Last updated: March 18, 2026
FlashFeed (flashfeed.ai) is operated as a sole proprietorship based in Bucharest, Romania. We act as the data controller for personal data processed through our Service. Contact: privacy@flashfeed.ai
We collect the minimum data necessary to provide the Service:
Account data: Email address, name (if provided via Google OAuth), hashed password. Legal basis: contract performance (Art. 6(1)(b) GDPR).
Usage data: Number of content packs generated, platforms selected, tone preference, token counts, generation timestamps. This data is linked to your account for billing and usage limit enforcement. Legal basis: contract performance and legitimate interest (Art. 6(1)(b) and 6(1)(f) GDPR).
Content data: Text you submit for content generation is sent to our AI provider (Anthropic) for processing. We do not permanently store your input content or generated outputs on our servers. Content is processed in-memory and discarded after the response is delivered to you. Legal basis: contract performance (Art. 6(1)(b) GDPR).
Payment data: Payments are processed by Paddle (our Merchant of Record). We do not store credit card numbers, bank details, or payment credentials. Paddle handles all payment data under their own privacy policy.
Technical data: IP address (for rate limiting only, not stored permanently), browser type (via standard HTTP headers). We do not use cookies for tracking or advertising.
We do not collect or process: location data (beyond IP-based country for rate limiting), advertising identifiers, social media profiles, browsing history, data from minors (users must be 18+), or any special category data (health, political, biometric, etc.).
Your data is used exclusively to: (a) provide and maintain the Service; (b) authenticate your account; (c) enforce usage limits per your subscription plan; (d) process payments via Paddle; (e) communicate important service updates; (f) prevent abuse and ensure security.
We do NOT use your data for: advertising, profiling, automated decision-making, selling to third parties, or training AI models.
We use the following sub-processors, all of which maintain appropriate data protection standards:
Supabase (EU region — Ireland): Authentication, database hosting. Processes account data and usage metadata.
Anthropic (USA): AI content generation. Processes your input text to generate outputs. Anthropic's API does not use customer data for model training. Data is processed transiently and not stored by Anthropic beyond the API request lifecycle.
Vercel (Global CDN): Website hosting and serverless functions. Processes technical data (IP, headers) for request routing.
Paddle (UK/EU): Payment processing as Merchant of Record. Processes payment and billing data under their own privacy policy.
Cloudflare (Global): DNS and domain management. Processes technical routing data only.
Your account data is stored in the EU (Supabase, Ireland). Content submitted for AI processing is sent to Anthropic's API servers in the USA. This transfer is necessary for contract performance (Art. 49(1)(b) GDPR) and is covered by Anthropic's data processing terms. Content is processed transiently and not stored permanently outside the EU.
Account data: Retained for the duration of your account plus 30 days after deletion request.
Usage logs: Retained for 12 months for billing and analytics, then automatically deleted.
Input content: Not stored. Processed in-memory during generation and discarded.
Payment records: Retained by Paddle per their legal obligations (typically 7 years for tax purposes).
As an EU resident, you have the following rights regarding your personal data:
Right of access: Request a copy of all personal data we hold about you.
Right to rectification: Request correction of inaccurate data.
Right to erasure: Request deletion of your account and all associated data ("right to be forgotten").
Right to data portability: Receive your data in a structured, machine-readable format.
Right to restrict processing: Request that we limit how we use your data.
Right to object: Object to processing based on legitimate interest.
Right to withdraw consent: Where processing is based on consent, withdraw at any time.
To exercise any of these rights, email privacy@flashfeed.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) or your local supervisory authority.
We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS/HTTPS), encrypted database connections, access controls, rate limiting, and regular security reviews. No system is 100% secure; we cannot guarantee absolute security but we take commercially reasonable steps to protect your data.
FlashFeed uses only essential cookies required for authentication (session tokens). We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies per GDPR Art. 5(3) of the ePrivacy Directive.
FlashFeed is not intended for users under 18. We do not knowingly collect data from minors. If we learn we have collected data from a minor, we will delete it promptly.
We may update this Privacy Policy periodically. Material changes will be communicated via email at least 14 days before taking effect. The "Last updated" date at the top indicates the latest revision.
For privacy-related inquiries: privacy@flashfeed.ai
Data Controller: FlashFeed, Bucharest, Romania