Privacy Policy

Effective July 14, 2026 · Version 2026-07-14

This Privacy Policy explains how [Operator legal name — to be completed], [Registered address — to be completed], Bulgaria (company no. [company/UIC number]) — trading as "Fynlix" ("we", "us") — collects and processes personal data when you visit fynlix.com, register for or use the Fynlix platform, or otherwise interact with us. We are the controller for the processing described in this Policy. You can reach us about privacy at privacy@fynlix.com.

1. What this Policy covers — and the important exception

This Policy covers: (a) visitors to our websites; (b) people who register for and use Fynlix (account holders and their team members); and (c) people who contact us (support, sales, abuse reports).

It does not cover pages, funnels and shops that our customers build and publish with Fynlix. For the data collected through those pages — for example when you submit a form, subscribe, or buy something from a business that uses Fynlix — that business is the data controller and its own privacy notice applies. We process such data only as that business's processor, under our Data Processing Addendum. If you are such a visitor or buyer ("End User"), please direct privacy questions and requests to the business that operates the page; if you contact us instead, we will forward your request to them where we can identify them, and will assist them in responding as their processor.

2. Personal data we collect

Account and profile data. Name, email address, password (stored only as a salted cryptographic hash — we cannot read your password), avatar, workspace names, team memberships and roles, language and preference settings.

Billing data. Plan, subscription status and history, invoices, and payment metadata (such as the card brand and last four digits, and a payment-processor customer reference). Full card numbers are collected and processed by our payment processor (Stripe) and never stored by us.

Workspace content you provide. The content of your funnels, pages, media, products, campaigns, automations and settings — including any personal data you import or collect there (such as your contact lists). To the extent this contains your End Users' personal data, we process it as your processor under the DPA, not under this Policy.

Usage and technical data. IP address, browser and device information, authentication events (logins, failed attempts, lockouts), API and MCP request logs, security and error logs, and coarse product-usage events (for example which features a workspace uses and metered AI credit consumption).

AI feature data. Prompts, inputs and relevant workspace context you submit to AI features, and the generated output. These are transmitted to the AI model providers listed in Section 6 to fulfil your request.

Communications. Support tickets and emails, abuse reports, and — if you opt in — product news. Our marketing websites do not use advertising trackers (see the Cookie Policy).

We do not intentionally collect special categories of personal data (such as health or political data) and ask that you do not submit them.

3. Purposes and legal bases

We process personal data for the following purposes, on the following legal bases under Article 6(1) GDPR:

  • Providing the Service — creating and administering your account, hosting your workspaces, processing your instructions, providing support: performance of a contract (Art. 6(1)(b)).
  • Billing and accounting — charging subscriptions, issuing invoices, keeping accounting records: contract and legal obligation (Art. 6(1)(b), (c)).
  • Security and abuse prevention — authentication, rate limiting, lockouts, logging, investigating fraud, spam and AUP violations, protecting the platform and third parties: legitimate interests (Art. 6(1)(f)) in keeping the Service secure and lawful.
  • AI features — sending your prompts and context to model providers to generate the output you requested: performance of a contract (Art. 6(1)(b)).
  • Product improvement — analysing aggregated, coarse usage data to understand which features work and fix problems: legitimate interests (Art. 6(1)(f)); we use the least identifying data practical for this.
  • Service communications — transactional emails such as verification, security alerts, billing notices and material changes to the Service or terms: contract and legitimate interests.
  • Marketing communications — product news and offers, only where you have opted in or where otherwise permitted for existing customers, always with an opt-out: consent (Art. 6(1)(a)) or legitimate interests with objection right.
  • Legal claims and compliance — establishing, exercising or defending legal claims, complying with lawful requests: legal obligation and legitimate interests.

Where we rely on legitimate interests, you may object as described in Section 9.

4. AI features — what happens to your inputs

When you use AI features, your prompt and the workspace context needed for the task (for example your brand settings or the page being edited) are sent to third-party model providers through an AI routing service to generate the result. We do not use your content to train our own foundation models, and we select providers and settings aimed at your content not being used to train theirs. AI-feature requests are logged for metering (credits), abuse prevention and debugging. Do not include personal data in prompts beyond what the task needs.

5. Cookies

We use only strictly necessary cookies on our own websites — see the Cookie Policy for the exact list. We do not use advertising cookies, and we do not currently use analytics cookies on our websites.

6. Recipients of personal data

We share personal data only as follows:

  • Service providers (processors) acting on our instructions: our hosting provider ([EU hosting provider — to be completed]), Stripe (payment processing), and — when you use AI features — our AI routing provider (OpenRouter, Inc., USA) and the model providers fulfilling the request. The current list of processors used for customer workspaces is maintained in the DPA subprocessor annex.
  • Integrations you connect. When you connect third-party services to your workspace (for example your Stripe account, shipping carriers, social networks, your SMTP server, or tracking pixels on your pages), data is shared with them at your direction under their own terms. They are your providers, not ours.
  • Authorities and legal process, where we are legally required or where necessary to protect rights, safety or the integrity of the Service.
  • Business transfers. If we are involved in a merger, acquisition or asset sale, personal data may be transferred as part of the transaction, with continuity of protection and notice to you.

We do not sell personal data.

7. International transfers

The Service is hosted in the European Union. Where personal data is transferred outside the EU/EEA — in particular to US-based providers such as Stripe and AI model providers — we rely on adequacy decisions (including, where applicable, the EU–US Data Privacy Framework) or the European Commission's Standard Contractual Clauses, plus supplementary measures where needed. You can request more information about the safeguards at privacy@fynlix.com.

8. Retention

  • Account and workspace data: for the life of your account and up to 90 days after termination (Section 18.4 of the Terms), after which it is deleted from production systems; backup copies are deleted as backups rotate out over a limited cycle.
  • Billing and accounting records: 10 years, as required by Bulgaria accounting and tax law.
  • Security and audit logs: audit events are deleted after 24 months, revoked sessions after 90 days, and expired verification tokens automatically; other technical logs are kept up to 12 months, unless needed longer for an active investigation.
  • Support correspondence: up to 3 years after the ticket closes.
  • Consent and contract records (for example your acceptance of the Terms): for the duration of the relationship plus the limitation period for legal claims.

9. Your rights

Under the GDPR you have the right to: access your personal data; rectify inaccurate data; erase data; restrict processing; data portability; object to processing based on legitimate interests and to direct marketing (absolute right); and to withdraw consent at any time, without affecting prior processing.

You can exercise most of these directly in the product — open Settings → Privacy to export your data ("Export my data", delivered immediately as JSON) or delete your account ("Delete my account"; deletion is scheduled with a 14-day grace period during which you can revoke the request, after which the schedule in Section 8 applies). For anything else, email privacy@fynlix.com; we respond within one month (extendable by two further months for complex requests, with notice). We may need to verify your identity before acting.

You also have the right to lodge a complaint with a supervisory authority — in Bulgaria: the Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, cpdp.bg — or with the authority of your habitual residence or place of work.

10. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS), salted password hashing, role-based and workspace-scoped access controls, scoped API keys, rate limiting and login lockouts, security logging, network isolation of administrative access, and routine backups. No system is perfectly secure; we notify affected users and authorities of personal-data breaches as required by law. Please report suspected vulnerabilities responsibly to security@fynlix.com (see our policy at /.well-known/security.txt); we acknowledge reports within 72 hours.

11. Children

The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 18 as account holders. If you believe a minor has provided us personal data, contact privacy@fynlix.com and we will delete it.

12. Automated decision-making

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. AI features generate content at your request; automated security controls (such as rate limiting) protect the Service and are always subject to human review on request.

13. Changes to this Policy

We may update this Policy as the Service or the law evolves. Material changes are announced by email or in-app at least 14 days before they take effect. The current version and its effective date are always published on this page.

14. Contact

[Operator legal name — to be completed], [Registered address — to be completed], Bulgaria

Privacy requests: privacy@fynlix.com · General: support@fynlix.com