
Privacy Policy

Version: 2026-04-25

Effective date: 2026-04-25

1. Who We Are

Flit ("we", "us") is operated by [INSERT FULL LEGAL NAME], a [INSERT LEGAL FORM] with registered address at [INSERT FULL REGISTERED ADDRESS]. For the purposes of the GDPR, [INSERT FULL LEGAL NAME] acts as the data controller for personal data processed in connection with the Service.


As of this version, Flit handles privacy matters through a designated privacy owner rather than a formally appointed Data Protection Officer. Privacy questions and data-subject requests should be sent to contact@flit.social.

2. Data We Collect

2.1 Account and Profile Data

  • Email address (via Clerk authentication)
  • Username, display name, gender, date of birth
  • Profile biography and avatar photo
  • Preferred age range and seen-gender filters for plan matching

2.2 Location Data

  • Location names and coordinates you explicitly save
  • The last-known device location snapshot when you open the app and grant location permission
  • Location associated with plans you create or join

2.3 Social and Activity Data

  • Plans you create, join, or are invited to
  • Friends, followers, and follow relationships
  • Block relationships
  • Reports you file against other users
  • Notifications sent to and read by you

2.4 Device and Technical Data

  • Push notification token when you grant OS permission
  • App version and platform for crash reporting
  • Pseudonymous usage events for analytics, only where consent has been given
  • Security and access logs generated by the API and infrastructure

2.5 Consent and Audit Records

  • Your analytics consent state, version, and timestamp
  • Your push notification consent state and timestamp
  • Your Terms of Service acceptance version and timestamp

3. How We Use Your Data

| Purpose | Data categories | Lawful basis |
| --- | --- | --- |
| Creating and authenticating your account | Email, profile | Contract (Art. 6(1)(b)) |
| Displaying your profile to other users | Username, gender, age, avatar, interests | Contract |
| Matching you with relevant plans and users | Last-known location snapshot, saved locations, date of birth-derived age, age range, gender filters | Contract |
| Sending push notifications about plans and social activity | Push token | Consent (Art. 6(1)(a)) |
| Analytics and product improvement | Pseudonymous usage events | Consent |
| Crash and error monitoring | Device and error data | Legitimate interests (Art. 6(1)(f)) limited to service reliability, with consent-gating in the mobile app |
| Safety and moderation | Reports, block records, moderation metadata | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Any required data | Legal obligation (Art. 6(1)(c)) |
| Preventing abuse and securing the service | IP addresses, request metadata, security logs | Legitimate interests (Art. 6(1)(f)) |

4. Consent

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

  • Analytics: Settings → Privacy → Analytics
  • Push notifications: your device OS notification settings and, where supported, in-app consent controls

Withdrawal of analytics consent stops future analytics collection. Withdrawal of push notification permission stops future push delivery but does not delete historical in-app notification records already associated with your account.

5. Data Sharing and Processors

We use third-party service providers only where needed to operate, secure, and improve Flit.

| Processor | Purpose | Data | Region | Transfer mechanism |
| --- | --- | --- | --- | --- |
| Clerk | Authentication | Email, account metadata, auth/session metadata | US / global infrastructure | SCCs or other lawful transfer mechanism offered by vendor |
| Cloudflare R2 | Avatar and photo storage | Image files and object keys | EU-region preference where available | SCCs or other lawful transfer mechanism offered by vendor |
| PostHog (EU cloud) | Product analytics | Pseudonymous usage events | EU | EU hosting / vendor terms |
| Sentry | Error monitoring | Error traces and device/runtime metadata, with PII stripped on the backend | US | SCCs or other lawful transfer mechanism offered by vendor |
| Expo push service, APNS, FCM | Push delivery | Push token and notification payload | US / global infrastructure | SCCs or other lawful transfer mechanism offered by vendor |
| Hetzner Cloud / Coolify-managed Postgres | Application hosting and database infrastructure | Core application data | Germany | EEA processing |
| Google Places / Geoapify | Location search | Search query string and related request metadata | US / EU | SCCs or other lawful transfer mechanism offered by vendor |
| Discord | Moderation alert delivery | Report metadata included in webhook notifications | US | SCCs or other lawful transfer mechanism offered by vendor |

We do not sell your personal data.

6. Retention

| Data type | Retention period |
| --- | --- |
| Active account data | Until account deletion |
| Deactivated accounts | 30 days, then automatically purged |
| Plan and saved-location history | Deleted with account unless a shorter in-product deletion happens first |
| Analytics events | 12 months in PostHog |
| Crash reports | 90 days in Sentry |
| Server access and security logs | 30 days, unless a longer period is required for an active security investigation or legal claim |
| Consent and ToS audit records | Until account deletion, then removed through account deletion and purge flows |

7. Your Rights (GDPR Art. 15–22)

Subject to applicable law, you have the right to:

  • Access your data: GET /me/export returns a machine-readable export of the personal data Flit holds for your account.
  • Rectification: Update your profile at any time via PATCH /me/.
  • Erasure: Delete your account in the app through Settings → Account → Delete Account.
  • Portability: The export endpoint (GET /me/export) provides your data in machine-readable JSON.
  • Restriction: Ask us to restrict processing where you contest accuracy or object to certain processing.
  • Object: Object to processing based on legitimate interests.
  • Withdraw consent: See Section 4 above.

To exercise any right, contact contact@flit.social. We aim to respond within 30 days. We may ask for reasonable verification of identity before fulfilling a request.

You also have the right to lodge a complaint with your supervisory authority. For users in Greece, the competent authority is the Hellenic Data Protection Authority (HDPA): https://www.dpa.gr/en

8. Age Restriction

Flit is only for users 18 and older. We do not knowingly permit accounts for persons under 18. If you believe a minor has created an account, contact contact@flit.social and we will investigate and remove the account where appropriate.

9. International Transfers

Some of our processors operate outside the EEA, including vendors in the United States. Where this occurs, we rely on the transfer mechanisms made available by those vendors and required by applicable law, such as Standard Contractual Clauses, supplementary contractual commitments, or other lawful transfer mechanisms.

10. Security

We use technical and organisational measures designed to protect personal data, including:

  • TLS for data in transit
  • Access-controlled object storage with presigned URLs for private media
  • Authentication managed through Clerk rather than storing passwords ourselves
  • Consent-gated analytics collection
  • Header and user-identity scrubbing in backend Sentry reporting
  • Access logging, incident response procedures, and role-based production access

No method of transmission or storage is perfectly secure, but we review and update our safeguards on an ongoing basis.

11. Automated Decision-Making

Flit uses automated filtering such as age range and gender visibility preferences to shape what a user sees in the product. These filters are based on settings provided by the user and do not produce legal or similarly significant effects within the meaning of GDPR Art. 22.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change, we will provide notice in-app or by another reasonable channel before the updated version takes effect. The effective version is recorded when relevant consents or policy acceptances are collected.

13. Contact

Privacy questions, data-subject requests, or concerns:

**Email:** contact@flit.social

**Controller name:** [INSERT FULL LEGAL NAME]

**Registered address:** [INSERT FULL REGISTERED ADDRESS]

**VAT / Tax ID:** [INSERT VAT OR TAX ID]

**GEMI / Registry number:** [INSERT GEMI OR OTHER REGISTRY NUMBER, IF APPLICABLE]
