Privacy Policy
Last updated: February 25, 2026
1. Scope of This Policy
This policy covers two distinct categories of data: (a) visitor data collected when you browse this website, and (b) client engagement data — royalty statements and related financial information — processed under a separate Data Processing Agreement (DPA) executed before any engagement begins.
Institutional clients should refer to the Legal Framework page for the full DPA framework, sub-processor disclosure, and regulatory compliance posture.
2. Website Visitor Data
When you submit a pilot analysis request, we collect your name, title, company, email address, and the context you provide. This information is used exclusively to respond to your request. We do not sell, rent, or share your contact information with third parties.
We use PostHog for anonymized site analytics (page views, scroll depth, button clicks) and Google Analytics 4 for aggregate traffic analysis. Neither service receives personally identifiable information. We use Resend to deliver transactional emails.
Visitor contact data is stored in an AWS Aurora PostgreSQL database hosted in us-east-1, encrypted at rest (AES-256 via AWS KMS) and in transit (TLS 1.3). The database is not publicly accessible.
3. Client Royalty Data — Data Processing Agreement
Royalty statements and related financial data submitted for pilot analysis or ongoing engagement are processed under a GDPR Article 28-aligned Data Processing Agreement, executed before any data is transferred. The DPA establishes Fluxiem as the Data Processor and the client organization as the Data Controller.
Client data is processed solely for the purpose defined in the applicable Engagement Letter. It is never used to train, improve, or fine-tune any AI model — including the models that power Fluxiem's own pipeline. It is never used for benchmarking, market research, or any commercial purpose outside the defined engagement scope, without separate explicit written consent.
Upon engagement completion, all client data is securely deleted from Fluxiem systems and sub-processors within 30 days. A written deletion certificate is provided as standard.
4. Technical Security Measures
Client data is protected by the following technical controls, all of which are binding in the DPA:
- AES-256 encryption at rest via AWS KMS with automatic key rotation
- TLS 1.3 encryption in transit for all data transfers
- Role-based access control (RBAC) and multi-factor authentication for all staff with data access
- Logical data isolation via PostgreSQL Row-Level Security — no client's data is accessible to another client's processing context
- Immutable AWS CloudTrail audit logs for all access events
- Annual third-party penetration testing
- SOC 2 Type I audit in progress
5. Sub-Processors
Fluxiem uses the following sub-processors in the delivery of its services. All are subject to equivalent data protection obligations. Clients receive 30 days' advance notice of any sub-processor change.
| Sub-Processor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting, S3 storage, Aurora database, Lambda compute |
| AWS Textract | OCR processing of royalty statement PDFs |
| Amazon Bedrock / Anthropic Claude | AI-powered semantic extraction and anomaly detection |
| AWS KMS | Encryption key management |
| AWS CloudTrail / CloudWatch | Audit logging and access monitoring |
| Resend | Transactional email delivery for pilot request acknowledgements |
6. Regulatory Compliance
Fluxiem's data handling framework is designed to satisfy the vendor due diligence requirements that institutional clients face under SEC Regulation S-P (amended 2024), GDPR Article 28, the Gramm-Leach-Bliley Act (GLBA), and CCPA where applicable.
The DPA includes the 72-hour breach notification clause mandated by SEC Reg S-P for covered institutions (RIAs, PE firms, and advisory firms subject to SEC oversight). If a security incident involving client data is discovered, Fluxiem notifies the client within 72 hours of becoming aware — regardless of weekend, holiday, or time zone.
7. Data Subject Rights
For client data governed by GDPR, Fluxiem will promptly notify the data controller of any data subject request received directly and will assist the controller in fulfilling such requests to the extent technically feasible. Fluxiem will not respond to data subject requests without the controller's prior written authorization, except as required by applicable law.
8. Data Retention
Website visitor contact data is retained for as long as necessary to respond to your inquiry and for up to 24 months thereafter unless you request deletion.
Client engagement data is retained only for the duration of the engagement and deleted within 30 days of completion as described in Section 3. Signed agreement documents are retained for a minimum of five years to support client compliance obligations under SEC Reg S-P record retention requirements.
9. Contact and DPA Requests
Privacy questions or DPA requests: hello@fluxiem.com
Institutional clients may also request the full legal document package — NDA, DPA, and Engagement Letter template — by emailing with the subject line “Legal Package Request.”