1. Introduction
FlukeBase ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the FlukeBase platform (the "Service").
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Name and email address
- Authentication credentials (hashed passwords or OAuth tokens from Google)
- Account preferences and settings
2.2 Usage Data
We automatically collect:
- AI agent session metadata (timestamps, duration, tool calls, session status)
- Task and project activity (creation, updates, completion)
- Memory entries you create through AI agent interactions
- MCP tool invocation logs (tool name, timing, success/failure status)
- Product-usage and interaction analytics (page views, clicks, scroll depth, heatmaps, and session replays) collected via our analytics provider — see Section 7
- Browser type, IP address, and device information for security purposes
2.3 Payment Information
Payments are processed by Stripe. We do not store credit card numbers. Stripe provides us with a payment token, last four digits, and billing address. Bitcoin Lightning payments are processed by Blink API.
2.4 Content You Store
The Service stores content you create or upload, including:
- Project configurations and source code references
- AI agent memories, session transcripts, and task descriptions
- Email templates, articles, and marketing campaigns
- Files uploaded to project storage
- Git repositories hosted on the platform
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process payments and manage subscriptions
- Send transactional emails (account confirmations, security alerts, billing receipts)
- Provide AI agent context (memories, conventions, session history) within your account
- Generate aggregated analytics and product-usage insights to improve platform performance
- Detect and prevent fraud, abuse, and security threats
We do not:
- Sell or rent your personal information to third parties or data brokers
- Use your content or data to train AI models
- Run advertising or analytics cookies without your consent (see Section 7)
- Access your project content except to operate the Service or as required by law
4. Data Storage and Security
Your data is stored on infrastructure we operate:
- PostgreSQL database with pgvector for semantic search, hosted on our VPS
- Redis for caching and background job queues
- S3-compatible object storage (iDrive e2) for file uploads
- All data encrypted in transit via TLS 1.2+
- Database connections use encrypted channels
- Passwords hashed with bcrypt; JWT tokens for session management
5. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account termination
- Session data: Session metadata retained indefinitely for analytics; session transcripts retained for 90 days
- Memories: Retained until you archive or delete them; archived memories preserved for version history
- Audit logs: Change history retained for 1 year for compliance
- Payment records: Retained as required by applicable tax and financial regulations
6. Third-Party Services
We use the following third-party services that may process your data:
- Stripe — Payment processing (Privacy Policy)
- Google OAuth — Authentication (Privacy Policy)
- Google Tag Manager — Manages and deploys the consent-gated analytics and marketing tags below (Privacy Policy)
- Plerdy — Website analytics, click heatmaps, and session replay; loaded only after you consent (Privacy Policy)
- Meta (Facebook) Pixel — Advertising and conversion measurement on our marketing pages; loaded only after you consent (Privacy Policy)
- Cloudflare — DNS and CDN (Privacy Policy)
- Let's Encrypt — SSL certificates
- Blink API — Bitcoin Lightning payments
- iDrive e2 — Object storage
7. Cookies and Tracking
We use the following categories of cookies and similar technologies:
7.1 Essential (always active)
- Session cookie — JWT token for authentication
- Project selection — Cookie for remembering your active project context
- Dark mode preference — Stored in localStorage, not transmitted to our server
7.2 Analytics & Marketing (consent-based)
We deploy analytics and marketing tags through Google Tag Manager under Google Consent Mode v2. Non-essential (analytics and advertising) storage defaults to denied — nothing that stores analytics or advertising data runs until you accept via our cookie banner. Your choice is remembered in an fb_consent cookie for 180 days; if you decline, no non-essential tags load.
When you consent, the following may run:
- Plerdy (all pages, including the dashboard) — product analytics, click heatmaps, scroll depth, and session replays, to improve usability and conversion. Plerdy sets its own cookies. See its Privacy Policy.
- Meta (Facebook) Pixel (marketing pages only — e.g. the public site and sign-in pages) — measures the effectiveness of our advertising and may share limited event data (such as page views and sign-ups) with Meta. See its Privacy Policy.
We also collect first-party product-usage analytics (see Section 2.2) — such as feature and tool-usage metrics — to measure and improve platform performance.
If you submit a lead form (for example, requesting the AI Governance Blueprint or joining the waitlist), we may associate the anonymous product-usage analytics from your visit with your contact record, so we can gauge interest and tailor follow-up. This association only applies to visitors who have consented to analytics, and you can object at any time by contacting privacy@flukebase.me.
We do not sell your personal information. To withdraw consent, decline in the cookie banner or clear the fb_consent and analytics/marketing cookies via your browser; you may also object to analytics processing by contacting privacy@flukebase.me (see Section 9).
8. Email Communications
We send emails for:
- Account verification and security alerts (cannot be opted out)
- Billing receipts and subscription changes (cannot be opted out)
- Product updates and newsletters (opt-out via unsubscribe link)
- Marketing campaigns (opt-out via unsubscribe link)
Email tracking (open/click) is used only for campaign analytics and can be disabled in your account settings.
9. Your Rights
You have the right to:
- Access your personal data through the dashboard or API
- Export your data (projects, memories, sessions) via MCP tools or dashboard
- Correct inaccurate personal information in your account settings
- Delete your account and all associated data
- Object to processing for marketing purposes
- Restrict processing in certain circumstances
To exercise these rights, contact privacy@flukebase.me or use the GDPR data purge tools in your account settings.
10. Self-Hosted Instances
If you self-host FlukeBase, you are the data controller for all data stored on your instance. This Privacy Policy applies only to the managed FlukeBase service at flukebase.me. Self-hosted operators are responsible for their own privacy compliance.
11. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us to have it removed.
12. International Data Transfers
Our servers are located in Germany (Contabo VPS). If you access the Service from outside Germany, your data will be transferred to and processed in Germany. We ensure appropriate safeguards are in place for international transfers.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.
14. Contact
For privacy-related inquiries: