Privacy Policy

Last updated: April 1, 2026

1. Introduction

FlukeBase ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the FlukeBase platform (the "Service").

2. Information We Collect

2.1 Account Information

When you register, we collect:

  • Name and email address
  • Authentication credentials (hashed passwords or OAuth tokens from Google)
  • Account preferences and settings

2.2 Usage Data

We automatically collect:

  • AI agent session metadata (timestamps, duration, tool calls, session status)
  • Task and project activity (creation, updates, completion)
  • Memory entries you create through AI agent interactions
  • MCP tool invocation logs (tool name, timing, success/failure status)
  • Browser type, IP address, and device information for security purposes

2.3 Payment Information

Payments are processed by Stripe. We do not store credit card numbers. Stripe provides us with a payment token, last four digits, and billing address. Bitcoin Lightning payments are processed by Blink API.

2.4 Content You Store

The Service stores content you create or upload, including:

  • Project configurations and source code references
  • AI agent memories, session transcripts, and task descriptions
  • Email templates, articles, and marketing campaigns
  • Files uploaded to project storage
  • Git repositories hosted on the platform

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process payments and manage subscriptions
  • Send transactional emails (account confirmations, security alerts, billing receipts)
  • Provide AI agent context (memories, conventions, session history) within your account
  • Generate aggregated, anonymized analytics to improve platform performance
  • Detect and prevent fraud, abuse, and security threats

We do not:

  • Sell your personal information to third parties
  • Use your content or data to train AI models
  • Share your data with advertisers
  • Access your project content except to operate the Service or as required by law

4. Data Storage and Security

Your data is stored on infrastructure we operate:

  • PostgreSQL database with pgvector for semantic search, hosted on our VPS
  • Redis for caching and background job queues
  • S3-compatible object storage (iDrive e2) for file uploads
  • All data encrypted in transit via TLS 1.2+
  • Database connections use encrypted channels
  • Passwords hashed with bcrypt; JWT tokens for session management

5. Data Retention

  • Account data: Retained while your account is active, deleted within 30 days of account termination
  • Session data: Session metadata retained indefinitely for analytics; session transcripts retained for 90 days
  • Memories: Retained until you archive or delete them; archived memories preserved for version history
  • Audit logs: Change history retained for 1 year for compliance
  • Payment records: Retained as required by applicable tax and financial regulations

6. Third-Party Services

We use the following third-party services that may process your data:

  • Stripe — Payment processing (Privacy Policy)
  • Google OAuth — Authentication (Privacy Policy)
  • Cloudflare — DNS and CDN (Privacy Policy)
  • Let's Encrypt — SSL certificates
  • Blink API — Bitcoin Lightning payments
  • iDrive e2 — Object storage

7. Cookies and Tracking

We use minimal cookies:

  • Session cookie — JWT token for authentication (essential, not optional)
  • Dark mode preference — localStorage, not transmitted to server
  • Project selection — Cookie for remembering your active project context

We do not use third-party tracking cookies, analytics scripts, or advertising pixels.

8. Email Communications

We send emails for:

  • Account verification and security alerts (cannot be opted out)
  • Billing receipts and subscription changes (cannot be opted out)
  • Product updates and newsletters (opt-out via unsubscribe link)
  • Marketing campaigns (opt-out via unsubscribe link)

Email tracking (open/click) is used only for campaign analytics and can be disabled in your account settings.

9. Your Rights

You have the right to:

  • Access your personal data through the dashboard or API
  • Export your data (projects, memories, sessions) via MCP tools or dashboard
  • Correct inaccurate personal information in your account settings
  • Delete your account and all associated data
  • Object to processing for marketing purposes
  • Restrict processing in certain circumstances

To exercise these rights, contact privacy@flukebase.me or use the GDPR data purge tools in your account settings.

10. Self-Hosted Instances

If you self-host FlukeBase, you are the data controller for all data stored on your instance. This Privacy Policy applies only to the managed FlukeBase service at flukebase.me. Self-hosted operators are responsible for their own privacy compliance.

11. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us to have it removed.

12. International Data Transfers

Our servers are located in Germany (Contabo VPS). If you access the Service from outside Germany, your data will be transferred to and processed in Germany. We ensure appropriate safeguards are in place for international transfers.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.

14. Contact

For privacy-related inquiries: