Privacy Policy
Last updated: January 1, 2026 · Effective: January 1, 2026
Summary: We collect only what we need to run the service. We don't sell your data. We use third-party processors (OpenAI, Stripe, Reddit API) only to provide the service. You can delete your account and all data at any time.
1. Who we are
Flevo ("we", "our", "us") is a software-as-a-service platform that provides AI-powered lead generation tools. For the purposes of GDPR and applicable data protection laws, Flevo is the data controller for personal data you provide when creating an account and using our services.
Contact: privacy@flevo.io
2. Data we collect
2.1 Account data
- Email address (required for authentication)
- Password (stored as a bcrypt hash — we never see your password in plaintext)
- Account creation date
- Plan and billing status
2.2 Configuration data
- Agent settings: product description, target ICP, keywords, subreddits, tone settings
- API credentials you provide (Reddit API keys, SMTP settings, Hunter.io key) — stored encrypted at rest
2.3 Usage data
- Leads detected and processed by your agents
- Replies generated and sent on your behalf
- Usage counters (posts analyzed, emails sent) for billing
- Agent run logs (timestamps, success/failure status)
2.4 Billing data
Payment data (card numbers, billing address) is processed entirely by Stripe and never stored on our servers. We only store Stripe customer IDs and subscription status.
2.5 Third-party content
When your agents run, they process publicly available Reddit posts, emails, and news articles. This content is processed to generate replies on your behalf and stored temporarily in your lead database. None of this constitutes personal data that you have provided to us.
3. How we use your data
- Service delivery: to run your agents, generate replies, and display your lead dashboard
- Billing: to manage subscriptions and process payments via Stripe
- Usage limits: to enforce plan-based monthly quotas
- Service improvement: to understand how the platform is used in aggregate (no individual profiling)
- Security: to detect abuse and protect the service
- Legal compliance: to comply with applicable laws and regulations
4. Data sharing
We do not sell, rent, or trade your personal data to any third party. We share data only in the following circumstances:
- With processors: OpenAI (to generate AI content), Stripe (billing), Reddit API (to search and post), Hunter.io (email finding) — all under data processing agreements
- Legal requirements: if required by law, court order, or government authority
- Business transfer: if Flevo is acquired or merged, data may transfer to the new entity under the same terms
5. Third-party processors
| Processor | Purpose | Data sent |
|---|
| OpenAI | AI content generation | Post content, product description (no PII) |
| Stripe | Payment processing | Email, billing info |
| Reddit API | Post monitoring & replies | Search queries, reply text |
| Hunter.io | Email address finding | Target domain names |
6. Data retention
We retain your data for as long as your account is active. Upon account deletion:
- Account data is deleted within 30 days
- Lead data is deleted within 30 days
- Billing records are retained for 7 years as required by tax law
- Anonymized aggregate statistics may be retained indefinitely
7. Your rights (GDPR)
If you are located in the EU/EEA, you have the following rights under GDPR:
- Access: request a copy of all personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your data ("right to be forgotten")
- Portability: receive your data in a machine-readable format
- Objection: object to certain types of processing
- Restriction: request we restrict processing in certain circumstances
To exercise any of these rights, email privacy@flevo.io. We will respond within 30 days.
You also have the right to lodge a complaint with your national supervisory authority. In France, this is the CNIL (cnil.fr).
8. Security
- Passwords are hashed with bcrypt (work factor 12) — never stored in plaintext
- API credentials are encrypted at rest using AES-256
- All connections use TLS 1.2+
- Production infrastructure is hosted on Railway (EU region)
- Access to production systems is restricted to authorized personnel only
In the event of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR.
9. Cookies
Flevo uses a minimal number of cookies:
- Authentication token: stored in localStorage to keep you signed in (not a cookie, but similar purpose)
- Stripe: may set cookies for fraud prevention during checkout
We do not use advertising cookies, tracking pixels, or behavioral analytics tools. See our Cookie Policy for more detail.
Data protection questions: privacy@flevo.io
General contact: hello@flevo.io
Response time: we aim to respond within 5 business days.