How Fluck AI Ltd collects, uses, and protects your personal data. Written in plain English, compliant with UK GDPR, EU GDPR, and CCPA.
Fluck Privacy Policy
Effective date: 2026-04-15
Last updated: 2026-05-17
This policy explains what information Fluck collects when you use our mobile app, website, and related services, what we do with it, and the rights you have over it. We've tried to keep it in plain English. If something isn't clear, email us at privacy@fluckai.com and we'll explain.
1. Who we are
Fluck is a social expense-sharing app operated by Fluck AI Ltd ("Fluck", "we", "us"), a company registered in England and Wales, United Kingdom at Innovation Centre, Knowledge Gateway, Boundary Road, Colchester, Essex, CO4 3ZQ, United Kingdom.
- Website: https://www.fluckai.com
- Privacy contact: privacy@fluckai.com
- Data Protection Officer: not appointed. GDPR Art. 37 requires one only where a controller's core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data; Fluck does neither.
- Company registration: 15723506 (Companies House, England and Wales)
For users in the EU/EEA and UK, Fluck AI Ltd is the data controller for the personal data described below.
2. What data we collect
We only collect what we need to make the app work. The tables below list every category.
2.1 You give us
| Category | Examples | When |
|---|---|---|
| Identity | Name, date of birth | On signup and profile edit |
| Contact | Email address, phone number | On signup |
| Credentials | Password (stored only as a bcrypt hash, never in plaintext), OTP codes | On signup / login |
| Financial activity | Bill amounts, payment references, split details, IOUs | When you create or join a bill split |
| User-generated content | Group names, messages, notes, calendar events, receipt photos | When you use these features |
| Contacts (optional) | Names and phone numbers from your device contact book | Only if you grant contacts permission to invite friends |
| Calendar (optional) | Events you create in Fluck that we sync to your device calendar | Only if you grant calendar permission |
| Photos (optional) | Receipt images from your camera or photo library | Only if you grant camera/photo permission |
| Connected business channels (Fluck Business Portal only) | Facebook Page name and ID, Instagram Business account name and ID, WhatsApp Business phone number, access tokens, channel profile photo and metadata | Only if you, as a business owner, connect a channel under Messaging → Configure → Channels |
2.2 Collected automatically
| Category | Examples |
|---|---|
| Device | Device model, OS version, app version, language, timezone |
| Identifiers | Firebase installation ID (for push notifications), app-scoped user ID |
| Usage | Screens viewed, features used, approximate session duration |
| Diagnostics | Crash reports, performance traces, error logs (scrubbed of personal content) |
| Network | IP address (used transiently for request routing and abuse prevention) |
2.3 What we don't collect
- We do not access your bank accounts or card numbers.
- We do not collect precise GPS location.
- We do not track you across other apps or websites.
- We do not sell personal information (CCPA: "we do not sell").
3. How we use your data and why (legal bases)
Under GDPR Art. 6, every use of your data needs a lawful basis. Here's ours:
| What we do | Why | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Create and maintain your account | So you can log in and use Fluck | Contract (6(1)(b)) |
| Let you split bills, message groups, share calendars | Core product | Contract (6(1)(b)) |
| Send OTP + password-reset emails | Account security | Contract + legitimate interest (6(1)(f)) |
| Send push notifications about your activity | You asked us to via opt-in | Consent (6(1)(a)) — revocable in settings |
| Detect fraud and abuse | Keep the platform safe | Legitimate interest (6(1)(f)) |
| Improve the app (aggregated analytics) | Build better features | Legitimate interest (6(1)(f)) |
| Comply with the law | Tax, accounting, legal requests | Legal obligation (6(1)(c)) |
4. Who we share your data with
We use the following processors. Each is bound by a Data Processing Agreement.
| Processor | Purpose | Location | Policy |
|---|---|---|---|
| Google Firebase (Firebase Cloud Messaging) | Push notifications | US / EU | https://firebase.google.com/support/privacy |
| Brevo (formerly Sendinblue) | Transactional email (OTP, password reset) | EU | https://www.brevo.com/legal/privacypolicy/ |
| DigitalOcean (Spaces + Droplets) | Object storage for receipts; application hosting | EU region | https://www.digitalocean.com/legal/privacy-policy |
| Apple (App Store, APNs) | App distribution, iOS push delivery | Global | https://www.apple.com/legal/privacy/ |
| Google (Play Store) | App distribution on Android | Global | https://policies.google.com/privacy |
| Meta Platforms Ireland (Facebook Login for Business, Pages API, Instagram Graph API, Messenger Platform) | Authenticating your business channel connection and routing inbound messages from your Facebook Pages and Instagram Business Accounts to the Fluck Business Portal inbox | EU / US | https://www.facebook.com/privacy/policy/ |
| WhatsApp Ireland (WhatsApp Business Platform / Cloud API) | Routing inbound and outbound messages from your WhatsApp Business number to the Fluck Business Portal inbox | EU / US | https://www.whatsapp.com/legal/business-policy |
We do not share your data with advertisers. We do not sell your data.
We may disclose data if legally compelled (court order, valid subpoena) or to protect life, property, or the security of the service.
4.1 What we receive from Meta Platforms (Facebook, Instagram, WhatsApp Business)
This sub-section applies only to Fluck Business Portal users who connect a Facebook Page, Instagram Business Account, or WhatsApp Business number ("connected business channel"). It does not apply to the Fluck mobile app.
When you complete Meta's "Login for Business" flow inside the Fluck Business Portal, we receive:
- The identifier of the Facebook Page, Instagram Business Account, or WhatsApp Business phone number you selected during the flow
- A long-lived access token scoped only to the use cases you approved (e.g. send and receive messages, read page metadata, manage WhatsApp templates)
- Inbound messages sent by your end customers to that channel (text, images, audio, video, documents, location pins, reactions, and any attachments)
- Profile metadata Meta attaches to each inbound message about the end customer who sent it. For Facebook and Instagram this is typically a display name, a profile picture URL, and an app-scoped ID or Page-scoped ID (PSID); we do not receive the customer's phone number or email address unless the customer types it into a message. For WhatsApp, the customer's phone number is the address the message is sent from, so it is necessarily included in every inbound message
- Business asset metadata of the channel itself: page name, page category, business hours, Instagram handle, WhatsApp Business Account name, profile photo, address, and description
In Meta's terms, Fluck acts as a Tech Provider operating the inbox on your behalf; you are the business. The end customer's data is processed solely so that you can reply to that customer through the connected channel.
We do not receive:
- Your personal Facebook friend list, posts, photos, or any data unrelated to the connected channel
- Data from any Facebook or Instagram account you have not explicitly connected
- Payment information. Meta does not pass us card or payment details; the only way such data can reach us is if an end customer types it into a message, which we strongly discourage. Redirect customers to a secure payment link instead
Legal bases: Contract (Art. 6(1)(b)) — to provide the inbox feature you signed up for — and legitimate interest (Art. 6(1)(f)) — to operate the Business Portal securely.
Retention: Inbound message content is retained for the life of your Fluck Business Portal account. On channel disconnection or account deletion we revoke access tokens immediately and retain message history for 30 days for audit and dispute resolution, then permanently delete it.
How to disconnect: see section 7.3 below, or our Data Deletion Instructions. You may also revoke our access at any time directly from Meta — go to Facebook Business Settings → Business Integrations, find "Fluck", and click Remove.
5. International transfers
Your data is processed primarily in the EU region of DigitalOcean (Frankfurt). Some processors (Firebase, Apple, Google, Meta and WhatsApp) may process data in the United States. For transfers outside the EU/EEA/UK, we rely on:
- The European Commission's Standard Contractual Clauses (SCCs), and
- Supplementary measures including encryption in transit (TLS 1.2+) and at rest.
6. How long we keep your data
| Data | Retention |
|---|---|
| Active account data | For as long as your account is open |
| Deleted account — personal data | Purged or anonymised within 30 days of deletion request |
| Financial / bill-split records (required for tax and dispute) | Up to 7 years after deletion, anonymised where possible |
| Crash / diagnostic logs | 90 days |
| OTP codes | 10 minutes then permanently deleted |
| Backups | Rotated out within 35 days; data already removed from live systems can therefore persist in backups for up to 35 further days |
| Meta-connected channel data (access tokens, message content, channel records) | Until disconnection or account deletion + 30 days grace period; access tokens revoked immediately on disconnect |
7. Your rights
7.1 If you're in the EU/EEA/UK (GDPR)
You have the right to:
- Access your data — request a copy (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — the "right to be forgotten" (Art. 17)
- Restrict or object to processing (Art. 18, 21)
- Portability — receive your data in a machine-readable format (Art. 20)
- Withdraw consent at any time, without affecting past processing (Art. 7(3))
- Lodge a complaint with your supervisory authority (the UK Information Commissioner's Office (ICO) if you are in the UK, or your local EU supervisory authority)
7.2 If you're in California (CCPA/CPRA)
You have the right to:
- Know what personal information we collect and why
- Delete your personal information
- Correct inaccurate personal information
- Opt out of "sale" or "sharing" — Fluck does not sell or share personal information for cross-context behavioural advertising
- Non-discrimination for exercising your rights
7.3 How to exercise your rights
The fastest way: Profile → Delete account in the app (for erasure) or Profile → Export my data (for access).
Fluck Business Portal users can also delete a single connected channel without removing the whole account — go to Messaging → Configure → Channels in the portal and click Disconnect on the relevant channel. See our Data Deletion Instructions for the full set of options, including how to revoke our access directly from your Facebook Business Settings.
Alternatively, email privacy@fluckai.com with your registered email address. We respond within 30 days.
8. Children
Fluck is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has signed up, contact privacy@fluckai.com and we will delete the account.
9. Cookies and similar technologies
The Fluck mobile app does not use cookies. Our website (www.fluckai.com) uses only strictly necessary cookies for session handling and CSRF protection. We do not use analytics or advertising cookies without your consent.
10. Security
We take security seriously:
- TLS 1.2+ for all data in transit
- Passwords hashed with bcrypt
- RSA-signed JWTs for authentication; access tokens are short-lived
- Tokens on device are stored in the platform's protected credential store (iOS Keychain / Android EncryptedSharedPreferences backed by the Android Keystore), never in plain app storage
- Access to production systems is restricted and logged
- Regular dependency and code security reviews
No system is perfectly secure. If you believe you've found a vulnerability, email security@fluckai.com.
11. Changes to this policy
If we make material changes, we will notify you in-app and by email at least 30 days before they take effect. The "Last updated" date at the top of this policy always reflects the most recent revision.
12. Contact
- Privacy questions: privacy@fluckai.com
- Security reports: security@fluckai.com
- Data deletion: Data Deletion Instructions
- Account deletion: Delete your Fluck account
- Postal: Fluck AI Ltd, Innovation Centre, Knowledge Gateway, Boundary Road, Colchester, Essex, CO4 3ZQ, United Kingdom
<a id="deletion"></a>
How to delete your account
- Open the Fluck mobile app
- Tap the profile menu (top-right) → Delete account
- Confirm the deletion warning and enter your password to proceed
Your account is soft-deleted immediately (your data becomes invisible to other users) and permanently erased after a 30-day grace period. To cancel during the grace period, simply log back in with the same credentials and confirm reactivation.
If you cannot access the app, email privacy@fluckai.com from your registered email address and we will process the deletion manually within 30 days.