Fluxent
Fluxent
Technologies
Scope a build

Privacy Policy

Effective Date: May 11, 2026 · Last Updated: May 11, 2026

This Privacy Policy describes how Fluxent Technologies, Inc.(“Fluxent,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit our marketing website at fluxent.tech, submit our contact form, or use the authenticated Client Portal at client.fluxent.tech(collectively, the “Service”).

This policy is written to comply with US privacy law, including the California Privacy Rights Act (CPRA), the California Online Privacy Protection Act (CalOPPA), and the Virginia Consumer Data Protection Act (VCDPA).

1. Who We Are

Fluxent Technologies, Inc. is a New York corporation operating a B2B software service. We are the business under CPRA and the controller under VCDPA for the personal information described in this policy.

This policy covers our marketing site, our contact form, and the authenticated Client Portal. It does not cover third-party websites we link to, or content that our clients upload into their own workspaces about their own end users (for which our client is the controller and Fluxent is a processor under their contract).

You can reach us at support@fluxent.tech.

2. Information We Collect

We collect personal information that you (or an administrator acting on your behalf) provide directly to us through web forms, including:

  • Contact information — name, email address, phone number, company, country.
  • Account credentials — username, password (stored only as a bcrypt hash), one-time authentication codes (stored only as one-way hashes).
  • Billing information — billing email and your Stripe customer ID. Payment-card numbers are entered directly into Stripe and never touch our servers.
  • Project-related content — documents you upload, signatures captured during e-sign flows, and the encrypted contents of your credential vault.
  • Professional information for Fluxent staff only — title and team assignment.

We also collect a limited amount of technical information automatically when you use the Service:

  • Log and session data — IP address, user-agent, request timestamps, and audit-log entries (login, password changes, vault access, signature events, etc.).
  • Strictly-necessary cookies csrftoken and sessionid, set by our backend to operate the Service.

We do not run third-party analytics SDKs (no Google Analytics, PostHog, Mixpanel, Segment, or similar), advertising pixels, behavioral tracking, fingerprinting, or session-replay. We do not profile users or draw inferences from your data, and we do not buy contact lists or obtain personal information from data brokers.

Under CPRA, account credentials and the contents of the credential vault are considered Sensitive Personal Information. We use this data only for authentication and account security — not to infer characteristics about you, and not for advertising.

3. How We Use Your Information

We use the information we collect to:

  • Operate, maintain, and improve the Service.
  • Authenticate users and protect accounts (one-time codes, magic links, password reset, audit logging).
  • Bill for services and meet US tax and accounting obligations.
  • Respond to inbound inquiries.
  • Detect, investigate, and respond to security incidents and suspected abuse.
  • Comply with legal obligations and lawful government requests.

Where we collect information through our public contact form, you must actively check an “I agree” box before submission — we do not use pre-ticked boxes.

We do not sell or share personal information, run targeted advertising, or make automated decisions that produce legal or similarly significant effects. This statement applies throughout the rest of this policy.

4. How We Share Your Information

We share personal information with third-party service providers who perform business functions on our behalf, under written agreements limiting their use to providing services to Fluxent. The categories of service providers we engage are:

  • Hosting, infrastructure, and content-delivery providers.
  • Domain, DNS, and inbound-email-routing providers.
  • Transactional email and SMS providers.
  • Payment processors — specifically Stripe, Inc., to authorize and settle payments. See Stripe’s privacy policy for how Stripe handles payment data.
  • Error-monitoring and observability providers. Personally identifiable information is scrubbed from event payloads before transmission.
  • Identity providers used only for Fluxent employee single sign-on.

We may also disclose personal information to comply with the law (in response to a valid subpoena or court order), to protect rights and safety (suspected fraud, security incidents, or violations of our Terms of Service), in connection with a corporate transaction (merger, acquisition, financing, or sale of assets, with prior notice to affected users), or with your direct consent.

5. Data Retention

We retain personal information only for as long as is reasonably necessary, unless a longer period is required by law.

DataRetention
Contact-form leadsWhile the lead is active; archived after the related engagement closes or after 24 months of inactivity, whichever comes first
Active user accountsFor the duration of the engagement plus a defined archival window
Audit logs2 years from the event timestamp
Billing and tax records7 years, to meet US federal and state tax recordkeeping rules
Authentication tokens (magic-link, password-reset, one-time codes)Expire within minutes; stored only as one-way hashes
Encrypted vault contentsFor the engagement; deleted on user request or at engagement close

6. Your Rights

Subject to applicable law, you have the right to access, correct, delete, and obtain a portable copy of your personal information, as well as to restrict or object to certain processing.

To exercise a right, email support@fluxent.tech from the email address on file. We verify identity by confirming control of that email address. We respond within forty-five (45) days, with a one-time extension where reasonably necessary. We do not charge a fee or discriminate against you for exercising these rights.

7. Additional Rights for California and Virginia Residents

If you are a California resident, the California Privacy Rights Act gives you the rights to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing, and to limit the use of Sensitive Personal Information. Because we do not sell or share personal information and use Sensitive PI only for authentication, those opt-outs are already honored by default. You may also use an authorized agent to submit a request.

If you are a Virginia resident, the Virginia Consumer Data Protection Act gives you the same access, correction, deletion, and portability rights, plus the right to opt out of sale, targeted advertising, and profiling — none of which we engage in.

Right to appeal (VCDPA): if we deny a rights request, you may appeal by replying to our denial email or writing to support@fluxent.tech with the subject “VCDPA Appeal.” We will respond within sixty (60) days. If the appeal is denied, you may contact the Virginia Attorney General at oag.state.va.us/consumercomplaint.

GDPR — for visitors in the European Economic Area

If you’re located in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) applies to our processing of your personal data. Below is how we comply, organized by the rights GDPR grants you.

Lawful basis (Article 6)

We process your data under the following lawful bases:

  • Contract performance (Art.6(1)(b))— when you sign up for the portal, log in, or use any consulting service we deliver. We can’t operate the service without your account data.
  • Legitimate interest (Art.6(1)(f))— for audit logging, error tracking, and abuse prevention. We’ve balanced this against your privacy interests and concluded the processing is necessary and proportionate.
  • Legal obligation (Art.6(1)(c)) — for tax + billing records (US 7-year retention requirement).
  • Consent (Art.6(1)(a)) — for any marketing email you specifically opt into. You can withdraw consent at any time via the unsubscribe link in every marketing email.

Your rights (Articles 15–22)

  • Right of access (Art.15) — request a copy of the personal data we hold. Self-serve via GET /api/v1/auth/me/export/ (signed-in users only), or email support@fluxent.tech.
  • Right to rectification (Art.16) — update incorrect data via the profile page or PATCH /api/v1/auth/me/.
  • Right to erasure (Art.17)— also called “ right to be forgotten.” Self-serve via DELETE /api/v1/auth/me/. We scrub personal identifiers and cascade-delete your dependent records; audit log entries are retained with PII fields zeroed (Art.17(3)(b/e) — legal compliance + claims-defense basis).
  • Right to restriction (Art.18) — pause processing while a dispute is resolved. Email support@.
  • Right to portability (Art.20) — receive your data in machine-readable JSON. Same endpoint as the right of access.
  • Right to object (Art.21) — object to processing based on legitimate interest (audit logging, etc). Email support@.
  • Automated decision-making (Art.22)— we don’t make decisions about you based solely on automated processing (no algorithmic credit scoring, no automated content moderation affecting access).

International transfers

Our infrastructure is US-only (DigitalOcean, Vercel, Cloudflare, all US-headquartered). Transfers from the EEA to the US rely on the EU–US Data Privacy Framework where applicable, and Standard Contractual Clauses (SCCs) with each subprocessor.

Supervisory authority

If you believe we’ve mishandled your data and our response doesn’t resolve it, you have the right to lodge a complaint with your local data protection authority. A full list is at edpb.europa.eu.

8. Cookies, Local Storage, and Do Not Track

We use a small set of strictly-necessary cookies (csrftoken for CSRF protection and sessionid for authenticated sessions) and one localStorage key (view_as_role) that admin UI uses to remember a “view as client” toggle locally. We do not use analytics, advertising, behavioral, or fingerprinting cookies. For more detail, see our Cookie Policy.

Some browsers transmit a “Do Not Track” (DNT) signal. Because we do not run third-party trackers, DNT has no practical effect on our processing. This disclosure is provided pursuant to California Business & Professions Code § 22575(b)(5).

9. International Data Transfers

All Fluxent infrastructure, and all service providers described in Section 4, operate from the United States. If you access the Service from outside the United States, you understand and consent that your personal information will be transferred to and processed in the United States.

10. Security

We apply administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest, one-way hashing of credentials and authentication tokens, append-only audit logging, and PII scrubbing in error reporting. No security program is perfect, and we do not promise impenetrability — but we commit to diligent operations and to prompt notification consistent with applicable breach-notification law.

11. Children’s Privacy

The Service is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact support@fluxent.tech and we will delete it.

12. Changes to This Policy

We may update this policy. When we do, we will revise the “Last Updated” date above and, for material changes, provide reasonable in-product or email notice before the change takes effect.

13. Contact Us

Questions, rights requests, appeals, or complaints:

Fluxent Technologies, Inc.
1024 Peninsula Blvd
Woodmere, NY 11598, USA
Email: support@fluxent.tech