Privacy Policy
Last updated: 3 March 2026
This Privacy Policy explains how Flints ("we", "us", "our") collects, uses, and protects your information when you use the Flints service across macOS, iOS, and the web ("Service"). This policy applies to users worldwide and addresses our obligations under the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Information We Collect
Account Information
When you register, we collect your name, email address, and password (stored as a secure hash). We also store which invite code you used to register.
Your Content
The core of Flints is the entries you create — notes, ideas, decisions, questions, learnings, feedback, and wins. We store the text content, entry type, associated project, and timestamps for each entry. This data is yours and exists solely to provide the Service to you.
Device and Sync Information
To enable cross-device sync, we collect device identifiers, device names, platform type (macOS, iOS, web), and last sync timestamps. This allows us to keep your entries consistent across all your devices.
Usage Information
We collect basic usage data such as when you access the Service and which features you use. We do not track the content of your entries for analytics purposes.
Payment Information
If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number, bank account details, or other sensitive payment information on our servers. Stripe's handling of your payment data is governed by their privacy policy.
2. Lawful Basis for Processing (GDPR/UK GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following lawful bases:
- Contract performance — Processing necessary to provide the Service to you (account data, entry storage, sync, team sharing)
- Legitimate interests — Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights
- Legal obligation — Processing necessary to comply with applicable laws
- Consent — Where we rely on your consent, you may withdraw it at any time by contacting us
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Sync your entries across your devices
- Display your entries to team members in shared projects you configure
- Process subscription payments
- Send transactional emails (account verification, password resets, team invitations)
- Respond to support requests
- Detect, prevent, and address fraud, abuse, and security issues
We do not sell your personal information. We do not use Your Content to train machine learning models. We do not serve advertising. We do not share your personal information with third parties for their marketing purposes.
4. How Your Content Is Shared
Your entries are private by default. We do not share Your Content with any third party unless you explicitly configure the Service to do so. Content is only shared in ways you actively enable:
- Team projects — When you invite members to a project, they can see entries in that project according to the permissions you set.
- AI context URLs — If you enable an AI context URL for a project, entries are accessible at that URL as structured markdown. You control when this is enabled and can revoke access at any time.
- Project log export — If configured, entries are exported as local markdown files on your device. This data stays on your machine.
- Integrations — Obsidian sync and other integrations transmit data locally on your device. The CLI tool reads from the local database.
- Bot API tokens — If you create bot tokens, those tokens can read and write entries in the projects you configure. You control which projects each bot can access.
5. AI Tools and Third-Party Data Sharing
Flints provides features that allow you to export and share Your Content with third-party services, including artificial intelligence tools. When you choose to share Your Content with a third-party service — whether through AI context URLs, project log exports, the CLI tool, bot API tokens, or any other export mechanism — you are initiating that transfer. We do not send Your Content to any third party on our own initiative.
Once Your Content has been transmitted to a third-party service at your direction, it is no longer under our control and is subject to that third party's own privacy policy, terms of service, and data handling practices. We have no visibility into, control over, or responsibility for how third-party services — including AI tools — store, process, use, retain, or disclose Your Content after receiving it. This includes, without limitation, whether a third-party service uses Your Content to train machine learning models, shares it with others, or experiences a data breach.
We strongly recommend reviewing the privacy policies and terms of any third-party service before sharing Your Content with it, and avoiding sharing sensitive, confidential, or regulated information with services whose data practices you have not reviewed.
6. Data Storage and Security
Your data is stored on secure servers. We use encryption in transit (TLS) and implement appropriate technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction.
Passwords are stored using one-way hashing and are never stored in plain text. Two-factor authentication is available for additional account security.
While we take reasonable measures to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
7. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the Australian Information Commissioner and affected individuals as required under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988. Where required by GDPR, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay. We will also comply with breach notification requirements under any other applicable data protection laws.
For clarity, a data breach affecting a third-party service that received Your Content through an integration or export feature you enabled is not a breach of the Flints Service. We are not responsible for notifying you of breaches affecting third-party services.
8. Data Retention
We retain your account data and entries for as long as your account is active. If you delete your account, we will delete your personal data and entries within 30 days, except where we are required to retain it by law or for legitimate business purposes (such as resolving disputes or enforcing our Terms). Entries in shared projects that you created may be retained if other project members still have access to the project.
Data that has been exported or transmitted to third-party services through integrations you enabled is not within our control and is not subject to our deletion processes.
9. Your Rights
All Users
Regardless of your location, you have the right to:
- Access your data at any time through the Service, project log exports, or the API
- Correct inaccurate personal information via your account settings
- Delete your account and associated data
- Export your entries using project log export, AI context URLs, or the API
Australian Users (Privacy Act 1988)
We handle your personal information in accordance with the Australian Privacy Principles (APPs). You have the right to access your personal information and request correction of inaccurate data. If you believe we have breached the APPs, you may lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC).
EEA and UK Users (GDPR/UK GDPR)
In addition to the rights above, you have the right to:
- Request restriction of processing of your personal data
- Object to processing based on legitimate interests
- Data portability — receive your personal data in a structured, commonly used, machine-readable format
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local data protection authority
California Users (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. You also have the right not to be discriminated against for exercising your privacy rights.
To exercise any of these rights, contact us at hello@flints.app. We will respond to verifiable requests within the timeframes required by applicable law.
10. Cookies
The web application uses essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies. Because we only use strictly necessary cookies, consent is not required under applicable cookie laws.
11. Third-Party Services
We use the following third-party services to operate the Service:
- Stripe — for payment processing.
- Help Scout — for customer support. When you contact us, your name, email address, and message content are processed by Help Scout.
When you enable integrations (Obsidian, AI tools, etc.), your data may be processed by those third-party services according to their own privacy policies. These integrations are always opt-in and initiated by you. We are not a data processor or sub-processor for any third-party service you choose to share Your Content with.
12. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect information from children under 16. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, please contact us at hello@flints.app.
13. International Data Transfers
Your data may be processed in countries other than your own, including Australia. If you are located in the EEA or UK, we ensure that any transfer of personal data to countries outside the EEA/UK is protected by appropriate safeguards, such as standard contractual clauses approved by the European Commission or UK Information Commissioner's Office, or other legally recognised transfer mechanisms.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised.
15. Contact and Complaints
If you have questions about this Privacy Policy or how we handle your data, contact us at hello@flints.app.
If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the relevant data protection authority:
- Australia — Office of the Australian Information Commissioner (OAIC): oaic.gov.au
- EU — Your local data protection authority
- UK — Information Commissioner's Office (ICO): ico.org.uk