Privacy Policy
Effective Last updated
1. Who we are and how to reach us
This Privacy Policy explains how Flyletter ("Flyletter," "we," "us," or "our") collects, uses, and shares personal information when you use our website at flyletter.io, our application at app.flyletter.io, and our Claude MCP Connector at mcp.flyletter.io (together, the "Service"). For purposes of the EU and UK General Data Protection Regulation ("GDPR"), Flyletter is the data controller for personal information processed through the Service.
Contact details for the controller:
- Postal address: 3601 Menchaca Road #101, Austin, TX 78704
- Email: [email protected]
- Privacy requests: [email protected]
We have not appointed a Data Protection Officer because we are not required to under GDPR Art. 37. We have not appointed an EU representative under GDPR Art. 27.
2. What this policy covers and who it applies to
This Policy applies to consumers and prospective consumers who use the Service. It does not apply to Flyletter employees, contractors, job applicants, or business contacts in their professional capacity; those individuals receive separate notices.
3. What personal information we collect
Flyletter collects the categories of personal information described below. For California residents, each category is mapped to the statutory categories under Cal. Civ. Code § 1798.140. We have collected each of these categories within the past twelve months from the sources described in Section 4.
(a) Account information. Email address, first and last name, and profile image. Authentication credentials (passwords, multi-factor secrets) are handled by our authentication subprocessor (Clerk) and are not stored by Flyletter.
- CCPA category: Identifiers; California customer records.
- Source: Provided directly by you at signup.
(b) Brand profile content. Writing samples you submit, brand name, brand description, target audience description, brand differentiators, the persona analysis we generate from your samples, social media handles you provide, and any logos or profile images you upload.
- CCPA category: Identifiers (handles); commercial information; inferences (the generated persona).
- Source: Provided directly by you.
(c) Newsletter and idea content. Newsletter drafts, outlines, research, social posts, generated images, ideas, notes, conversation history with our AI assistant, and edits you make to generated content.
- CCPA category: Commercial information; inferences.
- Source: Created by you using the Service or generated by the Service from your inputs.
(d) Connected source content. When you connect an external content source (a newsletter you publish, a blog, a YouTube channel, a podcast), we fetch publicly available content from those sources and store article text, transcripts, summaries, titles, URLs, and publication dates. We do not access password-protected or paywalled content unless you provide credentials.
- CCPA category: Internet or other electronic network activity information.
- Source: Fetched from publicly available URLs you provide.
(e) Integration credentials. API keys, OAuth access tokens, refresh tokens, publication identifiers, and server prefixes for publishing platforms you connect (beehiiv, Kit, Mailchimp, WordPress).
- CCPA category: Identifiers.
- Source: Provided directly by you when you connect an integration.
(f) Billing information. Stripe customer identifier, plan tier, subscription status, current billing period dates, trial end date, payment method status (whether a card is on file), and usage period generation counts. Flyletter does not store full payment card numbers, card verification codes, or bank account details; those are held by our payment processor (Stripe) under PCI-DSS-compliant terms.
- CCPA category: Identifiers; commercial information.
- Source: Created when you start a paid subscription; some fields received from Stripe.
(g) Usage data. Generations consumed per billing period, plan tier, overage charges, server logs (IP address, request timestamps, user agent string, page paths) used for security and operational monitoring.
- CCPA category: Internet or other electronic network activity information; identifiers (IP).
- Source: Generated automatically when you use the Service.
(h) Marketing site analytics. On flyletter.io we use Plausible Analytics, which does not set cookies and does not collect personal information. We may also use Google Analytics 4, which does set cookies and may collect IP address and device information. The authenticated application at app.flyletter.io does not run third-party analytics.
- CCPA category: Internet or other electronic network activity information.
- Source: Generated automatically when you visit the marketing site.
(i) Communications. When you contact support, we receive your message content and any information you choose to share.
- CCPA category: Commercial information; identifiers.
- Source: Provided directly by you.
We do not knowingly collect "sensitive personal information" as defined under CPRA (Cal. Civ. Code § 1798.140(ae)). If you choose to include sensitive personal information in your writing samples or newsletter content, you do so at your own discretion and we treat it as part of Your Content under our Terms of Service.
4. Sources of personal information
We collect personal information from the sources noted in Section 3: directly from you (account, brand profile, content, integrations, communications), automatically from your use of the Service (usage, analytics, server logs), and from third parties (publicly available content URLs you provide; Stripe billing events; Clerk authentication metadata).
5. Why we use your personal information and our legal basis
For users in the EU, UK, and other jurisdictions where GDPR or equivalent applies, our legal basis under GDPR Art. 6 is identified for each purpose.
| Purpose | Categories used | GDPR legal basis |
|---|---|---|
| Provide and operate the Service (authenticate users, generate newsletters, store drafts, publish to integrations) | (a)-(e) | Contract (Art. 6(1)(b)) |
| Bill paid plans and process overages | (a), (f), (g) | Contract (Art. 6(1)(b)) |
| Send transactional and service emails (receipts, plan changes, security notices, password resets) | (a), (f) | Contract (Art. 6(1)(b)) |
| Send lifecycle and onboarding emails (welcome series, feature announcements) | (a) | Legitimate interests (Art. 6(1)(f)): to onboard new users effectively. You can opt out at any time. |
| Send marketing emails | (a) | Consent (Art. 6(1)(a)) where required, otherwise legitimate interests; you can opt out at any time |
| Detect and prevent fraud, abuse, and security incidents | (g) | Legitimate interests (Art. 6(1)(f)): to keep the Service secure |
| Comply with legal obligations (tax, accounting, lawful requests) | (f), (g) | Legal obligation (Art. 6(1)(c)) |
| Improve the Service through aggregated, anonymized analytics | (g), (h) | Legitimate interests (Art. 6(1)(f)): to operate the product. We do not use your writing samples, brand profile, or content to train shared AI models. |
We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22. The persona analysis we run on your writing samples produces an editorial style profile used solely to generate content you can review and edit; it does not score, screen, or classify you for any consequential decision.
6. Subprocessors
We share personal information with the following service providers ("subprocessors"). Each receives only the data necessary to perform its function and is bound by a written agreement requiring confidentiality, security, and use limited to providing services to Flyletter.
| Subprocessor | Function | Data shared |
|---|---|---|
| Anthropic, PBC | AI text generation (Claude API) | Writing samples (during persona analysis); newsletter context including topic, outline, brand profile slices, and prior content (during generation). Anthropic does not train models on API data per its commercial terms. |
| Google LLC (Vertex AI / Gemini) | AI image generation | Image prompts derived from your newsletter content and brand profile; reference images you provide. Google does not use Vertex AI customer data to train its foundation models per its terms. |
| Cloudinary, Inc. | Image hosting and delivery | Generated and uploaded images; logos and profile images |
| Clerk, Inc. | Authentication and session management | Email, name, profile image, authentication credentials |
| Stripe, Inc. | Payment processing and subscription billing | Customer identifier, email, billing address (collected by Stripe), payment method (collected and held by Stripe), invoice and charge history |
| Loops, Inc. | Transactional and lifecycle email | Email, name, plan, signup date, key milestones (persona created, newsletter count, onboarding status) |
| Webshare, Inc. | HTTP proxy used to fetch publicly available URLs you submit as content sources | Outbound request URLs (third-party content addresses), not your personal information |
| Railway Corporation | Application hosting | All data processed by the Service in the course of normal operation |
If we add, remove, or change a subprocessor, we will update this list before the change takes effect for your account.
7. We do not sell or share your personal information
We do not sell your personal information for monetary or other valuable consideration, and we do not share your personal information for cross-context behavioral advertising as those terms are defined under California law. We do not have a "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of.
8. Your rights
You have the rights described below. To exercise any of these rights, email [email protected]. We will respond within the timeframes required by applicable law (generally 45 days for CCPA requests, extendable by 45 more days when reasonably necessary; one month for GDPR requests, extendable by two more months for complex requests). We do not charge a fee for exercising these rights, except where requests are manifestly unfounded or excessive.
We will verify your identity before fulfilling a rights request. Verification typically means confirming you control the email address on the account.
For all users:
- Right to access: request a copy of the personal information we hold about you and information about how we process it.
- Right to correction: ask us to correct inaccurate or incomplete personal information.
- Right to deletion: ask us to delete personal information we hold about you, subject to legal exceptions (e.g., billing and tax records we are required to keep).
- Right to data portability: receive a copy of your personal information in a structured, commonly used, machine-readable format. You can also export your brand profiles, newsletters, and ideas at any time from your account dashboard.
For California residents (CCPA/CPRA):
- Right to know: request the categories and specific pieces of personal information we have collected, sold, or shared about you in the past 12 months; the categories of sources; the business or commercial purpose for collection; and the categories of third parties to whom we disclosed personal information.
- Right to limit use of sensitive personal information: Flyletter does not knowingly process sensitive personal information beyond what is necessary to provide the Service. If you believe we are using sensitive personal information for a purpose that requires limitation, contact us.
- Right to non-discrimination: we will not deny you the Service, charge a different price, or provide a different level of service because you exercised your rights under California law.
- Authorized agent: you may designate an authorized agent to make a request on your behalf. We will require written authorization and verification of the agent's identity.
For EU, UK, EEA, and Swiss users (GDPR and equivalents):
- Right to object to processing based on legitimate interests, including profiling for direct marketing.
- Right to restrict processing in certain circumstances.
- Right to withdraw consent where processing is based on consent. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority in the EU or EEA member state where you reside or work or where the alleged infringement occurred. A list of EU supervisory authorities is at edpb.europa.eu. UK users may complain to the Information Commissioner's Office.
Provision of personal information. Some personal information (account email, billing details for paid plans) is required to use the Service. If you do not provide it, we cannot create your account or process your subscription. Other information (writing samples, brand profile, integrations) is required to use specific features but not the Service as a whole; without it, those features will not be available.
9. International data transfers
Flyletter is operated from the United States. When you use the Service from outside the United States, your personal information is transferred to and processed in the United States and in regions where our subprocessors operate.
Where required, we rely on the European Commission's Standard Contractual Clauses (Module Two for controller-to-processor transfers) to provide appropriate safeguards for transfers from the EU/EEA to the United States. The UK International Data Transfer Agreement applies to transfers from the United Kingdom. Copies are available on request from [email protected].
10. How long we keep your information
We retain personal information only as long as necessary for the purposes for which it was collected, plus any period required by law. The criteria below describe our retention practice; specific durations may vary based on legal hold or active disputes.
| Category | Retention criterion |
|---|---|
| Account information (a) | Until you delete your account. After deletion: removed within 30 days, except as noted below for billing records. |
| Brand profile content (b), newsletter and idea content (c), connected source content (d) | Until you delete the brand profile, newsletter, idea, or content source, or until you delete your account. After deletion: removed within 30 days. |
| Integration credentials (e) | Until you disconnect the integration or delete your account. After disconnection: deleted immediately. |
| Billing information (f) | Retained for the period required by tax and accounting law in our jurisdiction (generally up to seven years for invoices, charges, and tax records). |
| Usage data (g) | Retained for up to 24 months in identifiable form for security and operational monitoring; aggregated indefinitely. |
| Marketing site analytics (h) | Plausible: 24 months. Google Analytics 4: as configured in our GA4 property settings. |
| Communications (i) | Three years after the support interaction is closed, unless a longer period is required for a dispute. |
Encrypted database backups are retained for 30 days and then expire automatically.
11. How we protect your information
We use industry-standard administrative, technical, and physical safeguards designed to protect your personal information. These include encryption in transit (HTTPS) for all connections, encrypted credentials for database access, restricted access to integration credentials and OAuth tokens within the application code that uses them, and authentication via Clerk with industry-standard session management.
No method of transmission over the internet or electronic storage is fully secure, and we cannot guarantee absolute security. We will notify affected users and applicable regulators of personal data breaches as required by law (GDPR Art. 33-34; applicable US state breach notification laws).
We do not currently hold a SOC 2 or ISO 27001 certification; we plan to pursue compliance certifications appropriate to our customer base as we grow.
12. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe we have collected personal information from your child, contact [email protected] and we will delete it promptly. For users in the United States, this policy reflects the higher of COPPA's age 13 floor and our age 16 minimum to align with EU GDPR rules for children's consent.
13. Cookies and similar technologies
Our marketing site uses Plausible Analytics, which does not set cookies. If Google Analytics 4 is enabled on the marketing site, it sets cookies for analytics purposes. The authenticated application uses cookies and similar technologies that are strictly necessary to operate the Service, including Clerk's authentication session cookie and our onboarding state cookie. We do not use advertising cookies, tracking pixels, or similar technologies for cross-context behavioral advertising.
14. Third-party links and content
The Service may contain links to third-party websites or import content from third-party platforms (YouTube, Substack, podcast hosts) at your direction. Those third parties have their own privacy practices, which we do not control. Review their policies before providing personal information.
15. Claude MCP Connector
This Section describes data flows specific to the Flyletter Claude MCP Connector (the "Connector"), a Model Context Protocol server hosted at mcp.flyletter.io that allows users of Claude.ai to read their own Flyletter brand persona data inside Claude conversations. This Section supplements the rest of this Policy; the Sections above continue to apply to the Connector to the extent they describe Flyletter as a whole.
(a) What data the Connector collects. The Connector collects the minimum data necessary to authenticate you and return brand persona data you already have in Flyletter:
- An OAuth access token issued by Clerk that identifies your Flyletter account during the session.
- Tool invocation parameters you send through Claude (for example, a brand persona identifier).
- Standard server logs (timestamp, IP address, user agent, tool name, response status) used for security and rate-limiting.
The Connector does not collect, read, store, or transmit:
- The contents of your Claude conversations.
- Claude's memory, chat history, or conversation summaries.
- Files you have uploaded to Claude.
- Any data from Claude beyond the tool invocation parameters explicitly sent to the Connector.
This commitment matches Anthropic's Software Directory Policy Sections 1.D (data minimization) and 1.F (no extraction from Claude memory, chat history, conversation summaries, or user-uploaded files).
(b) How the Connector uses your data. Tool invocations are used solely to:
- Authenticate the request against your Flyletter account.
- Query your own brand persona records from the Flyletter database.
- Return the requested data to Claude so it can use the data in your active conversation.
(c) How the Connector stores your data. The Connector is read-only and stateless. No persona content is cached by the Connector. Each request fetches fresh data from the Flyletter database on every invocation. OAuth tokens are managed by Clerk; the Connector does not persist them. Standard server logs are retained per the same schedule as the rest of the Service (Section 10, "Usage data").
(d) Third-party sharing. The Connector shares data only with the subprocessors already disclosed in Section 6 that are necessary to operate it (Clerk for authentication, Railway for hosting, the Flyletter database). The Connector does not share your data with Anthropic beyond the tool response that Claude itself receives in the course of your conversation. Anthropic's handling of that response is governed by Anthropic's Privacy Policy.
(e) Data retention. Persona data accessed through the Connector is retained per Section 10, "Brand profile content (b)." Server logs are retained per Section 10, "Usage data (g)." OAuth tokens managed by Clerk are retained per Clerk's policies and revoked when you disconnect the Connector in Claude or delete your Flyletter account.
(f) User rights. All rights described in Section 8 apply to data accessed through the Connector. You can revoke the Connector's access at any time by disconnecting it in Claude.ai (Settings > Connectors) or by signing out of the active Clerk session. Revocation takes effect immediately for new requests.
(g) Contact. Questions about the Connector specifically or privacy rights requests: [email protected].
16. Changes to this policy
We may update this Policy from time to time. When we make material changes, we will update the "Effective" date at the top of this page and notify you by email and through an in-app notice at least 30 days before the change takes effect, unless a shorter notice period is required by law. Your continued use of the Service after the effective date means you accept the updated Policy. If you do not agree, stop using the Service and contact us to delete your account.
17. Contact
For privacy questions, rights requests, or to report a privacy concern:
- Email: [email protected]
- Postal mail: 3601 Menchaca Road #101, Austin, TX 78704
- Subject line for rights requests: "Privacy Rights Request: [Right being exercised]"