Fluck Privacy Policy
Effective date: 2026-04-15
Last updated: 2026-04-15
This policy explains what information Fluck collects when you use our mobile app, website, and related services, what we do with it, and the rights you have over it. We've tried to keep it in plain English. If something isn't clear, email us at privacy@fluckai.com and we'll explain.
1. Who we are
Fluck is a social expense-sharing app operated by Fluck AI Ltd ("Fluck", "we", "us"), a company registered in England and Wales, United Kingdom at Innovation Centre, Knowledge Gateway, Boundary Road, Colchester, Essex, CO4 3ZQ, United Kingdom.
- Website: https://www.fluckai.com
- Privacy contact: privacy@fluckai.com
- Data Protection Officer: Not required under GDPR Art. 37 (Fluck does not conduct systematic large-scale monitoring or process special categories of data)
- Company registration: 15723506 (Companies House, England and Wales)
For users in the EU/EEA and UK, Fluck AI Ltd is the data controller for the personal data described below.
2. What data we collect
We only collect what we need to make the app work. The tables below list every category.
2.1 You give us
| Category | Examples | When |
|---|---|---|
| Identity | Name, date of birth | On signup and profile edit |
| Contact | Email address, phone number | On signup |
| Credentials | Password (hashed — we never see it in plaintext), OTP codes | On signup / login |
| Financial activity | Bill amounts, payment references, split details, IOUs | When you create or join a bill split |
| User-generated content | Group names, messages, notes, calendar events, receipt photos | When you use these features |
| Contacts (optional) | Names and phone numbers from your device contact book | Only if you grant contacts permission to invite friends |
| Calendar (optional) | Events you create in Fluck that we sync to your device calendar | Only if you grant calendar permission |
| Photos (optional) | Receipt images from your camera or photo library | Only if you grant camera/photo permission |
2.2 Collected automatically
| Category | Examples |
|---|---|
| Device | Device model, OS version, app version, language, timezone |
| Identifiers | Firebase installation ID (for push notifications), app-scoped user ID |
| Usage | Screens viewed, features used, approximate session duration |
| Diagnostics | Crash reports, performance traces, error logs (scrubbed of personal content) |
| Network | IP address (used transiently for request routing and abuse prevention) |
2.3 What we don't collect
- We do not access your bank accounts or card numbers.
- We do not collect precise GPS location.
- We do not track you across other apps or websites.
- We do not sell personal information (CCPA: "we do not sell").
3. How we use your data and why (legal bases)
Under GDPR Art. 6, every use of your data needs a lawful basis. Here's ours:
| What we do | Why | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Create and maintain your account | So you can log in and use Fluck | Contract (6(1)(b)) |
| Let you split bills, message groups, share calendars | Core product | Contract (6(1)(b)) |
| Send OTP + password-reset emails | Account security | Contract + legitimate interest (6(1)(f)) |
| Send push notifications about your activity | You asked us to via opt-in | Consent (6(1)(a)) — revocable in settings |
| Detect fraud and abuse | Keep the platform safe | Legitimate interest (6(1)(f)) |
| Improve the app (aggregated analytics) | Build better features | Legitimate interest (6(1)(f)) |
| Comply with the law | Tax, accounting, legal requests | Legal obligation (6(1)(c)) |
4. Who we share your data with
We use the following processors. Each is bound by a Data Processing Agreement.
| Processor | Purpose | Location | Policy |
|---|---|---|---|
| Google Firebase (Firebase Cloud Messaging) | Push notifications | US / EU | https://firebase.google.com/support/privacy |
| Brevo (formerly Sendinblue) | Transactional email (OTP, password reset) | EU | https://www.brevo.com/legal/privacypolicy/ |
| DigitalOcean (Spaces + Droplets) | Object storage for receipts; application hosting | EU region | https://www.digitalocean.com/legal/privacy-policy |
| Apple (App Store, APNs) | App distribution, iOS push delivery | Global | https://www.apple.com/legal/privacy/ |
| Google (Play Store) | App distribution on Android | Global | https://policies.google.com/privacy |
We do not share your data with advertisers. We do not sell your data.
We may disclose data if legally compelled (court order, valid subpoena) or to protect life, property, or the security of the service.
5. International transfers
Your data is processed primarily in the EU region of DigitalOcean (Frankfurt). Some processors (Firebase, Apple, Google) may process data in the United States. For transfers outside the EU/EEA/UK, we rely on:
- The European Commission's Standard Contractual Clauses (SCCs), and
- Supplementary measures including encryption in transit (TLS 1.2+) and at rest.
6. How long we keep your data
| Data | Retention |
|---|---|
| Active account data | For as long as your account is open |
| Deleted account — personal data | Purged or anonymised within 30 days of deletion request |
| Financial / bill-split records (required for tax and dispute) | Up to 7 years after deletion, anonymised where possible |
| Crash / diagnostic logs | 90 days |
| OTP codes | 10 minutes then permanently deleted |
| Backups | Rotated out within 35 days |
7. Your rights
7.1 If you're in the EU/EEA/UK (GDPR)
You have the right to:
- Access your data — request a copy (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — the "right to be forgotten" (Art. 17)
- Restrict or object to processing (Art. 18, 21)
- Portability — receive your data in a machine-readable format (Art. 20)
- Withdraw consent at any time, without affecting past processing (Art. 7(3))
- Lodge a complaint with your supervisory authority (the UK Information Commissioner's Office (ICO) if you are in the UK, or your local EU supervisory authority)
7.2 If you're in California (CCPA/CPRA)
You have the right to:
- Know what personal information we collect and why
- Delete your personal information
- Correct inaccurate personal information
- Opt out of "sale" or "sharing" — Fluck does not sell or share personal information for cross-context behavioural advertising
- Non-discrimination for exercising your rights
7.3 How to exercise your rights
The fastest way: Profile → Delete account in the app (for erasure) or Profile → Export my data (for access).
Alternatively, email privacy@fluckai.com with your registered email address. We respond within 30 days.
8. Children
Fluck is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has signed up, contact privacy@fluckai.com and we will delete the account.
9. Cookies and similar technologies
The Fluck mobile app does not use cookies. Our website (www.fluckai.com) uses only strictly necessary cookies for session handling and CSRF protection. We do not use analytics or advertising cookies without your consent.
10. Security
We take security seriously:
- TLS 1.2+ for all data in transit
- Passwords hashed with bcrypt
- RSA-signed JWTs for authentication; access tokens are short-lived
- Tokens on device are stored in the platform's secure credential storage (iOS Keychain / Android EncryptedSharedPreferences)
- Access to production systems is restricted and logged
- Regular dependency and code security reviews
No system is perfectly secure. If you believe you've found a vulnerability, email security@fluckai.com.
11. Changes to this policy
If we make material changes, we will notify you in-app and by email at least 30 days before they take effect. The "Last updated" date at the top of this policy always reflects the most recent revision.
12. Contact
- Privacy questions: privacy@fluckai.com
- Security reports: security@fluckai.com
- Postal: Fluck AI Ltd, Innovation Centre, Knowledge Gateway, Boundary Road, Colchester, Essex, CO4 3ZQ, United Kingdom
<a id="deletion"></a>
How to delete your account
- Open the Fluck mobile app
- Tap the profile menu (top-right) → Delete account
- Confirm the deletion warning and enter your password to proceed
Your account is soft-deleted immediately (your data becomes invisible to other users) and permanently erased after a 30-day grace period. To cancel during the grace period, simply log back in with the same credentials and confirm reactivation.
If you cannot access the app, email privacy@fluckai.com from your registered email address and we will process the deletion manually within 30 days.
Publication status
All placeholders filled with Fluck AI Ltd's registered details (Companies House 15723506). Effective date 2026-04-15. Ready for publication at https://www.fluckai.com/privacy.
Mailboxes required on the domain before go-live:
- privacy@fluckai.com
- security@fluckai.com
