Skip to content

Privacy Policy

Last updated: 22 May 2026

1. Who we are

Flux is operated by Redbite Solutions Ltd, a company registered in England and Wales. We are the data controller for the personal data we process through Flux. You can reach us at hello@umin.ai.

2. What data we collect

Account data

When you create an account, we collect your name, email address, and (if you use password authentication) a hashed password. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.

Workspace and board content

We store the content you create in Flux - boards, columns, cards, comments, checklists, labels, and file attachments. This data belongs to you.

Usage data

We collect basic usage analytics via Google Analytics 4 (GA4), including pages visited, session duration, and device type. GA4 data is aggregated and does not identify you personally.

Technical data

When you use Flux, our servers automatically record your IP address, browser type, and request timestamps for security and debugging purposes.

3. How we use your data

We use your data to:

  • Provide the service - store and display your boards, cards, and files
  • Authenticate you - verify your identity when you sign in
  • Enforce access control - ensure only authorised workspace members can access your data
  • Send transactional emails - password resets, workspace invitations, and notifications you have enabled
  • Improve the service - analyse aggregated usage patterns to fix bugs and prioritise features
  • Maintain security - detect and prevent abuse, fraud, and unauthorised access

4. AI features and third-party data processing

Flux offers optional AI-powered features. When you use an AI feature, relevant board content (such as card titles, descriptions, and column names) may be sent to third-party AI providers for processing.

This data is sent only when you actively trigger an AI feature - never in the background. Google processes this data under their API terms of service. We do not use your content to train AI models.

5. Legal basis for processing (UK GDPR)

We process your personal data on the following bases:

  • Contract - processing necessary to provide Flux to you (account data, workspace content)
  • Legitimate interests - usage analytics, security monitoring, and service improvement, where our interests do not override your rights
  • Consent - where you opt in to AI features that send data to third-party providers

6. Who we share data with

We do not sell your personal data. We share data only with:

  • Infrastructure providers - Amazon Web Services (hosting, database, file storage, email delivery via SES)
  • Authentication providers - Google (if you use Google sign-in)
  • AI providers - third-party AI services (only when you use AI features)
  • Analytics - Google Analytics 4 (aggregated usage data)

All sub-processors operate under data processing agreements. We do not share data with other third parties unless required by law.

7. Data storage and transfers

Your data is stored on servers operated by Amazon Web Services. Some sub-processors (Google) may process data outside the UK. Where this occurs, we rely on appropriate safeguards such as Standard Contractual Clauses or UK adequacy decisions.

8. Data retention

  • Account data - retained while your account is active. Deleted within 90 days of account closure.
  • Workspace content - retained while the workspace exists. Soft-deleted content is permanently removed within 90 days.
  • Activity logs - retained for the lifetime of the workspace to support undo and audit functionality.
  • Technical logs - retained for up to 90 days for security and debugging.

9. Your rights

Under UK GDPR, you have the right to:

  • Access - request a copy of the personal data we hold about you
  • Rectification - ask us to correct inaccurate data
  • Erasure - ask us to delete your data (subject to legal obligations)
  • Restriction - ask us to restrict processing in certain circumstances
  • Portability - receive your data in a structured, machine-readable format
  • Object - object to processing based on legitimate interests
  • Withdraw consent - where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, email us at hello@umin.ai. We will respond within 30 days.

10. Cookies

Flux uses the following cookies:

  • Session cookies - essential for authentication. These keep you signed in and cannot be disabled.
  • Analytics cookies - set by Google Analytics 4 to collect aggregated usage data.

We do not use advertising or tracking cookies.

11. Children's privacy

Flux is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Security

We take reasonable technical and organisational measures to protect your data, including encryption in transit (TLS), hashed passwords, role-based access control, rate limiting, and security headers. No system is perfectly secure - if you discover a vulnerability, please report it to hello@umin.ai.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect.

14. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

15. Contact

For any privacy-related questions, contact us at hello@umin.ai.