Data Privacy Policy

Flinque Data Privacy Policy

The short version, for the technical details

This Data Privacy Policy covers the technical and operational specifics of how we handle data: where it lives, who processes it, what security controls we apply, how we respond to incidents, and how we handle international transfers. Think of it as the detailed companion to our Privacy Policy, which covers the principles.

This is the page your security, legal, and compliance teams should read when evaluating Flinque. We publish sub-processor lists, encryption standards, incident response timelines, and data flow specifics so your due diligence goes fast.

For detailed GDPR rights, see our GDPR Compliance page. For CCPA-specific disclosures, see our CCPA Compliance Policy.

1. Purpose and Scope
2. Data Categories We Handle
3. Our Role as Controller and Processor
4. Data Flows and Architecture
5. Sub-processors and Third-Party Vendors
6. Data Location and Hosting
7. Encryption Standards
8. Access Controls
9. Data Minimization Practices
10. Retention and Deletion
11. Cross-Border Data Transfers
12. Incident Response and Breach Notification
13. Data Subject Rights Mechanisms
14. Due Diligence and Audits
15. Updates and Contact

1. Purpose and Scope

This Data Privacy Policy provides the technical and operational details of how Flinque processes personal data across our influencer marketing platform, including data architecture, sub-processors, security controls, and incident response procedures.

This policy complements and should be read alongside:

• Our Privacy Policy, which covers the principles and legal framework
• Our Cookie Policy, which covers browser storage and tracking technologies
• Our Data Retention Policy, which covers retention schedules
• Our Data Processing Agreement, which is the contractual framework for processor relationships
• Our Security Policy, which details our security program

Where this policy conflicts with the Privacy Policy, the Privacy Policy controls. Where this policy provides greater specificity, use the specific guidance here.

2. Data Categories We Handle

Flinque processes several distinct categories of personal data, each with different handling requirements.

2.1 Customer account data

Information about individuals who hold a Flinque account (brand marketers, agency leads, creators who sign up as customers): name, email, company, role, password hashes, authentication tokens, IP addresses at login, session identifiers, billing contacts.

2.2 Customer billing data

Payment-related data, stored by our payment processor Stripe, not directly by Flinque: card numbers (tokenized), billing address, tax identifiers, transaction history. Flinque receives only reference tokens and metadata.

2.3 Customer usage data

Telemetry generated by customer use of the platform: pages viewed, features used, searches run, exports taken, session durations, clicks, and errors encountered. Stored in aggregated form where possible and tied to account identifiers rather than individual personal details.

2.4 Creator public data

Publicly available data from Instagram, TikTok, YouTube, and X about creator profiles: usernames, display names, bios, profile photos, public post content and captions, follower and engagement counts, public contact information listed on the profile. Derived metrics (authenticity scores, audience estimates) generated by our algorithms.

2.5 User content

Content customers create in the platform: saved creator lists, outreach message templates, campaign notes, tags, annotations, and exports. This is customer data that Flinque holds on behalf of the customer.

2.6 Support and feedback data

Content shared when contacting our support team: tickets, screenshots, video recordings, chat transcripts, and details from our Report an Issue, Technical Support, and Improvement Feedback pages.

2.7 Marketing and communication data

Data collected when you interact with our marketing channels: email opens, click events, webinar registrations, content downloads, and event attendance. Processed for legitimate-interest marketing and lead qualification.

3. Our Role as Controller and Processor

Depending on the data category, Flinque acts as either a data controller or a data processor under GDPR and equivalent frameworks.

3.1 When we are a controller

Flinque is a data controller when we determine the purpose and means of processing. This applies to:

• Customer account management (registrations, logins, billing, support)
• Our own marketing communications
• Analytics about how customers use our platform to improve it
• Creator public data aggregation and algorithmic scoring
• Security monitoring and fraud prevention across the service

3.2 When we are a processor

Flinque is a data processor when we store and process data on behalf of our customers under their instructions. This applies to:

• User Content created inside customer workspaces (saved lists, outreach messages, campaign notes)
• Third-party creator contact data customers upload or import
• Integration data flowing from customer-connected tools (for example Shopify, Google Ads, Meta Ads)

For processor relationships, our Data Processing Agreement forms the contractual basis for how we handle customer data.

4. Data Flows and Architecture

At a high level, data flows through Flinque in four main pipelines.

4.1 Customer data pipeline

When a customer signs up, their account details flow into our primary database via encrypted HTTPS. Billing data flows separately to Stripe through Stripe’s secure tokenization. Session data flows into short-lived Redis caches and back into the primary database for persistent storage.

4.2 Creator data pipeline

Creator public data is collected through authorized APIs and data aggregators, processed through our normalization and scoring pipelines, and stored in our creator database. Creator data is refreshed on scheduled intervals (typically daily or weekly depending on tier) and does not flow back to the original platforms.

4.3 Integration pipeline

When customers connect tools from our Integrations page, data flows bi-directionally over OAuth-authenticated connections. For most integrations, we pull read-only data for display and analysis. Write operations (for example syncing a creator list to a CRM) happen only on explicit user action.

4.4 API pipeline

Customer API requests through our Developer API flow through authentication, rate limiting, and logging layers before reaching the relevant backend service. Responses are returned over HTTPS with full TLS encryption.

5. Sub-processors and Third-Party Vendors

We work with carefully vetted sub-processors who help us operate the influencer marketing platform. Each sub-processor is bound by a Data Processing Agreement that requires them to meet our privacy and security standards.

Current sub-processor categories include:

We maintain a current list of named sub-processors available to Enterprise customers on request. This list is updated when sub-processors are added, removed, or substantially changed.

Enterprise customers receive at least 30 days notice before we add or change a sub-processor that processes their data, and may object to such changes following the procedure in our Data Processing Agreement.

6. Data Location and Hosting

Flinque primarily hosts customer data in data centers located in the United States. Specific details:

• Primary production: United States (East and West coast regions for redundancy)
• Backups: Separate US region, encrypted at rest
• Edge caching and content delivery: Global CDN with regional points of presence
• Support tooling: Primarily US-based with secure access from team locations

Our team members access production systems from locations including the United States, India, Argentina, and APAC countries. All administrative access is gated by multi-factor authentication and logged for audit purposes. For details on how team members access data, see Section 8 (Access Controls).

Enterprise customers with specific data residency requirements (for example EU-only or APAC-only hosting) should contact us through the contact page to discuss available options.

7. Encryption Standards

Encryption protects data both while it is stored and while it is being transmitted.

7.1 Encryption in transit

• All traffic to and from our platform uses TLS 1.2 or higher
• HTTP requests are automatically redirected to HTTPS
• HTTP Strict Transport Security (HSTS) is enforced
• Webhook deliveries to customer endpoints are signed with HMAC-SHA256 signatures
• API requests require Bearer token authentication over HTTPS

7.2 Encryption at rest

• Production databases use AES-256 encryption at rest
• Backups are encrypted with separate key material
• Object storage (files, exports, attachments) is encrypted at rest
• Secrets (API keys, tokens, credentials) are stored in a dedicated secrets management system, not in application databases

7.3 Password storage

Customer passwords are never stored in plain text. Passwords are hashed using industry-standard adaptive hashing algorithms (bcrypt or equivalent) with per-user salt. Password hashes are not accessible to support staff or any human operator.

8. Access Controls

Access to customer data is restricted on a least-privilege basis. Specific controls include:

• Role-based access: team members receive access only to systems and data required for their role
• Multi-factor authentication: required for all administrative systems
• SSO: internal systems use single sign-on with enforced 2FA
• Audit logging: all production data access is logged with timestamps, user identity, and accessed records
• Quarterly access reviews: unused accounts and over-privileged access are removed
• Off-boarding: access is revoked within hours of a team member leaving
• Privileged access management: elevated production access requires ticketed approval and time-boxed credentials

Customer-facing access controls include workspace permissions, role assignments, and SSO integration for Enterprise plans. Workspace admins manage team member access from the Flinque dashboard.

9. Data Minimization Practices

We collect and store only the personal data necessary to operate the Service. Specific practices:

• Registration forms request the minimum required fields to create an account
• Optional profile fields are clearly marked as optional
• Analytics and telemetry are aggregated where possible rather than stored at individual-event level
• IP addresses are truncated in analytics where full precision is not required
• Pseudonymization is applied where identity is not needed for the processing purpose
• Automated purges remove data that is no longer needed under our retention schedules

For full details on retention periods across data categories, see our Data Retention Policy.

10. Retention and Deletion

Data retention follows the schedules detailed in our Data Retention Policy. Key points:

• Active customer data is retained while the account is active
• After account closure, personal data is deleted or anonymized within 30 days unless a longer period is legally required
• Billing records are retained for 7 years to meet tax and audit obligations
• Creator data is refreshed or removed based on source availability and opt-out requests
• Backups are retained for 35 days and rotated on a scheduled cycle
• Logs are retained for up to 12 months depending on category

Individuals may exercise deletion rights at any time by following our Data Removal and Right to Erasure Policy.

11. Cross-Border Data Transfers

Because our infrastructure and team are globally distributed, personal data may be transferred internationally. We use the following safeguards to ensure transfers respect applicable privacy laws.

11.1 Transfers from the EEA, UK, and Switzerland

Transfers from the European Economic Area, United Kingdom, and Switzerland to third countries use:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement or UK Addendum where applicable
• Swiss addendum where applicable
• Transfer impact assessments completed where required
• Supplementary measures (encryption, pseudonymization, access controls) where the destination country has lower protection standards

11.2 Transfers from other regions

For transfers from Canada, Australia, Brazil, India, and other regions with data protection laws, we apply appropriate safeguards equivalent to SCCs, including contractual commitments, encryption, and access controls.

11.3 Copy of safeguards

For details on transfer mechanisms or to request a copy of the safeguards applicable to your data, contact us via the contact page or see our GDPR Compliance page.

12. Incident Response and Breach Notification

Despite strong security controls, data incidents can happen. We maintain a documented incident response program to detect, contain, and resolve incidents quickly.

12.1 Our incident response approach

• Detection: continuous monitoring across systems for unusual activity
• Triage: incidents are classified by severity within 1 hour of detection
• Containment: affected systems isolated within 4 hours of confirmed incident
• Investigation: root cause identified and documented with timeline
• Notification: regulators and affected users notified per legal requirements
• Post-mortem: written review with preventive measures for all confirmed incidents

12.2 Regulatory breach notification

Where required by applicable law:

• GDPR: we notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying personal data breach
• CCPA: we notify affected California consumers without unreasonable delay
• US state laws: we comply with state-specific breach notification requirements where applicable
• Other jurisdictions: we follow local notification obligations in regions where users are affected

12.3 User notification

We notify affected users directly when an incident poses a high risk to their rights or freedoms. Notifications include:

• Nature of the incident and categories of data affected
• Likely consequences and any steps users should take
• Actions we have taken to mitigate harm
• Contact details for follow-up questions

12.4 Reporting a suspected incident

If you suspect a security incident involving Flinque, contact our security team immediately via the contact page (specify “Security Concern”) or submit through Report an Issue with severity set to P1 Critical.

13. Data Subject Rights Mechanisms

We provide practical mechanisms for individuals to exercise their data protection rights.

• Access requests: customers can export their account data directly from their dashboard; formal subject access requests are handled via our contact page
• Rectification: customers can edit most personal data in their account settings; for other corrections, contact our support team
• Erasure: handled per our Data Removal and Right to Erasure Policy
• Portability: account data can be exported in machine-readable formats (JSON or CSV)
• Restriction and objection: submit requests via the contact page with details of what processing you want restricted
• Consent withdrawal: marketing emails have unsubscribe links; cookie preferences can be updated at any time per our Cookie Policy

Requests are typically fulfilled within 30 days of verified submission. Complex or bulk requests may take longer, in which case we notify you of the revised timeline.

Creators whose public data appears in our platform can submit opt-out and removal requests per our Data Removal and Right to Erasure Policy.

14. Due Diligence and Audits

Enterprise customers conducting security and privacy due diligence can request:

• Our current sub-processor list with named entities
• Copies of relevant certifications and attestations as they become available
• Completion of security questionnaires (SIG, CAIQ, custom formats)
• Audit rights as set out in our Data Processing Agreement
• Summaries of recent penetration testing and vulnerability assessments

Reasonable requests from Enterprise customers can be made via the contact page. We typically respond to due diligence requests within 10 business days.

For more on our security program, see our Security Policy.

15. Updates and Contact

This Data Privacy Policy is updated when our data handling practices, sub-processors, or security measures materially change. Updates are reflected in the “Last updated” date, and material changes are communicated to active customers.

For questions about anything in this policy, or to exercise your data rights, contact us.