hashing for API keys
- Row-Level Security (RLS) in our database
- Role-based access controls (admin vs. user)
11. Children
Fluxopus is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice in the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
13. Contact
For any privacy-related questions or requests, please contact us at:
- Email: privacy@fluxopus.eu