TRUST CENTER

Updated: 01.01.2025

Last updated: 28 May 2025

Welcome to the Flutch AI Trust Center — your one‑stop hub for security, privacy, reliability and compliance information. We created this page to make vendor due‑diligence easy for security teams and to provide full transparency for our users.

1 Security Overview

Control	Details
Encryption	TLS 1.2+ for data in transit; AES‑256‑GCM for data at rest (AWS EBS, S3, MongoDB Atlas).
Access Control	SSO/SAML for internal apps, MFA enforced, least‑privilege roles in AWS IAM & MongoDB.
Network Security	VPC segmentation, private subnets, security groups, CloudFront WAF with OWASP rules.
Vulnerability Management	Automated daily dependency scanning (Dependabot, Snyk), quarterly external pentest, 24 h SLA for critical CVEs.
Secret Management	AWS Secrets Manager with rotation; no secrets in code or CI logs.
Incident Response	24×7 on‑call; documented IRP, post‑incident RCA published in Status Page.

1.1 Responsible Disclosure

We operate a bug‑bounty programme via HackerOne (private invite). Security researchers can also email [email protected] with a PGP‑encrypted report. We aim to reply in 24 hours and remediate critical issues within 7 days.

2 Compliance & Certifications

Framework	Scope	Status	Evidence
ISO 27001:2013	Company‑wide ISMS	In progress (audit scheduled Q4 2025)	Letter of Engagement (PDF)
SOC 2 Type II	Platform & APIs	Completed — report period Jan–Mar 2025	NDA‑protected report (request below)
GDPR / UK GDPR	Data processing	Compliant	DPA template & Sub‑processor list
PCI‑DSS SAQ A	Card data handled by Stripe	Compliant	Stripe Attestation of Compliance

Request reports: Email [email protected] from a company domain, sign our NDA, and specify which report you need (SOC 2, pentest, ISO audit letter).

3 Sub‑Processors

We use carefully‑vetted vendors. Changes are announced 30 days before enforcement.

Category	Vendor	Region	Notes
Cloud IaaS	Amazon Web Services	London, EU‑West‑1	Data at rest in UK
Managed DB	MongoDB Atlas	London	TLS & disk encryption
Payments	Stripe	Global	PCI DSS L1
GenAI API	OpenAI, Anthropic	USA	SCCs + encryption
Analytics	PostHog Cloud EU	Frankfurt	EU residency
Email	SendGrid	USA	TLS & SPF/DMARC
Consent	Ketch	EU	CMP + GDPR scripts

Download CSV version [here](link‑to‑csv — placeholder).

4 Data Protection

Data residency: primary storage in UK (London). Model requests may transit the U.S. (OpenAI, Anthropic).
SCCs & UK Addendum in place with every U.S. vendor.
Data retention: see Privacy Policy §3.
User‑controlled deletion: delete chats or agents anytime → hard‑delete within 30 days.

5 Availability & Status

Metric	Target	Last 30 days
Platform API uptime	99.9 %	99.94 %
Latency (p50)	<300 ms	210 ms

Live status 24×7: status.flutch.ai (RSS & email alerts available).

6 Policies & Legal Docs

Document	Link
Terms of Use	/legal#terms
Privacy Policy	/legal#privacy
Acceptable Use Policy	/legal#aup
DMCA & Copyright	/legal#dmca
Cookie Policy	/legal#cookies

7 Contact

Purpose	Email
General security	[email protected]
Compliance reports	[email protected]
Data protection	[email protected]
Responsible disclosure PGP	/trust/pgp.asc

TERMS OF USE

Updated: 01.01.2025

Last updated: 28 May 2025

PLEASE READ THESE TERMS OF USE CAREFULLY. BY CREATING AN ACCOUNT OR USING THE PLATFORM YOU AGREE TO BE BOUND BY THEM. IF YOU DO NOT AGREE, DO NOT USE THE PLATFORM.

1. Definitions

"Company", "we", "our", "us" — Flutch AI Ltd., incorporated in England & Wales (Company No. [TO BE REGISTERED]) with its registered office at _______ United Kingdom.
"Platform" — the Flutch AI platform including web interface, API and other services that let Users access, configure and interact with AI agents.
"User" / "you" — any natural or legal person who accesses or uses the Platform, whether with a registered account or as a Guest User under §4.
"Organisation" — an optional workspace on the Platform that can contain multiple User seats under a single billing entity and is the only entity permitted to create and publish Agents. An Organisation may be registered by an individual acting as a sole proprietor or by a legal entity and is governed by a separate Partner Agreement presented at the time of Organisation signup.
"Agent" — an AI workflow ("langgraph") published on the Platform. Agents are:
- Corporate Agents — visible only to Users within the same Organisation;
- Public Agents — visible Platform‑wide and optionally monetised via a separate subscription.
"Subscription Plan" — any recurring paid plan (e.g. Premium, Pro, Max or other tiers shown on the pricing page) that increases usage limits and/or unlocks additional features.
"Paid Agent" — a Public Agent that requires its own subscription fee set by the Author.
"Author" — the Organisation that creates and publishes an Agent.

2. Eligibility

The Platform is intended only for persons aged 18 or older.
By using the Platform you confirm that you have the legal capacity to enter into this agreement under the laws of your jurisdiction.

3. User Accounts

You may browse certain Public Agents without creating an account (see §4 Guest Usage). To save conversation history across devices or subscribe to paid services you must register an account with a verified email address.
If you additionally create an Organisation you will be asked to review and accept the Partner Agreement, which governs publishing and monetising Agents. These Terms continue to apply to your personal use of the Platform.
Keep your login credentials confidential; you are responsible for all activities under your account.

4. Guest Usage (Unregistered Users)

Selected Public Agents may be accessed without registration. We assign a random UUID stored in your browser's local storage to meter usage and store conversation history.
Guest chat history is retained for 90 days or until you clear local‑storage — whichever occurs first. Clearing browser data permanently removes access to prior chats.
Guest usage is subject to small daily message limits displayed on the Agent page.
These Terms (including the Acceptable Use Policy, Disclaimers and Liability sections) apply equally to Guest Users.

5. Services Overview & Key Digital Functionality

5.1 Free Tier

Registered Users on the Free Tier may send up to the daily message limit displayed on each relevant Agent page. Once that limit is reached, access is paused until 00:00 UTC the following day when limits automatically reset.
A separate monthly usage cap (tokens) also applies. Your current monthly token cap is shown in your Account Dashboard and may be adjusted periodically. Ordinary use under the daily message limit should not exhaust the monthly token cap.

5.2 Subscription Plans

We offer several paid Subscription Plans. Each plan includes:
- Fixed platform benefits: Increased daily message limits, priority access, additional features
- Variable model costs: Actual AI processing costs based on current provider rates
Platform subscriptions are billed monthly or annually in advance through Stripe
Model costs are calculated based on actual usage and current provider rates
Cancel or pause anytime via the subscription‑management page; platform benefits remain active until the end of the current billing period

5.3 Paid Agents

Paid Agents require a separate fee consisting of: (a) the Author's commission, and (b) underlying model costs
Author Commission: Fixed monthly/annual fee set by the Author
Model Costs: Variable based on current AI provider rates, displayed before each usage
The Author defines usage limits and restrictions, displayed on the Agent page
The Company provides first‑line support for Paid Agents (§10) but does not guarantee their outputs (see §11)

5.4 Platform Compatibility & Functionality

Feature	Description	Requirements
Web Interface	Full-featured chat interface with Agent selection	Modern browser (Chrome 90+, Firefox 88+, Safari 14+, Edge 90+)
API Access	RESTful API for programmatic access	API key (available for registered users)
Mobile Support	Responsive web interface	iOS 14+ Safari, Android 10+ Chrome
Accessibility	We aim to provide an accessible interface	Screen reader compatibility where possible
Model Pricing	Current AI model costs per usage	Real-time display before each interaction
Usage Tracking	Token consumption and cost breakdown	Available in account dashboard
Price Transparency	Total cost = Platform fee + Model cost	Always shown before confirmation

6. Billing & Payments

Pricing Structure: Fees consist of two components:
- Base Model Cost: Set by AI providers (OpenAI, Anthropic, etc.) and subject to change at any time
- Platform Fee: Our fixed commission displayed on the pricing page
Price Changes:
- Platform Fee changes: We'll give at least 30 days' notice before any increase applies to renewals
- Model Cost changes: May fluctuate based on provider pricing without advance notice. Current rates are always displayed before usage
All fees are stated in GBP and include UK VAT (20%) where applicable. For EU customers, VAT will be charged according to your country's rate unless a valid VAT number is provided.
Payments are processed by Stripe; we do not store full card numbers.
You authorise us to charge your chosen payment method for all fees, including recurring subscriptions.
Failed or disputed payments may result in suspension until resolved.

7. Acceptable Use Policy (AUP)

You agree not to:

Use the Platform or any Agent for unlawful, infringing, harmful or fraudulent purposes;
Upload, generate or disseminate content that is illegal, defamatory, hateful, harassing, violent or otherwise objectionable;
Attempt to disrupt, exploit or compromise the Platform, circumvent usage limits or reverse‑engineer its code;
Violate the usage policies of our AI providers (OpenAI Usage Policies, Anthropic Acceptable Use Policy);
Misrepresent your identity or affiliation.

Enforcement: We may issue warnings, temporarily suspend access, or terminate accounts depending on the severity and frequency of violations. We aim to be fair and proportionate in our response.

We may remove content, disable Agents, suspend or terminate accounts and/or report unlawful conduct.

8. Intellectual Property

We own all rights in the Platform. You retain the rights you hold in prompts or other content you submit.
Outputs: Subject to applicable law and the upstream provider terms, you own the rights (if any) in outputs you lawfully generate. Note that AI providers may retain certain rights as detailed in their terms: OpenAI Terms, Anthropic Terms.
Licence to Us: By submitting content (e.g., prompts, file uploads) you grant us a non‑exclusive, worldwide licence to host, display and use that content solely to operate, secure and improve the Platform.
Optional Data‑Sharing for Model Improvement: We will not use your content or outputs for commercial purposes unrelated to your use of the Platform, or for training our own or third‑party AI models, unless you have explicitly opted‑in through a setting in your Account Dashboard. You may withdraw such consent at any time; withdrawal will not affect prior processing already performed on the basis of your consent.

9. Privacy & Data Protection

Processing of personal data is governed by our Privacy Policy, which lists our sub‑processors:

AI Providers: OpenAI (USA), Anthropic (USA)
Analytics: PostHog (USA)
Payments: Stripe (Ireland/USA)
Infrastructure: MongoDB Atlas (USA), AWS (various regions)
Support: Intercom (USA)

The Policy also describes cross‑border transfers (Standard Contractual Clauses), security measures (ISO 27001 controls, SOC 2 alignment) and your rights including data export.

10. Service Levels & Support

The Platform is provided on an "as‑is" basis; we target 99% uptime on a calendar-month basis but do not guarantee uninterrupted service.
Unified Support: All support requests (including issues with Paid Agents) should be directed to [email protected] or in‑app chat.

11. Allocation of Responsibilities for Paid Agents

The Company operates and maintains the underlying infrastructure, hosting environment and payment rails that allow Agents to execute. We are responsible for Platform uptime and availability as described in §10.
Each Author is responsible for (a) the design and configuration of their Agent, including prompts, workflows, retrieval chains and knowledge bases, and (b) ensuring that their Agent complies with law and the Platform's policies.
Outputs are generated in real time by third‑party large‑language‑model providers (e.g. OpenAI, Anthropic). While Authors control prompts and retrieval pipelines, neither the Author nor the Company performs continuous human review of every output.
To the maximum extent permitted by law:
- the Company disclaims liability for the substantive content of any Agent output; and
- Authors disclaim liability for service availability, which is covered by the Company's infrastructure commitments.
If you encounter content that is unlawful or violates these Terms, report it via the in‑app "Report" feature or at [email protected]. We may temporarily disable the Agent, request modifications from the Author, escalate to the model provider, or take other appropriate action.

12. Refund & Cancellation Policy

12.1 Subscription Plans

Cooling‑off (EU/UK consumers): You may cancel within 14 days of first purchase for a refund. We will deduct a proportionate amount based on actual usage (tokens consumed) during this period, calculated as: (Tokens Used / Monthly Token Limit) × Subscription Price.
Cancel or pause anytime from your account to stop future renewals; service remains active until the current billing period ends.

12.2 Paid Agents

Fees for Paid Agents are non‑refundable once access is granted, except where (a) the Agent is permanently removed within 30 days of purchase, or (b) the Agent is manifestly defective and the Author does not remedy within a reasonable time after notification.

12.3 Chargebacks

Initiating a chargeback may result in account suspension while the dispute is investigated.

13. Disclaimers

Outputs are generated autonomously by third‑party AI models (e.g. OpenAI, Anthropic) based on your prompts and may be inaccurate, incomplete or inappropriate. They do not constitute legal, medical, financial or other professional advice. Except where prohibited by law, the Platform and all content are provided "as is" without warranties of any kind.

14. Limitation of Liability

Nothing in these Terms limits liability for death, personal injury, fraud or other liability that cannot be limited by law. Subject to that, our total liability to you for any claim arising out of the Platform will not exceed (a) £100 or (b) the total fees you paid us in the preceding 6 months, whichever is greater. This limitation is standard industry practice and permissible under English law.

15. Indemnity

You agree to indemnify us for losses arising from your breach of these Terms or misuse of the Platform.

16. Suspension & Termination

We may suspend or terminate access for material breach, legal requirement or unresolved payment failure.
You may delete your account at any time.
Data Export: Upon termination, we will make reasonable efforts to allow data export for 30 days. After this period, all data will be deleted in accordance with our Privacy Policy.

17. Governing Law & Mandatory Arbitration

Governing Law. These Terms are governed by and construed in accordance with the laws of England & Wales, without regard to conflict‑of‑law principles.
Small‑Claims Exception. Either party may bring an individual action in a court of competent jurisdiction for matters that fall within the monetary limit of the small‑claims track of the County Court (or an equivalent small‑claims court in your jurisdiction).
Binding Arbitration. Any other dispute, controversy or claim arising out of or relating to these Terms or the breach thereof shall be finally settled by binding arbitration under the Rules of the London Court of International Arbitration (LCIA), which are deemed to be incorporated by reference into this clause. The seat of arbitration shall be London, United Kingdom; the language of the proceedings shall be English; the tribunal shall consist of a single arbitrator appointed in accordance with the LCIA Rules.
No Class or Representative Actions. Where permitted by law, the arbitration shall be conducted only on an individual basis, and not in a class, collective or representative action. The arbitrator may award declaratory or injunctive relief only in favour of the individual party seeking relief.
Opt‑Out. You may reject this arbitration agreement by emailing [email protected] with subject line "Arbitration Opt‑Out" within 30 days of first acceptance of these Terms. Your opt‑out will not affect prior agreements to arbitrate disputes.
Prevailing‑Party Fees. The arbitrator may award reasonable legal fees and costs to the prevailing party, consistent with the LCIA Rules.

18. Changes to Terms

We may amend these Terms; material changes will be notified at least 30 days before they take effect through available channels.

19. Miscellaneous

Entire Agreement: These Terms constitute the entire agreement between you and us regarding the Platform.
Severability: If any provision is found unenforceable, the remainder shall continue in effect.
No Waiver: Our failure to enforce any right or provision shall not constitute a waiver.
Assignment: You may not assign these Terms without our consent. We may assign our rights to any affiliate or successor.

20. Contact

Flutch AI Ltd.
Company Registration No. [TO BE REGISTERED]
______, UK
Email: [email protected]
Support: [email protected]

End of Terms

COPYRIGHT & DMCA NOTICE-AND-TAKEDOWN POLICY

Updated: 01.01.2025

Last updated: 28 May 2025

Flutch AI Ltd. ("Company", "we") respects intellectual property rights. This Policy explains how to report allegedly infringing material on the Flutch AI Platform ("Platform").

We follow procedures under:

U.S. Digital Millennium Copyright Act (17 U.S.C. §512)
UK Copyright, Designs and Patents Act 1988

This Policy forms part of our Terms of Use.

1. Designated Copyright Agent

Copyright Agent
Flutch AI Ltd.
10 Finsbury Square, London EC2A 1AF, United Kingdom
Email: [email protected]

Please use email only for copyright matters.

2. Reporting Copyright Infringement

To report alleged infringement, email us with:

Your information — Name, email, and contact details
Your copyrighted work — Description of the original work
Location of alleged infringement — URL, Agent name, or specific reference
Good faith statement — "I believe in good faith that this use is not authorised"
Authority statement — "I am the copyright owner or authorised representative"
Accuracy statement — "The information in this notice is accurate"
Signature — Physical or electronic

We'll acknowledge receipt within 2 business days where possible.

3. Our Response

For valid notices, we will typically:

Remove or disable access to the content, OR
Temporarily disable the Agent if content cannot be separated

We'll notify the content creator and may share your notice (with personal details redacted).

4. Counter-Notice (Disputing a Takedown)

If you believe content was removed in error, send us:

Your information — Name, address, phone, email
Identification — What was removed and where it appeared
Statement under penalty of perjury — "I believe in good faith the material was removed by mistake or misidentification"
Consent to jurisdiction — Choose one:
- US residents: "I consent to jurisdiction of the Federal District Court for my district"
- Non-US residents: "I consent to jurisdiction of the courts where Flutch AI is located"
Signature — Physical or electronic

Unless the original complainant files a lawsuit within 10 business days, we may restore the content.

5. Repeat Infringers

Users who repeatedly infringe copyrights may have their accounts terminated. We track valid notices but apply this policy proportionately.

6. False Claims

Knowingly false notices or counter-notices violate the law and our Terms. We may suspend accounts that abuse this process.

7. Privacy

We redact personal information when forwarding notices unless legally required to provide full details.

8. International Rights Holders

For non-US/UK copyright holders, we accept notices meeting the above requirements and will respond according to applicable law.

9. Updates

We may update this Policy. Changes will be posted on our website.

End of Policy

ACCEPTABLE USE POLICY (AUP)

Updated: 01.01.2025

Last updated: 28 May 2025

This AUP forms part of the Terms of Use for the Flutch AI Platform. Capitalised terms have the meanings set out in the Terms. By accessing or using the Platform you agree to comply with this AUP. Violations may trigger actions under §16 of the Terms, including account suspension or termination.

1. Guiding Principles

Legality: The Platform must not be used for any activity that violates applicable law or regulation.
Safety & Dignity: We prohibit content that exploits, endangers or harms individuals or groups.
Integrity: Users must not compromise the security, performance or availability of the Platform, nor attempt to deceive other users.
Intellectual Property: Respect the copyrights, trademarks and other rights of third parties.

2. Prohibited Content and Activities

The following are always disallowed on the Platform:

Category	Examples (non‑exhaustive)
Illegal activities	Facilitation of money laundering, terrorism, human trafficking, or sale of illegal weapons/drugs.
Sexual exploitation or abuse	Any content involving minors; non‑consensual, exploitative, or non‑consensually shared intimate content.
Harassment & hate	Threats of violence, doxxing, promotion of extremist ideology, or dehumanising language toward a protected group.
Violence & self‑harm	Instructions to commit violent acts; graphic descriptions intended to shock; encouragement of suicide or self‑harm.
Fraud & deception	Phishing, deepfakes used to defraud, impersonation of government officials.
IP infringement	Distribution of copyrighted material without authorisation; trademark violations.
Personal data abuse	Uploading or generating sensitive personal data about real individuals without consent.
Malware & hacking	Distribution of malware, instructions for unauthorised system access, creation of exploits.
Spam & commercial abuse	Bulk unsolicited messages, excessive self-promotion, platform manipulation.

3. Restricted Content (Requires Care)

You may create or discuss the following, provided you include appropriate disclaimers and comply with applicable law:

Category	Required Disclaimer/Condition
Medical / legal topics	Must clearly state that content is for informational purposes only and not professional advice.
Political content	Must not promote violence or hatred; paid political content requires disclosure.
Financial topics	Must state that information is not personalised investment advice.
Adult content	Legal content only; no minors; must implement appropriate age verification for Public Agents.

4. Technical Restrictions

Respect limits: Do not attempt to circumvent usage limits or quotas.
Fair use: No automated activity that degrades service quality for others.
Security: Report vulnerabilities responsibly to [email protected]. Do not publicly disclose security issues.

5. Third‑Party Policies

Content processed through our AI providers must also comply with their policies:

OpenAI: https://openai.com/policies/usage-policies
Anthropic: https://www.anthropic.com/legal/aup

When multiple policies apply, the most restrictive rule prevails.

6. Enforcement & Reporting

We aim to be fair and proportionate in our response to violations. Actions may include:

Content removal or editing
Warning or temporary suspension
Account termination (for severe or repeated violations)
Reporting to authorities (when legally required)

How to Report

Email: [email protected]
In-app: Use the "Report" button on any Agent or message

We prioritise reports involving immediate safety risks or illegal content.

7. Appeals

If you believe we made an error, you may appeal by emailing [email protected] with:

Your username
Date of the action
Why you believe it was in error

We'll review appeals as resources permit and respond when possible.

8. Updates

We may update this policy as our service evolves. Significant changes will be announced via the Platform.

End of AUP

COOKIE POLICY

Updated: 01.01.2025

Last updated: 28 May 2025

This Cookie Policy explains how Flutch AI Ltd. ("Flutch AI", "we", "us") uses cookies and similar technologies on the Flutch AI Platform (the "Platform"). It should be read together with our Privacy Policy.

You can change or withdraw your cookie consent at any time via the Ketch Preference Center (cookie banner → "Manage settings" or via the cookie icon in the bottom-left corner).

1. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They enable core functionality (e.g. login), help us analyse site traffic and can support marketing. We categorise cookies as Strictly Necessary, Analytics/Performance, Functional (preferences), and Marketing.

2. How We Use Cookies

Below is a list of cookies and similar technologies currently in use. We update this table when we add or remove cookies.

Category	Cookie/Storage	Provider	Type	Purpose	Expiry
Strictly Necessary	`flutch_session`	Flutch AI	1st-party	Maintains authenticated user session.	1 day
	`csrf_token`	Flutch AI	1st-party	Protects against cross‑site request forgery.	2 hours
	`__stripe_mid`, `__stripe_sid`	Stripe	3rd-party	Enables secure payment checkout.	365 days / 30 minutes
	`_ketch_consent`	Ketch	3rd-party	Stores your cookie preferences.	12 months
Analytics / Performance	`_posthog_csrf`, `_posthog_session`	PostHog EU	3rd-party	Collects anonymised usage metrics (page views, feature adoption). IP addresses are truncated, no cross-site tracking.	365 days / 30 minutes
Local Storage	`guest_uuid`	Flutch AI	1st-party	Meters guest usage for unregistered users.	Persistent until cleared
Functional	—	—	—	We do not currently set functional cookies.	—
Marketing / Targeting	—	—	—	We do not currently set marketing cookies.	—

Legal Basis

Strictly Necessary cookies: These are essential for contract performance and our legitimate interest in providing secure services (no consent required).
Analytics cookies: We process these based on your explicit consent (Article 6(1)(a) GDPR).
Marketing cookies: When implemented, these will require explicit consent.

3. Consent & Control

Strictly Necessary cookies are required for the Platform to function and are always active.
For Analytics and Marketing cookies we request explicit consent the first time you visit. You may adjust consent at any time via the Ketch banner (bottom‑left cookie icon) or in Settings → Privacy → Cookie Preferences.
We honour "Do Not Track" browser settings for analytics cookies.

Deleting or blocking cookies may impact Platform functionality (e.g. loss of login or checkout capability).

4. Browser Settings

Most browsers allow you to refuse or delete cookies. Guidance:

Browser	Manage cookies
Chrome	Settings → Privacy & Security → Cookies and other site data
Firefox	Settings → Privacy & Security → Cookies and Site Data
Safari	Preferences → Privacy → Manage Website Data
Edge	Settings → Cookies and site permissions → Manage and delete cookies

5. Updates

We may update this Cookie Policy to reflect changes in technology or applicable law. Check the "Last updated" date. Material changes will be announced via the cookie banner with at least 30 days' notice where feasible.

6. Contact

Questions? Email [email protected].

End of Cookie Policy

PRIVACY POLICY

Updated: 01.01.2025

Last updated: 28 May 2025

Flutch AI Ltd. ("Company", "we", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard personal data when you use the Flutch AI Platform ("Platform").

Data Controller: Flutch AI Ltd.
Address: ______, London, _____ UK
Company No: ________
Email: [email protected]

1. Personal Data We Collect

Category	Examples	Source
Account Data	Name, email, password hash	User registration
Organisation Data	Company name, VAT ID, billing address	Organisation setup
Guest Identifier	Random UUID in browser	Automatic
Usage Data	Prompts, conversation history, Agent interactions	User activity
Payment Data	Last 4 card digits, billing contact	Stripe
Device Data	IP address (truncated), browser type, timezone	Automatic
Cookies	Session, analytics, preferences	See Cookie Policy

Special Category Data: We don't intentionally collect sensitive data (health, beliefs, etc.). If included in your prompts:

It's processed only to provide your requested AI response
Not used for training or analytics
Automatically deleted within 90 days

2. How We Use Your Data

Purpose	Legal Basis (GDPR)
Provide the Platform and process payments	Contract - necessary to provide service
Enforce usage limits and security	Contract - essential for service
Platform analytics and improvement	Legitimate Interests - service quality
Marketing emails (existing customers)	Legitimate Interests - with opt-out
Marketing emails (new subscribers)	Consent - opt-in required
Legal compliance (tax, court orders)	Legal Obligation
Model training (if enabled by you)	Consent - opt-in via Settings

3. Data Retention

Data Type	Retention Period
Guest data	90 days or until browser cleared
Account data	While account active + 6 years
Conversations	2 years after last activity
Payment records	7 years (legal requirement)
Analytics logs	12 months

Data is automatically deleted when retention periods expire.

4. Who We Share Data With

We share data only as necessary to operate the Platform:

Infrastructure: AWS, MongoDB Atlas
AI Providers: OpenAI, Anthropic, Google
Payments: Stripe
Analytics: PostHog (EU servers)
Support: Email providers

We maintain a current list of sub-processors at flutch.ai/privacy.

5. International Transfers

Your data may be transferred outside the UK/EEA. We ensure protection through:

Standard Contractual Clauses (SCCs)
Adequate security measures
Vendor certifications (ISO 27001, SOC 2)

6. Your Rights

Under GDPR/UK data protection law, you have rights to:

Access your personal data
Correct inaccurate data
Delete your data ("right to be forgotten")
Restrict processing
Port your data to another service
Object to processing
Withdraw consent at any time

To exercise rights: Email [email protected] with your request. We'll respond within 30 days.

Complaints: You may complain to the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.

7. Security

We implement industry-standard security:

Encryption in transit (TLS) and at rest
Access controls and monitoring
Regular security reviews
Incident response procedures

If you suspect unauthorized access, immediately change your password and contact [email protected].

8. Cookies

We use cookies for functionality and analytics. See our Cookie Policy for details and control options.

9. Children

Our service is for users 18+. We don't knowingly collect data from children. If we discover a user is under 18, we'll delete their account and data.

10. Marketing

Existing customers: We may send service updates and similar product offers. You can opt-out anytime.

Email subscribers: We only send marketing with your explicit consent.

Control options: Unsubscribe link in emails or email [email protected].

11. California Privacy Rights

California residents have additional rights under CCPA:

Know what personal information we collect
Delete personal information
Opt-out of "sale" (we don't sell data)
Non-discrimination for exercising rights

12. Changes to This Policy

We'll notify you of material changes 30 days before they take effect. Minor updates will be posted with an updated date.

13. Contact Us

Privacy inquiries: [email protected]
Security issues: [email protected]
Legal/DPA requests: [email protected]

Flutch AI Ltd.
United Kingdom