Privacy Policy

1. Data Controller

The data controller within the meaning of the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) is:

FluxHuman
Martin Benes (sole proprietor)
Vienna, Austria
Email: hello@fluxhuman.com

Given the size of the business, we are not legally required to appoint a Data Protection Officer (Art. 37 GDPR). Please direct privacy enquiries to the address above.

2. Hosting and Server Logs

The site is operated on our own infrastructure and delivered through the edge network of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Acting as a processor, Cloudflare handles connection metadata (notably your IP address) for delivery, DDoS protection, and TLS termination. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a secure, performant site). Transfers to the United States rely on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

When you visit the site, our server briefly handles:

• IP address (passed by Cloudflare in the cf-connecting-ip header)
• Date and time of the request
• Requested URL / path
• HTTP status code and response size
• Browser, browser version, and operating system (User-Agent)
• Referrer URL (if your browser sends one)

IP addresses are kept only in memory for rate-limiting / abuse-prevention and are evicted automatically after at most five minutes. We do not maintain persistent access logs containing IP addresses, and IP addresses are stripped server-side before any analytics event is dispatched (see section 5).

3. Contact Form, Chat and Newsletter

3.1 Contact Form

When you use our contact form, we process the data you provide (name, email address, optional company, optional phone, message, optional newsletter opt-in). This data is stored in our self-hosted PostgreSQL database (Payload CMS, EU-based servers) and forwarded to our self-hosted automation platform n8n, which runs in the same private Docker network. n8n does not forward the data to third parties; it only handles internal routing of your enquiry. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (responding to your request).

3.2 Chat Widget

Our chat widget processes your messages to answer your questions. Depending on the operating mode, replies are generated either by a locally hosted language model (Ollama) on our own infrastructure or by an n8n automation; in both cases, your messages do not leave our EU-based infrastructure. A random, non-identifying session ID (e.g. session-1742...) is stored in your browser's localStorage (key Flux_chat_session_id) so that individual messages within a session can be correlated. If you submit a booking or contact form via the chat, the rules of section 3.1 apply. Chat transcripts are automatically deleted from our automation platform after at most 30 days.

3.3 Newsletter

If you sign up for our newsletter, we forward your email address to our n8n automation, which delivers the message via the processor Brevo(see section 4). Legal basis: Art. 6 (1) (a) GDPR (consent). You can withdraw consent at any time via the unsubscribe link in any newsletter email or by sending a message to hello@fluxhuman.com.

4. Email Delivery (Brevo)

For sending transactional emails (e.g. confirmations, replies, newsletters, lead follow-up emails) we use the SMTP service Brevo, operated by Sendinblue SAS(106 Boulevard Haussmann, 75008 Paris, France). Brevo processes the recipient's name, email address, the message contents and technical delivery metadata (e.g. delivery status, bounces). Legal basis: Art. 6 (1) (b) or (f) GDPR. Processing takes place inside the EU; a Data Processing Agreement under Art. 28 GDPR is in place.

5. Audience Measurement (PostHog, EU)

We measure usage of our site with the analytics tool PostHog, operated by PostHog Inc., hosted in the EU region (eu.i.posthog.com, servers in Frankfurt, Germany). Unlike conventional analytics services:

• No client-side tracking script runs in your browser. Events are reported server-side via our own endpoint /api/track.
• Your IP address is stripped server-side before any event is forwarded to PostHog. PostHog explicitly receives no $ipfield.
• No cross-site recognitiontakes place. A random session ID is stored only in your browser's sessionStorage (key fluxhuman-session-id) and is deleted when you close the tab.

Without your consent, we record only an anonymous page view (URL, viewport size, anonymous session ID). The legal basis is Art. 6 (1) (f) GDPR and § 165 (3) of the Austrian TKG 2021 (technically necessary audience measurement without cookies and without IP storage).

With your consent, we additionally record interaction events that are not pure page views (e.g. contact-form submissions, chat messages, clicks on booking links). Legal basis: Art. 6 (1) (a) GDPR.

You can withdraw consent at any time via the cookie banner ("Configure"). A Data Processing Agreement with PostHog is in place.

6. Browser Storage (No Tracking Cookies)

This site sets no tracking cookies and no advertising cookies, and loads no third-party cookies. We use only first-party browser storage (localStorage / sessionStorage) for the following technically necessary purposes:

• fluxhuman-theme – your selected colour theme (light/dark).
• fluxhuman-locale – your selected language.
• fluxhuman-consent – your consent choice.
• fluxhuman-session-id / fluxhuman-session-start / fluxhuman-session-utm – an anonymous session ID and UTM parameters, valid only for the duration of the browser session.
• Flux_chat_session_id – your chat session ID, only if you use the chat widget.

These entries stay on your device and are not transmitted to third parties. You can clear them at any time through your browser settings.

7. External Booking Links (Cal.com)

On some pages we link out to Cal.com (Cal.com, Inc.) for appointment booking. You leave our website only when you actively click such a link. Once you are on Cal.com, the Cal.com privacy policy applies. We do not embed Cal.com scripts or iframes on our pages.

8. Fonts

We use the "Geist" and "Geist Mono" typefaces. They are self-hosted via the next/font mechanism: the font files are downloaded at build time and served directly from our server. Your browser does not connect to Google Fonts or any other font CDN.

9. Recipients of Personal Data (Processors)

• Cloudflare, Inc. – edge / tunnel delivery, DDoS protection, TLS (USA, EU SCCs + DPF).
• Sendinblue SAS (Brevo) – SMTP email delivery and newsletters (France, EU).
• PostHog Inc. – audience measurement on the EU region (Germany; Art. 28 GDPR contract in place).

Our database (PostgreSQL), the Payload CMS, the chat backend (Ollama) and the automation platform (n8n) all run on our own EU-based infrastructure.

10. Retention Periods

• In-memory IP for rate-limiting: max. 5 minutes.
• Contact-form submissions and lead records: until your enquiry is closed and for the duration of statutory retention obligations (e.g. 7 years under § 132 BAO for invoice-related records).
• Newsletter data: until you withdraw consent.
• Chat transcripts in the automation platform: max. 30 days.
• PostHog events: 12 months, after which they are automatically deleted.

11. Your Rights

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): request information about the data we hold.
• Right to rectification (Art. 16 GDPR): request correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): request deletion of your data.
• Right to restriction (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR).
• Right to object (Art. 21 GDPR), in particular against processing based on legitimate interests.
• Right to withdraw consent (Art. 7 (3) GDPR), with effect for the future.

To exercise these rights, an informal email to hello@fluxhuman.com is sufficient.

12. Right to Complain

You have the right to lodge a complaint with a supervisory authority. The authority competent for us is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Email: dsb@dsb.gv.at

13. Data Security

We employ technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access. All traffic is delivered over TLS, passwords are stored only as cryptographic hashes, and access to the admin area is restricted to a limited group of authorised users.

14. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in the law or in our services. The current version is always available on this page; the date of the most recent update is shown at the top.

15. Contact for Privacy Inquiries

For questions about data protection, please contact:
Email: hello@fluxhuman.com