1. Roles And Responsibility
For platform accounts, signup, subscription billing, security, and operation of Flectar Base, Flectar acts as the service operator. For customer data collected through a project website, booking page, listing page, invoice, file share, message thread, subscription, or integration, the project owner is usually responsible for deciding why and how that data is processed. In those cases, Flectar Base acts as a service provider or processor for that project unless a separate agreement says otherwise.
If you are a customer or visitor of a specific project, contact that project first for questions about its services, bookings, refunds, listings, communications, or business-specific privacy choices.
2. Data We Collect
The service may collect the following categories of information depending on how it is used:
- Account data, including name, surname, email, phone, password credentials, Google sign-in identifiers, profile image, role, organization membership, invitations, sessions, and two-factor settings.
- Project data, including project name, slug, domains, branding, locale settings, modules, templates, website pages, colors, typography, navigation, media, files, and admin configuration.
- Customer and booking data, including contact details, booking requests, appointments, resources, services, extras, blocked dates, requirements, coupons, subscriptions, messages, invoices, payment status, and attendance records where enabled.
- Content and listing data, including blog posts, menu items, property listings, rich text, categories, tags, images, documents, and public page blocks.
- Payment and billing data, including invoice profiles, tax details entered by project owners, billing documents, payment provider, provider order/reference identifiers, subscription status, checkout session identifiers, and payment notification metadata.
- Messaging and notification data, including email, SMS, WhatsApp, contact form, conversation, and delivery-related data.
- Integration data, including OAuth tokens, encrypted credentials, API keys, calendar mappings, contact mappings, Google event identifiers, sync tokens, WhatsApp phone identifiers, payment merchant settings, and other integration configuration.
- Analytics and device data, including page path, hashed visitor and session identifiers, referrer host, UTM source, language, device type, approximate location from hosting headers where available, user agent, IP-derived rate-limit keys, and timestamps.
- Security and operations data, including audit logs, request metadata, cookie diagnostics, rate-limit data, error logs with sensitive values redacted, anti-abuse checks, Turnstile verification data, and file upload metadata.
- AI feature data, including prompts, messages, context, generated replies, and related metadata when AI-assisted features are enabled and used.
3. How We Use Data
We process data to:
- Provide accounts, authentication, sessions, organization access, project administration, and security controls.
- Operate websites, booking flows, listings, menus, blogs, link hubs, dashboards, files, messaging, subscriptions, invoices, and customer records.
- Process payments, reconcile billing records, detect duplicate or expired payment flows, support refunds or disputes, and keep required financial records.
- Send operational emails, codes, password reset links, invitations, booking notices, SMS, WhatsApp notifications, and customer messages.
- Connect and sync optional integrations selected by a project owner or authorized user.
- Measure site usage, diagnose performance, prevent abuse, enforce body-size and rate limits, protect sessions, and maintain audit trails.
- Improve, debug, and support the service, including AI-assisted features where enabled.
- Comply with legal, tax, accounting, security, and platform governance obligations.
4. Legal Bases
Where laws such as the GDPR apply, processing may rely on contract performance, legitimate interests, consent, legal obligations, or the need to protect the service and users. Examples include contract performance for accounts and bookings, legal obligations for invoices and tax records, consent for optional marketing or non-essential tracking where required, and legitimate interests for security, fraud prevention, product reliability, and basic analytics that respect browser privacy signals.
5. Cookies, Local Storage, And Similar Technologies
The service uses cookies and browser storage for authentication sessions, account switching, security, theme preference, language paths, form flows, and platform operation. Public analytics uses a generated visitor identifier in local storage and a generated session identifier in session storage. Analytics is skipped when the browser sends Do Not Track or Global Privacy Control signals.
Optional third-party integrations, such as payment providers, Google services, Meta Pixel, embedded media, or messaging providers, may use their own cookies, identifiers, or tracking technologies according to their policies and the project owner's configuration.
6. Sharing And Processors
Data may be shared with service providers that help run the platform, including hosting, database, storage, email, SMS, WhatsApp, payment, fraud prevention, captcha, analytics, domain provisioning, calendar/contact sync, AI, logging, and support providers. Examples reflected in the codebase include Postgres, S3-compatible storage, Cloudflare Turnstile, Resend, Twilio, Meta WhatsApp Cloud API, Google services, Stripe, Redsys, PayPal, Enhance domain provisioning, and AI API providers.
We may also share data when needed to comply with law, enforce terms, investigate abuse, protect rights and security, complete a business transaction, or follow instructions from the project owner responsible for the data.
7. International Transfers
The platform and its providers may process data in countries other than where you live. Where transfer rules apply, transfers should rely on appropriate safeguards such as contractual protections, provider data processing terms, adequacy decisions, or other lawful mechanisms.
8. Retention
Data is kept for as long as needed to provide the service, operate projects, comply with legal and tax obligations, maintain audit and security records, resolve disputes, enforce agreements, support backups, and honor project owner instructions. Retention periods vary by data type. For example, authentication sessions expire, password reset and magic-link tokens are short-lived, payment and invoice records may need longer retention, and audit or security logs may be retained for operational accountability.
9. Security
The service uses security measures such as same-origin checks for unsafe authenticated requests, HTTP-only session cookies, secure cookie settings in production, rate limits, request body limits, anti-abuse checks, encrypted integration credentials where configured, audit logs, sensitive-value redaction in errors, role-based access, two-factor authentication, and private storage for protected media and files. No system is perfectly secure, and users remain responsible for protecting their accounts and devices.
10. Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data. You may also have rights to withdraw consent, opt out of certain sale, sharing, or targeted advertising uses, limit certain sensitive-data uses, and avoid discrimination for exercising privacy rights. Requests may require identity verification.
If your request concerns a project customer's booking, invoice, message, listing inquiry, subscription, or customer profile, the project owner may need to handle the request. If your request concerns a Flectar Base account or platform operation, contact us at [email protected].
11. Children
Flectar Base administrator accounts are not intended to be created by children. Project owners are responsible for deciding whether their public services are directed to children and for obtaining any required consent before collecting data from minors.
12. Changes To This Policy
We may update this policy as the product, providers, laws, or operational practices change. The updated version will be posted on this page with a revised effective date when appropriate.
13. Contact
Privacy questions can be sent to [email protected]. Include enough detail to identify the relevant account, project, booking, message, invoice, or public page so the request can be routed correctly.