Privacy Policy

Effective: April 29, 2026 — Flawk LLC, 251 Little Falls Dr, Wilmington, DE 19808, USA

1. Who We Are

This Privacy Policy describes how Flawk LLC ("Flawk", "we", "our") collects, uses, and shares your personal data when you use our platform and services. Flawk LLC is the data controller of the personal data we collect through the Service. Our registered office is at 251 Little Falls Dr, Wilmington, DE 19808, USA, and you can contact us about privacy matters at reports@flawk.com.

2. Data We Collect About Account Holders

Category | Data points | Source
Account | Name, email, hashed password, organisation name, role, country | Registration
Billing | Stripe customer ID, subscription status, invoices, payment history (we do not store raw card numbers — Stripe holds them) | Billing flow
Campaign | Campaign content, budget, targeting criteria, ad creatives | Campaign creation
Usage | Page views, feature usage, IP address, browser and device info, session logs | Platform usage
AI content | Prompts submitted to AI tools, reference media, and generated assets | AI tools

2A. Data Collected About Viewers of DOOH & CTV Inventory

Flawk delivers ads to Digital Out-of-Home (DOOH) screens in public venues and to Connected TV (CTV) devices. To make ad delivery work, our systems and our supply-side partners process a limited set of data about the screens themselves and, in coarse form, the audiences in front of them. We do not identify individual viewers, and we do not infer or transmit any sensitive personal-data category (such as health, emotion, racial or ethnic origin, religious beliefs, or precise sexual life or orientation) to our supply-side partners.

Category | Data points | Source & lawful basis
Device telemetry | Device ID (IFA / hashed), device IP, device type, OS, browser, screen dimensions, orientation | Reported by the screen / CTV device. Lawful basis: legitimate interests (Art. 6(1)(f)) — ad delivery, fraud prevention, and operational integrity.
Coarse location | Approximate latitude / longitude, city, region, country | Geolocation by IP or device-reported coordinates. Legitimate interests — geo-relevant ad delivery and reporting.
Venue context | Venue type (mall, transit, hotel, etc.), publisher / network identifier | Configured by the screen owner. Legitimate interests.
Audience modelling (coarse) | Statistical estimates such as broad age band and venue-typical interests, aggregated and not tied to identifiable individuals | Modelled by Flawk or supply-side partners from venue, time, and inventory characteristics. Legitimate interests — balanced against viewer rights via the no-sensitive-inference commitment in this Section.
Impression metrics | First and last request timestamps, total request and impression counts per screen and campaign | Generated automatically. Contract performance with advertisers; legitimate interests for analytics.

Sensitive inference commitment. We do not populate health, emotion, wealth, income, race, ethnicity, religion, sexual-orientation, biometric, or genetic fields in any outbound bid request, analytics export, or third-party transfer. Where any field of those types appears in legacy schema or in third-party SSP signalling, we redact it before transmission and exclude it from analytics. Cameras are not used by Flawk-managed screens to identify, profile, or biometrically measure viewers.

No identification of individual viewers. Flawk does not associate the viewer-side signals listed above with any account holder, name, contact detail, payment record, or other information that, alone or in combination, would identify a specific person. The signals are used only at the screen and aggregate level.

3. How We Use Your Data

We use your personal data to:

  • Provide and operate the Service, including authentication, campaign delivery, and analytics
  • Process payments, manage subscriptions, and detect or prevent fraud
  • Match advertiser campaigns to relevant DOOH and CTV inventory using device telemetry, coarse location, venue type, and statistical audience modelling supplied by SSP partners. We do not use these signals to make legally significant decisions about identifiable individuals.
  • Send service-related communications (e.g. payment receipts, trial expiry, security alerts)
  • Send optional marketing emails where you have consented, which you can withdraw at any time
  • Improve the Service, troubleshoot bugs, and maintain platform security
  • Comply with legal obligations (including tax, accounting, and lawful requests from authorities)

4. Legal Bases for Processing (GDPR / UK GDPR)

Processing activity | Legal basis
Account operation & service delivery | Contract performance — Art. 6(1)(b)
Payment processing & subscription billing | Contract performance — Art. 6(1)(b)
DOOH / CTV ad delivery, viewer-side device telemetry, coarse-location and venue-context signalling | Legitimate interests — Art. 6(1)(f), balanced against the no-sensitive-inference commitment in Section 2A
Platform analytics, security and fraud prevention | Legitimate interests — Art. 6(1)(f)
Marketing communications | Consent — Art. 6(1)(a)
Tax, accounting and legal compliance | Legal obligation — Art. 6(1)(c)

5. Sub-Processors & Third Parties

We share personal data with the following service providers, who process data strictly on our instructions:

Sub-processor | Purpose | Location & transfer safeguards
Stripe, Inc. | Payment processing | USA — Standard Contractual Clauses (SCCs) for EU/UK transfers
Amazon Web Services, Inc. | Hosting, storage (S3), queues (SQS), analytics (Athena), CDN (CloudFront) | USA / Global — SCCs
Google LLC (Gemini, Imagen) | AI image and text generation | USA — SCCs
OpenAI, Inc. | AI campaign brief assistance (mobile app) | USA — SCCs
Byteplus (ByteDance) | Video AI generation (Seedance) | Singapore / Global — contractual safeguards
Firebase (Google) | Push notifications | USA — SCCs
Resend | Transactional email delivery | USA
Elasticsearch | Analytics search indexing | Varies
Prebid (header-bidding intermediary) | DOOH / CTV bid request relay | Global — contractual safeguards
Hivestack — Perion Network Ltd. | DOOH supply-side platform (SSP) | Global — contractual safeguards
ADTE / Destination Network | DOOH supply-side platform (SSP) | Global — contractual safeguards

We do not sell your personal data, and we do not "share" personal information for cross-context behavioural advertising as defined under the California Consumer Privacy Act / Privacy Rights Act. We may also disclose data where legally required (e.g. subpoena, court order) or to protect our rights, users, or the public.

Sub-processor change notice. We will provide at least 30 days' advance notice by email and at /privacy before adding any new sub-processor that processes personal data. Customers under our Data Processing Agreement may object to a new sub-processor within that notice period; if the objection cannot be resolved, the customer may terminate the affected portion of the Service for cause.

6. International Data Transfers

Flawk is based in the USA. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) per Implementing Decision (EU) 2021/914 and the UK International Data Transfer Addendum where applicable. For Canadian users, cross-border transfers comply with PIPEDA requirements.

7. How Long We Keep Your Data

Data type | Retention period
Account data | Duration of the account, plus 30 days after termination to allow account recovery and data export. Anonymised or deleted within 60 days of termination, except for fields subject to a specific legal-retention obligation listed below.
Payment and invoice records | 7 years (U.S. tax and accounting obligations; longer where required by foreign tax law)
Campaign data (creative, targeting, performance) | Duration of the account + 12 months for dispute and audit support; thereafter aggregated only
Usage and analytics logs | 24 months rolling
AI prompts, reference media, and generated assets | Until manually deleted by you, then 30 days in soft-delete state for recovery
DOOH / CTV viewer-side telemetry (per Section 2A) | 13 months at request-level granularity, then aggregated only
Security and incident logs | 13 months at full granularity; longer where retention is required for an active investigation

8. Your Rights

All users can: access the personal data we hold about you; correct inaccuracies; request deletion (subject to retention obligations we cannot override, such as tax records); and export a machine-readable copy of your account data at /account/data-export once authenticated. To exercise any right, contact reports@flawk.com — we respond within 30 days.

Users in the EU / UK (GDPR / UK GDPR) additionally have the right to: restrict processing; object to processing based on legitimate interests; withdraw consent at any time where processing is based on consent; and lodge a complaint with their local supervisory authority (ICO in the UK; the relevant national Data Protection Authority in EU member states).

Users in California (CCPA / CPRA) additionally have the right to:

  • Know — what personal information we collect, the categories of sources, the business or commercial purpose, and the categories of third parties to whom it is disclosed (all as described in this Policy);
  • Delete — request deletion of personal information we have collected, subject to permitted exceptions (e.g. legal-retention obligations);
  • Correct — request correction of inaccurate personal information;
  • Limit use of sensitive personal information — Flawk does not collect or use sensitive personal information for purposes that require an opt-out (we do not derive identity, race, ethnicity, religion, union membership, communications content, genetic data, biometric identifiers, health, or precise geolocation about identifiable individuals; see Section 2A);
  • Opt out of "sale" and "sharing" — Flawk does not sell personal information and does not share personal information for cross-context behavioural advertising. To formally exercise this right at any time, email reports@flawk.com or follow the "Do Not Sell or Share My Personal Information" link in the website footer; and
  • Non-discrimination — we will not discriminate against you for exercising any of these rights.

Global Privacy Control (GPC). Where you visit the Flawk website with a browser or extension that transmits a Global Privacy Control ("GPC") signal, we treat that signal as a valid request to opt out of any "sale" or "sharing" of personal information under California law, even though we do not currently sell or share. We honour authorised-agent requests in accordance with applicable law.

Users in Canada (PIPEDA) additionally have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada.

9. Cookies & Similar Technologies

We use cookies and similar technologies to operate the Service (such as authentication and CSRF protection) and to remember your preferences. For details of the cookies we set and how to manage them, see our Cookie Policy.

10. Security

We use industry-standard technical and organisational measures to protect your personal data, including encryption in transit (TLS), encryption at rest for sensitive stores, access controls, and routine backups. No system is entirely immune to breach; if a security incident materially affects your personal data we will notify you and, where required, the relevant supervisory authority without undue delay.

11. Children's Privacy

The Service is intended for business use by adults aged 18 or older. We do not knowingly collect personal data from children under 13, and we do not knowingly direct the Service to children. The Flawk mobile application asks users to confirm at signup that they are 18 or older. If you become aware that a child under 13 has provided personal data to us, please contact reports@flawk.com; we will delete the data within seven (7) days of confirming the report, in line with our obligations under the U.S. Children's Online Privacy Protection Act (COPPA).

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email or via a prominent notice in the Service at least 30 days before they take effect. The "Effective" date at the top of this page tells you when it was last updated.

13. Contact

Flawk LLC
251 Little Falls Dr, Wilmington, DE 19808, USA
Privacy & data enquiries: reports@flawk.com

14. Automated Decision-Making

Flawk does not use solely automated decision-making, including profiling, that produces legal effects concerning you or that significantly affects you in a similar way (within the meaning of GDPR Article 22). Audience modelling for ad targeting and brand-safety classification of creative content are not such decisions: they neither identify individual viewers (Section 2A) nor determine eligibility for any benefit, service, or right of an account holder. Where Flawk introduces any feature that would constitute automated decision-making with legal or similarly significant effects, we will update this Section, provide a meaningful explanation, and offer the rights to obtain human intervention, express your view, and contest the decision.