Privacy Policy
Last updated: March 30, 2026 · Effective: March 30, 2026
Summary: We collect only what we need to run the service. We don't sell your data. We use third-party processors (OpenAI, Stripe, Supabase, Resend) only to deliver the service. You can delete your account and all associated data at any time.
1. Who we are
Flevo is a SaaS platform providing AI-powered lead detection tools. We scan public platforms (Hacker News, Product Hunt, Stack Overflow, GitHub, Twitter/X, Indie Hackers) to surface purchase intent signals for our users. For GDPR purposes, Flevo is the data controller for personal data you provide when creating an account.
Contact: hello@flevo.io
2. Data we collect
2.1 Account data
- Email address (required for authentication)
- Password (stored as a bcrypt hash — never in plaintext)
- Name (optional)
- Account creation date, last login
- Plan and billing status
2.2 Workspace configuration
- Product description and target ICP you enter
- Keywords inferred or manually set
- Notification webhook URLs (Slack, Discord, Telegram) — stored encrypted
- Tone and scoring preferences
2.3 Usage data
- Leads detected, saved, and dismissed
- Messages generated and marked as sent
- Monthly usage counters for quota enforcement
- CRM notes and status updates you add to leads
2.4 Billing data
Card numbers and billing addresses are processed entirely by Stripe and never stored on our servers. We store only your Stripe customer ID and subscription status.
2.5 Waitlist data
If you submit your email on the Business plan waitlist, we store that email address solely to notify you when the plan launches. It is not used for marketing purposes and is deleted once the plan is live.
2.6 Public content processed
When scanning platforms, Flevo processes publicly available posts, questions, and comments. This content is used to detect leads and generate suggested messages. None of this constitutes personal data you have provided to us directly.
3. How we use your data
- Service delivery: to run workspace scans, score leads, and generate outreach messages
- Billing: to manage subscriptions via Stripe
- Quota enforcement: to track monthly lead usage against your plan
- Notifications: to send you lead alerts via email or webhooks you configure
- Analytics: aggregate, anonymous usage metrics to improve the product
- Security: to detect abuse and protect the service
- Legal compliance: to meet applicable legal obligations
4. Data sharing
We do not sell, rent, or trade your personal data. We share data only with the processors listed below and only to the extent necessary to deliver the service.
5. Third-party processors
| Processor | Purpose | Data sent |
|---|
| OpenAI | Lead scoring and message generation | Post content, product description (no PII) |
| Stripe | Payment processing | Email, billing info |
| Supabase | Database hosting (EU region) | All account and lead data |
| Railway | Backend hosting (EU region) | Application logs |
| Vercel | Frontend hosting | Anonymous request logs |
| Resend | Transactional email | Your email address |
| Google Analytics | Anonymous traffic analytics | Anonymized IP, page views |
6. Data retention
We retain your data for as long as your account is active. Upon account deletion:
- All account data, workspace data, and lead data is permanently deleted immediately
- If you are on a paid plan, your Stripe subscription is cancelled at the moment of deletion — no partial refund is issued for the current billing period
- Billing transaction records are retained for 7 years as required by French tax law
- Anonymized aggregate statistics may be retained indefinitely
- If you re-register with the same email address after deletion, you will start on the Free plan with a fresh usage quota
7. Your rights (GDPR)
If you are located in the EU/EEA, you have the following rights under GDPR:
- Access: request a copy of all personal data we hold about you
- Rectification: correct inaccurate data
- Erasure: request deletion of your data ("right to be forgotten")
- Portability: receive your data in a machine-readable format
- Objection: object to certain types of processing
- Restriction: request we limit processing in certain circumstances
To exercise any right, email hello@flevo.io. We will respond within 30 days. You may also lodge a complaint with the CNIL (cnil.fr).
8. Security
- Passwords hashed with bcrypt (never stored in plaintext)
- Webhook URLs encrypted at rest
- All connections over TLS 1.2+
- Database hosted on Supabase (EU West, Ireland)
- Backend hosted on Railway (EU region)
- Access to production systems restricted to authorized personnel only
In the event of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR.
9. Cookies
We use localStorage (not traditional cookies) for authentication and preferences. We also use Google Analytics in anonymized mode. See our Cookie Policy for the full list.
Data protection questions: hello@flevo.io. We aim to respond within 5 business days.