Privacy Policy
How Fluxer handles personal data, what we do not do with it, and the controls and rights you have.
Last updated April 18, 2026
Effective date: 2026-04-25
The short version
Fluxer is a chat service run by Fluxer Platform AB, a Swedish company based in Stockholm County. This policy explains how we handle your data. It is binding under EU consumer protection law and is part of our Terms of Service, so you can hold us to it.
We do not sell or rent your personal data, and we do not grant licences over it. We have no advertising partners and no dealings with data brokers. Our revenue comes from Fluxer Plutonium, our optional premium subscription.
AI does not read what you share on Fluxer. We do not run AI or LLM inference over your messages, files, or voice and video calls, and none of your content is used to train or fine-tune AI models. The only automated content check is a local image classifier that helps respect explicit-content preferences.
We do not track you around the web. There are no tracking cookies, no analytics SDKs, and no browser fingerprinting on Fluxer.
You can export your data, delete your messages, and close your account whenever you like.
Most account data currently lives on servers in Piscataway, New Jersey. US law, including the CLOUD Act, applies there. Section 6 explains why we use US hosting, the privacy trade-offs, and the direction we are evaluating.
The details follow.
1. Who we are
Fluxer Platform AB is a Swedish limited liability company, organisation number 559537-3993. Our office is in Stockholm County, Sweden.
We operate Fluxer and related services. For GDPR purposes, we are the data controller for your personal data when you use the service, meaning we decide what data is processed and why. That places us under the General Data Protection Regulation as implemented in Sweden, supervised by the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, known as IMY).
Privacy contact: Hampus Kraft, Founder and CEO
Email: privacy@fluxer.app
Postal address: Fluxer Platform AB, Norra Kronans Gata 430, 136 76 Brandbergen, Stockholm County, Sweden
Hampus handles privacy and data protection matters for us, including data subject requests and questions about this policy.
We keep under review whether a formal Data Protection Officer (DPO) should be appointed under GDPR Article 37. The assessment considers the scale of the service, safety and abuse-prevention work, access eligibility checks, security and operational logging, and current regulatory guidance. We have not appointed one yet, and will update this section if that changes.
A UK representative under UK GDPR Article 27 is also under consideration as Fluxer grows in the UK. In the meantime, UK residents can direct any data protection enquiry to privacy@fluxer.app.
2. What we collect, and what we do not
This splits three ways: what you give us, what we collect automatically, and what we receive from other sources.
2.1 What you give us
Creating an account requires an email address, a username, a password, and your date of birth. Your password is stored using Argon2id, a memory-hard hashing algorithm, so even we cannot read it. Phone verification may be requested when registration triggers anti-spam checks, because it is currently the only functioning way to prevent large-scale registration abuse in that situation. Phone numbers used for verification are not linked to your account. Completing phone verification stores only an account flag saying that verification happened.
Content is what you do on Fluxer: messages, files, images, voice and video calls where supported, Community data, reactions, and profile details such as your avatar, bio, and display name. It also covers any Communities you create or administer. All of it belongs to you.
Support correspondence passes through Intercom. When you write to us for help, Intercom handles the message body, attachments, and anything else you choose to share, along with the basic technical details (IP address, browser type) needed for support to work.
Payments are handled by Stripe, not by us. If you buy Fluxer Plutonium or anything else premium, Stripe processes the card, and we receive only what is needed to record and manage the purchase: billing country, the last four digits and expiry of the card, payment status, and timestamps.
Some of the above is necessary to create your account, namely email, date of birth, and password. Without those, we cannot sign you up. The rest is optional, including your avatar and bio. SMS-based 2FA is not available for accounts registered on or after 25 April 2026.
We do not ask for special-category personal data such as health, religion, race, ethnic origin, sexual orientation, political views, or trade union membership. If you choose to share any of that in a message or on your profile, it will not be used to profile you, target you, or treat you differently.
2.2 What we collect automatically
Running the service creates some technical and usage records.
Technical data covers the IP address you connect from, your browser type and version, operating system, device type and identifiers, language settings, and other similar details.
Usage information is aggregate and does not identify you. It covers which features get used and how often (voice calls started, files uploaded, reactions used), which pages and screens are visited, timestamps, session durations, and crash reports and performance metrics. Message content is not read to produce any of this. When a metric counts "messages sent", it counts the event, and nothing more about the message.
Security and operational logs are what our systems generate in the ordinary course of keeping Fluxer running and safe: login attempts and authentication events, account setting changes, rate-limit triggers, API and system errors, and IP-based signals relating to spam, abuse, or unusual behaviour.
What we do not collect is as important as what we do. Fluxer has no advertising trackers, third-party analytics SDKs, browser fingerprinting, or cross-site tracking pixels. We do not build behavioural profiles or track which other sites you visit before or after using Fluxer.
2.3 What we receive from other sources
Some data originates outside your direct interactions.
Other users generate data about your account when they interact with you. Someone mentioning you, adding you to a Community, or sending you a message all involve identifiers (your username and user ID), the content of the interaction, and metadata such as timestamps.
Our service providers relay limited operational information. Sweego tells us whether transactional emails were delivered and when. Twilio tells us whether SMS verification succeeded. Stripe reports payment status and risk signals. Intercom carries support conversations and resolution status. For IP data, Fluxer prefers fully local geolocation databases wherever they are sufficient. IPinfo is used for registration and abuse-prevention checks that require IP network signals a local database cannot reliably provide, such as VPN provider, commercial proxy, Tor exit-node, or residential-proxy signals. Our infrastructure providers send alerts when they detect abuse or anomalies on the network.
For phone verification, Twilio processes the number needed to send or receive the SMS. Inside Fluxer, the number is not written to your account and the internal marker does not contain your user ID or any account reference. We keep only an encrypted, short-lived marker for about 30 days, solely to allow the same phone number to verify at most twice in that period when suspicious registrations need this anti-spam check. The encryption key for these markers is rotated roughly every 30 days.
Occasionally we receive security information from public sources, or fraud signals from Stripe during payment. Those might be a reputation signal about a particular IP, or a risk score attached to a transaction.
This is combined with what we collect directly and automatically only to run, secure, and maintain Fluxer.
3. How we use your information, and how we do not
What we use it for
The bulk of your data is used to operate Fluxer. Concretely, that means creating and managing your account, routing your messages to the right recipients, and keeping the features working end to end.
A portion goes into security and abuse prevention: blocking unauthorised access, investigating abuse, fraud, and spam, and enforcing our Terms of Service and Community Guidelines.
A smaller amount is needed for the service communications we owe you as a user: security alerts, service updates, and the administrative emails your account needs to function.
Payments are a category of their own. If you buy Plutonium or anything else premium, the relevant data is used to process the payment, manage the subscription, and handle the transaction.
Aggregate metrics are used to maintain and improve the service. They show which features are used, how performance is holding up, and where bugs occur. The data involved is error rates and feature counts, not message or file content.
The remainder is processed because the law requires it, or because we need it to respond to valid legal requests and to protect the safety, rights, and property of our users, the public, and Fluxer.
What we do not use it for
Your messages, files, voice or video calls, and anything else you create or share on Fluxer will never be used for any of the following:
- advertising, targeted or otherwise
- training, fine-tuning, or evaluating AI or machine learning models
- building profiles of you for ad targeting, marketing, or behavioural analysis
- sale, rental, or granting a licence to any third party for their own purposes
- mining or aggregating for commercial gain beyond operating the service
3.1 Lawful bases for processing (GDPR)
For readers in the EEA, the UK, or any other jurisdiction that requires a lawful basis for data processing, the mapping below sets out how we justify each category.
Contract necessity (Article 6(1)(b)). Processing required to deliver the service you signed up for: delivering messages, running Communities, managing your account, processing payments, providing support. Without this processing, there is no service.
Legitimate interests (Article 6(1)(f)). Processing that rests on our legitimate interests, balanced against your rights and expectations. Each activity has a documented three-part assessment covering the purpose, the necessity (no less intrusive alternative), and the balance between our interests and your rights. This covers platform security, fraud prevention, service reliability and performance, aggregate feature-use analysis, and writing to you about changes to our services or policies.
As a concrete example: account security and abuse prevention. The interest is protecting users and the service from suspicious logins, spam, fraud, and other misuse. The data involved is technical and account-security data: IP signals, login events, device metadata, rate-limit triggers, and aggregate reliability telemetry. Those risks cannot be meaningfully spotted or addressed without that data. Balancing against your rights: the signals are used only for security, reliability, and administration, never for advertising or behavioural profiling; access is restricted to authorised staff; and routine security and usage logs are kept for up to 90 days under normal conditions. You can object to processing based on legitimate interests at any time, as described in Section 10.
Legal obligations (Article 6(1)(c)). Processing driven by legal requirements, including accounting, tax, and bookkeeping under Swedish law, responses to lawful requests from public authorities, and compliance with applicable data protection, security, and consumer laws.
Consent (Article 6(1)(a)). A smaller set of processing relies on your consent, such as optional communications or specific cookie uses on our marketing site where local law requires consent. Consent can be withdrawn at any time through your settings or by writing to us. Withdrawal does not affect processing that was lawful before it was withdrawn.
3.2 IP address geolocation
Your IP address is used to determine approximate location (city, region, country) for a defined set of reasons:
- alerting you to logins from new or unusual locations
- showing you where your account is currently signed in, for security monitoring
- spotting fraud and abuse
- determining regional age requirements and access eligibility under local laws
- meeting legal obligations relating to export control and sanctions
We prefer a fully local geolocation database for these lookups whenever it can answer the question.
Registration and abuse-prevention checks need additional IP network signals that a local geolocation database generally cannot provide. For those checks, we use IPinfo to identify signals such as VPN provider, commercial proxy, Tor exit-node status, residential-proxy use, and related risk indicators.
When we query IPinfo, the only thing sent is the IP address. No account identifier, no user identifier, no session token, no device information, no other context. IPinfo sees the IP in the same way any internet-facing server does when a connection is opened, which means the lookup cannot be linked back to your Fluxer account.
Every IPinfo response is cached on our own servers. An IP is sent to IPinfo once per cache window, no matter how many registration or abuse-prevention checks need that signal during the window. Residential IPs tend to be stable and are cached for longer. Proxy-pool IPs rotate more often and are cached for less time.
These IP network signals are used for security and abuse prevention only, including account registration checks and, in some cases, rejecting Tor or residential-proxy traffic at the API edge before it reaches the rest of the service. These signals are not used for advertising, profiling, or personalisation.
Automated regional access decisions. Where local law requires platforms to verify user age, we rely on automated regional restrictions driven primarily by IP geolocation instead of asking for government ID uploads or biometric scans. Those methods are more invasive than we are willing to require for general access. This approach can affect whether you can use Fluxer, or specific features, from a given region.
The approach is imperfect. Travel, VPNs, proxies, and unusual network setups can all produce the wrong outcome. If you believe your access has been restricted in error, write to privacy@fluxer.app. We acknowledge within five business days, conduct a human review of the decision, and keep your account in its current state while we look at it. You will receive the outcome with the reasoning, and you can put your point of view at any stage. Where applicable data protection law gives you rights around automated decision-making (GDPR Article 22, for instance), those rights are honoured per Section 10.
Current regional restrictions, their basis, and their effect are listed in our Regional restrictions help article.
4. Who we share data with, and who we do not
Your personal data is not sold, rented, traded, or licensed to any third party. Sharing is limited to the situations below.
4.1 Sharing you initiate
Ordinary use of Fluxer involves sharing. Messages go to the recipients you send them to. Posts in a Community are visible to its members. Profile details you make visible are visible. Integrations you connect can access the data you grant them.
Once content has been shared in those ways, other users can save it or redistribute it outside Fluxer. As with any communications platform, be deliberate about what you share and with whom.
4.2 Our service providers (processors)
A small, carefully chosen set of third parties processes data on our behalf. Each has been reviewed for privacy and security and is bound by a data processing agreement under GDPR Article 28.
Infrastructure and storage. Vultr provides our primary hosting. The main store for account data (messages, Communities, profiles, and other persisted content) is in Piscataway, New Jersey, and the object storage for user-uploaded files runs in the same region. Voice and real-time communication infrastructure also runs on Vultr across multiple regions worldwide, so calls can be routed near you for latency. Bunny.net operates our content delivery network, with edge nodes worldwide, for user-generated content on the fluxerusercontent.com domain.
Security and safety. IPinfo provides IP network signals for registration and abuse prevention, including VPN provider, commercial proxy, Tor, and residential-proxy signals, under the conditions set out in Section 3.2. hCaptcha provides CAPTCHA challenges for bot detection.
Third-party content. Google provides YouTube embeds and GIF search (Tenor). KLIPY provides additional GIF search. Traffic to Tenor and KLIPY is proxied through our servers, so your IP address and device identifiers never reach them, whether for searches or for the GIFs themselves. For YouTube, metadata is fetched server-side, and a YouTube iframe only loads from your device if you actually press play.
Payments and communications. Stripe handles payment processing. Sweego, hosted in the EU, handles transactional email. Twilio handles SMS-based account verification. Intercom runs our customer support platform. Phone numbers used for verification are not linked to Fluxer accounts; Fluxer keeps only an encrypted marker with no user ID for about 30 days, used solely to allow at most two verifications in that period. When you contact us through support, Intercom handles your messages, your email address, and the basic technical information needed to respond, acting under our instructions and not for its own purposes.
Error monitoring and observability. Our observability stack (metrics, logs, and traces) runs on infrastructure we control. No application errors or crash data are sent to any third-party monitoring service.
Data processing agreements are in place with Vultr, Bunny.net, IPinfo, hCaptcha, Stripe, Sweego, Twilio, and Intercom.
A few providers act as independent controllers when you interact with them directly: Google for YouTube embeds, and hCaptcha for challenge completion. In those specific interactions their own terms and privacy policies apply alongside ours.
Additions or replacements to this list are reflected here, and material changes are noted in our changelog.
4.3 When law or safety requires disclosure
Disclosure outside Fluxer happens only in a narrow set of circumstances:
- compliance with a valid legal obligation, legal process, or enforceable governmental request
- enforcement of our Terms of Service or other agreements
- protection of the safety, rights, or property of users, the public, or Fluxer
- detection, prevention, or remediation of fraud, security, or technical issues
Where the law allows it, and where notice would not create a safety, security, or legal-process risk, we try to notify affected users before disclosing data in response to a legal request, particularly when the request concerns an account or its content.
4.4 Business transfers
If Fluxer Platform AB is part of a merger, acquisition, reorganisation, sale of assets, or similar transaction, personal data may need to be transferred. In that event:
- Affected users will receive at least 30 days' advance notice, where legally permitted, before personal data is transferred to a new entity.
- The acquiring entity is bound by this Privacy Policy for as long as it holds your data, unless it obtains your affirmative consent to a new policy.
- You will have the opportunity to delete your account and request deletion of your data before the transfer takes effect, and clear instructions on how to do so.
- Data will not be transferred to any entity that does not agree to honour these protections.
5. Content safety
Fluxer does not run AI on your content. We do not execute AI or LLM inference over your messages, files, voice calls, or video, and nothing you share is used to train, fine-tune, or evaluate AI or machine learning models, ours or anyone else's.
What we run instead is a small set of automated safety measures, plus limited human review in defined circumstances.
5.1 Explicit-content classification
For an explicit-content opt-out to work, we need to know which uploaded images and video thumbnails are likely to contain nudity. We use OpenNSFW2, an open-source image classifier, running on our own servers.
OpenNSFW2 is a small pretrained classifier, not a generative AI system or LLM. Given an image, it returns a single number representing the probability that the image contains pornographic content. It cannot read text, generate output, retain memory across calls, or learn from what it sees.
Because the classifier runs entirely on our infrastructure, your media is not sent to any third party for this purpose, and no external API is called. We use the pretrained open-source weights as published, without fine-tuning them on your uploads, and no classifier output enters a training pipeline, ours or anyone else's.
The classifier creates a per-image "likely explicit" flag. We use that flag to respect the preferences of recipients who have opted out of explicit content, for example when you send a media attachment in a DM or post in a Community. The aim is to help people avoid unsolicited nudity.
Being flagged is not a determination about your rights. The flag enables delivery to respect recipient preferences; there are no further consequences. The media is not banned, the account is not disabled, and no report is filed.
5.2 Other automated safety measures
Beyond the explicit-content classifier, narrowly-scoped automated systems operate on metadata and patterns rather than on message content. They are there to:
- block known malware, phishing links, and spam patterns
- detect and mitigate harassment, raiding, and coordinated abuse
- flag suspicious login attempts and account-takeover patterns
- enforce Terms of Service and Community Guidelines when they have been breached
These systems look at data such as message frequency, link structure, account age, and IP reputation. They do not read message content and do not feed advertising or behavioural profiles.
5.3 Human review
Authorised staff may examine specific content when needed to investigate a user report, enforce policy, or respond to a credible safety issue. Access is controlled by role-based permissions and recorded in an audit log, so each access is attributable and reviewable internally.
5.4 Data Protection Impact Assessments
Where processing may create a high risk to people's rights and freedoms, we carry out Data Protection Impact Assessments (DPIAs), as GDPR Article 35 requires. Two DPIAs are complete to date: one covering the explicit-content classifier (Section 5.1), and one covering IP-based automated access decisions (Section 3.2). Each examines necessity and proportionality, identifies risks, and documents the technical and organisational measures used to reduce them. DPIAs are revisited when we introduce new processing, materially change existing processing, or on a regular schedule, whichever comes first.
6. Where your data lives
6.1 Storage locations
Your data is stored in a few places, depending on what it is.
Our primary servers are at Vultr, in Piscataway, New Jersey. Your main data (account information, messages, Communities, and other persisted content) is stored there, together with the object storage for user-uploaded files. Voice and real-time communication traffic also runs on Vultr across multiple regions worldwide, so calls can be routed near you.
Encrypted off-site backups of our databases exist for disaster recovery. The encryption keys are held only by us, so the backup provider cannot read, index, or otherwise process your data. That is why the backup provider is not treated as a sub-processor of your personal data under GDPR Article 28. User-generated content is delivered and cached through Bunny.net edge locations worldwide (for content on fluxerusercontent.com).
6.1.1 Why our primary hosting is in the United States
Our main application data currently sits in data centres on the US East Coast. At our present scale, those locations offer a reasonable balance of connectivity, reliability, and latency for a global service. The choice is operational rather than privacy-driven, and alternatives are kept under review.
The trade-off matters. Storing primary data in the United States brings it within reach of lawful access requests under US law, including the Clarifying Lawful Overseas Use of Data Act (the "CLOUD Act"). Under the CLOUD Act, a provider of electronic communication service or remote computing service subject to US jurisdiction can be required to produce data in its possession, custody, or control, even if that data is stored outside the United States. US hosting, and the use of providers subject to US jurisdiction, therefore carries a foreign-government access exposure that some other setups do not.
That exposure is factored into our transfer impact assessments, provider reviews, and legal request procedures in Sections 6.2 and 14. We treat it as a real privacy matter.
6.1.2 Regional hosting under evaluation
Reducing our reliance on US-hosted primary infrastructure is under active evaluation. One option is a separate EU region, where accounts and Communities could be hosted in Europe.
Regional hosting could keep data and Community operations closer to the legal and technical environment they are intended for. Depending on the architecture and providers involved, it could reduce foreign-government access exposure, though not eliminate it entirely. This is an active evaluation, not a dated roadmap commitment. If regional hosting ships, we will explain what it changes, what it does not, and which legal regimes still apply.
6.2 International data transfers
Because we operate globally and use providers in multiple countries, your data may be transferred to and processed in countries other than your own, including the United States and Canada. Those countries may have different data protection laws.
Where the law requires it (under GDPR, for instance), appropriate safeguards are in place. Our data processing agreements include Standard Contractual Clauses approved by the European Commission or UK authorities, and SCCs are maintained as a safeguard even where other adequacy mechanisms may apply. Transfer Impact Assessments are carried out for each destination, covering the legal framework in the recipient country and the practical ability of authorities there to access data. Supplementary measures are currently contractual, organisational, and technical: encryption in transit and at rest, strict access controls, audit logging of access to user data, and contractual limits on provider use.
The limits of these measures are important. We do not currently rely on jurisdiction-specific key separation, customer-controlled encryption keys, or an architecture that would make server-side data inaccessible to a provider served with a lawful order. For data we need to process on our servers to run Fluxer, these measures reduce transfer and access risk, but do not eliminate it.
Your data is not transferred to any third party for that party's independent advertising or marketing purposes. For more detail on our transfer safeguards, see Section 16.
7. Data retention
Your personal data is kept only as long as needed for the purposes described in this policy, to meet legal obligations, resolve disputes, and enforce our agreements. Retention periods are reviewed, and data that is no longer needed is deleted or anonymised.
7.1 Active accounts
For as long as your account is active, we hold your personal data, messages, Communities, and other content, so the service can function. You can delete specific content yourself at any time.
7.2 Attachments and expiry
Attachments may remain available only for a limited time. How long depends on factors such as file size, age, and access frequency. Items saved to Saved Media are treated separately and are not subject to the same expiry. Current details are in our help article on attachment expiry.
7.3 Phone verification markers
Phone numbers used for account verification are not stored on your Fluxer account. When verification succeeds, your account stores only has_verified_phone: true.
To prevent repeated reuse during suspicious registrations, we keep an internal encrypted marker for the phone number for about 30 days. The marker does not contain your user ID or any account reference, so it cannot be linked to an individual Fluxer account. It is used only to allow the same phone number to verify at most twice during that period, and for nothing else. It is not used for SMS 2FA, recovery, advertising, profiling, contact discovery, or linking accounts together. The encryption key for these markers is rotated roughly every 30 days with a short primary/secondary rollover period so existing markers can expire naturally.
7.4 Deleted content
When content is deleted, removal follows a specific path.
Database records (messages, account data) leave active systems quickly, typically within minutes. They may persist for a limited period in encrypted backup systems, up to 30 days, before being permanently removed.
Media attachments leave active storage, typically within hours. As a short disaster-recovery safeguard against accidental deletion, the object storage behind our user-content bucket retains a non-visible copy of each deleted attachment for up to 24 hours before final erasure. During that window the attachment is invisible to you, to other users, and to our CDN. Only authorised operators acting on a genuine disaster-recovery scenario, such as recovery from a bad bulk delete, can restore it. After the 24-hour window and CDN cache purging, the attachment is gone. Media attachments are not included in our long-term encrypted backup system. Bunny.net's cache purge API is used to invalidate CDN-cached attachments as soon as possible after deletion, though short delays can occur due to rate limits and global propagation.
If you exercise your right to erasure under GDPR Article 17, the 30-day backup retention period is treated as a documented technical limitation. During that window, deleted data remains in encrypted backups that are not used for active processing and are subject to scheduled purging. Your erasure request is completed once the data has been removed from both active systems and backup cycles.
Longer retention applies only where the law requires it (for example, for tax or legal compliance).
7.5 Deleted Communities and channels
Deleting a Community (guild) or channel starts a 14-day grace period. During that window, the Community or channel and all its contents (messages, attachments, roles, settings, and other associated data) are hidden from users and inaccessible through the API, media proxy, search, data exports, and bulk-deletion operations. They remain in our systems to allow recovery from accidental or unauthorised deletions. After 14 days, the Community or channel and all its data are permanently deleted via the procedures for deleted content above.
Content inside a Community or channel in a grace period is excluded from user data exports requested during that period. Bulk message deletions also skip messages in Communities or channels in a grace period.
Restoration can be requested through support during the 14-day window. Once the period elapses and permanent deletion has occurred, restoration is no longer possible.
7.6 Inactive accounts
Accounts may be scheduled for deletion after 2 years of inactivity. Advance notice is sent to the registered email address before deletion proceeds. The inactivity definition, notice schedule, and deletion process are in the guide to deleting or disabling an account.
Once deletion completes, the account can no longer be signed into, and its remaining data is inaccessible. Messages posted in Communities or direct messages may still be visible to other users unless you deleted them first.
7.7 Payment and transaction data
Transaction records are kept for at least seven years, as required by Swedish bookkeeping law (Bokföringslag 1999:1078), and for as long thereafter as is needed for legal compliance, dispute resolution, or fraud prevention. Retention is reviewed periodically. Full payment card numbers are not stored.
7.8 Logs and security data
Security and usage logs are kept for up to 90 days under normal conditions, then deleted or anonymised. Some logs may be retained beyond 90 days where needed for an active security investigation, a specific legal obligation, or an ongoing dispute, and are deleted once the reason for keeping them ends.
Audit logs (records of administrative actions, enforcement decisions, and account changes) are kept for as long as needed for accountability, appeals, dispute resolution, and legal compliance, and are reviewed periodically.
7.9 Reported content snapshots
When someone uses the in-app report feature to flag a message, user, Community, or invite, we take a snapshot of the reported item so there is a stable record for investigation, action, and any appeal. A reported message snapshot typically includes the message itself, a short window of surrounding messages for context, any attachments in the report, and metadata about who reported it and why.
Report snapshots live in a separate object-storage bucket, isolated from the main user-content bucket. They are not served to end users, included in data exports, or indexed for search. Access is limited to authorised trust-and-safety and engineering staff who need them for report review, and every access is recorded in an audit trail.
Snapshots are kept for up to one year (365 days) from the report date, after which an automated storage-lifecycle rule deletes them permanently. Deletion of the original message, attachment, account, or Community does not remove the snapshot during this window because it preserves the record needed for investigation and appeals. Once the retention period expires, the snapshot is deleted. In rare cases where specific evidence must be kept longer to meet a binding legal obligation, only what the law requires is retained, and the rest is deleted on the usual schedule.
7.10 Retention at a glance
| Data category | Retention period |
|---|---|
| Account information | While your account is active |
| Phone verification reuse markers | About 30 days; encrypted; no user ID; used only to allow at most two verifications per phone |
| Messages and user content | While your account is active, unless you delete them earlier |
| Deleted messages (database records) | Removed from active systems within minutes; removed from encrypted backups within 30 days |
| Deleted media attachments | Removed from active systems within hours; recoverable for up to 24 hours for disaster recovery; not backed up |
| Deleted Communities and channels | 14-day grace period, then permanently deleted per the above procedures |
| Report snapshots (in-app reports) | Up to 1 year (365 days); access limited to authorised staff and audit-logged |
| Security and usage logs | Up to 90 days (longer only for active investigations or legal obligations) |
| Audit logs | Kept as needed; reviewed periodically |
| Payment and transaction records | At least 7 years (Swedish bookkeeping law); reviewed periodically after that |
| Inactive accounts | Scheduled for deletion after 2 years of inactivity, with advance notice |
8. Your controls
8.1 Privacy dashboard
Your Privacy Dashboard and account settings give you direct control over several things.
Data export is available from the Data Export tab. Exports are currently provided as a ZIP archive of machine-readable JSON files, covering account data, per-channel message history, payment history, and security data, along with profile assets where applicable. Message attachments are not bundled into the standard export; the export includes CDN URLs for downloading them while they remain available. Messages in Communities or channels in a deletion grace period are excluded. Current details are in the help article on exporting your account data.
Attachments can be downloaded using the URLs in your export, which is useful for keeping copies before you delete messages or before they expire.
Individual message deletion is available in-app. Deleting a message also deletes any attachments on it.
Bulk deletion of all your messages is available from the Data Deletion tab in the Privacy Dashboard. Messages in Communities or channels in a grace period are skipped. The operation runs in the background and can take some time for large accounts. See the article about requesting data deletion.
Account deletion can be scheduled from settings. It proceeds after a grace period, unless you sign back in to cancel. The guide to deleting or disabling an account has the full details.
8.2 Requests by email
If you want to remove or correct a specific piece of data rather than delete everything, write to privacy@fluxer.app from the address associated with your Fluxer account. Tell us clearly what you want us to do, and we may ask for more information to verify your identity.
If you want a copy of your data before deleting messages or your account, request an export first and wait for it to complete.
9. Security
Technical and organisational measures protect your personal data against accidental or unlawful destruction, loss, alteration, disclosure, and unauthorised access.
The current measures include:
- standard encryption for data in transit (TLS)
- strong encryption for data at rest on our servers and backups
- professionally managed data centres with physical security
- security updates, patch management, and infrastructure hardening
- rate limiting and protections against abuse and attacks
- access controls restricting user data to authorised staff with a demonstrated need
- regular encrypted backups for disaster recovery
- audit logging of access to user data
A note on encryption. Nothing on Fluxer is currently end-to-end encrypted. Your data is encrypted in transit between your device and our servers, and encrypted at rest on our servers and backups. Because the service relies on server-side processing to function, message content is technically accessible to our systems while it is being handled.
The same holds for real-time voice and video at present. RTC servers run on Vultr across multiple regions (see Section 6.1), and that traffic is encrypted in transit. In practical terms, you are trusting Fluxer and our hosting provider to protect that traffic along that service path.
Opt-in end-to-end encryption is planned for Personal Notes, DMs, Group DMs, and voice chats. Until that feature exists and you choose to enable it for a supported surface, content and call media are not end-to-end encrypted on Fluxer.
Responsible disclosure. Security vulnerabilities can be reported through our Security bug bounty page. Responsible disclosure is appreciated and may be acknowledged publicly with your consent.
9.1 Data breaches
In the event of a personal data breach, we will investigate and take appropriate remedial steps. Our notification obligations are:
- The relevant supervisory authority (IMY) will be notified within 72 hours of our becoming aware of a breach that is likely to pose a risk to your rights and freedoms, as required by GDPR Article 33.
- Affected users will be notified without undue delay where a breach is likely to pose a high risk to their rights and freedoms, as required by GDPR Article 34.
- Other applicable breach notification obligations will be met.
Notifications will explain what happened, what data is likely affected, the likely consequences, and what you can do to protect yourself.
10. Your rights
Depending on where you live, you may have rights over your personal data. We honour those rights promptly and in good faith.
10.1 Under GDPR (EEA and UK)
Right of access. Confirmation of whether we process your personal data, and if so, a copy of it.
Right to rectification. Correction of personal data that is inaccurate or incomplete.
Right to erasure (the "right to be forgotten"). Deletion of your personal data where it is no longer needed for the purposes it was collected for, or in other circumstances the law recognises.
Right to restriction. Restriction of processing in certain circumstances, such as while accuracy is being verified or an objection is being assessed.
Right to object. Objection to processing based on legitimate interests. Processing will stop unless there are compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Right to data portability. A copy of your personal data in a structured, commonly used, machine-readable format, or transmission to another controller where technically feasible. Self-service exports are currently provided as a ZIP archive of JSON files, with download URLs for message attachments and certain related assets where applicable.
Right to withdraw consent. Withdrawal of consent for processing that is based on consent, at any time. Withdrawal does not affect the lawfulness of processing carried out beforehand.
Rights relating to automated decision-making. Where automated decisions significantly affect you (such as regional access eligibility), you can request human review, put your point of view, and contest the decision.
10.2 Under CCPA/CPRA (California residents)
California residents have the following rights:
- to know what personal information is collected, used, disclosed, and shared
- to delete personal information in certain circumstances
- to correct inaccurate personal information
- to opt out of the sale or sharing of personal information (no such sale or sharing occurs)
- to limit the use and disclosure of sensitive personal information
- to be free from discrimination for exercising any of the above
Additional California-specific disclosures are in Section 17.
10.3 Exercising your rights
Several of these rights can be exercised directly through your Privacy Dashboard and account settings.
Requests can also be sent to privacy@fluxer.app. Identity verification may be needed, for instance by asking you to reply from your registered email or provide additional details. Responses are returned within the timeframe required by applicable law, usually within 30 days, or up to 45 days where permitted. If we cannot fully comply, for example due to legal obligations or the rights of others, we will explain why and what options remain.
You can authorise an agent to submit requests on your behalf, where the law permits; proof of authorisation may be requested.
10.4 Complaints to supervisory authorities
You have the right to lodge a complaint with your local data protection authority if you believe your rights have been infringed. In Sweden, the relevant authority is the Swedish Authority for Privacy Protection (IMY) at imy.se. In the UK, it is the Information Commissioner's Office (ICO) at ico.org.uk. The authority in your country of residence is also an option.
You can also raise concerns with us first, so we have an opportunity to resolve them directly.
11. Children's privacy
Extra protections apply to younger users on Fluxer and are designed with children's privacy in mind.
11.1 Minimum age
Meeting the minimum age requirement in your region is a condition of using Fluxer. The general minimum, including in Sweden, is 13, though some countries set it higher. The full list is in our help article on minimum age requirements.
Users above the minimum age but below the age of legal majority (for example, under 18) may use Fluxer, but our Terms require a parent or guardian to review and agree to them on the user's behalf.
11.2 Protections for younger users
Eligibility is determined from approximate geographic location and self-reported information. Users identified as under 18 may have stricter safety features enabled by default, including tighter privacy defaults and restrictions on age-restricted features. Minors are not profiled for advertising or commercial purposes. Because no user is profiled for advertising or commercial purposes on Fluxer, this protection covers everyone.
Invasive verification methods such as government ID uploads or biometric scans are not used for general access. Where a legal framework would require methods we do not support, access is restricted as described in Section 3.2 and on the Regional restrictions page.
11.3 If a child below the minimum age is identified
Personal information is not knowingly collected from children below the minimum age for their region. In the United States, personal information is not knowingly collected from children under 13, in line with the Children's Online Privacy Protection Act (COPPA). If information from a child below the minimum age reaches us, we take steps to delete it and, where appropriate, the account.
A parent or legal guardian who believes their child has used Fluxer without consent, or does not meet the minimum age, should write to privacy@fluxer.app from the child's registered email or with sufficient proof of guardianship to request deletion of the account and data.
12. Cookies and similar technologies
12.1 Approach
Third-party advertising and tracking cookies are not used anywhere on Fluxer. There are no advertising trackers, analytics SDKs, or fingerprinting technologies. Operational logging and limited feature-usage telemetry live server-side and are not used for advertising or cross-site profiling.
12.2 Cookies we set
A small number of cookies are set, all strictly necessary for operation and security. Under the ePrivacy Directive, strictly necessary cookies do not require consent. The current first-party cookies are:
| Cookie name | Purpose | Duration | Scope |
|---|---|---|---|
| locale | Remembers your language preference | 1 year | Marketing site (fluxer.app) |
| csrf_token | Protects against cross-site request forgery (CSRF) attacks | 24 hours | Marketing site |
| __flx_sudo or __flx_sudo_<user_id> | Verifies your identity during sensitive account operations | 5 minutes | Fluxer application |
Sudo-mode cookies tied to a specific account have the user ID appended to the cookie name.
12.3 Client-side storage
The Fluxer application does not use cookies for authentication or session management. It uses your browser's local and session storage for preferences such as theme, media volume, and playback settings. That data stays on your device and is not sent to our servers.
12.4 Third-party cookies
Embedded third-party content may set its own cookies when you interact with it.
hCaptcha may set cookies during CAPTCHA challenge completion, for bot detection, governed by hCaptcha's privacy policy. YouTube may set cookies when an embedded video is played. Video metadata is fetched server-side, so YouTube is only contacted if you actually press play. YouTube cookies are governed by Google's privacy policy.
12.5 Managing cookies
Cookies can be controlled through your browser settings. Because all Fluxer cookies are strictly necessary, disabling them may stop some features from working. If non-essential cookies are ever introduced, for example analytics cookies, this section will be updated and consent obtained before they are set.
12.6 Opt-out preference signals
Browser-level opt-out preference signals such as Global Privacy Control (GPC) are honoured. Because we do not sell or share personal information for advertising, these signals do not change underlying processing, though they are recognised as valid opt-out requests as required by the CCPA.
Do Not Track (DNT) browser signals are not treated differently because industry consensus on DNT interpretation is absent. In practice, Fluxer already reflects the intent behind DNT: users are not tracked across third-party sites.
13. Third-party services and links
Fluxer may include links to, or integrations with, third-party services. The notes below describe how each interacts with your data.
GIF search (Tenor, KLIPY). Search queries and GIF embedding are both proxied through our servers. These providers never see your IP address or device identifiers.
Links posted in chat. Sending a URL in a chat message may cause our backend to fetch that URL to generate a rich embed or embedded media. Such requests identify themselves with a User-Agent string containing Fluxerbot. Site operators who prefer Fluxer not to fetch their pages for this purpose can block requests whose User-Agent contains Fluxerbot. Doing so will prevent rich embeds and embedded media from appearing in Fluxer when someone links to the site.
YouTube links. Video metadata is fetched server-side from the YouTube API so previews can be rendered without your device contacting YouTube. Playing an embedded video loads content directly from YouTube, and YouTube may collect information under its own privacy policy.
Other third-party content. Embedded third-party content may load directly from that third party upon interaction, with information collected under the third party's own terms.
Third-party services operate under their own privacy policies and data practices. When you use them, those policies apply alongside ours.
14. Law enforcement and legal requests
Every legal request for user data receives careful review, with the privacy and security of the people involved as the primary consideration.
Requests should be directed to legal@fluxer.app and must identify the requesting authority, legal basis, and scope of data requested. Overbroad, legally invalid, or inconsistent requests may be narrowed or refused. Where the law allows, and where notice would not create a safety, security, or legal-process risk, affected users are notified before disclosure so they have an opportunity to object. In genuine emergencies, disclosure may occur without prior notice where reasonably necessary to prevent harm, protect safety, or respond to an urgent situation, in line with applicable law.
15. Changes to this policy
This policy may be updated to reflect changes in our practices, services, or legal obligations. Material changes are accompanied by at least 30 days' advance notice, delivered through one or more of email, in-app notification, or a notice on our website. The effective date at the top of this policy will be updated, and within the app a persistent notice may link to the new version.
After the effective date, the updated policy applies to your continued use of Fluxer. You may be asked to review and acknowledge changes in the app so the updated notice can be recorded as shown.
If you disagree with an updated policy, you can export your data, delete your messages, and delete your account at any time, using the tools described in Section 8.
A changelog is maintained for reference.
16. Contact
Privacy and data protection
Email: privacy@fluxer.app
Person: Hampus Kraft, Founder and CEO
General support
Email: support@fluxer.app
Website: https://fluxer.app/
Postal address
Fluxer Platform AB
Norra Kronans Gata 430
136 76 Brandbergen
Stockholm County, Sweden
Organisation number: 559537-3993
For account-related requests, writing from the email address associated with your Fluxer account, where possible, makes identity verification easier and protects the account.
17. Additional information for California residents
This section sets out the further disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, "CCPA"). It applies only to California residents and sits alongside the rest of the policy.
17.1 Categories of personal information collected
| CCPA category | Examples we collect | Sources |
|---|---|---|
| Identifiers | Username, email address, user ID, IP address, device identifiers | You; automatic collection; service providers |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Billing country, partial payment card details (via Stripe) | You; Stripe |
| Internet or other electronic network activity | Pages visited, features used, session timestamps, crash reports, browser type, OS | Automatic collection |
| Geolocation data | Approximate location (city/region/country) derived from IP address | Automatic collection |
| Audio, electronic, visual, or similar information | Voice and video communications (where supported), uploaded images and files | You |
| Inferences | Approximate region for eligibility checks, spam/abuse risk signals | Automatic collection |
Biometric information, professional or employment information, and education information are not collected.
17.2 Sensitive personal information
Of the categories of "sensitive personal information" defined by the CCPA, only account log-in credentials (email address combined with password) are collected, for the purposes of running the service and securing the account.
From 1 January 2026, the CPRA also classifies personal information of consumers under 16 as sensitive. Because Fluxer permits account creation from age 13 (depending on jurisdiction), information meeting that definition may be collected and processed. It is not used or disclosed beyond what is needed to run the service.
17.3 Business purposes for collection
Personal information is collected and used for the purposes described in Section 3: running the service, securing accounts, preventing abuse, processing payments, improving reliability, and meeting legal obligations.
17.4 Categories disclosed for a business purpose
| CCPA category | Recipients | Purpose |
|---|---|---|
| Identifiers | Infrastructure providers (Vultr, Bunny.net); payment (Stripe); communications (Sweego, Twilio); support (Intercom); registration and anti-abuse IP network signals (IPinfo) | Hosting, delivery, payments, support, registration checks, abuse prevention |
| Customer records | Stripe | Payment processing |
| Internet or electronic network activity | hCaptcha; IPinfo | Bot prevention, registration and abuse-prevention IP network signals |
| Geolocation data | IPinfo only for registration and abuse-prevention IP lookups when local databases are insufficient (IP address only, no account context; results cached) | Registration and abuse-prevention checks |
| Audio, electronic, visual, or similar information | Bunny.net | Content delivery |
17.5 Sale and sharing of personal information
Personal information is not sold. It is not "sold" or "shared" (using the CCPA's definitions of those terms) for cross-context behavioural advertising or any other purpose. This applies to all consumers, including those under 16.
17.6 Retention
Each category of personal information is retained for the periods set out in Section 7.
17.7 Your California rights
California residents have the rights listed in Section 10: to know, to delete, to correct, to opt out of sale or sharing (none occurs), and to be free from discrimination. These rights can be exercised by writing to privacy@fluxer.app or through the controls described in Section 8. An authorised agent may be designated.
17.8 Opt-out preference signals
Global Privacy Control (GPC) and similar signals are honoured, as described in Section 12.6.