
Privacy Policy

Last updated: May 14, 2026

1. Data Controller

The data controller within the meaning of the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) is:

FluxHuman
Martin Benes (sole proprietor)
Vienna, Austria
Email: hello@fluxhuman.com

Given the size of the business, we are not legally required to appoint a Data Protection Officer (Art. 37 GDPR). Please direct privacy enquiries to the address above.

2. Hosting and Server Logs

The site is operated on our own infrastructure and delivered through the edge network of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Acting as a processor, Cloudflare handles connection metadata (notably your IP address) for delivery, DDoS protection, and TLS termination. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a secure, performant site). Transfers to the United States rely on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

When you visit the site, our server briefly handles:

  • IP address (passed by Cloudflare in the cf-connecting-ip header)
  • Date and time of the request
  • Requested URL / path
  • HTTP status code and response size
  • Browser, browser version, and operating system (User-Agent)
  • Referrer URL (if your browser sends one)

IP addresses are kept only in memory for rate-limiting / abuse-prevention and are evicted automatically after at most eleven minutes. We do not maintain persistent access logs containing IP addresses, and IP addresses are stripped server-side before any analytics event is dispatched (see section 5).

3. Contact Form, Chat and Newsletter

3.1 Contact Form

When you use our contact form, we process the data you provide (name, email address, optional company, message, optional newsletter opt-in). This data is stored in our self-hosted PostgreSQL database (Payload CMS, EU-based servers) and forwarded to our self-hosted automation platform n8n, which runs in the same private Docker network. From n8n the data is then handed to the processors listed in section 9 (notably Brevo for email delivery and Slack for the internal lead notification). Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (responding to your request).

Ad-channel attribution (only with marketing consent). If you arrived via an ad click and explicitly opted in to marketing processing in the cookie banner, we additionally store the ad network's click identifier (e.g. Google, Microsoft, Meta, LinkedIn), the original landing page, and UTM parameters together with the lead record. This information is used solely for our own internal channel analysis; we forward it to the relevant ad networks only if and to the extent you have separately consented. Without marketing consent, click identifiers are neither stored nor forwarded. Legal basis: Art. 6 (1) (a) GDPR (consent). You may withdraw consent at any time via the cookie banner ("Configure").

3.2 Chat Widget

Our chat widget processes your messages to answer your questions. Depending on the operating mode, replies are generated either by a locally hosted language model (Ollama) on our own infrastructure or by an n8n automation that uses the European processor Mistral AI SAS (Paris, France) for AI inference. In both cases, your messages do not leave EU jurisdiction. A random, non-identifying user ID and a per-session ID (e.g. usr_… and ses_…) are stored in your browser's localStorage (keys Flux_chat_user_id and Flux_chat_session_id; the session ID rotates after 30 minutes of inactivity) so that individual messages can be correlated within a session and across return visits. If you submit a booking or contact form via the chat, the rules of section 3.1 apply. If you submit a contact form in the same browser tab as a prior chat session, the anonymous chat session ID may be merged in our analytics tool with the pseudonymous identifier derived from your email address (see section 5), so that chat events and form submission can be analysed as a single interaction. Chat transcripts are automatically deleted from our automation platform after at most 30 days.

3.3 Newsletter

If you sign up for our newsletter, we forward your email address to our n8n automation, which delivers the message via the processor Brevo (see section 4). Legal basis: Art. 6 (1) (a) GDPR (consent). You can withdraw consent at any time via the unsubscribe link in any newsletter email or by sending a message to hello@fluxhuman.com.

3.4 Outbound Research (B2B Outreach)

As part of our B2B outreach, we research publicly available business contact data (e.g. from company websites, public industry and company directories) and create a lead record in our own database. Categories of data processed: business email address, contact-person name, company, optionally industry, and a short AI-generated summary of the publicly available website. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in direct B2B business outreach to decision-makers).

Pursuant to Art. 14 GDPR we inform the data subjects at the latest on first contact (initial outreach email) about the processing, the source of the data and the recipients. You have the right to object to this processing at any time pursuant to Art. 21 GDPR and to request erasure of your record pursuant to Art. 17 GDPR; an informal email to hello@fluxhuman.com is sufficient. Records that have not been contacted are retained for a maximum of 12 months; after first contact the retention rules of section 10 apply.

4. Email Delivery (Brevo)

For sending transactional emails (e.g. confirmations, replies, newsletters, lead follow-up emails) we use the SMTP service Brevo, operated by Sendinblue SAS (106 Boulevard Haussmann, 75008 Paris, France). Brevo processes the recipient's name, email address, the message contents and technical delivery metadata (e.g. delivery status, bounces). Legal basis: Art. 6 (1) (b) or (f) GDPR. Processing takes place inside the EU; a Data Processing Agreement under Art. 28 GDPR is in place.

5. Audience Measurement (PostHog, EU)

We measure usage of our site with the analytics tool PostHog, operated by PostHog Inc., hosted in the EU region (eu.i.posthog.com, servers in Frankfurt, Germany). Unlike conventional analytics services:

  • No client-side tracking script runs in your browser. Events are reported server-side via our own endpoint /api/track.
  • Your IP address is stripped server-side before any event is forwarded to PostHog. PostHog explicitly receives no $ip field.
  • No cross-site recognition takes place. A random session ID is stored only in your browser's sessionStorage (key fluxhuman-session-id) and is deleted when you close the tab.

Without your consent, we record only an anonymous page view containing: the requested path, viewport size, an anonymous session ID, and the referring domain (hostname of the previously visited page, e.g. google.com — explicitly without path or query string, so no personal URL fragments are processed). The legal basis is Art. 6 (1) (f) GDPR and § 165 (3) of the Austrian TKG 2021 (technically necessary audience measurement without cookies and without IP storage).

With your consent, we additionally record interaction events that are not pure page views (e.g. contact-form submissions, chat messages, clicks on booking links), the full referrer URL, screen resolution and session duration, a technical measurement of the time elapsed until your first interaction with the page (first interaction timing), and JavaScript error events from your browser if the page raises one (client error reporting; potentially personal content such as email addresses or tokens is automatically stripped server-side before transmission). Legal basis: Art. 6 (1) (a) GDPR.

To prove and analyse whether visitors grant or decline consent, we transmit the display of the consent banner and your subsequent choice (consent_banner_shown, consent_choice) anonymously to PostHog even without consent. No personal data and no IP address is transmitted with these two events. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in evidencing and analysing the consent request pursuant to Art. 7 (1) GDPR).

You can withdraw consent at any time via the cookie banner ("Configure"). A Data Processing Agreement with PostHog is in place.

Pseudonymous person identifier after lead capture. When you submit our contact form, your email address is converted server-side, before any handover to PostHog, into a one-way hash value (truncated SHA-256). PostHog only ever receives this pseudonymous identifier; your actual email address is never transmitted to PostHog. This allows events from your prior chat session in the same browser tab to be associated with the same pseudonymous record so we can analyse our conversion funnel coherently. This is pseudonymisation within the meaning of Art. 4 (5) GDPR; re-identification on PostHog's side is not readily possible without our involvement. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in meaningful, data-minimised conversion measurement). You may object to this processing at any time pursuant to Art. 21 GDPR.
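As an illustration of the server-side data minimisation described in this section (added example, not the site's own code): the visitor IP and plain email never enter the forwarded payload, the referrer is cut down to its hostname, consent-only properties and non-page-view events are dropped without consent, and the email becomes a truncated SHA-256 identifier. The 16-character truncation, the property names and the /api/track request shape are assumptions; the policy does not state them.

```python
import hashlib
from typing import Optional
from urllib.parse import urlsplit

# Assumed truncation length: the policy only says "truncated SHA-256".
HASH_PREFIX_LEN = 16
# Events that may be forwarded even without consent (section 5).
ALWAYS_ALLOWED_EVENTS = {"$pageview", "consent_banner_shown", "consent_choice"}
# Properties forwarded only after the visitor opted in (names assumed).
CONSENT_ONLY_PROPERTIES = {"referrer_url", "screen_resolution", "session_duration_ms",
                           "time_to_first_interaction_ms"}


def pseudonymous_id(email: str) -> str:
    """One-way identifier derived from the email address (Art. 4 (5) GDPR).
    Unkeyed, as the policy describes it; an HMAC keyed with a server-side secret
    would additionally defeat dictionary matching by anyone holding the IDs."""
    normalised = email.strip().lower().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()[:HASH_PREFIX_LEN]


def referrer_domain(referrer: Optional[str]) -> Optional[str]:
    """Reduce a referrer URL to its hostname so no path or query string is kept."""
    if not referrer:
        return None
    host = urlsplit(referrer).hostname
    return host.lower() if host else None


def sanitize_event(raw: dict, consent: bool) -> Optional[dict]:
    """Turn a raw /api/track request into the payload forwarded to PostHog.
    Returns None when the event is not allowed without consent. The visitor IP
    (cf-connecting-ip) and the plain email address never enter the payload."""
    if not consent and raw["event"] not in ALWAYS_ALLOWED_EVENTS:
        return None
    props = {
        "path": raw.get("path"),
        "viewport": raw.get("viewport"),
        "referring_domain": referrer_domain(raw.get("referrer_url")),
    }
    if consent:
        props.update({k: raw[k] for k in CONSENT_ONLY_PROPERTIES if k in raw})
    email = raw.get("email")
    distinct_id = pseudonymous_id(email) if email else raw["session_id"]
    return {"event": raw["event"], "distinct_id": distinct_id, "properties": props}


# Constructed sample request, as the server would see it behind Cloudflare.
SAMPLE = {"event": "form_submitted", "session_id": "sess-demo-1", "path": "/contact",
          "viewport": "1440x900", "email": "Alice@Example.com", "ip": "203.0.113.7",
          "referrer_url": "https://www.google.com/search?q=fluxhuman+pricing"}
```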

6. Browser Storage (No Tracking Cookies)

This site sets no tracking cookies and no advertising cookies, and loads no third-party cookies. We use only first-party browser storage (localStorage / sessionStorage) for the following technically necessary purposes:

  • fluxhuman-theme – your selected colour theme (light/dark).
  • fluxhuman-locale – your selected language.
  • fluxhuman-consent – your consent choice.
  • fluxhuman-session-id / fluxhuman-session-start / fluxhuman-session-utm – an anonymous session ID and UTM parameters, valid only for the duration of the browser session.
  • fluxhuman-session-attribution – ad click identifiers plus first-touch landing page and referrer, written only after marketing consent and valid only for the duration of the browser session.
  • Flux_chat_user_id – a stable pseudonymous identifier for your chat widget, persisted locally. Allows multiple chat conversations to be linked.
  • Flux_chat_session_id / Flux_chat_session_last_activity – a pseudonymous session ID and last-activity timestamp. A session expires after 30 minutes of inactivity.

These entries stay on your device and are not transmitted to third parties. You can clear them at any time through your browser settings.

7. External Booking Links (Cal.com)

On some pages we link out to Cal.com (Cal.com, Inc.) for appointment booking. You leave our website only when you actively click such a link. Once you are on Cal.com, the Cal.com privacy policy applies. We do not embed Cal.com scripts or iframes on our pages.

8. Fonts

We use the "Geist" and "Geist Mono" typefaces. They are self-hosted via the next/font mechanism: the font files are downloaded at build time and served directly from our server. Your browser does not connect to Google Fonts or any other font CDN.

9. Recipients of Personal Data (Processors)

  • Cloudflare, Inc. – edge / tunnel delivery, DDoS protection, TLS (USA, EU SCCs + DPF).
  • Sendinblue SAS (Brevo) – SMTP email delivery and newsletters (France, EU).
  • PostHog Inc. – audience measurement on the EU region (Germany; Art. 28 GDPR contract in place).
  • Mistral AI SAS – AI inference for the chat widget (Paris, France; Art. 28 GDPR contract in place). Data processed: the content of your chat messages and our replies for the sole purpose of generating the next reply. Your inputs are not used for model training.
  • Slack Technologies LLC – internal lead notification posted to a private Slack channel (USA; Art. 28 GDPR contract in place; transfer basis: EU Standard Contractual Clauses and EU-US Data Privacy Framework). Data processed: name, email, company and an excerpt of the message from the contact form, or lead summary metrics.

Our database (PostgreSQL), the Payload CMS, the chat backend (Ollama) and the automation platform (n8n) all run on our own EU-based infrastructure.

10. Retention Periods

  • In-memory IP for rate-limiting: max. 11 minutes.
  • Contact-form submissions and lead records: until your enquiry is closed and for the duration of statutory retention obligations (e.g. 7 years under § 132 BAO for invoice-related records).
  • Newsletter data: until you withdraw consent.
  • Chat transcripts in the automation platform: max. 30 days.
  • PostHog events: 30 days, after which they are automatically deleted.
  • n8n execution history (internal workflow logs, may contain lead content): max. 30 days.

11. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): request information about the data we hold.
  • Right to rectification (Art. 16 GDPR): request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): request deletion of your data.
  • Right to restriction (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR).
  • Right to object (Art. 21 GDPR), in particular against processing based on legitimate interests.
  • Right to withdraw consent (Art. 7 (3) GDPR), with effect for the future.

To exercise these rights, an informal email to hello@fluxhuman.com is sufficient.

12. Right to Complain

You have the right to lodge a complaint with a supervisory authority. The authority competent for us is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Email: dsb@dsb.gv.at

13. Data Security

We employ technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access. All traffic is delivered over TLS, passwords are stored only as cryptographic hashes, and access to the admin area is restricted to a limited group of authorised users.

14. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in the law or in our services. The current version is always available on this page; the date of the most recent update is shown at the top.

15. Contact for Privacy Inquiries

For questions about data protection, please contact:
Email: hello@fluxhuman.com