Privacy Policy

This Privacy Policy is published by FluxType ("FluxType," "we," "us," or "our"). FluxType operates the FluxType desktop application, the website at fluxtype.app, and all related accounts, billing flows, and services. For all privacy-related enquiries, requests, or notices, contact us through the contact form or by email at support@fluxtype.app.

This Privacy Policy explains what personal information FluxType collects, why we collect it, how we use and share it, how long we keep it, and what rights you have over it. It applies whenever you use the FluxType desktop app, visit our website, create an account, subscribe to FluxType Pro, use optional cloud transcription or FluxType-hosted AI, use bring-your-own-key provider integrations, or contact our support team. It should be read together with our Terms of Service.

FluxType is built around a local-first product promise. Core dictation runs on your device. Cloud features are used only for the specific capabilities you choose to enable. We do not process your audio or transcripts in the background or without your knowledge.

We aim to respond to all verified privacy requests within 30 days of receipt. For complex requests, we may extend this by a further 60 days (90 days total) and will notify you of the extension. For requests from California residents, the response period is 45 days, extendable by a further 45 days with notice.

We collect information in three ways: information you give us directly, information generated by your use of FluxType, and information collected automatically when you visit our website.

Information you provide directly includes your name, email address, account credentials, billing and payment details (processed by our payment provider), contact-form messages, waitlist sign-up submissions, support requests, beta feedback, and any content you choose to submit when using FluxType features.

Information generated by your use of FluxType includes authentication records, MFA factor metadata, subscription and entitlement status, selected feature settings (such as AI mode, provider selection, and Custom Instructions) synced to your account, aggregate usage summaries (such as word counts, session durations, model labels, and dates), operational app metadata (such as app version, release channel, platform, operating system version, anonymous installation ID, update status, and last-seen timestamps), and billing lifecycle events received from our payment provider.

Information collected automatically when you visit our website may include pages requested, referring URLs, approximate geographic location derived from your IP address, browser and device type, timestamps, and request metadata needed for hosting, security, and abuse prevention. This information is collected by our website hosting and security providers as described below.

When you use local dictation with a locally installed Whisper model, your audio is processed entirely on your device. No audio, transcript text, or microphone data is sent to FluxType servers during local dictation.

The app may create temporary files on your device while processing audio. These are cleaned up by the app after processing. Your operating system, security software, device backups, or device administrator may independently have access to files and activity on your device — this is outside FluxType's control.

FluxType does not embed silent telemetry, crash reporters, clipboard monitors, active-window trackers, API-key uploaders, or audio uploaders in the local dictation feature. What stays on your device stays on your device.

The desktop app stores transcription history, custom snippets, vocabulary entries, replacement rules, AI mode preferences, and other app settings locally on your device so the app works as expected across sessions.

Local transcription history entries may include transcript text, timestamps, Whisper model used, recording duration, word count, detected language, task type, AI mode label, and favourite status. You control how long history is kept: options include indefinite retention, 30 days, 7 days, 24 hours, or off. Favourited entries are exempt from automatic pruning unless you delete them manually.

You can delete individual history entries, clear all history, export your history, change your retention window, or disable history entirely from within the app. These controls are local and take effect immediately on your device.

FluxType processes your audio and transcript text differently depending on the feature you select. Local dictation keeps all processing on your device. Cloud transcription sends your audio to the selected cloud transcription provider. AI rewriting or formatting sends your transcript text and system prompt to the selected AI processing path.

FluxType-hosted AI providers may include Google Gemini, OpenAI, OpenRouter, or other configured AI providers depending on availability, routing, model selection, region, reliability, abuse controls, and service limits. FluxType-hosted AI features route transcript text and prompts through FluxType's server-side AI proxy using FluxType-managed API credentials. FluxType does not use your audio or transcript text to train FluxType's own models.

When you use a third-party AI or transcription provider through a BYOK integration or FluxType-hosted routing, that provider's own terms and privacy policy govern their handling of data you send them — including whether they use data to improve their models. We recommend reviewing each provider's documentation before enabling an integration.

AI and transcription outputs can be inaccurate, incomplete, or unsuitable for high-stakes use. Always review outputs before using them in legal, medical, financial, employment, safety-critical, or other consequential contexts.

FluxType supports bring-your-own-key integrations with providers including OpenAI, Google Gemini, Deepgram, OpenRouter, and other supported providers. When you use a BYOK integration, FluxType sends the audio, transcript text, prompts, model selections, and request metadata required for the feature directly to that provider.

Your provider's own terms of service, privacy policy, data-retention settings, model-training rules, security practices, usage quotas, and fees apply to all data you send them. FluxType does not control, mark up, or take responsibility for your BYOK provider's independent processing.

BYOK API keys are stored locally on your device using the operating system's secure credential storage where available. FluxType does not transmit BYOK API keys to FluxType servers and does not include them in account sync.

If you create a FluxType account, we store account identifiers, your email address, authentication records, plan status, subscription status, and the settings necessary to deliver signed-in features consistently across sessions.

For signed-in users, FluxType may sync selected app preferences — such as your AI mode, provider selection, feature toggles, and Custom Instructions — to your account so your settings are consistent across devices and reinstalls. BYOK API keys are never included in account sync.

FluxType may sync aggregate usage summaries for signed-in users. These summaries contain counts, durations, word totals, model or mode labels, and dates. They are used for plan enforcement, usage insights displayed to you, abuse prevention, and service reliability. Usage summaries do not include transcript text, audio recordings, clipboard contents, API keys, local file paths, active-window titles, or window content.

Authenticator app MFA is an optional account security feature. If you enable it, Supabase stores MFA factor metadata for your account, such as the factor identifier, factor type, friendly name, verification status, and timestamps needed to challenge and verify one-time codes.

When recovery codes are generated, FluxType stores hashed recovery codes linked to your account so we can verify a recovery code later without storing the displayed code. FluxType does not store recovery codes in plaintext. Recovery codes are shown only at generation time, and you are responsible for saving them somewhere secure.

MFA recovery attempts may be recorded with timestamps and counters so we can rate-limit guessing, detect abuse, and protect accounts. A successful recovery-code use consumes that code, removes verified authenticator factors from the account, and clears the remaining saved recovery-code set.

If you contact support because you lost access to both your authenticator app and recovery codes, we may process the information you provide to verify account ownership. We cannot guarantee account recovery when ownership cannot be verified or when recovery would create security, privacy, legal, or abuse risk.

FluxType collects required operational metadata to keep the app secure, compatible, and up to date. This may include a random installation ID, app version, release channel, platform, processor architecture, operating system version, update check status, update download or install status, sanitized update error codes, and last-seen timestamps.

For signed-out users, operational records are associated with the random installation ID generated by the app. For signed-in users, operational check-ins may also update your account profile with the last app version and last active timestamp so we can support release adoption, security notices, entitlement reliability, and abuse prevention.

Operational monitoring does not include transcript text, audio recordings, clipboard contents, API keys, prompts, local file paths, screenshots, active-window titles, or window content.

Paid FluxType subscriptions are sold and processed by Polar, our payment provider and merchant of record. When you purchase a subscription, Polar collects and processes your billing details, payment card information, tax identification where required, and transaction records. Polar's own privacy policy governs the information it collects as merchant of record.

FluxType receives subscription status, entitlement records, and billing lifecycle events (such as renewal, cancellation, and refund confirmations) from Polar. We use these to activate paid features, enforce plan entitlements, and respond to billing support requests. FluxType does not receive full payment card numbers from Polar.

Billing and financial records are retained in accordance with applicable financial and tax law. See the Retention section for specific periods.

The FluxType website uses cookies, browser local storage, and similar technologies. We use these technologies for the following purposes: to keep you signed in to your account (authentication cookies, which are strictly necessary), to measure aggregate website page views, engagement events, and browser performance (Cloudflare Web Analytics, Google Tag Manager, and Google Analytics), and to deliver bot-protection challenges on forms and sign-in pages (Cloudflare Turnstile).

FluxType does not use advertising cookies, does not track you across third-party websites, and does not share browser data with advertising networks. We do not use fingerprinting or behavioural profiling for marketing purposes.

Cloudflare Turnstile uses browser signals including cookies to determine whether a form submission or sign-in attempt is human. These challenges are required for security and abuse prevention and cannot be disabled without breaking protected forms.

You can control or disable non-essential cookies through your browser settings. Disabling authentication cookies will prevent you from remaining signed in. If your browser or device sends a Global Privacy Control (GPC) signal, we treat it as an opt-out from sale or sharing of personal information under applicable law, even though FluxType does not sell or share personal information for advertising purposes.

Our website is hosted through Cloudflare Pages. Cloudflare processes web request logs, IP addresses, and technical request metadata as part of serving the website and protecting it from abuse.

If Cloudflare Web Analytics is enabled, Cloudflare also processes browser page-view and performance measurements so we can understand aggregate website usage. We do not use this for cross-site advertising or behavioural profiling.

If Google Tag Manager and Google Analytics are enabled, Google processes website page views, interaction events such as downloads, pricing clicks, checkout clicks, signup or waitlist clicks, landing-section views, browser and device information, approximate location, referrers, and related measurement metadata so we can understand website traffic, engagement, leads, and sales funnel performance.

Forms and sign-in flows on fluxtype.app use Cloudflare Turnstile for bot protection. Cloudflare processes challenge tokens and technical browser signals to assess whether interactions are automated. Cloudflare's privacy policy governs data collected as part of this service.

Feedback submissions are user-initiated. When you submit feedback from within the app, you can review exactly what will be sent before confirming the submission.

Feedback submissions may include your message, optional contact details, app version, platform and operating system details, relevant settings, and diagnostic information. Feedback may include transcript text only if you explicitly choose to attach it. Feedback submissions do not intentionally include audio, clipboard contents, API keys, active-window titles, or window content.

Structured beta feedback surveys submitted through the app may be processed by PostHog for product analysis. Survey submissions are intended for short, structured responses and should not include transcripts, audio, API keys, clipboard contents, file paths, or active-window titles. PostHog's privacy policy governs their processing of submitted survey responses.

Support requests sent by email or through the contact form are retained to allow us to respond to your enquiry, track recurring issues, and improve product reliability.

FluxType uses the following third-party service providers. Each receives only the information necessary for their specific function and is subject to appropriate data processing obligations.

Supabase— authentication, database, and edge functions. Processes account identifiers, email addresses, authentication records, MFA factor metadata, hashed recovery codes, plan status, synced user settings, and aggregate usage summaries on FluxType's behalf.

Polar — subscription billing and payment processing (merchant of record). Processes payment card information, billing details, tax records, and subscription lifecycle data.

Cloudflare — content delivery network, DNS, Web Analytics, and Turnstile bot protection. Processes web request metadata, browser performance and page-view measurements, and browser challenge signals to protect forms and sign-in flows from automated abuse and understand aggregate website usage.

Google Tag Manager and Google Analytics — website tag management and analytics. Processes website page views, interaction events, browser and device information, approximate location, referrers, and related measurement metadata to help FluxType understand website traffic, engagement, leads, and sales funnel performance.

PostHog— product feedback and survey analysis. Processes structured beta feedback survey responses voluntarily submitted through the app's feedback feature.

Google Gemini — AI model provider for FluxType-hosted AI features and supported BYOK AI integrations. Processes transcript text, prompts, model selections, and request metadata required for the AI feature you choose.

OpenAI — AI model and cloud transcription provider for supported FluxType-hosted routes, OpenAI Whisper API cloud transcription, and BYOK integrations. Processes audio, transcript text, prompts, model selections, and request metadata required for the selected feature.

OpenRouter — AI model routing provider for supported FluxType-hosted routes and BYOK integrations. Processes transcript text, prompts, model selections, routing preferences, and request metadata required for the selected AI feature.

Deepgram — cloud transcription provider for supported BYOK transcription and realtime streaming features. Processes audio, selected language/model settings, and request metadata required for cloud transcription.

We will update this section if we add service providers that materially change how personal information is processed.

We use the information we collect to: provide and operate FluxType and its features; authenticate your account and manage your session; process and fulfil your subscription; enforce plan entitlements and usage allowances; route selected AI and cloud transcription features to the appropriate provider; deliver usage insights to your account dashboard; respond to support, billing, and privacy requests; investigate and prevent fraud, abuse, and security incidents; improve product reliability and performance; comply with our legal obligations; and communicate important product or account updates.

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioural advertising. We do not use your local dictation audio or local transcript history to train FluxType models.

Where GDPR, UK GDPR, or equivalent data protection legislation requires us to identify a lawful basis for processing personal data, we rely on the following.

Performance of a contract (Article 6(1)(b)): We process your account information, subscription records, billing details, entitlement status, and the data necessary to deliver the features you request in order to perform the contract we have with you, or to take steps at your request before entering into a contract.

Legitimate interests (Article 6(1)(f)): We process data for security monitoring, fraud and abuse prevention, product reliability, product improvement, and maintaining internal business records where our legitimate interests in doing so are not overridden by your rights and interests. You have the right to object to processing on this basis by contacting us.

Legal obligation (Article 6(1)(c)): We process and retain certain data — including billing records, tax records, and responses to lawful government or regulatory requests — to comply with legal obligations that apply to us.

Consent (Article 6(1)(a)): Where a specific feature or applicable law requires consent before processing, we will seek it explicitly. You may withdraw consent at any time through the relevant product control or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We share personal information with the service providers listed in the Named service providers section above, strictly as necessary for them to perform their services on our behalf. We do not authorise service providers to use your information for their own marketing purposes.

We may disclose your information if required to do so by applicable law, court order, or valid legal process; to respond to lawful requests from government authorities or regulators; to protect the rights, property, safety, or security of FluxType, our users, or the public; or to detect, prevent, or address fraud, security incidents, or technical problems.

If FluxType is involved in a merger, acquisition, financing, reorganisation, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction, subject to appropriate confidentiality obligations and notice to you where required by law.

When you connect a third-party BYOK provider, your content is processed by that provider under its own independent terms and privacy policy. FluxType is not responsible for those independent processing practices.

FluxType uses automated systems to enforce plan entitlements, apply usage allowances, enforce rate limits, and detect fraud, abuse, and security anomalies. These automated checks can affect whether a request is accepted, throttled, rejected, or flagged for review.

FluxType does not use solely automated processing to make decisions that produce legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. Entitlement and abuse checks that affect your access to features always have a human review mechanism available on request.

If you believe an automated entitlement enforcement, billing, or abuse-prevention decision is incorrect, contact us at support@fluxtype.app and we will conduct a human review.

Local data — including transcription history, snippets, and app settings stored on your device — remains on your device until you delete it, change your retention settings, uninstall the app, or clear app data. Device backups or management systems outside FluxType's control may retain copies independently.

Account and authentication records are retained for the duration of your active account and for up to 3 years following account deletion, as required for security, fraud prevention, and legal record-keeping purposes.

Unused MFA recovery codes are retained while authenticator MFA remains enabled, until they expire, are regenerated, are consumed, are invalidated by disabling MFA, or are removed during account deletion. MFA recovery attempts and rate-limit records are retained for security and abuse prevention and are eligible for operational cleanup after 12 months.

Billing and financial transaction records are retained for a minimum of 7 years as required by applicable financial reporting and tax law.

Support and feedback communications are retained for up to 3 years after the matter is closed or the feedback is actioned.

Aggregate usage summaries are retained for the duration of your account and for up to 1 year following account deletion.

Security and access logs are retained for up to 12 months.

When you delete your account, we remove or disconnect your account profile and associated data in line with the above periods. We cannot delete data that we are legally required to retain, or that is part of an active dispute or investigation.

We implement technical and organisational security measures designed to protect your information against unauthorised access, disclosure, alteration, and loss. These include encrypted data transmission (TLS), access controls and authentication on our backend systems, encrypted local storage for BYOK API keys where the operating system provides it, rate limiting and abuse controls, and restricted server-side access.

No system, application, or transmission method is completely secure. You are responsible for maintaining the security of your device, operating system account, FluxType account credentials, provider accounts, API keys, and any exported data.

If you discover a security vulnerability in FluxType, please report it responsibly to support@fluxtype.app. Do not publicly disclose the vulnerability, attempt to exploit it, or access data that is not yours. We will acknowledge and investigate all responsible disclosures promptly.

Depending on where you live, you may have some or all of the following rights over your personal information: the right to access the personal information we hold about you; the right to have inaccurate information corrected; the right to request erasure of your personal information; the right to receive a portable copy of information you have provided to us in a structured, machine-readable format (data portability); the right to restrict certain processing; the right to object to processing based on legitimate interests; and the right to withdraw consent where processing is based on consent.

EEA and UK residents have the right to lodge a complaint with a data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO), reachable at ico.org.uk. In the EU, you may contact the data protection authority in your country of residence. You may do this at any time, including before contacting us directly.

You can exercise many of your choices directly within the app: adjust your local history retention window, delete individual or all history entries, export your history, manage your account settings, disconnect BYOK providers, and delete your account where that option is available. Where processing is based on consent, you may withdraw it through the relevant product control.

To submit a formal privacy request — for access, correction, deletion, portability, restriction, or objection — use the contact form or email support@fluxtype.app. We will respond within 30 days of verifying your identity and request. We may ask you to verify your identity before we act on a request.

FluxType does not sell personal information and does not share personal information for cross-context behavioural advertising. FluxType does not knowingly collect, sell, or share the personal information of children under 13.

The categories of personal information we collect about California residents include: identifiers (name, email address, account ID, IP address); billing and commercial information (subscription status, payment records held by our billing provider); internet or network activity (website pages visited, request metadata); device and application information; audio and transcript data you choose to process using FluxType features; support and feedback communications; and preferences and usage inferences used to deliver app settings and plan entitlements.

California residents have the right to know what personal information we collect and how we use it, to request deletion of personal information, to correct inaccurate information, to opt out of the sale or sharing of personal information (which we do not do), and to not be discriminated against for exercising these rights. Residents of Virginia, Colorado, Connecticut, Texas, Montana, and other states with comprehensive privacy legislation have similar rights under their respective state laws.

If your browser or device transmits a Global Privacy Control (GPC) opt-out preference signal, we will treat it as a request to opt out of the sale or sharing of personal information under applicable law, even though we do not engage in those practices.

FluxType and its service providers operate infrastructure in the United States and other countries. If you access FluxType from the European Economic Area, the United Kingdom, or Switzerland, your personal information may be transferred to and processed in countries that do not provide the same level of data protection as your home country.

For transfers of personal data from the EEA to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or UK-addendum SCCs as applicable.

You may request a copy of the safeguards we have put in place for international transfers by contacting us at support@fluxtype.app.

FluxType is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. Children under 13 may not create accounts or use account-based FluxType services.

If you are a parent or guardian and believe that a child under 13 has provided personal information to FluxType, please contact us at support@fluxtype.app. We will investigate and, where confirmed, delete the information promptly.

We may update this Privacy Policy from time to time as FluxType evolves. When we make changes, we update the date at the top of this page.

For material changes — particularly changes that affect what personal information we collect, how we use it, or with whom we share it — we will provide at least 30 days' notice to registered users before the updated policy takes effect, either through an in-app notice, an email to your registered address, or a prominent notice on our website, where practical.

Continued use of FluxType after a new Privacy Policy becomes effective constitutes your acceptance of the updated policy. If you do not agree with changes, you may delete your account and stop using FluxType before the effective date.