LEGAL
Privacy Policy
Last updated: May 2026 · Effective date: May 2026
This Privacy Policy explains how Fluorly collects, uses, and protects your personal data when you use our service at fluorly.com. We are committed to being transparent about our data practices and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are (Data Controller)
Fluorly is operated by Ben Ratcliffe, a sole trader based in the United Kingdom ("I", "me", "my"). I am registered with the Information Commissioner's Office (ICO) under registration number ZC137038. You can verify this at the ICO register.
For any data protection queries, please contact me at: hello@fluorly.com
2. Personal Data I Collect
I collect and process the following categories of personal data:
Account data (collected via Google OAuth)
- Your name and email address, as provided by Google at sign-in
- Your timezone and productivity preferences (focus hours, default calendar, default task list)
Google Workspace access tokens
- OAuth access and refresh tokens are stored encrypted at rest using AES-256. These tokens allow the service to communicate with Google APIs on your behalf. They are never disclosed to third parties and are deleted when you close your account.
Slack tokens (if you connect Slack)
- Your Slack user token, bot token, workspace ID, and Slack user ID are stored encrypted at rest. Channel metadata (channel IDs and message timestamps) is cached to efficiently detect new messages directed at you.
Data generated through your use of the service
- AI-generated summaries — short summaries generated to help you triage email and chat alerts. Original message content is not stored.
- AI action audit log — a record of actions the assistant performed on your behalf (e.g. "Created calendar event 'Team meeting' at 10am on 14 April"). Conversation transcripts are not retained.
- Journal entries — mood score (1–5), personal notes, total focus time, and task references you record in the daily journal.
- Focus session records — Pomodoro session start/end times, durations, and the task title associated with each session, for journal and standup reference.
- Notification metadata — source identifiers (e.g. Gmail message IDs, Slack thread IDs) and AI-generated summaries for alerts shown in the app. No message body or content is stored.
RSS and newsletter feed content
- Feed URLs you subscribe to and the HTML content of RSS articles and newsletters you have added to your recreation feed. This content powers your recreation mode and is automatically deleted after 90 days. The body of emails classified as standard communications (not newsletters) is never stored.
Optional API keys
- If you provide your own Ollama API key or Brave Search API key, these are stored encrypted at rest and used solely to route your AI inference and web search requests under your own credentials.
Billing data
- If you subscribe, your Stripe customer ID, payment method type (e.g. Visa), and the last four digits of your card are stored. Full card numbers are never stored. Stripe's privacy policy applies to payment data.
Technical data
- Standard server logs including your IP address, browser user agent, and session identifiers, retained for 90 days for security and debugging purposes.
Data I do not store
- The body of standard emails (newsletters you have added to your recreation feed are the exception — see above)
- Google Chat or Slack message content
- Calendar event details or descriptions
- Google Contacts or directory data
- AI conversation transcripts
3. Lawful Basis for Processing
I rely on the following lawful bases under Article 6 of the UK GDPR:
- Performance of a contract (Article 6(1)(b)): Account management, connecting to your Google Workspace and Slack, running the AI assistant, and storing your journal and focus sessions are all necessary to provide the service you have signed up for.
- Legitimate interests (Article 6(1)(f)): Limited technical and security data (error logs, session tokens) is processed to maintain the security and reliability of the service.
- Legal obligation (Article 6(1)(c)): Where retention or disclosure is required by law (e.g. financial records, lawful requests from authorities).
4. How I Use Your Data
- To create and manage your account
- To connect to your Google Workspace services and surface AI-triaged alerts
- To provide the AI assistant, Pomodoro timer, journal, and recreation feed features
- To send transactional notifications related to your account
- To maintain the security and integrity of the service
- To comply with legal obligations
I do not use your data for advertising. I do not sell your data to any third party.
5. Google Workspace Data
Fluorly accesses your Google Workspace data (Gmail, Calendar, Tasks, Chat, Contacts) via Google OAuth 2.0. This data is accessed in real time through the Google APIs and is not stored on Fluorly's servers, with the limited exceptions in Section 2 (AI-generated summaries, action audit log, notification metadata).
Fluorly's use of Google APIs complies with Google's API Services User Data Policy, including the Limited Use requirements. Only the OAuth scopes necessary to provide the features you use are requested.
You can revoke Fluorly's access to your Google account at any time at myaccount.google.com/permissions. Revoking access will prevent the service from functioning but will not affect data already stored (see Section 8 for deletion rights).
6. Third Parties and Sub-processors
I share your data with the following third parties only to the extent necessary to operate the service. All sub-processors are bound by data processing agreements.
- Stripe (Stripe Payments Europe, Limited — Ireland) — payment processing. Ireland has an adequacy decision for UK transfers. See Stripe's Privacy Policy.
- Sentry (Functional Software, Inc. — EU) — error tracking. Basic diagnostic data (which may include your user ID and the nature of an error) may be sent to Sentry when an application error occurs. Data is stored in the EU, which has UK adequacy. See Sentry's Privacy Policy.
- Google Cloud (text-to-speech) — if text-to-speech is enabled, AI response text is sent to Google Cloud TTS for synthesis. This text is the assistant's spoken reply and may reference details from your calendar or tasks. Google Cloud's data processing terms apply.
- Google Analytics 4 (Google Ireland Limited — Ireland) — website traffic analytics. When you visit fluorly.com, anonymised usage data (pages visited, session duration, approximate location derived from IP) is sent to Google Analytics. IP addresses are anonymised before storage. Ireland has an adequacy decision for UK transfers. See Google's Privacy Policy.
- Microsoft Clarity (Microsoft Ireland Operations Limited — Ireland) — session recordings and heatmaps. When you accept analytics cookies, Clarity records anonymised session replays and heatmap data to help understand how visitors interact with fluorly.com. Strict mode is enabled: all text inputs are masked before any data leaves your browser and no personal data is captured in recordings. Ireland has an adequacy decision for UK transfers. See Microsoft's Privacy Statement.
Your own third-party services (not Fluorly sub-processors)
The following are services you connect using your own credentials. Requests are routed via Fluorly's server using your API key, but the data goes to your own account with that provider — their privacy policy governs those requests directly.
- Ollama — if you provide your own Ollama API key, your assistant messages are sent to Ollama under your credentials. See Ollama's Privacy Policy.
- Brave Search — if you provide your own Brave API key, search queries generated by the assistant are sent to Brave under your credentials. See Brave's Privacy Policy.
I do not use advertising networks or tracking pixels.
7. International Data Transfers
Fluorly's servers are hosted in the United Kingdom. Stripe, Google Analytics, and Microsoft Clarity are processed by entities based in Ireland, which has a UK adequacy decision. Sentry stores data in the EU, which also has UK adequacy. Google Cloud TTS operates under Google's standard contractual terms.
You can request details of the transfer mechanisms in place by contacting me at hello@fluorly.com.
8. How Long I Keep Your Data
- Account data and preferences: Retained while your account is active. Deleted within 30 days of account closure.
- Google and Slack OAuth tokens: Deleted immediately upon account closure or integration disconnection.
- AI action audit log: Retained for 12 months, then automatically deleted.
- Journal entries and focus sessions: Retained until you delete them or your account is closed.
- Feed articles: Automatically deleted after 90 days.
- Notification summaries: Dismissed notifications are cleared daily. All remaining records are deleted upon account closure.
- Server logs: Retained for 90 days.
- Billing records: Retained for 7 years as required by HMRC.
9. Cookies and Local Storage
Fluorly does not use advertising or tracking cookies. Your authentication token is stored in your browser's localStorage (not a cookie) to keep you signed in. This is strictly necessary for the service to function and does not require your consent under PECR.
With your consent, we use two analytics tools on fluorly.com. Google Analytics 4 sets cookies (such as _ga and _ga_*) to measure pages visited, session duration, and approximate location. IP addresses are anonymised before storage. You can opt out across all sites using the Google Analytics Opt-out Browser Add-on.
Microsoft Clarity sets cookies (such as _clck and _clsk) to record anonymised session replays and generate heatmaps. Strict mode is enabled, meaning all text you type is masked before any data leaves your browser. Neither tool is loaded until you accept analytics cookies via the consent banner.
I do not use advertising networks or tracking pixels.
10. Your Rights
Under UK GDPR, you have the following rights:
- Right of access (Article 15): Request a copy of the personal data held about you.
- Right to rectification (Article 16): Ask me to correct inaccurate data.
- Right to erasure (Article 17): Request deletion of your data. You can delete your account at any time from the Settings page — all personal data is removed within 30 days.
- Right to data portability (Article 20): Download your data in a machine-readable format from the Settings page.
- Right to restriction (Article 18): Ask me to restrict processing in certain circumstances.
- Right to object (Article 21): Object to processing based on legitimate interests.
- Rights related to automated decision-making (Article 22): The AI assistant makes recommendations but does not take legally significant automated decisions without your explicit confirmation.
To exercise any of these rights (other than account deletion, which is self-serve), email hello@fluorly.com. I will respond within one calendar month as required by UK GDPR.
If you are not satisfied with my response, you have the right to lodge a complaint with the ICO:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
ico.org.uk/make-a-complaint
I would welcome the opportunity to resolve any concern directly before you approach the ICO.
11. Security
OAuth tokens and API keys are encrypted at rest using AES-256. All data in transit uses TLS. Write actions (sending emails, creating calendar events, modifying tasks) require your explicit confirmation before execution — the service cannot act on your accounts without your approval in that session.
If you believe your account has been compromised, contact me immediately at hello@fluorly.com.
12. Children's Privacy
Fluorly is not directed at children under 13. I do not knowingly collect personal data from anyone under 13. If you believe I have inadvertently done so, please contact me and I will delete it promptly.
13. Changes to This Policy
Where changes are material, I will notify you by email or in-app notice at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.