Privacy Policy
Last updated: January 20, 2026
FLUXHOSTER LLC - PRIVACY POLICY
Effective Date: January 17, 2026
Last Updated: January 17, 2026
1. Introduction
FluxHoster LLC ("FluxHoster," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website building and hosting platform (the "Service").
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use the Service. By accessing or using FluxHoster, you acknowledge that you have read, understood, and agree to be bound by all the provisions of this Privacy Policy.
This Privacy Policy is incorporated into and forms part of our Terms of Service. Capitalized terms used but not defined in this Privacy Policy have the meanings assigned to them in the Terms of Service.
2. Information We Collect
2.1 Account Registration Information
When you create a FluxHoster account, we collect:
- Email Address: Used as your username and for account recovery
- Password: Hashed using PBKDF2 with 150,000 iterations; never stored in plaintext
- Name: Optional; used for display purposes
- Account Creation Timestamp: For account history and security purposes
- Account Verification Status: Whether email has been verified
2.2 Payment Information
When you subscribe to FluxHoster, payment information is collected by Stripe, not by FluxHoster. We receive and store only:
- Billing Email Address: For payment receipts and invoicing
- Subscription Plan: Which tier you are subscribed to (Basic, Pro, Business)
- Subscription Status: Active, canceled, or suspended
- Payment History References: Links to payment records in Stripe (we do not store card data, CVV, or sensitive payment details)
- Billing Cycle: Monthly or annual
- Next Renewal Date: When your subscription will renew
2.3 Website Brief Information
When you submit a custom design request via the Brief Submission system, we collect and encrypt:
- Contact Name: Your name or business representative's name
- Contact Email: Your email address for communication
- Contact Phone Number: Your phone number (optional)
- Company Name: Your business name (optional)
- Project Description: Details about your project requirements
- Design Preferences: Your style preferences (colors, layout, tone)
- Target Audience Information: Who the website is for
- Timeline: Your preferred project timeline
- Budget Information: Your budget constraints (if provided)
All brief information is encrypted at rest using AES-256-CBC encryption and is only accessible to authorized FluxHoster staff.
2.4 Website Content
Your website content is stored and hosted on GitHub Pages. We collect and store metadata about:
- HTML/CSS/JavaScript Code: The actual code that comprises your website
- Images and Media Files: All images, videos, and other media you upload
- Domain Name: The custom domain associated with your website
- Website Settings: Configuration options for your website
- Templates Used: Which template(s) you built your website from
- Deployment Settings: Your GitHub integration settings
Website content is not encrypted by FluxHoster; encryption is handled by GitHub and your own GitHub account security.
2.5 Usage and Log Data
We automatically collect certain information about your use of the Service:
- IP Address: For rate limiting, security analysis, and aggregate analytics
- User-Agent String: Browser and device information; used for session binding and device identification
- Access Logs: Timestamps, pages accessed, endpoints called
- Error Logs: Error messages and stack traces for debugging
- Session Duration: How long you remain logged in
- Features Used: Which platform features you interact with
- Referrer Information: How you accessed the Service (direct, search, referral)
- Device Information: Device type, operating system, browser version
This data is retained for 90 days for security and performance analysis.
2.6 Cookies
We use the following cookies:
- Session Authentication Cookie (fh_auth or __Host-fh_auth): 30-day expiration; contains encrypted session identifier
- CSRF Token Cookie: For cross-site request forgery protection; expires with session
- Analytics Cookie (optional): If you consent, we may use this for website analytics (NOT Google Analytics or third-party trackers)
We do NOT use:
- Google Analytics
- Facebook Pixel
- Third-party advertising cookies
- Third-party tracking pixels
- Cookie consent tools that share data with third parties
See Section 12 for more information about cookies.
3. How We Collect Information
3.1 Information You Provide
You directly provide information when you:
- Create an account (email, password, name)
- Submit payment information through Stripe
- Update your account profile
- Submit a custom design brief
- Upload images or content
- Contact support or submit forms
- Communicate with FluxHoster staff
3.2 Information Collected Automatically
We automatically collect information when you:
- Access the FluxHoster website or platform
- Browse website pages
- Interact with platform features
- Click links or buttons
- Load pages (access logs)
- Make API requests
3.3 Information from Third Parties
We receive limited information from:
- GitHub: When you authorize FluxHoster to access your GitHub account, we receive your GitHub username and repository information
- Stripe: When you make a payment, Stripe provides us with confirmation of successful payment and subscription status
- Cloudflare: When we process DNS queries, Cloudflare provides us with domain name and configuration information
- AWS Rekognition: When images are scanned for content, AWS provides flagged-content alerts (not image data)
4. Purpose of Data Collection
We collect information for the following purposes:
4.1 Service Provision
- Create and manage your account
- Provide website building and hosting services
- Deploy and update your websites
- Process payments and manage subscriptions
- Provide customer support
- Send service-related announcements (required by law, e.g., Terms changes)
4.2 Security and Fraud Prevention
- Detect and prevent fraudulent transactions
- Identify and prevent unauthorized access
- Monitor for abuse and misuse
- Enforce Terms of Service
- Comply with legal obligations (requests from law enforcement)
- Rate limiting and DoS protection
4.3 Content Moderation
- Scan images for prohibited content (AWS Rekognition)
- Flag inappropriate briefs or descriptions
- Enforce content policies
- Respond to copyright claims
4.4 Service Improvement
- Analyze platform usage patterns
- Identify technical issues and errors
- Improve user experience
- Develop new features
- Monitor service performance and uptime
4.5 Communication
- Send transactional emails (account confirmations, payment receipts, password resets)
- Send service updates and maintenance notices
- Respond to customer inquiries
- Send security alerts
4.6 Legal Compliance
- Comply with applicable laws (GDPR, CCPA, etc.)
- Respond to legal processes (subpoenas, warrants)
- Maintain audit trails for financial and legal purposes
- Enforce intellectual property rights
Note: We do NOT use your data for:
- Marketing or promotional purposes (unless you opt in)
- Selling or renting your data to third parties
- Creating user profiles for advertising
- Behavioral tracking or profiling
5. Legal Basis for Processing
Under GDPR and other privacy laws, we process your data only where we have a legal basis. Our legal bases include:
5.1 Contract Performance
We process your data because it is necessary to perform our contract with you:
- Creating and managing your account
- Hosting your website
- Processing payments
- Providing customer support
- Deploying updates
5.2 Legitimate Interest
We process your data based on our legitimate interests:
- Security and fraud prevention (our interest in preventing abuse)
- Service improvement and analytics (our interest in providing a better service)
- Legal compliance (our interest in obeying the law)
- Content moderation (our interest in maintaining a safe platform)
We balance these interests against your privacy rights. You have the right to object to processing based on legitimate interest.
5.3 Legal Obligation
We process your data because law requires it:
- Tax compliance (retaining payment records for 7 years)
- Responding to legal process (subpoenas, warrants)
- Combating child exploitation (reporting to NCMEC)
5.4 Consent
We collect certain optional information only with your consent:
- Marketing communications (opt-in via email)
- Analytics cookies (opt-in during account setup)
- Additional data processing (explicit consent requested)
You can withdraw consent at any time by updating your account settings or contacting [email protected].
6. Data Sharing and Disclosure
6.1 What We Don't Share
FluxHoster does NOT:
- Sell your personal data to advertisers or data brokers
- Share your data with marketing partners
- Share your email address with third parties
- Create profiles that are sold or rented
- Use your data for behavioral advertising
6.2 What We Do Share
We share your information with the following categories of recipients:
Service Providers (Processors): These companies process data on our behalf under written data processing agreements:
- Stripe: Payment processing (email, subscription status)
- GitHub: Website hosting (website code, repository access)
- Cloudflare: DNS and CDN services (domain names, traffic routing)
- AWS Rekognition: Image content moderation (images sent for scanning; not stored)
- Supabase: Database backup (encrypted account data, briefs)
- DNSimple: Domain registration (domain names for WHOIS)
Legal Requirements: We may disclose your data when required by law:
- Responding to subpoenas, warrants, or court orders
- Combating fraud or protecting security
- Enforcing our Terms of Service
- Protecting the rights, privacy, and safety of others
Business Transfers: If FluxHoster is acquired, merged, or sold, your data may be transferred as part of that transaction. We will notify you if such a transfer occurs.
Aggregated Data: We may share aggregated, anonymized data that does not identify you:
- Usage statistics (e.g., "50% of users have 2+ websites")
- Platform metrics (e.g., "average uptime: 99.8%")
- Demographic trends (e.g., "most users in California")
7. Third-Party Service Providers
7.1 Data Processors and Subprocessors
The following companies process your data as subprocessors. Each has its own privacy policy and data handling practices:
Service: Stripe
Purpose: Payment processing
Data Processed: Email, subscription info, billing data
Privacy Policy: https://stripe.com/privacy
Service: GitHub
Purpose: Website hosting
Data Processed: Website code, images, repository
Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies
Service: Cloudflare
Purpose: DNS, CDN, compute
Data Processed: Domain names, traffic, configuration
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Service: AWS
Purpose: Image moderation
Data Processed: Images for content scanning
Privacy Policy: https://aws.amazon.com/privacy/
Service: Supabase
Purpose: Database backup
Data Processed: Account data, encrypted briefs
Privacy Policy: https://supabase.com/privacy
Service: DNSimple
Purpose: Domain registration
Data Processed: Domain names, WHOIS data
Privacy Policy: https://dnsimple.com/privacy
7.2 Your Responsibility
You are responsible for reviewing the privacy policies of these third-party services. FluxHoster has executed Data Processing Agreements (DPAs) with all subprocessors to ensure GDPR compliance. These agreements specify:
- Permitted purposes of data processing
- Data security requirements
- Restriction on further subprocessing
- Your rights regarding the data
- Deletion and return of data upon service termination
7.3 Data Transfers to Subprocessors
By using FluxHoster, you acknowledge and consent to the transfer of your data to these third-party subprocessors. If you do not consent, you may not use the Service.
8. Data Retention
8.1 Retention by Data Category
Account Information:
- Retained while account is active
- Deleted 30 days after account deletion
- Exception: Account email retained for 7 years for tax/legal purposes (anonymized)
Payment Records:
- Retained for 7 years (tax compliance requirement under US law)
- Payment card: Never stored by FluxHoster (handled by Stripe)
Website Content:
- Retained while account is active
- GitHub repositories: You are responsible for deleting via GitHub
- FluxHoster metadata: Deleted 30 days after account deletion
Website Briefs:
- Retained while account is active
- Deleted 30 days after account deletion
- Archived briefs (for reference): Retained for 1 year after project completion
Usage Logs and Analytics:
- Retained for 90 days
- Deleted automatically after 90 days
- Exception: Logs related to security incidents retained for 1 year
Cookies:
- Session cookies: Expire after 30 days of inactivity
- CSRF tokens: Deleted upon logout
Backups:
- Retained for disaster recovery for up to 90 days
- Deleted after recovery period
- Exception: Archived backups for compliance retained up to 1 year
8.2 Data Deletion Requests
You may request deletion of your account and associated data at any time. Upon deletion:
1. Your account will be marked for deletion
2. You have 30 days to recover your account
3. After 30 days, all data is permanently deleted
4. Tax records are retained for 7 years (anonymized)
To request deletion, contact [email protected].
9. User Rights
9.1 GDPR Rights (EU Users)
If you are located in the European Union, you have the following rights under the General Data Protection Regulation:
Right to Access (Article 15): You have the right to request a copy of all your personal data in a structured, machine-readable format (JSON). We will provide this within 30 days of your request.
Right to Rectification (Article 16): You have the right to correct inaccurate or incomplete personal data. You can update your account information directly in your account settings, or contact [email protected] for assistance.
Right to Erasure / "Right to Be Forgotten" (Article 17): You have the right to request deletion of your personal data, except where we have a legal obligation to retain it (e.g., tax records). We will delete your data within 30 days, subject to exceptions.
Right to Restrict Processing (Article 18): You may request that we restrict how we process your data while we investigate your concerns. We will stop processing your data (except for storage) during this period.
Right to Data Portability (Article 20): You have the right to receive your data in a portable format and to transmit that data to another service provider. We provide a JSON export of your account data.
Right to Object (Article 21): You have the right to object to processing of your data based on legitimate interest. We will cease such processing unless we have an overriding legal basis.
Right to Withdraw Consent (Article 7): If processing is based on your consent, you may withdraw that consent at any time. We will stop processing your data for that purpose.
Right to Lodge a Complaint (Article 77): If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority (e.g., the Information Commissioner's Office in the UK, or your country's equivalent).
9.2 CCPA Rights (California Users)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
Right to Know (CCPA § 1798.100): You have the right to know what personal information we collect, use, and share. We provide this information in this Privacy Policy and will provide additional details upon request.
Right to Know If Data Is Sold (CCPA § 1798.100(d)): FluxHoster does NOT sell your personal information. We do not sell, rent, or exchange your data for monetary or other valuable consideration. Your data is used only for the purposes described in this Privacy Policy.
Right to Delete (CCPA § 1798.105): You have the right to request deletion of your personal data. We will delete your data within 45 days, except where we have a legal obligation to retain it.
Right to Opt-Out of Sale (CCPA § 1798.120): Since we do not sell your data, this right does not apply. However, we provide an opt-out link for compliance purposes.
Right to Non-Discrimination (CCPA § 1798.125): We will not discriminate against you for exercising your CCPA rights. You will not be denied services, charged different prices, or treated differently if you exercise your rights.
Right to Correct Inaccurate Data (CCPA § 1798.106): You have the right to request correction of inaccurate personal information.
Right to Limit Use and Disclosure (CCPA § 1798.115): You may limit how we use and disclose your personal information, except where necessary to provide our services or comply with the law.
9.3 How to Exercise Your Rights
To exercise any of the above rights, contact:
Email: [email protected]
Address: FluxHoster LLC, 3855 Washington Street, San Francisco, CA, United States
Please include:
- Your name and account email
- Clear description of your request
- Proof of identity (required for security purposes; acceptable forms include government ID, utility bill, or other official documentation)
We will:
- Confirm receipt of your request within 10 days
- Respond to your request within 30 days (extendable to 60 days for complex requests)
- Provide information in the format you requested (where applicable)
- Not charge a fee for most requests (except multiple, frivolous, or excessive requests)
9.4 Right to Appeal
If you are unsatisfied with our response to your rights request, you may:
- Appeal to FluxHoster management at [email protected]
- Lodge a complaint with your local data protection authority
- Pursue legal remedies available in your jurisdiction
10. Data Security
10.1 Technical Security Measures
FluxHoster implements comprehensive security measures to protect your data.
Encryption at Rest:
- All sensitive data (briefs, passwords, API keys) encrypted using AES-256-CBC
- Encryption keys managed securely and rotated regularly
- Database-level encryption enabled where applicable
Encryption in Transit:
- TLS 1.2 or higher for all communications
- All HTTP requests redirected to HTTPS
- Certificate pinning for sensitive API communications
- No plaintext transmission of passwords or credentials
Password Security:
- Passwords hashed using PBKDF2 with 150,000 iterations
- No plaintext password storage
- Automatic logout after 30 days of inactivity
- Password reset via secure email verification
Authentication & Authorization:
- Cookie-based session authentication
- HTTP-only, Secure, SameSite cookie attributes
- CSRF protection via double-submit cookie pattern
- Multi-layered access controls (role-based)
- Session invalidation on security events
Rate Limiting and DoS Protection:
- Rate limiting: 15 requests per minute per IP address
- Per-user rate limiting: 15 requests per minute per account
- Automated blocking of suspicious activity
- DDoS protection via Cloudflare
Monitoring and Logging:
- Security event logging (login attempts, failed payments, permission changes)
- Access logs retained for 90 days
- Anomaly detection for suspicious behavior
- Automated alerts for security incidents
10.2 Organizational Security Measures
Personnel & Training:
- Limited access to sensitive data (need-to-know basis)
- All staff with access to data undergo security training
- Confidentiality agreements for all employees
- Background checks for security-sensitive roles
Access Controls:
- Role-based access control (RBAC) for all staff
- Multi-factor authentication for internal accounts
- Segregation of duties (no single person has full system access)
- Audit logs of all administrative actions
Infrastructure Security:
- Secure development environment (code review, testing)
- Regular security updates and patching
- Vulnerability scanning and penetration testing
- Incident response plan and security team
Vendor Management:
- Data Processing Agreements with all subprocessors
- Regular security audits of third-party vendors
- Contractual requirements for data security
- Right to audit vendor security practices
10.3 Security Limitations
While we implement strong security measures, no system is 100% secure. We cannot guarantee:
- Prevention of all security breaches or unauthorized access
- Protection against sophisticated cyberattacks or nation-state actors
- Protection against user negligence (e.g., sharing passwords, poor account security)
- Security of devices or networks outside our control
Your Responsibility:
- Use strong, unique passwords
- Secure your 12-word recovery phrase
- Keep your device and software updated
- Avoid phishing and social engineering attacks
- Use secure networks (avoid public WiFi for sensitive operations)
11. Children's Privacy
11.1 Age Restrictions
The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that we have inadvertently collected information from a child under 13, we will immediately:
1. Stop collecting data from that child
2. Delete all information collected from that child
3. Terminate the child's account
11.2 Children 13-17
Users between 13 and 17 may use the Service only with verifiable parental or guardian consent. By allowing your child to use FluxHoster, you represent that:
- You are the child's parent or legal guardian
- You have reviewed this Privacy Policy and the Terms of Service
- You consent to the child's use of the Service
- You are responsible for your child's use and any content they create
FluxHoster may request proof of parental consent (e.g., notarized letter, government ID).
11.3 COPPA Compliance
FluxHoster complies with the Children's Online Privacy Protection Act (COPPA), which protects children under 13. We:
- Do not knowingly collect personal information from children under 13
- Do not allow children under 13 to create accounts
- Do not market to children under 13
- Delete data from children under 13 if discovered
- Provide parents with access to their child's information and deletion rights
12. Cookies and Tracking
12.1 What Are Cookies?
Cookies are small text files stored on your device that contain information about your browsing. When you visit FluxHoster, we set cookies to authenticate your session and protect against attacks.
12.2 Cookies We Use
Essential Cookies (Required for Service):
Cookie Name: fh_auth or __Host-fh_auth
Purpose: Session authentication and login
Expiration: 30 days or session end
Attributes: HTTP-only, Secure, SameSite=Strict
Cookie Name: CSRF_TOKEN
Purpose: Protection against cross-site request forgery
Expiration: Session
Attributes: HTTP-only, SameSite=Strict
Analytics Cookies (Optional):
- We may use first-party analytics cookies only if you opt in
- We do NOT use Google Analytics, Facebook Pixel, or third-party tracking
- Analytics data is used only to improve the Service
- You can disable analytics cookies in your account settings
12.3 Cookies We Don't Use
FluxHoster does NOT use:
- Google Analytics or similar third-party analytics
- Facebook Pixel or advertising pixels
- Third-party tracking cookies
- Advertising or behavioral targeting cookies
- Cookie consent banner tools that share data with third parties
- Social media tracking pixels
12.4 Cookie Management
How to Manage Cookies:
You can control cookies through your browser settings:
1. Open your browser settings
2. Find "Cookies" or "Privacy and Security"
3. Manage cookie preferences
4. Allow/block specific sites
Effects of Disabling Cookies:
- Disabling essential cookies will log you out and prevent login
- Disabling analytics cookies will prevent usage tracking (non-essential)
- Some features may not function without cookies
Third-Party Cookies:
Since we do not set third-party cookies, you should not see third-party cookies from FluxHoster. If you see third-party cookies while using FluxHoster, they may come from:
- GitHub (when accessing GitHub integration)
- Cloudflare (when accessing DNS features)
- Your browser or operating system
Review the privacy policies of these services for their cookie practices.
12.5 Tracking Technologies
Besides cookies, we may use:
- Web Beacons (Pixels): Not used by FluxHoster
- Local Storage: Not used for tracking (only for essential application data)
- Session Storage: Used for temporary session data
- Log Files: We log access to our servers for security and performance
13. International Data Transfers
13.1 Where Your Data Is Processed
FluxHoster processes data primarily in the United States (California). However, data may be transferred to and processed in other countries due to:
- GitHub: Servers in the United States and other locations
- Cloudflare: Global CDN in multiple countries
- AWS: Processing in US regions (specifically us-east-1 for Rekognition)
- Supabase: Processing in the United States
13.2 Legal Safeguards for International Transfers
For EU Residents (GDPR):
If your data is transferred outside the EU/EEA, we ensure adequate safeguards:
- Standard Contractual Clauses (SCCs): We have executed SCCs with all subprocessors that transfer data outside the EU
- Data Processing Agreements (DPAs): All subprocessors are contractually bound to protect EU data with appropriate safeguards
- Adequacy Decisions: Where applicable, we rely on EU adequacy decisions
- Your Rights: You retain all GDPR rights even when data is transferred internationally
For California Residents (CCPA):
We do not restrict international transfers, but we maintain contractual commitments to protect your data with equivalent security measures.
13.3 Your Consent
By using FluxHoster, you consent to the transfer of your data to countries outside your country of residence, including the United States. If you do not consent to international data transfers, you may not use the Service.
14. Data Breach Notification
14.1 What is a Data Breach?
A data breach occurs when unauthorized individuals access, misuse, or disclose your personal data without permission.
14.2 Our Breach Response Protocol
If FluxHoster experiences a data breach affecting your personal data, we will:
1. Investigate: Determine the scope, nature, and affected data
2. Notify: Inform affected users within 72 hours (GDPR requirement)
3. Mitigate: Take steps to prevent further unauthorized access
4. Report: Report to authorities if required by law
5. Support: Provide guidance and support to affected users
14.3 What We'll Tell You
Our breach notification will include:
- Description of the breach (what happened)
- Date and time of the breach
- Types of data affected (email, passwords, payment info, etc.)
- Likely consequences of the breach
- Measures we've taken to prevent recurrence
- Our contact information and next steps
- Resources for credit monitoring (if applicable)
14.4 Legal Notifications
GDPR Requirement: We will notify you within 72 hours if you are an EU resident and the breach poses a risk to your rights and freedoms.
CCPA Requirement: We will notify you without unreasonable delay if you are a California resident.
Other Jurisdictions: We will comply with all applicable breach notification laws in your jurisdiction.
14.5 Your Rights After a Breach
- Right to know what data was affected
- Right to obtain credit monitoring or fraud protection services
- Right to take legal action against FluxHoster (if negligent)
- Right to report the breach to your data protection authority
15. Changes to This Privacy Policy
15.1 Policy Updates
FluxHoster may modify this Privacy Policy at any time. Material changes will be announced by:
- Email notification to your registered email address
- In-app notification on the Service
- Updated "Last Updated" date on this page
15.2 Your Acceptance
Your continued use of the Service after notification of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with changes, you may delete your account and discontinue using the Service.
15.3 Change Log
We will maintain a log of significant changes to this Privacy Policy, including:
- Date of change
- Summary of what changed
- Reason for change
16. Contact Information
For questions, concerns, or to exercise your rights regarding this Privacy Policy, please contact:
Data Protection Officer / Privacy Officer
Email: [email protected]
Mailing Address:
FluxHoster LLC
3855 Washington Street
San Francisco, CA
United States
Support Email: [email protected]
Response Time: We aim to respond to privacy inquiries within 10 business days.
EU Representative: If required under GDPR, FluxHoster will appoint an EU representative upon request.
16.1 Data Protection Authorities
If you have concerns about our privacy practices, you may lodge a complaint with your local data protection authority:
- EU/EEA: Your national data protection authority (e.g., CNIL in France, ICO in the UK)
- California: California Attorney General ([email protected])
- Other Jurisdictions: Your state or country's privacy regulatory body