Privacy Policy
Effective Date: May 23, 2026 | Last Updated: May 23, 2026
1. About This Policy
Fluxora ("we," "our," or "us") operates the website and online file conversion tools available at fluxora.com (the "Service"). We are committed to protecting your privacy and handling your data transparently.
1.1 Data Controller
For the purposes of applicable data protection laws, Fluxora is the data controller of your personal information. You can contact us at any time:
1.2 Information We Collect
Personal Information (provided by you or collected automatically):
- Contact Information: Email address, if you voluntarily contact us via our contact page or support email.
- Payment Records: Transaction amounts, product purchased, and payment timestamps. Full payment card details are processed exclusively by our payment providers — we never see or store them.
- License Activation Data: A one-way hashed device fingerprint is transmitted to our Cloudflare Worker when activating a paid license, for the sole purpose of binding your license to your device (max 2 devices). The original device information cannot be reconstructed from this hash.
- Technical Data: IP address (anonymized), browser type and version, operating system, device type, screen resolution, language preferences, time zone, and referring website URLs.
- Usage Data: Pages visited, tools used, features interacted with, time spent on pages, and conversion actions.
Files You Convert: All file processing occurs entirely in your browser using WebAssembly, Web Workers, and browser-native APIs. Your documents, images, audio, and video files are never uploaded to any server. We cannot see, access, store, or scan your files or conversion results.
1.3 How We Collect Information
- Directly from You: When you contact us via email or our contact form; when you enter a license activation code.
- Automated Technologies: Cookies, local storage, and similar technologies (see our Cookie Policy). Browser APIs automatically provide certain technical information (user agent, language, etc.).
- Third-Party Services: Google AdSense places advertising cookies; Google Analytics (if enabled) collects usage statistics; Lemon Squeezy / Paddle process payments and share transaction metadata with us.
1.4 Legal Basis for Processing (EEA & UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:
- Contractual Necessity (Art. 6(1)(b) GDPR): Processing required to provide the Service — such as verifying your license activation.
- Consent (Art. 6(1)(a) GDPR): For non-essential cookies, advertising tracking, and analytics — you provide consent via our cookie banner and may withdraw it at any time.
- Legitimate Interests (Art. 6(1)(f) GDPR): For website security, fraud prevention, service improvement, and aggregated analytics — where such interests are not overridden by your data protection rights.
1.5 How We Use Your Information
- Service Provision: To operate the conversion tools, manage license activations, and deliver website functionality.
- Payment Processing: To facilitate purchases and maintain transaction records.
- Advertising: To display advertisements via Google AdSense (with consent where required).
- Analytics & Improvement: To understand tool usage patterns, identify bugs, and improve user experience.
- Security & Fraud Prevention: To detect and prevent abuse, unauthorized access, and fraudulent license activations.
- Communication: To respond to your inquiries and support requests. If you purchase a license, we may send a one-time email with your activation code.
2. Third-Party Service Disclosures
We share limited data with the following third-party services to operate the Service. Each acts as an independent data controller or processor under applicable law.
2.1 Google AdSense (Advertising)
| Item | Details |
|---|
| Service | Google AdSense — displays advertisements on our website |
| Data Processing | Google uses cookies and identifiers to collect browsing behavior data for personalized ad delivery, frequency capping, and campaign measurement |
| Data Controller | Google LLC acts as an independent data controller for ad-related processing |
| Privacy Policy | https://policies.google.com/privacy |
| User Controls | Manage ad preferences at Google Ad Settings; opt out of third-party targeted ads at aboutads.info |
| Legal Basis | In the EEA & UK: consent via cookie banner. In the US: opt-out mechanism provided per state privacy laws |
2.2 Payment Processing
| Item | Lemon Squeezy (Primary) | Paddle (Secondary) |
|---|
| Role | Merchant of Record — handles all payments, billing, and invoice generation | Data Processor — processes payment transactions on our behalf |
| Data Processed | Payment card details, billing address, email, transaction metadata | Payment card details, billing address, email, transaction metadata |
| Compliance | GDPR compliant; DPA available | EU GDPR, UK GDPR, CCPA compliant; DPA available |
| Privacy Policy | Lemon Squeezy Privacy | Paddle Privacy |
| DPA | Lemon Squeezy DPA | Paddle DPA |
2.3 Additional Services
| Service | Purpose | Privacy Policy |
|---|
| Google Analytics | Anonymized website usage analytics | Google Privacy |
| Cloudflare CDN | Content delivery, DDoS protection, DNS | Cloudflare Privacy |
| SendGrid / Resend | Transactional email delivery (license activation codes) | SendGrid Privacy / Resend Privacy |
| jsDelivr CDN | JavaScript library delivery (Three.js, Tailwind CSS) | No personal data transmitted |
3. Your Privacy Rights
3.1 EEA & UK Users (GDPR / UK GDPR)
- Right of Access (Art. 15): Request a copy of your personal data we hold.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data where it is no longer necessary.
- Right to Restrict Processing (Art. 18): Request limited processing in specific circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing for direct marketing purposes at any time.
- Right to Withdraw Consent (Art. 7(3)): Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@fluxora.com. We respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
3.2 California Residents (CCPA / CPRA)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom it is shared. This Privacy Policy provides these disclosures in Sections 1–2.
- Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: Fluxora does not sell personal information for monetary consideration. However, Google AdSense cookies used for personalized advertising may constitute a "share" of data under CPRA. You may opt out via our cookie banner ("Reject Non-Essential") or through the Google Ad Settings.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
- Global Privacy Control (GPC): We honor the GPC browser signal as an opt-out request for non-essential data processing. When detected, non-essential cookies and tracking are automatically disabled.
To exercise CCPA/CPRA rights, email privacy@fluxora.com with subject "CCPA Request." We will verify your identity before processing.
3.3 Canadian Users (PIPEDA)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canadian residents have the right to access and correct their personal information, and to withdraw consent for its collection, use, or disclosure, subject to legal or contractual restrictions. To exercise these rights, contact us at privacy@fluxora.com.
4. International Data Transfers
Your personal information may be transferred to, stored, and processed in countries outside your country of residence — including the United States, where our service providers (Google, Cloudflare, Lemon Squeezy, Paddle) operate. When transferring data from the EEA or UK to third countries, we rely on:
- EU-US Data Privacy Framework (DPF): For transfers to DPF-certified US organizations (including Google and Cloudflare).
- Standard Contractual Clauses (SCCs): For transfers to processors not certified under the DPF, we implement the European Commission's approved SCCs, supplemented by additional technical and organizational measures as required.
- UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom.
To request a copy of the relevant safeguard documentation, contact us at privacy@fluxora.com.
5. Children's Privacy (COPPA Compliance)
The Service is not directed to children under the age of 13 (or the applicable age threshold in your jurisdiction). We do not knowingly collect personal information from children under 13.
Important COPPA Update: Effective April 22, 2026, the revised FTC COPPA Rule introduces new requirements including mandatory Data Protection Impact Assessments (DPIAs) for activities involving children's data, expanded scope with narrowed exceptions, and enhanced compliance obligations. We have reviewed our data practices against these updated requirements and confirm that our Service does not target, attract, or knowingly process data from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@fluxora.com. We will promptly investigate and delete any such information.
6. Data Security & Retention
6.1 Security Measures
We implement and maintain appropriate technical and organizational security measures, including:
- Encryption in Transit: All traffic is encrypted via HTTPS/TLS. Our domain enforces HSTS.
- Encryption at Rest: License records stored in Cloudflare KV are encrypted at rest.
- Access Control: Access to backend systems is restricted to authorized personnel only and protected by multi-factor authentication.
- Data Minimization: We collect only the data necessary for the operation of the Service. File processing occurs entirely in the user's browser — no file data ever reaches our servers.
- Vulnerability Management: We keep all third-party dependencies updated and monitor for security advisories.
6.2 Data Retention
- License Records: Retained for the duration of license validity plus 12 months after expiration for support and verification purposes.
- Anonymized Analytics: Retained for 26 months per Google Analytics default settings.
- Email Correspondence: Retained for up to 2 years for support continuity.
- Cookie Data: Retention periods detailed in our Cookie Policy.
- LocalStorage Data: Stored exclusively on your device; we have no access. Remains until you clear your browser data.
7. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or the Service. When we make material changes, we will update the "Last Updated" date at the top of this page and display a notice on our website. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.
8. Contact Us
For any privacy-related questions, to exercise your rights, or to report a concern:
We aim to acknowledge all privacy inquiries within 48 hours and resolve them within 30 days.