Privacy Policy

Last updated: 4 March 2026

This is a convenience translation of the German privacy policy (Datenschutzerklärung). The German version is the sole legally binding document.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Rafik Halabi, Esmarchstr. 5, 40223 Düsseldorf, Germany

Email: legal@flintery.com

2. Overview of Data Processing

flintery is a financial planning tool for photographers, videographers, content creators and creative service providers. We process your data to provide our services, to fulfil contracts and to improve our platform.

Categories of data processed:

Master data (name, email address, address)
Usage data (access times, features used)
Project data (calculations, client data, usage rights)
Financial data (income, expenses, bank data when synchronisation is enabled)
Payment data (processed via Stripe)
Lead data (email address, optionally name and profession when using free content such as the Starter Guide)

3. Platform Services

3.1 User Accounts and Authentication

For registration and login we process: email address, password (stored encrypted), name (optional), industry and years of experience (optional).

For session management we use the open-source library Better Auth. Authentication data is stored in our PostgreSQL database in Germany. We use HTTP-only session cookies for session management.

Legal basis: The storage of this technically necessary information on your device is carried out without consent on the basis of Section 25(2) TDDDG (German Telecommunications-Telemedia Data Protection Act). The subsequent processing of the data is based on Art. 6(1)(b) GDPR (performance of contract).

3.2 Hosting (Hetzner)

Our application is hosted on dedicated servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

Data processed: IP address, access times, browser type, referrer URL
Server location: All servers are located exclusively in Germany (data centres in Nuremberg/Falkenstein). Personal data never leaves the European Economic Area.
Third-country transfer: Not applicable — Hetzner is a German provider with exclusively German data centres. No transfer to third countries.
Certifications: ISO/IEC 27001, SOC 1 Type II, SOC 2 Type II
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient service provision)
More information: https://www.hetzner.com/de/legal/privacy-policy

3.3 CDN and DDoS Protection (Cloudflare)

To protect our platform against attacks and to accelerate content delivery we use services of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. For customers in the EU, the responsible entity is: Cloudflare (London) Ltd., County Hall/The Riverside Building, Belvedere Road, London, SE1 7PB.

Data processed: IP address, access times, browser type, referrer URL. All traffic is routed through the Cloudflare network.
Purpose: DDoS protection, Web Application Firewall (WAF), SSL/TLS termination, CDN caching of static content.
Server location: Cloudflare routes traffic via the nearest edge location. For German users this is typically Frankfurt or Düsseldorf. Personal data is not permanently stored in Cloudflare systems.
Third-country transfer: For data transfers to the United Kingdom to Cloudflare (London) Ltd., an adequacy decision by the EU Commission is in place. Any onward transfer to the USA to Cloudflare, Inc. is based on the EU-US Data Privacy Framework, under which Cloudflare is certified. Additionally, EU Standard Contractual Clauses (SCCs) have been agreed.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the platform against cyber attacks and in performant service provision)
More information: https://www.cloudflare.com/de-de/privacypolicy/

3.4 Database (Self-hosted PostgreSQL)

For storing application data we operate a self-hosted PostgreSQL database on a dedicated server of Hetzner Online GmbH in Germany.

Server location: Germany (Nuremberg/Falkenstein). Personal data never leaves the European Economic Area.
Security measures: Encryption in transit (TLS 1.2+), access exclusively via a private network, no public database access
Backups: Daily automated database backups, stored in Germany (Hetzner Object Storage, Nuremberg)
Third-country transfer: Not applicable — fully self-hosted in Germany.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.5 Email Delivery (Resend)

For sending emails we use the service Resend by Resend, Inc., San Francisco, CA, USA. This includes transactional emails (e.g. password reset, email verification), automated onboarding and lifecycle emails (e.g. Creator Pass sequence, trial sequence) and notifications (licence expiry warnings, monthly financial reports).

Data processed: Email address, name, contents of the respective notification.
Server location: Processing takes place primarily on servers in the USA.
Purpose: Reliable delivery of all account-related emails required for the operation of the service and the ongoing contractual relationship.
Third-country transfer: The transfer is based on EU Standard Contractual Clauses (SCCs) agreed with the provider to ensure an adequate level of data protection.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) for all account-related emails including onboarding and lifecycle sequences, as these are directly related to the ongoing contractual relationship (trial/subscription); additionally Art. 6(1)(f) GDPR (legitimate interest) for licence warnings and financial reports.
More information: https://resend.com/legal/privacy-policy

3.6 Automated Notifications

flintery sends automated email notifications to inform you about relevant events in your account:

Licence expiry warnings: When usage rights in your projects are about to expire.
Monthly financial report: On the last day of each month you receive a summary with aggregated financial metrics.
Opt-out: Both notification types can be disabled at any time in the account settings under "Notifications".
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in informing the user about relevant contractual events)

3.7 Lead Magnet & Starter Guide

Via our day rate calculator and potentially other pages we offer free content (e.g. the "Starter Guide for Financial Planning"). To provide this content we collect the following data:

Data processed: Email address (required), name (optional), profession (optional, e.g. photographer, videographer).
Purpose: Delivery of the requested document via email and — with your consent — occasional tips on pricing and project calculation.
Storage: Data is stored in our database in Germany (see 3.4) and delivered via Resend (see 3.5).
Withdrawal & deletion: You can unsubscribe at any time via the unsubscribe link in every email. Upon request to legal@flintery.com we will delete your lead data completely.
Legal basis: Art. 6(1)(a) GDPR (consent). Consent is given via an opt-in checkbox before download and can be withdrawn at any time.

4. Bank Integration (finAPI)

For the optional integration of your bank accounts we use the services of finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich. finAPI is a BaFin-licensed account information and payment initiation service provider in accordance with the German Payment Services Supervision Act (ZAG) and PSD2-compliant.

Data processed: Account information, transaction data, IBAN, account balances
Server location: Germany
Data storage: During the contract period and subsequently for up to 8 years (statutory retention obligations for accounting records)
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with Section 59(2) ZAG

You can disconnect the bank integration at any time in the settings. Previously synchronised transactions can be deleted upon request.

5. Payment Processing (Stripe)

For payment processing and subscription management we use Stripe. For customers in the EU, the responsible entity is: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland.

Data processed: Name, email address, transaction data. We do not store your full credit card details on our systems. The entry and processing of sensitive payment data (credit card number, CVC, etc.) is handled directly by Stripe via an embedded payment form. We only receive information about the payment status and a masked reference (e.g. the last four digits of the card) from Stripe.
Third-country transfer: Stripe is certified under the EU-US Data Privacy Framework. Additionally, EU Standard Contractual Clauses have been agreed.
Legal bases: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(f) GDPR (legitimate interests for regulatory obligations such as fraud prevention)

6. Accounting Integrations

6.1 sevDesk

You can optionally connect your account with sevDesk. Provider is sevDesk GmbH, Hauptstr. 115, 77652 Offenburg.

Data transmitted to sevDesk: Client data, invoice data, project items
Data received from sevDesk: Invoice status, contact data
Server location: Germany (AWS Frankfurt)
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

6.2 lexoffice

Alternatively you can connect your account with lexoffice. Provider is Haufe Service Center GmbH, Freiburg.

Data transmitted and received: Analogous to sevDesk
Server location: Germany (Frankfurt area)
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

6.3 CSV Import of Financial Data

You can import bank statements and financial data as a CSV file into flintery.

Data processed: Transaction date, amount, purpose/description. Extracted transactions are permanently stored in your account. The original CSV file is not permanently stored.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

7. Benchmark Feature

flintery offers an optional benchmark feature that provides anonymised market data on fees. When you use this feature, your project data is anonymised and included in aggregate statistics.

Legal basis: Art. 6(1)(a) GDPR (consent)

You can disable benchmark participation at any time in the settings.

8. Cookies and Similar Technologies

8.1 Technically Necessary Cookies

We use technically necessary cookies that are required for the operation of the platform (e.g. session cookies for login, CSRF tokens).

Legal basis: The storage of this technically necessary information on your device or access thereto is carried out without consent on the basis of Section 25(2) TDDDG (German Telecommunications-Telemedia Data Protection Act). The subsequent processing of any personal data is based on Art. 6(1)(f) GDPR (legitimate interest in the functionality of the platform) or Art. 6(1)(b) GDPR (insofar as required for performance of contract).

8.2 Local Browser Storage (localStorage)

In addition to cookies we use your browser's local storage (localStorage) for caching form entries and UI preferences.

Legal basis: The storage on your device is carried out without consent on the basis of Section 25(2) TDDDG. The subsequent processing on our systems is based on Art. 6(1)(b) GDPR (performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in user-friendliness).

8.3 Google Analytics 4

We use Google Analytics 4, a web analytics service of Google Ireland Limited, Dublin, Ireland.

Data processed: Device and browser information, usage behaviour, referrer URL.
IP anonymisation: In Google Analytics 4, IP addresses are anonymised by default and are not stored in full.
Consent Mode: We use Google Consent Mode v2 (Advanced). This means: The Google Analytics library is loaded on page view but does not set cookies or access the storage on your device without your explicit consent (Section 25 TDDDG). Instead, only cookieless, heavily restricted pings (e.g. connection data including briefly processed IP address) are sent to Google. We base this basic data transmission on our legitimate interest (Art. 6(1)(f) GDPR) in rudimentary reach measurement (Conversion Modeling) to compensate for measurement gaps. Only after your explicit consent via the cookie banner (category "Statistics") are cookies set, user identifiers generated and full analytics data collected (Art. 6(1)(a) GDPR).
Google Signals: We additionally use the "Google Signals" feature. This links session data with information from Google account users who have enabled ad personalisation. This enables us to create aggregate reports on demographic characteristics and interests of our users. This feature is only activated when you have given us your explicit consent to statistical analysis via the cookie banner.
Third-country transfer: Google is certified under the EU-US Data Privacy Framework.
More information: https://policies.google.com/privacy

In addition to client-side data collection, we transmit server-side events to Google Analytics via the GA4 Measurement Protocol (e.g. after completion of a registration or purchase). This transmission occurs without accessing your device and without the use of cookies. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analysing the use of our service and advertising effectiveness).

8.4 Meta Pixel (Facebook/Instagram)

We use the Meta Pixel of Meta Platforms Ireland Limited, Dublin, Ireland.

Purpose: Measurement of advertising effectiveness, optimisation of our offering.
Data processed: IP address, browser information, referrer URL, actions on the platform.
Third-country transfer: Meta is certified under the EU-US Data Privacy Framework. Additionally, EU Standard Contractual Clauses have been agreed.
Legal basis: Art. 6(1)(a) GDPR (consent) via the cookie banner.

8.5 Consent Management

For obtaining and managing your consents we use the consent management tool Cookiebot by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot stores your consent status in a cookie on your device to remember your preferences on future visits.

Legal bases: The storage on your device is based on Section 25(2) TDDDG (technically necessary). The processing of data (including IP address and consent status) for documenting consent is based on Art. 6(1)(c) GDPR (legal obligation to provide evidence).

You can revoke or adjust your consent at any time via the "Cookie Settings" link in the footer of our website.

8.6 Error Tracking and Performance Monitoring (Sentry)

For detecting and fixing technical errors we use Sentry (Functional Software, Inc., USA).

Data processed: Anonymised user ID, technical error data, browser information, session replays (form inputs masked). IP addresses are anonymised.
Third-country transfer: Sentry is certified under the EU-US Data Privacy Framework. Additionally, EU Standard Contractual Clauses have been agreed.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error resolution)

8.7 Google Ads Conversion Tracking

We use Google Ads Conversion Tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). When you visit our website via a Google advertisement, Google Ads places a cookie on your device (a "conversion cookie"). This cookie is used to measure the effectiveness of our advertising campaigns and allows us to determine whether a user has performed a specific action on our website after clicking an ad (e.g. registration, subscription purchase).

The following data is processed: IP address (anonymised), information about the browser and operating system used, the page visited on our website, referrer URL, time of the page visit, and information about the conversion action. Google creates anonymised statistics from this data that do not allow the personal identification of individual users.

Additionally, we transmit custom conversion events server-side via the GA4 Measurement Protocol (e.g. registration, first calculation, purchase completion). These server-side events are sent directly to Google Analytics without cookies and without accessing your device.

We use the Enhanced Conversions feature of Google Ads. Your email address provided during registration or purchase is hashed server-side using SHA-256 (pseudonymised) and transmitted to Google in this form. Google matches this hash against existing Google accounts to more reliably attribute conversions to the originating ad click. This transmission only occurs if you have consented to the "Marketing" category. The hashed email address is not used by Google for any other purposes and is not shared with third parties.

Legal basis for accessing your device (conversion cookie) is your consent pursuant to Section 25(1) TDDDG. The subsequent data processing is based on your consent pursuant to Art. 6(1)(a) GDPR. For server-side events without device access, the legal basis is Art. 6(1)(f) GDPR (legitimate interest in analysing advertising effectiveness).

You can withdraw your consent at any time via our cookie settings (Cookiebot banner). The conversion cookie is only set if you have consented to the "Marketing" category. For more information about Google's data protection practices, please visit: https://policies.google.com/privacy

8.8 Google Ads Remarketing

We use the remarketing function of Google Ads. Google Ads Remarketing enables us to show targeted advertisements to visitors of our website on other websites within the Google Display Network, tailored to their previous interactions with our website.

For this purpose, a Google Ads Remarketing tag is loaded when you visit our website, which sets a cookie on your device (e.g. _gcl_aw). Using this cookie, Google can recognise that you have visited our website and can show you personalised advertisements on other websites. No personal data is shared with third parties; the attribution is pseudonymised.

Legal basis for accessing your device is your consent pursuant to Section 25(1) TDDDG. The subsequent data processing is based on your consent pursuant to Art. 6(1)(a) GDPR.

The remarketing tag is only loaded if you have consented to the "Marketing" category in our consent banner (Cookiebot). You can withdraw your consent at any time via the cookie settings. Additionally, you can disable personalised advertising in your Google account settings at https://adssettings.google.com.

8.9 PostHog (Product Analytics)

We use PostHog, a product analytics service provided by PostHog, Inc. All data processing takes place exclusively on servers within the EU (Frankfurt, Germany).

Features: We use PostHog for event tracking (e.g. registration, page views), session replays (playback of anonymised user sessions) and heatmaps (aggregated click and scroll analyses).

Data processed: Anonymised user ID, device and browser information, usage behaviour, click positions, scroll depth, page views.

Session Replays: Form inputs and sensitive content are automatically masked. IP addresses are not stored.

No third-country transfer: All data is processed and stored on PostHog EU cloud servers in Frankfurt (Germany). No transfer to third countries takes place.

Legal basis: Storage on your device or access thereto only takes place with your explicit consent pursuant to Section 25(1) TDDDG (“Statistics” category in the cookie banner). The subsequent data processing is based on Art. 6(1)(a) GDPR (consent).

privacy.s8.s89.moreInfo

9. Storage Duration and Deletion Periods

We store your data only as long as necessary for the respective purposes or as required by statutory retention obligations.

Contract data: During the contract period.
Statutory retention periods:
- Invoices and accounting records: 8 years (Section 147 AO, Section 14b UStG)
- Annual financial statements: 10 years
After account deletion: Personal data is deleted within 30 days. Data subject to retention obligations is blocked.
Lead data (Starter Guide): Until withdrawal of consent or deletion request.

10. Your Rights

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR): Against processing based on legitimate interests. Against direct marketing at any time.
Withdrawal of consent: Possible at any time with effect for the future.
Right to lodge a complaint: With the competent supervisory authority (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf).

11. Data Security

We employ extensive technical and organisational measures: TLS 1.3 encryption, bcrypt hashing for passwords, ISO 27001-certified hosting (Hetzner), daily backups, private network between application and database servers.

11.1 Abuse Protection (Self-hosted Redis)

For rate limiting to protect against brute-force attacks we operate a self-hosted Redis server on our infrastructure in Germany (Hetzner, Nuremberg).

Legal basis: Art. 6(1)(f) GDPR (security of the platform).

11.2 Monitoring (Self-hosted)

For monitoring the availability and performance of our systems we use self-hosted monitoring solutions (Uptime Kuma). These run exclusively on our own infrastructure in Germany.

12. Transfers to Third Countries

Some of our service providers are based outside the EEA. The following safeguards are in place for these transfers:

Service	Location	Safeguard
Cloudflare	UK / USA	Adequacy decision (UK) + EU-US Data Privacy Framework (USA) + SCCs
Stripe	Ireland/USA	EU-US Data Privacy Framework + SCCs
Sentry	USA (Server: EU)	EU-US Data Privacy Framework + SCCs
Resend	USA	Standard Contractual Clauses (SCCs)
Google (Analytics)	USA (EU: Ireland)	EU-US Data Privacy Framework + SCCs
Meta (Pixel)	USA (EU: Ireland)	EU-US Data Privacy Framework + SCCs

13. Data Processing Agreements

We have concluded data processing agreements pursuant to Art. 28 GDPR with all service providers who process personal data on our behalf.

14. Changes to this Privacy Policy

We reserve the right to update this privacy policy. The current version is always available on our website. We will inform you by email about material changes.

15. Contact

For questions about data protection please contact us at: legal@flintery.com