Privacy Policy

Fluiq is a developer infrastructure product. Our core purpose is to help engineering teams instrument, monitor, and improve their AI pipelines — not to monetise user data. We collect the minimum information needed to operate the service and we never sell your data or your users' data to third parties.

We are a US-incorporated company. We store data primarily in the United States and process it under applicable law including GDPR for European users and CCPA for California residents.

We collect information in three categories:

Account & identity

• Name and email address when you register or log in via GitHub/Google OAuth
• Password hash (bcrypt) — we never store plaintext passwords
• Organization name and your role within it
• Billing contact details if you subscribe to a paid plan (processed by Stripe; we store only Stripe customer IDs)

Usage & product telemetry

• API key metadata (name, prefix, creation date) — not the raw key value after creation
• Dashboard page views and feature interactions for product analytics
• Errors and performance metrics from the Fluiq web application itself
• Timestamps of logins and session activity

Infrastructure & logs

• IP addresses in server access logs, retained for 30 days
• HTTP request metadata for security and abuse prevention

The primary data you send to Fluiq via our SDK is LLM trace data — the requests and responses flowing through your AI pipelines. This is the most sensitive data type we handle, and we apply the following principles to it:

• Trace data is stored under your organization's namespace and is never mixed with another organization's data.
• Traces are transmitted over TLS and stored encrypted at rest using AES-256.
• We access trace content only when required to operate the service (e.g. rendering it in your dashboard, running your configured eval prompts, or performing security scans you have enabled).
• We do not use your trace data to train any AI model — ours or a third party's — without your explicit written consent.
• If your traces contain personal data about your end-users, you are the data controller for that data and Fluiq is the data processor. You are responsible for ensuring you have the appropriate legal basis to share that data with us.

Our security scanning feature (fluiq.secure()) sends prompt content to our classification service. The classification runs on infrastructure we control; prompt content is not forwarded to any external AI provider for the scan itself.

We use the information we collect to:

• Provide, operate, and improve the Fluiq platform and SDK
• Authenticate you and maintain session security
• Render trace data, evaluations, and analytics in your dashboard
• Run security scans and guardrail checks when you enable fluiq.secure()
• Send transactional emails (password resets, plan confirmations, usage alerts)
• Detect and prevent abuse, fraud, or violations of our Terms of Service
• Comply with legal obligations
• Send product updates and announcements — you can opt out at any time

We do not use your data for advertising, we do not build ad profiles, and we do not share data with advertising networks.

We do not sell your personal data. We share it only in these limited circumstances:

• Service providers: cloud infrastructure (AWS), payment processing (Stripe), error monitoring (Sentry), and email delivery (Resend). Each is bound by a data processing agreement.
• Within your organization: members of your Fluiq organization can view shared resources such as traces and API key metadata.
• Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of Fluiq or others.
• Business transfers: if Fluiq is acquired or merges with another company, your data may transfer as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

• Account data: retained for the lifetime of your account and deleted within 90 days of account closure.
• Trace data: retained according to your plan (Free: 30 days rolling; Team: 90 days; Growth: 1 year; Enterprise: configurable). You can delete traces at any time via the API or dashboard.
• Security scan results: retained alongside trace data and subject to the same retention schedule.
• Audit log: retained for 1 year on all plans. The audit log is append-only and cannot be modified.
• Server access logs: 30 days.
• Backups: encrypted backups are retained for up to 30 days after the active record is deleted.

We implement industry-standard controls to protect your data:

• All data in transit is encrypted with TLS 1.2 or higher
• All data at rest is encrypted with AES-256
• API keys are hashed; the raw key is shown only once at creation
• Audit logs are HMAC-SHA256 signed for tamper detection
• Access to production systems is restricted to authorized personnel via MFA-protected accounts
• We undergo periodic security reviews and respond to responsible disclosure reports

No security measure is perfect. If you discover a vulnerability, please report it to security@getfluiq.com. We aim to respond within 48 hours.

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Correction: ask us to correct inaccurate data
• Deletion: request deletion of your account and associated data
• Portability: request an export of your data in a machine-readable format
• Restriction: ask us to pause processing of your data in certain circumstances
• Objection: object to processing based on legitimate interest
• Opt-out of marketing: unsubscribe from non-transactional emails at any time

To exercise any of these rights, email privacy@getfluiq.com. We will respond within 30 days. For EU/EEA residents, you also have the right to lodge a complaint with your local data protection authority.

California residents may additionally request disclosure of the categories of personal information shared with third parties for their direct marketing purposes in the preceding calendar year. We do not share personal information for direct marketing.

We use a minimal set of cookies:

• Session cookie: a signed, HttpOnly cookie used solely to maintain your authenticated session. Expires when you sign out or after 30 days of inactivity.
• Preference cookie: stores your UI theme (light/dark). No personal data.

We do not use third-party tracking pixels, advertising cookies, or behavioral analytics cookies. Our product analytics are self-hosted and do not share data with external analytics providers.

Fluiq is headquartered in the United States. If you access the service from the European Economic Area, United Kingdom, or Switzerland, your data is transferred to the US under Standard Contractual Clauses (SCCs) adopted by the European Commission. A copy of the applicable SCCs is available on request.

The Fluiq platform is a professional developer tool and is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at privacy@getfluiq.com and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes we will notify registered users by email at least 14 days before the change takes effect and display a notice in the dashboard. Continued use of the service after that date constitutes acceptance of the updated policy.

The version date at the top of this page always reflects the most recent update. Previous versions are available on request.

For privacy-related questions, data subject requests, or concerns about our practices, please contact: