Privacy Policy

Last updated: March 18, 2026

Introduction

This Privacy Policy describes how fluidsoul collects, uses, and protects information when you use our website (fluidsoul.io), API, SDK, CLI, and related services (collectively, the “Service”).

fluidsoul operates in two roles depending on the data involved. For behavioral event data submitted by our customers about their end users, fluidsoul acts as a data processor on behalf of the customer. For account information, billing data, and website usage data, fluidsoul acts as a data controller.

Information We Collect

Account Information

When you create an account, we collect information via Clerk, our authentication provider, including your email address and Clerk user ID.

Behavioral Event Data (as Processor)

When our customers send events through the API, we process the following data on their behalf:

User identifier (customer-defined user_id)
Event type and timestamp
Event metadata (customer-defined JSON)
Outcome type (if specified)

Computed Profiles

From behavioral events, we compute user context profiles that may include:

User category, preferred mode, engagement level, and user maturity
Feature priorities and recommended defaults
Confidence scores and explainability data
Optional LLM-generated narrative summaries

Billing Data

We collect billing information through Stripe, including Stripe customer and subscription IDs, event counts, and LLM refresh counts per billing period.

Website Usage Data

For authenticated users of fluidsoul.io, we track page views and dashboard interactions using our own service for product improvement purposes.

Audit Logs

We maintain audit logs that record actions, actors, resources, and timestamps for security and compliance purposes.

Automatically Collected Information

Our infrastructure and authentication provider (Clerk) may automatically collect IP addresses and user agent strings.

How We Use Your Information

Service delivery: processing events, computing context profiles, and serving API requests
Payments: managing subscriptions and metered billing through Stripe
Authentication: verifying identity and managing sessions through Clerk
Optional LLM narratives: generating human-readable summaries of user context when enabled by the customer
Product improvement: using our own dogfooding data to improve fluidsoul.io
Security and audit: maintaining audit trails and detecting unauthorized access

Data Processing Roles

As a processor: we process end-user behavioral data strictly on behalf of our customers, according to their instructions (API calls and workspace configuration). We do not use customer end-user data for our own purposes.

As a controller: we independently determine the purposes and means of processing for account information, billing data, and website usage data.

Third-Party Services

We use the following third-party services:

Clerk — authentication and user management
Stripe — payment processing and subscription management
Railway — backend infrastructure hosting
Vercel — frontend and documentation hosting
LLM providers (optional) — when customers enable LLM narratives, we send aggregated context data (user category, preferred mode, engagement level, user maturity, feature priorities, recommended defaults, confidence scores, event counts, event types, and days active) to the configured provider (OpenAI, Anthropic, or Google). We do not send raw events, user identifiers, email addresses, or event metadata to LLM providers.
Webhooks— customers may configure webhook URLs (HTTPS only) to receive notifications. Data sent to webhooks is determined by the customer's configuration.

We do not sell your personal data to any third party.

Data Retention

Events and computed context are retained for as long as the workspace is active
Audit logs are retained for the lifetime of the workspace
Account data is retained until you request deletion
Billing records are retained as required by applicable law

Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights regarding your personal data:

Access: request a copy of your data via the export endpoint (POST /v1/privacy/export)
Erasure: request deletion of your data via the delete endpoint (DELETE /v1/privacy/delete). This removes events, computed context, audit entries, cohort assignments, and context history.
Portability: export your data in JSON format
Rectification: request correction of inaccurate data
Restriction: request restricted processing
Objection: object to processing based on legitimate interests

For end-user data processed on behalf of our customers: the customer (data controller) is responsible for fulfilling end-user rights requests. fluidsoul provides API tools (export and delete endpoints) to enable customers to fulfill these obligations.

California Privacy Rights (CCPA)

If you are a California resident, you have the following rights:

Right to know: what personal information we collect, use, and disclose
Right to delete: request deletion of your personal information
Right to opt-out of sale: we do not sell personal information
Right to non-discrimination: we will not discriminate against you for exercising your rights

Data Security

We implement appropriate technical and organizational measures to protect your data, including:

API tokens are stored as hashes, never in plain text
All data in transit is encrypted via HTTPS
SSRF prevention on customer-configured webhook URLs (HTTPS only, no internal network targets)
Strict tenant isolation enforced on every database query
Internal errors are never exposed in API responses
Comprehensive audit trail of all significant actions

Age Restriction

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

International Data Transfers

Our infrastructure is hosted in the United States (Railway for backend services, Vercel for frontend). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. Where required, we rely on standard contractual clauses or other appropriate safeguards for international data transfers.

Cookies and Tracking

We use Clerk session cookies for authentication purposes. For authenticated users, we track page views and dashboard interactions using our own service for product improvement. We do not use third-party advertising or tracking cookies.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us via the contact information on our website.