
Privacy policy.

Last updated: 14 May 2026

Draft — subject to legal review. This policy is a good-faith placeholder published while we engage an Australian privacy lawyer to formally review it. The substantive commitments here are accurate to how the platform operates today; refinements may follow once that review is complete. Material changes will be notified via email and an in-product banner.

FlareX ("we", "us", "our") is committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). This policy explains what personal information we collect, how we use and disclose it, how we keep it secure, and how you can access, correct, or complain about it.

1. Who we are

FlareX operates the FlareX platform — an AI-assisted application builder and hosting service available at flarex.app and related subdomains. References to "you" and "your" mean any user of the platform, including signed-in account holders and visitors to our public website.

2. Personal information we collect

We collect the following categories of personal information:

  • Account information. When you sign in via Discord, Google, or GitHub OAuth, we receive your provider user id, username, email address, and avatar URL.
  • Workspace and project content. Anything you create on the platform — chat messages with our AI, project source files, build proposals, deployments, audit events, configuration, and uploaded media.
  • Secrets and credentials you choose to store. Project environment variables, API tokens, and database credentials. These are encrypted at rest with AES-256-GCM and decrypted only on the runner host at runtime.
  • Billing information. If you subscribe to a paid plan or buy an AI credit top-up, we maintain a Stripe customer id and your subscription state. We never receive or store your card number — that is handled directly by Stripe.
  • Support communications. Tickets you submit (subject, message, email, the page you were on, and any attachments) and any reply correspondence.
  • Notifications. In-product alerts we generate for you (billing, quota, deploy outcomes, security events). Stored against your user record and dismissible.
  • Custom domains. If you point a domain at your project we store the domain name, the verification token we issued you, and a record of each DNS-verification attempt. We perform DNS lookups against the domain to verify ownership; we do not query any other records.
  • Usage and technical data. Server-side request logs (IP, user agent, route, status, latency), runtime logs your projects emit, audit events recording sensitive actions, and product metrics necessary to operate and secure the platform.

3. How we collect it

  • Directly from you when you sign in, fill out forms, or interact with the platform.
  • From third-party identity providers (Discord, Google, GitHub) via OAuth when you choose to sign in with them.
  • Automatically through cookies and server logs as you use the platform.
  • From our payment processor (Stripe) when you subscribe or buy a top-up.

4. Why we collect it (purposes)

  • To create and authenticate your account and manage workspace access.
  • To provide the FlareX platform — generating, building, deploying, and hosting your projects.
  • To meter AI usage and bill you in accordance with your selected plan.
  • To respond to support requests and communicate service updates.
  • To prevent abuse, fraud, and breaches of our Terms of Service.
  • To improve product quality, performance, and security.
  • To comply with our legal obligations.

5. Disclosure to third parties (sub-processors and identity providers)

We disclose limited personal information to the following third-party service providers ("sub-processors") so we can operate the platform. Each is bound by its own privacy practices and contractual obligations to us:

  • OpenAI and Anthropic — to generate AI responses from your chat messages. Your messages and selected project context are sent to the provider for the model you select. Providers may retain inputs/outputs in accordance with their published policies.
  • Stripe — to process subscription and one-time payments. Stripe is the controller for cardholder data.
  • Cloudflare — for DNS, edge proxying, DDoS protection, and TLS termination.
  • OVHcloud (or our then-current hosting provider) — for the underlying compute and storage that runs the platform.
  • Cloudflare R2 — for offsite storage of build artifacts, media uploads, archived logs, and audit archive snapshots.
  • Resend — to send transactional email (sign-in receipts, billing receipts, security alerts, support replies).

We also rely on the following identity providers (separate from sub-processors — they hold their own relationship with you and act as independent controllers of the data you authenticated against them):

  • Discord, Google, and GitHub — when you choose one of these to sign in. We receive only the fields you authorise (provider user id, username, email, avatar URL).

We do not sell or rent personal information. We may also disclose personal information when required by Australian law, a court order, or to protect the rights, property, or safety of FlareX, its users, or others.

6. Cross-border data transfers (APP 8)

Some of our sub-processors are located outside Australia, including in the United States and the European Union. By using FlareX you consent to the transfer of your personal information to those jurisdictions for the purposes described in this policy. Where APP 8 applies, we take reasonable steps to ensure recipients comply with the APPs or are subject to a substantially similar law.

7. How we secure your data

  • Encryption in transit (TLS 1.2+) for all public traffic.
  • Encryption at rest for project secrets (AES-256-GCM with platform-managed keys).
  • Sandboxed Docker runtime per project: read-only filesystem, dropped Linux capabilities, strict CPU/RAM limits, no docker-in-docker.
  • Per-project database role with scoped search_path; no cross-tenant table access.
  • Outbound-network DNS re-verification to mitigate rebinding attacks against private IP ranges.
  • Hash-chained audit log of sensitive actions; offsite archival at 90 days.
  • Two-factor authentication (TOTP) available on every plan; force-2FA on the Elite plan.

No system is 100% secure. We will notify affected individuals and the Office of the Australian Information Commissioner ("OAIC") of any eligible data breach as required under the Notifiable Data Breaches scheme.

8. Retention and deletion

  • Account data is kept while your account is active.
  • Runtime logs follow your plan's retention window (Starter: none, Core: 3 days, Pro: 14 days, Elite: 30 days).
  • Audit events are retained for 365 days, with offsite archival after 90 days.
  • Deleted workspaces and projects enter a 30-day tombstone, after which they are permanently erased.
  • Backups follow the lifecycle of the project they belong to.
  • Support tickets are retained for as long as reasonably necessary (typically 24 months) to maintain context for follow-up questions.

9. Cookies and similar technologies

We use a small number of cookies essential to operate the platform:

  • Session cookie — signed, HTTP-only; identifies you while signed in.
  • CSRF token — double-submit pattern; protects against cross-site request forgery.
  • Active-workspace selector — remembers which of your workspaces you last viewed.
  • OAuth state — short-lived (set during sign-in, cleared on callback); protects against CSRF on the OAuth handshake and carries the PKCE verifier.
  • Two-factor pending cookie — short-lived (5 minutes); set after successful first-factor sign-in to gate the TOTP step.
  • Theme preference — light or dark UI choice.

We do not use third-party advertising or analytics cookies that share data with advertisers.

10. Children

FlareX is not directed to individuals under 16. If you are under 16, please do not create an account. If we become aware that we hold personal information of a person under 16, we will delete it.

11. Your rights — access, correction, complaints (APPs 12 & 13)

Subject to the exceptions in the Privacy Act, you may request:

  • A copy of the personal information we hold about you (workspace export is available in-product; broader requests can be made via email).
  • Correction of any information you believe is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
  • Deletion of your account and associated data.

We will respond within 30 days. If we refuse a request, we will provide written reasons and details of how to complain.

12. Complaints

If you believe we have breached the APPs or this policy, please email [email protected] with details of the complaint. We will investigate and respond within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

13. Updates to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be notified by email and an in-product banner before taking effect.

14. Contact

Privacy questions: [email protected]
General support: [email protected]
