Effective June 9, 2026

Privacy Policy

How Flatproof collects, uses, stores, and protects account data, proof assets, comments, share links, billing data, integrations, and AI review data.

This Privacy Policy explains how Flatproof processes personal data when you use the website, hosted app, workspaces, proof uploads, review links, integrations, billing, and support.

1. Data Controller

The data controller is Miguel Jose Leal da Silva, autónomo registered in Spain, VAT ESZ2417972X. You can contact us at [email protected].

2. Data We Collect

Account Data

When you sign in, we may process your name, email address, avatar, authentication identifiers, session data, organization membership, workspace role, invitation status, and billing entitlement. Flatproof does not store your Google password or email-provider password.

Workspace and Proof Data

We process the content you add to Flatproof, including uploaded files, file names, generated previews, conversion metadata, project and folder names, versions, comments, comment attachments, approval status, mentions, notifications, reviewer names, and audit events.

Share Link Data

When a reviewer opens a share link, we may process the link token, proof metadata, comments, approval actions, display name, email address if required by the link owner, browser session data, and basic access logs needed for security, abuse prevention, and review history.

Integration Data

If you connect Google Drive, Figma, or another integration, we process the authorization tokens, file metadata, selected files, frame information, import status, and related settings needed to provide the integration. You can disconnect integrations where the app provides that control.

AI Review Data

If you use AI-assisted review, relevant proof content and review context may be sent to a managed AI relay or to a provider configured by you. This may include selected image regions, document text, comments, prompts, and metadata needed to generate a response.

Billing and Support Data

Paddle handles payment details as Merchant of Record. We receive billing identifiers, plan status, customer identifiers, email address, and subscription events needed to provision paid access. If you contact support, we process your message, email address, and any information you include.

3. How We Use Data

  • Provide accounts, workspaces, uploads, share links, comments, approvals, and notifications.
  • Store and serve proofs, previews, versions, and comment attachments.
  • Import files or review surfaces from integrations you authorize.
  • Process billing entitlements and plan limits.
  • Provide support, troubleshoot bugs, prevent abuse, and secure the service.
  • Improve Flatproof using aggregated product usage and operational logs.
  • Comply with legal, tax, accounting, security, and dispute-resolution obligations.

4. Legal Bases Under GDPR

  • Contract performance: to provide the Flatproof service you request.
  • Legitimate interests: to secure the service, prevent abuse, support users, maintain logs, and improve product reliability.
  • Consent: where you choose optional integrations, optional AI processing, or optional communications.
  • Legal obligation: where tax, accounting, consumer, security, or regulatory duties require processing.

5. Processors and Third Parties

We use service providers to operate Flatproof. The exact providers may evolve during beta.

| Provider | Purpose | Data |
| --- | --- | --- |
| Paddle | Merchant of Record, checkout, subscriptions, invoices, tax | Email, customer IDs, subscription and payment status |
| Resend | Transactional email delivery | Email address, message metadata, transactional email content |
| Cloudflare R2 or compatible object storage | Proof file, preview, and attachment storage | Uploaded assets, generated files, metadata needed for storage |
| Google | Google sign-in and Google Drive imports | OAuth identifiers, selected file metadata, imported file content |
| Figma | Figma OAuth and frame imports | OAuth identifiers, file and frame metadata, selected frame content |
| AI providers or relay services | Optional AI-assisted review | Selected proof content, prompts, comments, and review context |
| Hosting and database providers | Application hosting, database, logs, backups, delivery | Account, workspace, proof metadata, logs, and operational data |

6. International Transfers

Some providers may process data outside the European Economic Area. Where required, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, contractual data protection terms, or other lawful transfer mechanisms.

7. Retention

We retain personal data for as long as needed to provide the service, comply with law, resolve disputes, enforce agreements, and maintain security. In general:

  • Account and workspace data is retained while your account or organization remains active.
  • Proof assets, versions, comments, and attachments are retained until deleted by the workspace or account.
  • Share link audit and access events may be retained for security and review history.
  • Billing records are retained as required for tax, accounting, and payment-dispute obligations.
  • Operational logs are retained for a limited period unless needed for security, abuse, or legal reasons.

8. Your Rights

Depending on your location, you may have the right to access, correct, delete, restrict, object to, or receive a portable copy of your personal data. You may also withdraw consent where processing is based on consent.

To exercise privacy rights, contact [email protected]. If you are in the EU, you also have the right to lodge a complaint with your local supervisory authority. In Spain, that authority is the Agencia Española de Protección de Datos.

9. Cookies and Local Storage

Flatproof uses necessary cookies and local storage for authentication, security, reviewer identity, app preferences, and product functionality. We do not currently use advertising cookies or third-party behavioral ad tracking on the Flatproof app.

10. Security

We use technical and organizational measures designed to protect personal data, including access controls, signed upload/download flows, rate limits on sensitive endpoints, encryption where appropriate, and production security headers. No system is perfectly secure, especially during beta, so you should avoid uploading content that your own policies prohibit from being processed by beta software.

11. Children

Flatproof is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us and we will take appropriate action.

12. Changes

We may update this policy as Flatproof changes. Material changes will be posted on this page or communicated through the service. Continued use after the policy changes take effect means you acknowledge the updated policy.