Privacy Policy

Last updated: 27 April 2026

This is a convenience translation of the German privacy policy (Datenschutzerklärung). The German version is the sole legally binding document.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Rafik Halabi, Esmarchstr. 5, 40223 Düsseldorf, Germany

Email: legal@flintery.com


2. Overview of Data Processing

flintery is a financial planning tool for photographers, videographers, content creators and creative service providers. We process your data to provide our services, to fulfil contracts and to improve our platform.

Categories of data processed:


3. Platform Services

3.1 User Accounts and Authentication

For registration and login we process: email address, password (stored encrypted), name (optional), industry and years of experience (optional).

For session management we use the open-source library Better Auth. Authentication data is stored in our PostgreSQL database in Germany. We use HTTP-only session cookies for session management.

Legal basis: The storage of this technically necessary information on your device is carried out without consent on the basis of Section 25(2) TDDDG (German Telecommunications-Telemedia Data Protection Act). The subsequent processing of the data is based on Art. 6(1)(b) GDPR (performance of contract).

3.2 Hosting (Hetzner)

Our application is hosted on dedicated servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

3.3 CDN and DDoS Protection (Cloudflare)

To protect our platform against attacks and to accelerate content delivery we use services of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. For customers in the EU, the responsible entity is: Cloudflare (London) Ltd., County Hall/The Riverside Building, Belvedere Road, London, SE1 7PB.

3.4 Database (Self-hosted PostgreSQL)

For storing application data we operate a self-hosted PostgreSQL database on a dedicated server of Hetzner Online GmbH in Germany.

3.5 Email Delivery (Resend)

For sending transactional emails we use the service Resend by Resend, Inc., San Francisco, CA, USA. This includes only account-related emails such as password reset, email verification, Stripe payment confirmations, invoice PDF delivery, and account and security notifications (licence expiry warnings, monthly financial reports). Marketing, newsletter, and lifecycle emails are sent exclusively via Brevo (see 3.8).

3.6 Automated Notifications

flintery sends automated email notifications to inform you about relevant events in your account:

3.7 Lead Magnet & Starter Guide

Via our day rate calculator and potentially other pages we offer free content (e.g. the "Starter Guide for Financial Planning"). To provide this content we collect the following data:

3.8 Marketing, Newsletter, and Lifecycle Emails (Brevo)

For sending newsletters, lifecycle sequences (e.g. trial reminders, onboarding, Creator Pass, win-back), and other marketing emails we use the service Brevo by Sendinblue SAS, 7 rue de Madrid, 75008 Paris, France. Emails are sent exclusively from the subdomain news.flintery.com.


4. Bank Integration (BANKSapi)

For the optional integration of your bank accounts we use the services of BANKSapi Technology GmbH, Pettenkoferstr. 35, 80336 Munich. BANKSapi is a BaFin-licensed account information service provider (AISP) in accordance with the German Payment Services Supervision Act (ZAG) and PSD2-compliant.

You can disconnect the bank integration at any time in the settings. Previously synchronised transactions can be deleted upon request.


5. Payment Processing (Stripe)

For payment processing and subscription management we use Stripe. For customers in the EU, the responsible entity is: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland.


6. Accounting Integrations

6.1 sevDesk

You can optionally connect your account with sevDesk. Provider is sevDesk GmbH, Hauptstr. 115, 77652 Offenburg.

6.2 lexoffice

Alternatively you can connect your account with lexoffice. Provider is Haufe Service Center GmbH, Freiburg.

6.3 CSV Import of Financial Data

You can import bank statements and financial data as a CSV file into flintery.


7. Benchmark Feature

flintery offers an optional benchmark feature that provides anonymised market data on fees. When you use this feature, your project data is anonymised and included in aggregate statistics.

Legal basis: Art. 6(1)(a) GDPR (consent)

You can disable benchmark participation at any time in the settings.


8. Cookies and Similar Technologies

8.1 Technically Necessary Cookies

We use technically necessary cookies that are required for the operation of the platform (e.g. session cookies for login, CSRF tokens).

Legal basis: The storage of this technically necessary information on your device or access thereto is carried out without consent on the basis of Section 25(2) TDDDG (German Telecommunications-Telemedia Data Protection Act). The subsequent processing of any personal data is based on Art. 6(1)(f) GDPR (legitimate interest in the functionality of the platform) or Art. 6(1)(b) GDPR (insofar as required for performance of contract).

8.2 Local Browser Storage (localStorage)

In addition to cookies we use your browser's local storage (localStorage) for caching form entries and UI preferences.

Legal basis: The storage on your device is carried out without consent on the basis of Section 25(2) TDDDG. The subsequent processing on our systems is based on Art. 6(1)(b) GDPR (performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in user-friendliness).

8.3 Google Analytics 4

We use Google Analytics 4, a web analytics service of Google Ireland Limited, Dublin, Ireland.

In addition to client-side data collection, we transmit server-side events to Google Analytics via the GA4 Measurement Protocol (e.g. after completion of a registration or purchase). This transmission occurs without accessing your device and without the use of cookies. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analysing the use of our service and advertising effectiveness).

8.4 Meta Pixel (Facebook/Instagram)

We use the Meta Pixel of Meta Platforms Ireland Limited, Dublin, Ireland (hereafter "Meta"). When you reach our website via a Meta ad, Meta sets a cookie (so-called Click ID cookie) on your device. This cookie helps us measure the success of our advertising campaigns and trace whether a user took a specific action on our website after clicking on an ad (e.g. registration, subscription).

Purpose: Reach measurement, conversion tracking, optimisation of advertising and the building of lookalike audiences.

Data processed: IP address, browser and device information, referrer URL, actions on the platform, click ID (fbc), browser ID (fbp), and a pseudonymised (SHA-256-hashed) email address and user ID, where applicable when you are logged in or registering.

In addition we capture conversion events (e.g. registration, trial start, subscription, lead request) server-side via the Meta Conversions API (CAPI). These server-side events are transmitted directly to Meta without cookies and without access to your device. Browser and server events are deduplicated via a shared event ID so that a conversion is counted at most once.

We use the Advanced Matching feature of the Meta Conversions API. Identifiers you provide during registration or purchase (email address, external user ID where applicable) are hashed server-side using SHA-256 (pseudonymised) and transmitted to Meta in this form. Meta matches these hashes against existing Meta accounts to attribute conversions more reliably to the triggering ad click. Transmission only occurs if you have consented to the "Marketing" category. Per contract Meta does not use the hashed identifiers for other purposes.

Third-country transfer: Meta is certified under the EU-US Data Privacy Framework. Additionally, EU Standard Contractual Clauses have been agreed.

Legal basis for the access to your device (click ID cookie, browser ID, pixel) is your consent under section 25(1) TDDDG. The subsequent processing is based on your consent under Art. 6(1)(a) GDPR. For server-side events without device access, the legal basis is Art. 6(1)(a) GDPR (consent) — without marketing consent there is no transmission via the Conversions API.

You can withdraw your consent at any time via the "Cookie settings" link in the footer. On withdrawal, click ID and browser ID cookies are deleted and no further browser or server events are transmitted to Meta.

8.5 Consent Management

For obtaining and managing your consents we use the consent management tool Cookiebot by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot stores your consent status in a cookie on your device to remember your preferences on future visits.

Legal bases: The storage on your device is based on Section 25(2) TDDDG (technically necessary). The processing of data (including IP address and consent status) for documenting consent is based on Art. 6(1)(c) GDPR (legal obligation to provide evidence).

You can revoke or adjust your consent at any time via the "Cookie Settings" link in the footer of our website.

8.6 Error Tracking and Performance Monitoring (Sentry)

For detecting and fixing technical errors we use Sentry (Functional Software, Inc., USA).

8.7 Google Ads Conversion Tracking

We use Google Ads Conversion Tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). When you visit our website via a Google advertisement, Google Ads places a cookie on your device (a "conversion cookie"). This cookie is used to measure the effectiveness of our advertising campaigns and allows us to determine whether a user has performed a specific action on our website after clicking an ad (e.g. registration, subscription purchase).

The following data is processed: IP address (anonymised), information about the browser and operating system used, the page visited on our website, referrer URL, time of the page visit, and information about the conversion action. Google creates anonymised statistics from this data that do not allow the personal identification of individual users.

Additionally, we transmit custom conversion events server-side via the GA4 Measurement Protocol (e.g. registration, first calculation, purchase completion). These server-side events are sent directly to Google Analytics without cookies and without accessing your device.

We use the Enhanced Conversions feature of Google Ads. Your email address provided during registration or purchase is hashed server-side using SHA-256 (pseudonymised) and transmitted to Google in this form. Google matches this hash against existing Google accounts to more reliably attribute conversions to the originating ad click. This transmission only occurs if you have consented to the "Marketing" category. The hashed email address is not used by Google for any other purposes and is not shared with third parties.

Legal basis for accessing your device (conversion cookie) is your consent pursuant to Section 25(1) TDDDG. The subsequent data processing is based on your consent pursuant to Art. 6(1)(a) GDPR. For server-side events without device access, the legal basis is Art. 6(1)(f) GDPR (legitimate interest in analysing advertising effectiveness).

You can withdraw your consent at any time via our cookie settings (Cookiebot banner). The conversion cookie is only set if you have consented to the "Marketing" category. For more information about Google's data protection practices, please visit: https://policies.google.com/privacy

8.8 Google Ads Remarketing

We use the remarketing function of Google Ads. Google Ads Remarketing enables us to show targeted advertisements to visitors of our website on other websites within the Google Display Network, tailored to their previous interactions with our website.

For this purpose, a Google Ads Remarketing tag is loaded when you visit our website, which sets a cookie on your device (e.g. _gcl_aw). Using this cookie, Google can recognise that you have visited our website and can show you personalised advertisements on other websites. No personal data is shared with third parties; the attribution is pseudonymised.

Legal basis for accessing your device is your consent pursuant to Section 25(1) TDDDG. The subsequent data processing is based on your consent pursuant to Art. 6(1)(a) GDPR.

The remarketing tag is only loaded if you have consented to the "Marketing" category in our consent banner (Cookiebot). You can withdraw your consent at any time via the cookie settings. Additionally, you can disable personalised advertising in your Google account settings at https://adssettings.google.com.

8.9 PostHog (Product Analytics)

We use PostHog, a product analytics service provided by PostHog, Inc. All data processing takes place exclusively on servers within the EU (Frankfurt, Germany).

Features: We use PostHog for event tracking (e.g. registration, page views), session replays (playback of anonymised user sessions) and heatmaps (aggregated click and scroll analyses).

Data processed: Anonymised user ID, device and browser information, usage behaviour, click positions, scroll depth, page views.

Session Replays: Form inputs and sensitive content are automatically masked. IP addresses are not stored.

No third-country transfer: All data is processed and stored on PostHog EU cloud servers in Frankfurt (Germany). No transfer to third countries takes place.

Legal basis: Storage on your device or access thereto only takes place with your explicit consent pursuant to Section 25(1) TDDDG (“Statistics” category in the cookie banner). The subsequent data processing is based on Art. 6(1)(a) GDPR (consent).

More information: PostHog Privacy Policy

8.10 Affiliate Tracking (FirstPromoter)

We use the affiliate tracking service FirstPromoter operated by Igil Webs SRL, Romania (hereinafter “FirstPromoter”). If you reach our website via an affiliate link (parameter ?via=, ?ref= or ?aff=), a cookie is set on your device that stores the referring partner (affiliate). When you subsequently register, your email address is transmitted to FirstPromoter so that the referral can be attributed to the corresponding referring partner.

Purpose: Commission calculation for referring partners, attribution of registrations and subscriptions to the referring partner.

Processed data: IP address, browser and device information, referral cookie ID, affiliate identifier, and your email address upon registration. Upon conclusion of a subscription, additional subscription-related data (status, amount, currency) is processed via the provider's Stripe integration.

International data transfer: No international data transfer occurs. FirstPromoter is operated exclusively within the European Union (Romania).

Legal basis for accessing your device (setting the referral cookie) is your consent pursuant to Section 25(1) TDDDG. The subsequent data processing is based on Art. 6(1)(a) GDPR (consent).

Retention period: The transmitted data is stored for the duration of the contractual relationship with the referring partner and for statutory retention periods.

Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR is in place with FirstPromoter.

Revocation: You can revoke your consent at any time via the “Cookie Settings” link in the footer. Upon revocation, set referral cookies will be deleted and no further data will be transmitted to FirstPromoter.


9. Storage Duration and Deletion Periods

We store your data only as long as necessary for the respective purposes or as required by statutory retention obligations.


10. Your Rights

You have the following rights regarding your personal data:


11. Data Security

We employ extensive technical and organisational measures: TLS 1.3 encryption, bcrypt hashing for passwords, ISO 27001-certified hosting (Hetzner), daily backups, private network between application and database servers.

11.1 Abuse Protection (Self-hosted Redis)

For rate limiting to protect against brute-force attacks we operate a self-hosted Redis server on our infrastructure in Germany (Hetzner, Nuremberg).

Legal basis: Art. 6(1)(f) GDPR (security of the platform).

11.2 Monitoring (Self-hosted)

For monitoring the availability and performance of our systems we use self-hosted monitoring solutions (Uptime Kuma). These run exclusively on our own infrastructure in Germany.


12. Transfers to Third Countries

Some of our service providers are based outside the EEA. The following safeguards are in place for these transfers:

Service | Location | Safeguard
Cloudflare | UK / USA | Adequacy decision (UK) + EU-US Data Privacy Framework (USA) + SCCs
Stripe | Ireland/USA | EU-US Data Privacy Framework + SCCs
Sentry | USA (Server: EU) | EU-US Data Privacy Framework + SCCs
Resend | USA | Standard Contractual Clauses (SCCs)
Google (Analytics) | USA (EU: Ireland) | EU-US Data Privacy Framework + SCCs
Meta (Pixel) | USA (EU: Ireland) | EU-US Data Privacy Framework + SCCs

13. Data Processing Agreements

We have concluded data processing agreements pursuant to Art. 28 GDPR with all service providers who process personal data on our behalf.


14. Changes to this Privacy Policy

We reserve the right to update this privacy policy. The current version is always available on our website. We will inform you by email about material changes.


15. Contact

For questions about data protection please contact us at: legal@flintery.com