Legal

Privacy Policy

We respect your privacy. This policy explains what data we collect, why, and how we protect it.

Last updated: 1 May 2026

1. Data Controller

iDeployed UG (haftungsbeschränkt)
Torgauer Straße 231-233
04347 Leipzig, Germany
HRB 45472, Amtsgericht Leipzig
E-Mail: [email protected]
Tel: +49 172 6282363

2. Data We Collect

Account Data

When you create an account:

  • Email address
  • Full name
  • Password (bcrypt hashed — never stored in plain text)
  • Account creation timestamp

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

Usage Data

When you use the service:

  • Notification content you send (retained for your selected history window: 7 days / 90 days / unlimited depending on plan)
  • Event delivery counts
  • API key usage timestamps
  • Connected device counts (not individual device identifiers)

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

Billing Data

When you subscribe:

  • Subscription tier and status
  • Billing history (invoice records)
  • Last 4 digits of payment card, card brand, expiry date

Full card details are processed exclusively by Stripe, Inc. and never stored by FlushKit.

Legal basis: Art. 6(1)(c) GDPR — legal obligation (invoice retention).

Technical Data

Automatically collected:

  • IP addresses (server logs, retained 30 days)
  • Browser type and version (web dashboard access)
  • Request timestamps

Legal basis: Art. 6(1)(f) GDPR — legitimate interest (security and abuse prevention).

3. Notification Content

Notification content (titles, messages) that you send via the API is:

  • Transmitted to connected devices in real time.
  • Stored in your notification history for the duration of your plan's history window.
  • Never used for advertising or sold to third parties.
  • Never read or accessed by FlushKit staff except when required to investigate abuse reports.

Important:You are responsible for ensuring that the content of notifications you send complies with applicable law and that you have appropriate consent from your app's users to receive notifications.

4. Data Storage and Security

  • All data is stored on Google Cloud Platform in Frankfurt, Germany (europe-west3).
  • Data does not leave the EU/EEA.
  • Databases are encrypted at rest (AES-256).
  • All connections use TLS 1.3.
  • Passwords are hashed with bcrypt (cost factor 12).
  • API keys are stored as SHA-256 hashes.
  • Access to production data is restricted to authorised personnel only.

5. Data Processors (Sub-processors)

We use the following sub-processors:

ProcessorPurposeLocation
Google Cloud PlatformInfrastructure, database hostingFrankfurt, DE (EU)
Stripe, Inc.Payment processingUSA (SCC)
Resend, Inc.Transactional emailUSA (SCC)

For processors outside the EU, Standard Contractual Clauses (SCCs) are in place per Art. 46 GDPR.

6. Data Retention

Data typeRetention period
Account dataUntil account deletion
Notification historyPer plan (7 days / 90 days / unlimited)
Billing records10 years (German tax law)
Server logs30 days
Email verification tokens24 hours
Password reset tokens1 hour

7. Your Rights Under GDPR

Under the GDPR you have the right to:

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16): Correct inaccurate or incomplete data.
  • Erasure (Art. 17): Request deletion of your account and associated data.
  • Restriction (Art. 18): Restrict processing in certain circumstances.
  • Portability (Art. 20): Receive your data in a machine-readable format.
  • Object (Art. 21): Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise your rights, email [email protected]. We respond within 30 days.

You also have the right to lodge a complaint with the supervisory authority:

Sächsische Datenschutz- und Transparenzbeauftragte (SDT)
Devrientstraße 5
01067 Dresden
www.datenschutz.sachsen.de

8. Cookies

The FlushKit dashboard uses the following cookies:

CookiePurposeDuration
fk_accessAuthentication session15 minutes
fk_refreshSession renewal30 days

No third-party tracking cookies. No advertising cookies. No analytics cookies.

9. Children's Privacy

FlushKit is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact [email protected].

10. Changes to This Policy

We will notify you of material changes via email at least 30 days in advance. Minor changes will be noted with an updated “Last updated” date.

11. Contact

For privacy-related enquiries: [email protected]
Response time: within 5 business days