Legal

Privacy Policy

Last updated 19 April 2026 Effective date 19 April 2026 Version 1.0

This Privacy Policy explains how Flint collects, uses, shares, and protects personal data. Flint is offered only in the United States. We aim to comply with US federal and state privacy laws (including CCPA/CPRA) and, as an Indian-incorporated company, with applicable Indian obligations under the IT Act, 2000 and IT Rules, 2021.

About this policy

This policy describes how we handle information relating to Flint accounts, users, visitors, and others who interact with us. It forms part of our Terms of Service.

Who we are

Data controller: Anycast Technology Private Limited, WeWork, Two Horizon Center, Sector-43, Gurgaon, Haryana — 122002, India.

Flint is Anycast's standalone product; personal data collected through Flint is not combined with data from other Anycast products or brands, except for shared security, legal, and audit functions.

India Grievance Officer (IT Rules, 2021): Jivesh Gupta, [email protected]. All privacy questions: [email protected].

Scope

This policy applies to account holders, authorised users, site visitors at flintads.com, recipients of our communications, and merchants who install our Shopify app on their stores. Flint is available globally, with our primary commercial focus and product compliance work directed at the United States market. Users outside the US may sign up and use the Service subject to this policy and the rights frameworks set out below (CCPA / CPRA, GDPR, DPDPA, and other applicable state and country laws — we honour the strongest applicable standard).

Data we collect

Information you provide

  • Account data: name, work email, mobile, company name, role.
  • Product / campaign data: product URLs, descriptions, images, SKUs, pricing, brand guidelines — used to generate ads.
  • Prompts and the generated Output.
  • Support communications.

Information collected automatically

  • Usage data: pages visited, features used, generation metadata (not Input Materials), click events.
  • Device and connection: IP address, approximate geolocation, browser, OS, device identifiers.
  • Cookies and similar technologies (see Section 16).
  • Server and security logs.

Billing information via the Merchant of Record

Payments are processed by one or more authorised third-party Merchants of Record ("MoR"). The MoR for your transaction is disclosed at checkout. The MoR collects billing information (name, address, payment details, tax IDs, transaction data) as an independent controller for its own compliance. We receive from the MoR only the information required to operate your account (customer identifier, plan, entitlements, settlement totals). Each MoR's own privacy policy governs the data it collects directly.

Purposes & legal bases

We process personal data for these purposes, on the bases noted:

  • Provide and operate Flint — contract / legitimate interests.
  • Generate AI Output using your Input Materials — contract.
  • Billing (via MoR), accounting, tax — legal obligation.
  • Security, fraud prevention, abuse investigation — legitimate interests.
  • Product analytics and improvement — legitimate interests / consent where required.
  • Marketing communications — consent, with opt-out at any time.
  • Responding to legal requests — legal obligation.

No AI training on your data

We do not use your Input Materials, prompts, or Output to train, fine-tune, or evaluate foundation AI models, whether our own or a third party's. We use only aggregated, anonymised, non-reversible operational metadata (render latency, error rates, feature-usage counts) to improve Service reliability.

Sharing & processors

We share personal data with the following categories of recipients, each bound by written agreements:

  • Cloud hosting: Amazon Web Services (AWS Mumbai, ap-south-1, as primary region).
  • Third-party AI model providers — Google (Veo), ElevenLabs, Seedance, VEED, sync.so, and others we may add. Input Materials and Output are transmitted to these providers for processing, including in regions outside India (primarily US).
  • Merchant-of-Record partners used for global checkout and tax handling (disclosed at checkout on each transaction).
  • Email, analytics, and customer-support providers (see sub-processor list below).
  • Professional advisors (legal, accounting, audit).
  • Law enforcement, regulators, or courts where required by law or to protect rights.
  • A successor entity in a merger, acquisition, financing, or sale of assets.

We do not sell personal data. We do share limited personal data (hashed email, Meta browser identifiers, event metadata) with Meta Platforms, Inc. for cross-context behavioural advertising as defined under California law, solely to measure and optimise our own marketing on Facebook and Instagram. California residents and other eligible users may opt out at any time — see Your California Privacy Rights.

Sub-processors

The following third parties process personal data on our behalf. We update this list as our stack changes; material additions are communicated by updates to this page.

  • Amazon Web Services, Inc. — application hosting, database (Aurora), object storage (S3). Primary region: Mumbai (ap-south-1).
  • Cloudflare, Inc. — DNS, CDN, DDoS protection, static site hosting (Pages), and email routing for flintads.com.
  • Google LLC — (i) Google Workspace for our business email (including the [email protected] mailbox); (ii) Google Veo, Gemini, and related generative AI APIs used to produce Output from your prompts and Input Materials.
  • Intercom, Inc. — customer support inbox, web chat widget, and outbound support email. Intercom processes conversation content, contact details, IP address, and device metadata of users who contact support.
  • ElevenLabs, Inc., Seedance, VEED.IO, sync.so, and other AI model providers we may add — generative audio, video, and editing APIs used to produce Output.
  • Dodo Payments — Merchant of Record for checkout, billing, tax calculation, and refunds. The MoR is an independent controller for the billing relationship.
  • Meta Platforms, Inc. — advertising delivery and conversion measurement via the Meta Pixel and Conversions API. Meta receives page-view, sign-up, trial-start, and purchase events from flintads.com and the Flint application, together with hashed email addresses and Meta-issued browser identifiers, to attribute our advertising on Facebook and Instagram. Governed by Meta's Business Tools Terms.
  • Shopify Inc. — e-commerce platform integration. When a merchant installs our Shopify app ("Flint AI Content"), Shopify provides product catalog data (titles, descriptions, images, prices, inventory) and webhook deliveries (product create / update / delete, app uninstall, GDPR compliance topics). We act as a data processor for the merchant's product information and as an independent controller for our own service operation. Governed by Shopify's API License and Terms of Use.

Each sub-processor operates under a written data-processing agreement with appropriate security, confidentiality, and (where applicable) cross-border transfer safeguards. A current DPA summary is available on request to [email protected].

Shopify integration ("Flint AI Content")

If you install our Shopify app on your store, the following terms apply specifically to that integration:

  • What we read. We request the minimum scopes required to operate the app: read_products (your catalog: titles, descriptions, images, variants, prices, inventory, tags) and write_files (to push generated assets back to your store's Files library when you click "Push to Shopify Files"). We do not request access to orders, customers, payments, or any other store data.
  • What we store. A copy of your product catalog (the fields above) is cached in our database to power the in-app product browser and stay synchronised via Shopify's product webhooks. Generated assets (images and videos) are stored in our durable object storage so the URLs remain valid for ad-account uploads after the underlying AI provider purges its temporary file.
  • What we don't store. We never store Shopify customer personally identifiable information (names, addresses, emails, order history). The app does not request, receive, or process that data.
  • How long we retain it. Product catalog cache lives for as long as the app is installed plus a 30-day grace period after uninstall (during which a re-install reactivates the same workspace without re-syncing). Generated assets persist as long as the merchant chooses to keep them in our Library.
  • GDPR compliance webhooks. We honour the three Shopify-mandated compliance topics:
    • customers/data_request — we have no per-customer data tied to a Shopify shop's consumers, so the response is "no records held"; logged for the audit trail.
    • customers/redact — same response; we have no per-customer records to delete.
    • shop/redact — fired 48 hours after a merchant uninstalls; on receipt we hard-delete the shop's connection record, all cached product data, and all associated generation jobs and outputs.
  • Tokens. The Shopify access token granted by the merchant during install is stored encrypted at rest in AWS Secrets Manager. On uninstall, the token is revoked and removed from our store on a best-effort basis within minutes; on the shop/redact webhook, removal is enforced.
  • Billing. The Shopify app itself is free to install. Generations are charged in credits against the merchant's existing Flint subscription. We do not use Shopify's Billing API.

International transfers

Although the Service is offered only in the United States, your personal data may be stored and processed in other countries in the ordinary course of running Flint:

  • Primary hosting: AWS Mumbai (ap-south-1), India.
  • AI model providers may process data in the US, EU, or other regions.
  • The applicable Merchant-of-Record partner may process billing data in its own region.
  • Email and analytics providers may process data in the US.

By using the Service, you consent to these transfers. We apply contractual safeguards with each processor. Request a summary by emailing [email protected].

Retention

  • Account data: life of the account + 3 years.
  • Input Materials: 90 days from submission, or until account deletion, whichever is earlier.
  • Generated Output: 90 days from generation; download earlier to retain.
  • Prompt and usage logs: up to 12 months.
  • Security logs: up to 18 months.
  • Billing and tax records: as required by law (up to 8 years under Indian GST/Income Tax rules).
  • Deletion on request: within 30 days, except where retention is required to defend legal claims or comply with law.

Your privacy rights

Regardless of where in the United States you are located, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion, subject to legal retention obligations.
  • Withdraw consent where processing is consent-based.
  • Opt out of marketing communications at any time.

To exercise any right, email [email protected]. We respond within 30 days and may verify your identity before responding.

California residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights:

  • Right to know the categories and specific pieces of personal information we collect, the sources, purposes, and categories of third parties with whom we share it.
  • Right to delete personal information, subject to statutory exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale / sharing. We do not sell personal information. We do share limited information with Meta Platforms, Inc. for cross-context behavioural advertising of our own services. You may opt out at any time by clicking Do Not Sell or Share My Personal Information, which sets a persistent preference on this browser. We honour Global Privacy Control (GPC) signals as an opt-out under CPRA.
  • Right to limit use and disclosure of sensitive personal information.
  • Right to non-discrimination for exercising these rights.

To exercise California rights, email [email protected] with "California Privacy Request" in the subject line. You may designate an authorised agent; we may require written authorisation and identity verification.

Other US state laws

We honour comparable rights (access, correction, deletion, opt-out of targeted advertising, opt-out of sale) under other US state privacy statutes (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas DPSA, Oregon OCPA, and others) to the extent they apply. Email [email protected] to make a request.

Automated decision-making

We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. AI generation is a creative output; you decide whether to use it.

Children

Flint is not directed to, or available to, persons under 18. We do not knowingly collect personal data from minors. If we learn that we have, we will delete it.

Security

We apply reasonable technical and organisational measures: encryption in transit and at rest for sensitive fields, least-privilege IAM, MFA for admin access, logging, vulnerability scanning, secrets management, and incident response. No system is perfectly secure; we will notify affected users of breaches as required by law.

Cookies & similar technologies

We use cookies, pixels, and similar technologies in three categories:

  • Strictly necessary — for authentication, session management, and security. These cannot be disabled without breaking the Service.
  • Customer support — our chat widget (provided by Intercom) sets first-party and third-party cookies (including intercom-id-*, intercom-session-*, and intercom-device-id-*) to persist support conversations across visits and identify returning contacts. These are set when you open the chat or are logged into the Service.
  • Advertising and conversion measurement — we use the Meta Pixel and the Meta Conversions API (Meta Platforms, Inc.) to measure the effectiveness of our advertising on Facebook and Instagram, attribute sign-ups and subscriptions to specific ads, and build lookalike and retargeting audiences for our own marketing. Events sent to Meta include page views, sign-ups, trial starts, and purchases, together with hashed email addresses and browser identifiers (fbp / fbc cookies). We do not transmit your prompts, Input Materials, or Output to Meta.

You can control cookies via your browser settings. California residents and other eligible users can also opt out of advertising and conversion measurement at any time using the Do Not Sell or Share My Personal Information control below; once opted out, the Meta Pixel and Conversions API will no longer receive events about you from this site.

Geographic availability

Flint is available globally. Our commercial focus and primary regulatory work are oriented to the United States market, but the Service is offered to users in any jurisdiction subject to applicable export controls and sanctions law. Where local privacy law is stricter than US law (for example GDPR in the EU/UK, DPDPA in India), we honour the stricter standard. Where local consumer or content laws conflict with the operation of the Service in your jurisdiction, you remain responsible for using the Service in compliance with those laws.

Changes

We will post updates here and notify registered users by email at least 15 days before material changes take effect.

Contact

  • Privacy questions and rights requests: [email protected]
  • India Grievance Officer: Jivesh Gupta, [email protected]
  • Registered office: Anycast Technology Pvt Ltd, WeWork, Two Horizon Center, Sector-43, Gurgaon, Haryana — 122002, India

Still got a question?

Email us and we'll get back to you within two business days.

[email protected]