flnt

Privacy Policy

Last updated: February 2026

1. Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

Christian Fecke
Berrenrather Str. 471
50937 Cologne
Germany
Email: contact@flnt.work
Phone: +49 221 75997803

2. Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing.

Types of data processed:

  • Master data (e.g. name, email address)
  • Usage data (e.g. pages visited, access times)
  • Content data (e.g. project inputs, messaging angles, campaign briefs)
  • Metadata / communication data (e.g. IP addresses, browser information)

Categories of data subjects:

  • Users of the application
  • Third parties whose data is entered by users as part of campaign projects

Purposes of processing:

  • Provision and operation of the application
  • Authentication and account management
  • AI-assisted content generation
  • Analysis and improvement of the service
  • Security and abuse prevention

4. Registration and User Account

When you register, we collect the following data:

  • Email address
  • Name (display name)
  • Time of registration

This data is processed for the performance of a contract pursuant to Art. 6(1)(b) GDPR. Authentication is handled via Supabase Auth (see Section 8.2).

5. Project Data and Content Data

When using the application, users create projects that may contain product descriptions, target audience analyses, messaging angles, and creative briefs. This content is stored in our database.

Note regarding third-party data: If users enter personal data of third parties (e.g. descriptions of end consumers) as part of campaign projects, they are themselves responsible for the lawfulness of such input. We recommend not entering directly identifying data that is not necessary for campaign planning purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

6. AI-Assisted Processing (Anthropic Claude API)

The application uses the Claude API provided by Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA, to generate AI-assisted content.

Project content entered by users (e.g. product descriptions, pain points, target audiences) is transmitted to Anthropic's servers in the United States in order to generate AI suggestions.

Third-country transfer: The transfer to the USA is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Important notice: A Data Processing Agreement (DPA) with Anthropic pursuant to Art. 28 GDPR is currently being finalized. Until this agreement is in place, users should avoid processing sensitive personal data through the AI features. Users will be informed once the DPA has been concluded.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 49(1)(b) GDPR (temporarily, until DPA is concluded).

7. Hosting and Infrastructure

7.1 Vercel (Hosting)

The application is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Vercel processes technical access data (IP addresses, request timestamps, browser information) for the purpose of providing the service. A Data Processing Agreement is in place with Vercel. Transfers to the USA are based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Further information: vercel.com/legal/privacy-policy

7.2 Supabase (Database and Authentication)

Database and authentication services are provided by Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992.

Supabase stores user accounts, project data, and all application-related content. A Data Processing Agreement is in place with Supabase. Data is stored by default in the EU West region (Frankfurt).

Further information: supabase.com/privacy

8. Analytics and Tracking

8.1 General

We use analytics tools to understand how our application is used and to improve the service. Non-essential analytics cookies are only used on the basis of your consent pursuant to Art. 6(1)(a) GDPR.

8.2 Analytics Tool

[PLACEHOLDER – Analytics tool not yet determined]
Once a specific analytics tool has been selected, this section and the cookie policy will be updated accordingly. You will be informed of any changes.

You can withdraw your consent at any time via our cookie settings.

9. Cookies

9.1 Technically Necessary Cookies

We use technically necessary cookies that are required for the operation of the application (e.g. session cookies for authentication). These cookies do not require consent.

9.2 Non-Essential Cookies (Analytics)

We only set analytics cookies after your explicit consent. You can withdraw your consent at any time via the “Cookie Settings” link in the footer of this page.

Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG (German Telecommunications-Telemedia Data Protection Act).

10. Your Rights as a Data Subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request information about the data we process about you.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You may request that processing be restricted.
  • Right to data portability (Art. 20 GDPR): You may receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time with effect for the future.

To exercise your rights, please contact: contact@flnt.work

10.1 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for North Rhine-Westphalia is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Postfach 20 04 44
40102 Düsseldorf
Germany
Website: www.ldi.nrw.de

11. Data Security

We implement technical and organizational measures to protect your data against loss, manipulation, and unauthorized access. These include encrypted transmission (TLS/HTTPS), database-level access control (Row Level Security via Supabase), and regular security reviews.

12. Retention Periods

Personal data is only stored for as long as necessary for the respective purpose or as required by statutory retention obligations:

  • Account data: Until the user account is deleted
  • Project data: Until deleted by the user or upon account deletion
  • Server logs: Generally 7–30 days
  • Tax-relevant data: 10 years pursuant to § 147 of the German Fiscal Code (AO)

13. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy if the service or legal requirements change. The current version is always available at this URL. In the event of material changes, registered users will be notified by email.