Privacy Policy
1. Who we are
fl1p.club ("fl1p", "we", "us") operates an invite-only network for online business operators. For the purposes of data protection law, fl1p is the data controller responsible for your personal data.
Data protection contact: privacy@fl1p.club
2. Information we collect
2.1 Account data
When you register, we collect:
- Email address
- Username and display name
- Authentication credentials (stored securely; we never store passwords in plain text)
- OAuth profile data (name, avatar) if you sign up via Google or GitHub
2.2 Profile data
Information you voluntarily add to your profile:
- Avatar image
- Biography, status, role
- Links to external websites or social accounts
- TrustMRR integration data (revenue metrics from connected payment processors)
2.3 Content data
Content you create on fl1p:
- Posts, comments, and replies
- Direct messages
- Marketplace listings (including business descriptions, pricing, financial metrics)
- Community contributions, polls, and votes
- Uploaded images and files
2.4 Usage data
We automatically collect:
- IP address
- Browser type, operating system, and device information
- Pages viewed, features used, and interaction timestamps
- Referrer URL
- General geolocation (country/region level, derived from IP)
We do not track you across other websites. We do not use third-party behavioral tracking or retargeting pixels.
2.5 Payment data
When you purchase a Paid Service, payment is processed by Creem (creem.io) as our merchant of record. Creem collects your payment information (card number, billing address) directly. fl1p does not receive, process, or store your full payment card details. We receive only:
- Confirmation of payment success or failure
- Transaction ID and amount
- Subscription status
Creem processes payments in accordance with their Privacy Policy and PCI DSS standards.
2.6 Communication data
If you contact our support team, we collect the content of your communications, your email address, and any attachments.
3. How we use your information
We use your information for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account | Contract performance |
| Deliver platform features (feed, DMs, communities, marketplace) | Contract performance |
| Process payments for Paid Services | Contract performance |
| Send transactional emails (password resets, account notifications) | Contract performance |
| Prevent fraud, abuse, and unauthorized access | Legitimate interest |
| Enforce Community Rules and moderate content | Legitimate interest |
| Analyze usage patterns to improve fl1p | Legitimate interest |
| Respond to support requests | Contract performance |
| Comply with legal obligations (tax, law enforcement) | Legal obligation |
| Display public content in search engine results | Legitimate interest |
We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal effects.
4. How we share your information
We share personal data only in the following circumstances:
4.1 Service providers
We use the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, real-time features | Account data, content, usage data |
| Cloudflare | Hosting, CDN, DDoS protection | IP address, request metadata |
| Creem | Payment processing (merchant of record) | Email, transaction data, billing info |
| Resend | Transactional email delivery | Email address, email content |
Each provider is bound by data processing agreements and processes data only for the purposes described above.
4.2 Law enforcement and legal requests
We may disclose personal data if required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation.
- Protect the safety of any person.
- Investigate fraud, abuse, or violations of our Terms.
- Protect fl1p’s rights and property.
4.3 Business transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you via email or in-app notification before your data is transferred and becomes subject to a different privacy policy.
4.4 Public content
Posts, comments, profile information (username, display name, avatar, bio), and marketplace listings are public by default and may be:
- Viewed by anyone, including non-registered visitors.
- Indexed by search engines (Google, Bing, etc.).
- Accessed by search engine and web crawlers as permitted by our robots.txt.
- Cached by third-party services beyond our control.
4.5 With other Users
Your public profile, posts, and community activity are visible to other fl1p Users. Direct messages are visible only to the participants of the conversation.
5. International data transfers
fl1p’s infrastructure spans multiple regions. Your data may be processed in countries outside your country of residence, including the United States and the European Union. When we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- European Commission adequacy decisions.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with all service providers.
6. Data retention
We retain your personal data for as long as necessary to fulfill the purposes described in this policy:
| Data category | Retention period |
|---|---|
| Account data | Until account deletion + 30 days for processing |
| Content (posts, comments) | Until deleted by you or account deletion |
| Direct messages | Until deleted by you or account deletion |
| Usage data (analytics) | 12 months, then aggregated/anonymized |
| Payment records | 7 years (legal/tax obligation) |
| Support tickets | 3 years from resolution |
| Moderation logs (bans, warnings) | Duration of platform operation (safety and abuse prevention) |
| IP addresses (security logs) | 90 days |
After account deletion, we may retain anonymized or aggregated data that can no longer identify you.
7. Your rights
7.1 Rights under GDPR (EU/EEA/UK residents)
If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with your local data protection authority.
7.2 Rights under CCPA (California residents)
If you are a California resident, the California Consumer Privacy Act provides you with:
- Right to know — what personal information we collect, use, disclose, and sell.
- Right to delete — request deletion of your personal information.
- Right to opt-out — opt out of the sale of personal information. Note: fl1p does not sell personal data.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
7.3 How to exercise your rights
To exercise any of these rights:
- Self-service: Use Settings to edit your profile, export your data, or delete your account.
- Email: Contact privacy@fl1p.club with your request. We will verify your identity and respond within 30 days (extendable by 60 days for complex requests, with notice).
8. Cookies and local storage
fl1p uses minimal browser storage:
| Item | Type | Purpose | Duration |
|---|---|---|---|
| Session token | Cookie | Authentication (strictly necessary) | Session / 30 days |
| fl1p-theme | Local storage | Theme preference | Persistent |
| Cookie consent | Local storage | Record your consent decision | Persistent |
| Composer drafts | Local storage | Save unsent post drafts | Until sent or cleared |
| Dismissed banners | Local storage | Remember UI preferences | Persistent |
| Feed cache | Local storage | Faster page loads | Until next visit |
We do not use third-party tracking cookies, advertising pixels, or cross-site identifiers. Our cookie banner allows you to reject non-essential storage at any time.
9. Direct messages
Direct messages on fl1p are private communications between participants. Regarding DMs:
- Messages are stored encrypted at rest in our database.
- DMs are gated by the follower graph — you cannot message someone who doesn’t follow you (unless they initiate the conversation).
- fl1p staff do not read your messages except when: (a) required by law or valid legal process; (b) investigating a report of abuse, harassment, or Terms violation filed by a participant.
- Deleted messages are permanently removed from our servers within 30 days.
10. Children’s privacy
fl1p is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a child under 18, we will delete the account and associated data promptly. If you believe a minor has registered on fl1p, please contact privacy@fl1p.club.
11. Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS) and at rest.
- Secure password hashing.
- Web application firewall and DDoS protection.
- Rate limiting and abuse detection.
- Role-based access controls for administrative functions.
- Regular security reviews.
No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be:
- Announced via in-app notification at least 14 days before the effective date.
- Reflected in the "effective" date at the top of this page.
Continued use of fl1p after the effective date constitutes acceptance. If you disagree with a change, you may close your account.
13. Contact
For privacy-related questions, requests, or complaints:
- Privacy: privacy@fl1p.club
- General: hello@fl1p.club
- Security incidents: security@fl1p.club
- In-app: Support
We aim to respond to all privacy-related requests within 30 days.
