PRIVACY POLICY
In Flux Studio LLC
Effective Date: May 18, 2026 | Draft for Counsel Review — Rev. 5
Revised against fourth engineering codebase review
| Legal Entity | In Flux Studio LLC |
| Incorporated | Delaware, USA (August 12, 2025) |
| NJ Registration | ID 0451332183 (August 21, 2025) |
| Business Address | 8 The Green, Suite A, Dover, Delaware 19901 |
| Privacy Contact | hey@influxstudio.co |
| Business Purpose | Versioning and delivery of brand video content; enabling clients to produce personalized brand video content at scale |
1. Introduction
In Flux Studio LLC (“In Flux Studio,” “we,” “us,” or “our”) operates a professional software-as-a-service platform for versioning and delivery of brand video content. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use our platform, website, and desktop application (collectively, the “Service”).
By accessing or using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
Scope. This Policy applies to: (a) users who access the Service through the web or desktop application; (b) users who authenticate via Google OAuth; and (c) visitors to our website. It does not apply to data processed solely within your organization’s own infrastructure.
Note on client use cases. In Flux Studio’s customers use the Service to produce and version their own brand video content. This Policy governs In Flux Studio’s data practices as a platform operator. It does not govern how customers use content produced through the Service in their own advertising or marketing campaigns.
2. Data Controller
For purposes of applicable privacy law, In Flux Studio LLC is the data controller of personal data collected through the Service.
| Controller | In Flux Studio LLC |
| Address | 8 The Green, Suite A, Dover, Delaware 19901 |
| Contact | hey@influxstudio.co |
| Governing Law | State of Delaware, United States |
| ⚠ NEEDS WORK — Dedicated Privacy Contact AddressAll GDPR data subject requests and privacy inquiries currently route to hey@influxstudio.co, a general inbox. Enterprise clients and EU regulators expect a dedicated privacy@influxstudio.co address so requests are correctly routed and SLAs tracked. No engineering required — operational change only. Resolve before EU onboarding, then update Sections 2, 10, and 17. |
| ⚠ NEEDS WORK — GDPR Data Controller / EU RepresentativeIf In Flux Studio has users in the European Economic Area, it may be required to designate an EU representative under GDPR Article 27. Counsel should advise on whether an EU representative or DPA is required before EU users are onboarded. |
3. Information We Collect
3.1 Account Information
When you create an account or log in, we collect:
- Email address
- Password (stored as a one-way cryptographic hash — we never store your plaintext password)
- Session tokens used to keep you logged in
- Password reset tokens (short-lived and single-use)
Google Sign-In. If you log in with Google, we receive your name, email address, and Google account ID from Google. We do not receive your Google password.
3.2 Project and Media Data
When you use the Service, we store:
- Project files — timelines, clips, asset metadata, and variations
- Uploaded media files — video, image, audio, and font files you upload to the platform
All project data is associated with your account and stored on our servers.
3.3 Google Drive Data
Read-only, import-only scope. If you connect your Google Drive to import assets, we request read-only access (drive.readonly scope). We access only files you explicitly select for import.
| ⚠ NEEDS WORK — Google Drive Token Lifecycle — Engineering Decision RequiredThe current codebase stores the Google Drive OAuth token in the server-side session object (req.session.googleDriveToken), where it persists until logout or session expiry — not only for the duration of the import action. Two options: (a) update the policy to accurately state that the token persists until logout or session expiry; or (b) modify the code to delete req.session.googleDriveToken immediately after import completes, then update the policy. Engineering decision required before this section can be finalized. |
3.4 Invitation Data
When you invite another person to collaborate on a project, we collect and process the invitee’s email address for the purpose of delivering the invitation and provisioning access. Invitation data is stored in association with the relevant project.
| ⚠ NEEDS WORK — Invitation System Security Hardening (Issues #1527, #1603)Rate limiting and security hardening should be resolved before the invitation system is described as production-ready in any enterprise agreement or published policy. |
3.5 In-App Feedback Data
The Service includes an in-app feedback form accessible from every page. When you submit feedback, we collect your submitted text (bug reports, feature requests, or general feedback). Feedback is submitted to an In Flux Studio–controlled server endpoint and is not shared with any third-party sub-processor.
Log data. The feedback form includes an optional “include logs” checkbox. If selected, browser log data is also submitted along with your feedback. The form separately offers a “download logs” button that saves a copy of logs to your own device only — that action does not transmit data to In Flux Studio.
| ⚠ NEEDS WORK — Feedback Form — PII Audit Required Before Publishing (Issue #1996)Engineering has not completed an audit of the log sanitization pipeline to confirm no PII leaks through the optional ‘include logs’ path. Do not publish until the audit confirms sanitization is comprehensive. Once complete, also add: how long feedback data is retained and whether it is reviewed by staff or processed by internal tooling. |
3.6 Technical and Log Data
Our hosting infrastructure automatically captures standard web server access log data, including:
- IP address and approximate location derived from IP
- Browser type and operating system
- URL paths requested, HTTP status codes, and timestamps
This data is retained at the infrastructure level by Railway (our hosting provider) and is not independently extracted or processed by In Flux Studio beyond what is required for security and operational monitoring. Railway is disclosed as a sub-processor in Section 5.1.
Google Fonts. Our interface loads the Noto Sans typeface from Google Fonts (fonts.googleapis.com). This request is made directly by your browser to Google. Google may log your IP address under their own privacy policy. This transfer is outside our control.
3.7 Communications Data
If you use the password reset feature, we process your email address to send a transactional message via Resend, our email delivery provider.
3.8 Audit Log Data
| ⚠ NEEDS WORK — Audit Log Data — Engineering Must Confirm What Is Currently Stored (Issue #1436)Audit log types and utilities exist in the codebase (audit-types.ts, audit-project-name.ts). Engineering must confirm: (a) whether audit events are currently being persisted to the database, and (b) what data fields are captured and for how long. Once confirmed, this section must be updated. When issue #1436 is fully implemented, a further material update will be required. |
3.9 Information We Do Not Currently Collect
We do not currently collect:
- Payment card numbers or bank account information (no payment processing is currently active)
- Social Security numbers or government-issued identification
- Biometric data
- Health or medical information
- Data from advertising networks (In Flux Studio operates no advertising and uses no ad networks)
- Behavioral analytics or usage tracking (no analytics vendor is currently active — see Section 8)
| ⚠ NEEDS WORK — Payment Processing Activation — Sections 3, 4, and 5.1 Must Be UpdatedWhen Paddle or Stripe is activated, this section must be updated to remove the ‘no payment processing’ bullet, and a new subsection must be added to Section 3 disclosing what payment data is collected and how it is processed. The Section 4 purpose table and the sub-processors table in Section 5.1 must also be updated. The activation flags in Sections 5.4 and 8 will prompt the notification obligation but do not cover these Section 3 and Section 4 updates — do not activate payment processing without completing all three. |
4. How We Use Your Information
| Purpose | Legal Basis (where applicable) |
| Provide and operate the Service | Performance of contract; legitimate interest |
| Authenticate your identity and maintain your session | Performance of contract |
| Send password reset emails | Performance of contract |
| Validate your account against the beta allowlist | Performance of contract; legitimate interest |
| Process and transcode media files you upload | Performance of contract |
| Deliver project invitations to collaborators | Performance of contract; legitimate interest |
| Review in-app feedback submissions to improve the Service | Legitimate interest |
| Maintain server security, integrity, and availability | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Respond to your support inquiries | Legitimate interest; performance of contract |
| ⚠ NEEDS WORK — GDPR Legal Bases (Article 6)The legal bases above are preliminary. Before onboarding EU users, counsel should confirm each processing activity has a documented lawful basis under GDPR Article 6, and that a Records of Processing Activities (ROPA) register is maintained as required by GDPR Article 30. |
5. How We Share Your Information
We do not sell your personal data. We do not share your data with advertising networks. We share your information only as described below.
5.1 Sub-Processors
The following third-party service providers process personal data on our behalf under contractual arrangements. We will provide at least 30 days’ prior notice before adding a new sub-processor that materially affects the processing of your data. Enterprise clients requiring a formal sub-processor addendum should contact hey@influxstudio.co.
| Provider | Role | Data Involved |
| Railway | Cloud hosting, deployment, and server infrastructure | All Service data; server logs |
| Railway PostgreSQL | User account database | Email, hashed password, session data |
| Resend | Transactional email delivery | Email address |
| Google (OAuth) | Authentication provider | Name, email, Google account ID |
| Google (Drive) | Asset import — read-only, user-initiated | Selected files during import only |
| IFS License Server | Beta allowlist validation (self-hosted on Railway) | Email address |
Google Fonts. Our interface loads the Noto Sans typeface directly from Google’s servers (fonts.googleapis.com). This is a browser-level request — your browser contacts Google directly, outside of In Flux Studio’s control and without a data processing agreement between In Flux Studio and Google governing this use. Google may log your IP address under their own privacy policy. See also Sections 3.6 and 7.
| ⚠ NEEDS WORK — DPA Template RequiredEnterprise clients will require a formal Data Processing Agreement (DPA) before signing any pilot or MSA. No DPA template currently exists. Legal drafting task, no engineering dependency. |
5.2 Legal Requirements
We may disclose your information if required by law, regulation, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, investigate fraud, or respond to a government request.
5.3 Business Transfers
If In Flux Studio LLC is involved in a merger, acquisition, asset sale, or reorganization, your data may transfer as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.
5.4 Vendors Wired but Not Yet Active
The following vendors are integrated in our codebase but are not currently processing user data. Before any of these are activated, we will provide prominent notice within the Service, and will also attempt to notify you by email where a bulk email delivery mechanism is available at that time. All vendors on this list that process personal data will be added to the sub-processors table in Section 5.1 at activation.
- Sentry — error and crash monitoring
- Paddle or Stripe — payment processing and subscription billing
- Better Stack — uptime monitoring and server log aggregation
- AWS (S3) — potential future media asset storage (would process uploaded user media files)
- PostHog / Amplitude — product analytics and usage tracking (explicitly deferred; would process page visits and behavioral data)
| ⚠ NEEDS WORK — Bulk Email Notification CapabilitySections 5.4 and 15 commit to notifying users of material changes. Currently the only outbound email pathway is transactional password reset via Resend — no bulk email capability exists. In-Service notice is the firm commitment; email is best-effort. If bulk email capability is built before publication, this language can be strengthened. |
6. Data Storage, Retention, and Security
6.1 Where Data Is Stored
Your data is stored on Railway’s infrastructure, which runs on Google Cloud Platform (GCP). Depending on Railway’s region configuration, data may be stored in the United States or the European Union.
| ⚠ NEEDS WORK — Data Residency ConfigurationRailway region must be confirmed and documented here before publication. EU enterprise clients require EU-region data residency (issues #1996, #1693). |
6.2 Security Measures
We implement the following security measures:
- All data in transit is encrypted using HTTPS/TLS
- Passwords are stored as one-way cryptographic hashes (never in plaintext)
- Session cookies are HTTP-only and not accessible to client-side scripts
- Storage encryption at rest is provided at the infrastructure layer by GCP via Railway
| ⚠ NEEDS WORK — Encryption-at-Rest Representation (Issue #2152)Infrastructure-layer encryption is provided by GCP via Railway. In Flux Studio does not independently manage or rotate encryption keys, and application-level encryption has not been implemented. Counsel must ensure this Policy does not make unqualified ‘encrypted at rest’ claims. |
6.3 Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon a deletion request, we will delete or anonymize your data within a commercially reasonable period, except where retention is required for legal, tax, or regulatory compliance.
| ⚠ NEEDS WORK — Retention ScheduleA formal data retention schedule with specific periods per data category (account data, project files, media assets, server logs, email records, invitation data, audit logs, feedback submissions) has not yet been established. Counsel should define these before publication. |
7. Cookies and Similar Technologies
We use the following cookies:
- Session cookie. An HTTP-only cookie that authenticates your session and keeps you logged in. Not accessible to JavaScript; cleared on logout or session expiry.
- OAuth state cookie. A separate short-lived cookie used during the Google OAuth flow. Carries state parameters needed to complete authentication. Cleared upon completion of the OAuth flow.
We do not use advertising cookies, third-party tracking cookies, behavioral analytics, or pixel tracking. We do not use Google Analytics, Meta Pixel, or similar technologies.
Google Fonts. Our interface requests fonts from Google’s servers (fonts.googleapis.com). This is a browser-level request outside our control and may be subject to Google’s own cookie practices.
8. Integrated Services Not Yet Active
The following services are wired into our codebase but are not currently processing user data. See Section 5.4 for the notification commitment that applies when any of these are activated.
| Service | Intended Role When Activated |
| Sentry | Error and crash monitoring — would capture stack traces and potentially request metadata |
| Paddle / Stripe | Payment processing and subscription billing — would handle payment card data |
| Better Stack | Uptime monitoring and server log aggregation |
| AWS (STS / IAM / S3) | System key validation and potential future media asset storage |
| PostHog / Amplitude | Product analytics and usage tracking (explicitly deferred) |
9. Desktop Application
In Flux Studio is available as a desktop application for macOS, Windows, and Linux, built with Electron.
- macOS: Signed with an Apple Developer certificate and notarized through Apple.
- Windows: Signed with a code-signing certificate (DigiCert, Sectigo, or GlobalSign).
- Auto-updates: Uses electron-updater to fetch update metadata from GitHub or AWS S3. No personal data is transmitted beyond standard HTTPS request headers (IP address and user agent).
10. Your Rights and Choices
10.1 Access and Correction
You may request access to the personal data we hold about you, or request corrections to inaccurate data, by contacting us at hey@influxstudio.co. We will acknowledge your request within 5 business days and respond in full within 30 days.
10.2 Account Deletion (Right to Erasure)
You may request deletion of your account and associated personal data by contacting us at hey@influxstudio.co. We will acknowledge your request within 5 business days and complete deletion within 30 days, subject to any legal retention obligations.
| ⚠ NEEDS WORK — No Self-Serve Deletion EndpointNo automated account deletion endpoint currently exists. Deletion is handled manually. Engineering must build a deletion endpoint or document a manual fulfillment workflow with the 30-day SLA. Counsel should ensure this section does not imply automated deletion. |
10.3 Google Drive Disconnection
You may revoke In Flux Studio’s access to your Google Drive at any time through your Google Account settings at myaccount.google.com/permissions.
10.4 Email Communications
The only emails we send are transactional (password reset). You cannot opt out of transactional emails while maintaining an active account, as they are required for account security.
10.5 Data Portability
You have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format. To submit a portability request, contact hey@influxstudio.co. We will acknowledge within 5 business days and fulfill requests manually within 30 days.
| ⚠ NEEDS WORK — No Data Export Mechanism (GDPR Art. 20)No data portability or export feature exists and none is currently on the engineering roadmap. Requests will be fulfilled manually. Engineering must plan and build an export feature before this right can be satisfied at scale. |
10.6 Right to Restrict Processing
In certain circumstances, you have the right to request that we restrict how we process your personal data. To submit a restriction request, contact hey@influxstudio.co. We will acknowledge within 5 business days and confirm the restriction or explain why it cannot be applied.
| ⚠ NEEDS WORK — No Restriction of Processing Mechanism (GDPR Art. 18)No engineering mechanism exists to implement processing restriction systematically. Restriction requests will be handled manually. Engineering work will be required before this can be honored at scale. |
| ⚠ NEEDS WORK — GDPR Data Subject Rights — Full Scope (Articles 15–22)EU/EEA users also have the right to object to processing (Art. 21) and rights related to automated decision-making (Art. 22). No automated decision-making currently occurs. Counsel should confirm all rights can be honored within the 30-day statutory deadline before EU users are onboarded. |
| ⚠ NEEDS WORK — California Privacy Rights (CCPA/CPRA)Counsel should determine whether CCPA/CPRA applies given the B2B nature of the service and current user count, and whether a formal CCPA notice is required. In Flux Studio does not sell personal data. |
11. Upcoming Features That Will Affect This Policy
The following features are in the engineering backlog. Each will require this Policy to be updated before the feature goes live.
| Feature | Issue | New Data Collected |
| Session-based watermarking | #1692 | Viewer email address and IP address embedded into the video stream at playback time |
| SAML 2.0 / Enterprise SSO | #1690 | Identity assertions from agency IdPs (Okta, Azure AD, Adobe Admin Console) including name, email, and role assignments |
| Two-factor authentication (2FA) | #1679 | TOTP secrets stored per user account |
| Secure partner sharing | #1680 | Access granted to named third-party external partners; access events logged with timestamps |
| JIT provisioning | #1691 | Automatic account creation and revocation via agency directory integration |
12. Minimum Age Requirement
In Flux Studio is a professional B2B software platform intended for use by individuals aged 18 and older acting in a commercial or professional capacity. We do not knowingly collect personal data from anyone under the age of 18.
If you become aware that a minor has provided us with personal data, please contact us at hey@influxstudio.co and we will take steps to delete that information promptly.
13. International Data Transfers
In Flux Studio is operated from the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
| ⚠ NEEDS WORK — GDPR International Transfer Mechanisms (Chapter V)Transfers of personal data from the EEA to the US require a lawful transfer mechanism under GDPR Chapter V — such as Standard Contractual Clauses (SCCs). No transfer mechanisms are currently in place. Must be resolved before EU users are onboarded. |
14. Security Incidents and Breach Notification
In the event of a data security incident affecting your personal data, we will take prompt steps to investigate and, where legally required, notify affected users and relevant authorities.
| ⚠ NEEDS WORK — Incident Response Plan (Issue #2151)No formal incident response plan, breach notification runbook, or cyber liability / E&O insurance is in place. Required before any enterprise MSA: (a) breach notification process complying with GDPR 72-hour rule (Art. 33) and US state laws; (b) cyber liability and E&O insurance; (c) incident response runbook. |
15. Changes to This Privacy Policy
We may update this Policy from time to time. When we do, we will revise the Effective Date at the top of this document. For material changes, we will provide prominent notice within the Service at least 30 days before the change takes effect, and will also attempt to notify you by email where a bulk email delivery mechanism is available at that time.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.
16. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-law provisions.
For users in the European Union or European Economic Area, nothing in this Policy limits your rights under applicable EU data protection law, including the GDPR.
| ⚠ NEEDS WORK — EU Governing Law / JurisdictionThe Delaware governing law clause is appropriate for commercial disputes but must not deprive EU data subjects of GDPR rights. Counsel should ensure EU users are not required to litigate in Delaware for GDPR-related claims. |
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
| Company | In Flux Studio LLC |
| hey@influxstudio.co | |
| Mailing Address | 8 The Green, Suite A, Dover, Delaware 19901 |
| NOTE FOR REVIEWING COUNSEL — REV. 5 CHANGE SUMMARYThis revision incorporates the fourth engineering codebase review. All 3 new findings addressed.Rev. 5 changes:Item 1 — AWS and PostHog/Amplitude added to Section 5.4: Both vendors now appear in Section 5.4’s 30-day notification scope. AWS (S3) noted as would-process-user-media-files; PostHog/Amplitude noted as would-process-behavioral-data. Section 8 cross-references Section 5.4 for the notification commitment. No gap in notification obligation remains.Item 2 — Google Fonts removed from Section 5.1 sub-processors table: Google Fonts is a browser-level public CDN request — not a sub-processor. IFS has no DPA or contract with Google governing this use. Removed from table; described instead in a standalone paragraph below the table (consistent with existing disclosures in Sections 3.6 and 7).Item 3 — Section 3.6 tightened: ‘Pages visited, actions taken’ language replaced. Section 3.6 now accurately describes this as standard web server access log data retained at the infrastructure level by Railway — not independently extracted or processed by IFS. The in-memory request-metrics.ts circular buffer is non-persistent and contains no PII; no separate disclosure required.Remaining open items before publication:Google Drive token lifecycle — engineering decision pending (Section 3.3)Feedback form PII audit of log sanitization — not yet completed (Section 3.5)Audit log data — engineering must confirm what is currently persisted (Section 3.8)Railway/GCP region for data residency — not yet confirmed (Section 6.1)Retention schedule — specific periods per data category not yet defined (Section 6.3)Dedicated privacy contact address — privacy@influxstudio.co recommended (Section 2)Bulk email capability — or accept softened notification language as final (Sections 5.4, 15)GDPR: EU representative, ROPA register, SCCs, DPA template (Sections 2, 5.1, 13)Incident response plan, breach runbook, cyber liability / E&O insurance (Section 14)CCPA/CPRA applicability determination (Section 10)Forward-looking policy language for Section 11 features — draft before each ships |