Privacy Policy
In accordance with EU Regulation 2016/679 (General Data Protection Regulation — GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), the following information is provided regarding the processing of personal data of Fluximage users.
2.1 Data Controller
| Data Controller | Miquel Costa |
|---|---|
| VAT / ID Number | 46961041D |
| Address | c/ vilassar 14, baixos 2 08014 Barcelona |
| GDPR contact email | hello@fluximage.io |
2.2 Data Collected, Purposes and Legal Bases
The following categories of personal data are processed for the purposes and on the legal bases set out below:
| Category | Data | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|---|
| Identification | Name, email, profile picture (Google OAuth) | Authentication and account management | Performance of a contract (6.1.b) |
| Billing | Email, payment history, Stripe customer ID | Subscription and billing management | Performance of contract + legal obligation (6.1.b and 6.1.c) |
| Service usage | Compressions, credits used, access dates | Plan limits control and internal statistics | Legitimate interest (6.1.f) |
| Uploaded images | Image files for processing | Compression and optimisation. Deleted after 15 minutes | Performance of a contract (6.1.b) |
| Analytics | Visits, page views (Umami, cookie-free) | Product improvement | Legitimate interest (6.1.f) |
| Waitlist | Email (voluntary) | Launch notification | Consent (6.1.a) |
2.3 Data Retention Periods
- User account data: for the duration of the contractual relationship and up to 5 years thereafter for tax and legal obligations.
- Billing data: 5 years (tax obligation under Spanish General Tax Law, Art. 66).
- Uploaded images: automatically deleted 15 minutes after processing. Fluximage does not retain them permanently.
- Waitlist data: until the user unsubscribes or up to 1 year from the date of collection.
- Analytics data (Umami): aggregated and anonymised data, no deletion deadline.
2.4 Recipients and Data Processors
Fluximage uses third-party service providers acting as data processors under Art. 28 GDPR, with adequate technical and organisational safeguards in place:
| Provider | Purpose | Country | Legal mechanism |
|---|---|---|---|
| Vercel | Web application hosting | USA | Standard Contractual Clauses (SCC) |
| Supabase | Database (users, credits, history) | EU (Ireland) | Within EEA |
| Cloudflare R2 | Temporary image storage | EU (Europe) | Within EEA |
| Clerk | User authentication and Google OAuth | USA / EU | SCC / EU infrastructure |
| Stripe | Payment and subscription processing | USA / EU | Data Privacy Framework (DPF) |
| OpenAI | AI alt text generation (GPT-4o mini) | USA | DPF + SCC |
| Resend | Transactional email delivery | USA | SCC |
| Crisp | Customer support and ticket system | France (EU) | Within EEA |
| Google Cloud | Authentication via Google OAuth | USA | DPF + SCC |
2.5 International Data Transfers
Several of Fluximage's providers are located outside the European Economic Area (EEA), primarily in the United States. International data transfers are carried out in accordance with the legal mechanisms provided for in Chapter V of the GDPR:
- EU-US Data Privacy Framework (DPF): Stripe, OpenAI and Google hold valid DPF certification, providing an adequate level of protection for EU-US transfers.
- Standard Contractual Clauses (SCC): approved by the European Commission (Decision 2021/914), applicable to Vercel, Clerk, Resend and other US-based providers.
Note on OpenAI: When a user activates the AI alt text generation feature, images are transmitted to OpenAI's API for processing in the USA. Under OpenAI's API terms, data sent via the API is not used to train OpenAI's models. Images are transmitted solely to generate the description and are not retained by OpenAI beyond the time required to process the request.
2.6 User Rights
Users may exercise the rights recognised under the GDPR at any time by sending an email to hello@fluximage.io with the subject line "GDPR Rights Request", attaching a copy of their identity document. The response time is 30 calendar days.
- Access (Art. 15): obtain confirmation of whether personal data is being processed and access to it.
- Rectification (Art. 16): request the correction of inaccurate or incomplete data.
- Erasure / Right to be forgotten (Art. 17): request the deletion of personal data.
- Restriction of processing (Art. 18): request restriction of processing.
- Data portability (Art. 20): receive personal data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
If unsatisfied with the response received, users have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es
2.7 Minors
The Fluximage Service is not directed at persons under the age of 16. Under Article 7 of the LOPDGDD, the processing of data of persons under 16 requires the authorisation of a parent or legal guardian. If Fluximage detects that a user is under 16 years of age, their data will be deleted immediately and their account will be closed.
2.8 Data Security
Fluximage implements appropriate technical and organisational measures to ensure the security of personal data in accordance with Art. 32 GDPR, including:
- Encrypted data transmission via HTTPS/TLS.
- Access control to systems and data by authorised personnel only.
- Automatic deletion of processed images 15 minutes after processing.
- Data stored on servers located within the EU (Supabase Ireland, Cloudflare R2 Europe).
2.9 Changes to this Privacy Policy
Fluximage reserves the right to update this Privacy Policy to reflect legislative or regulatory changes. In the event of substantial changes, users will be informed by email or via a prominent notice on the website at least 30 calendar days in advance.