Privacy Policy
Last updated: May 2, 2026
Who we are
Flint is operated by ZEALOUS OU (registry code 16989036), registered at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145, Estonia.
For anything privacy-related, email us at privacy@getflint.work.
What we collect and why
We only collect what we need to run the service. Here is exactly what, and the legal basis under GDPR:
Account data
What: Email address, password (hashed), full name.
Why: To create and authenticate your account.
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
CV / resume data
What: Extracted CV text and structured profile data (skills, job titles, years of experience, education). The PDF or DOCX file you upload is read once to pull the text out and then deleted from our server — only the text and parsed fields are retained.
Why: To build your profile and score job matches against it. This is the core service.
Legal basis: Contract performance (Art. 6(1)(b) GDPR). We need your CV data to deliver the matching service you signed up for.
AI processing: Your CV text is sent to Anthropic (Claude API) for skill and experience extraction. Anthropic processes this data as a sub-processor under our instructions and does not use it to train models. See Anthropic's privacy policy.
Job interaction data
What: Jobs you save, apply to, dismiss, or click on. Application status tracking.
Why: To power your pipeline and improve match quality.
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
Payment data
What: Subscription status and Stripe customer ID. We do not store card numbers, bank details, or other payment credentials.
Why: To manage your subscription.
Legal basis: Contract performance (Art. 6(1)(b) GDPR). Stripe processes payments as an independent controller. See Stripe's privacy policy.
Technical data
What: IP address, browser type, device info, page views.
Why: Security, debugging, and basic analytics.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in maintaining a secure and functional service.
Cookies and local storage
Flint stores a small amount of data on your device. We split it into two categories:
Strictly necessary (always on)
- Authentication token in localStorage — keeps you logged in.
- Theme preference in localStorage — remembers Paper or Ember.
- Error reporting (Sentry) — captures crash reports and stack traces so we can fix bugs. Sent to Sentry, hosted in the EU. No persistent identifiers about you are stored on your device by Sentry; reports are correlated by anonymous session only.
These are exempt from the consent requirement under PECR Reg. 6 / ePrivacy Directive Art. 5(3) because they are strictly necessary to deliver the service or for security.
Analytics (opt-in)
- Product analytics (PostHog) — pageviews and product events (e.g. CV upload, registration). Hosted in the EU (Frankfurt). Stores a short anonymous identifier in localStorage so events survive page navigation; once you sign in, the identifier is linked to your account ID. No third-party cookies are set.
- Marketing measurement (Google Tag Manager) — a Google-hosted container we use to fire ad-conversion and campaign-attribution tags when we run paid acquisition. Loading the GTM script alone contacts Google and may set Google cookies on your browser. The script is not loaded at all unless you opt in.
On your first visit you will see a consent banner asking whether to allow analytics. Decline and these tools never load — the app works the same. Accept and your decision is remembered for this browser. Legal basis: consent (Art. 6(1)(a) GDPR + PECR Reg. 6).
You can change your decision at any time using the button below.
Who we share data with
We share data only with the sub-processors needed to run the service:
- Anthropic (San Francisco, USA) -- CV text processing via Claude API. Covered by Standard Contractual Clauses for EU-US transfers (Art. 46(2)(c) GDPR).
- Stripe (San Francisco, USA) -- Payment processing. Independent controller. EU-US Data Privacy Framework certified.
- Railway (San Francisco, USA) -- Infrastructure hosting. Servers in EU region. Data Processing Agreement in place.
- Sentry (San Francisco, USA) -- Error reporting and performance monitoring. Captures crash stack traces and request context so we can fix bugs. Personal-data fields are masked at the SDK layer. EU-US Data Privacy Framework certified. See Sentry's privacy policy.
- PostHog (EU region, Frankfurt) -- Product analytics: pageviews and interaction events (e.g. CV upload, registration). Loaded only with your opt-in consent. Identified users linked by account ID once they sign up. See PostHog's privacy policy.
- Google Tag Manager (Google LLC, USA) -- Marketing-measurement container we use when running paid acquisition campaigns. Loaded only with your opt-in consent. May set Google cookies on your browser when active. EU-US Data Privacy Framework certified. See Google's privacy policy.
- Resend (EU region) -- Transactional and marketing emails (welcome, CV review ready, weekly digest, match alerts). Processes your email address and the content of each email. You can unsubscribe from marketing emails at any time via the one-click link in every footer. See Resend's privacy policy.
We never sell your data. We never share your CV with employers or recruiters. Job data comes to you from public sources -- we do not send your data out.
International transfers
Your data is stored on EU servers (Railway EU region). When data is sent to US-based sub-processors (Anthropic, Stripe), we rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or adequacy decisions where applicable. We assess each transfer to ensure adequate protection per Art. 44-49 GDPR.
How long we keep data
- Account data: Until you delete your account.
- CV and profile data: Until you delete your CV or your account. You can delete your CV at any time from your profile settings.
- Job interaction data: Until you delete your account.
- Payment records: 7 years after the transaction for tax and legal compliance (Art. 6(1)(c) GDPR).
- Server logs: 90 days.
When you delete your account, we remove your personal data within 30 days, except where retention is required by law.
Your rights
Under GDPR, you have the right to:
- Access your data (Art. 15) -- export your profile from settings, or email us.
- Rectify inaccurate data (Art. 16) -- edit your profile anytime, or contact us.
- Erase your data (Art. 17) -- delete your CV, delete your account, or email us.
- Restrict processing (Art. 18).
- Receive your data in a portable format (Art. 20) -- request a machine-readable export.
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time, where consent is the legal basis.
Email privacy@getflint.work to exercise any right. We respond within 30 days (Art. 12(3) GDPR).
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.
Security
Passwords are hashed with bcrypt. All data is transmitted over TLS. Database access is restricted to application services only. We use environment-level secrets management. We do not store raw payment credentials.
Children
Flint is not intended for anyone under 16 (Art. 8 GDPR). We do not knowingly collect data from children. If we discover we have, we will delete it promptly.
Changes to this policy
We may update this policy. If we make material changes, we will notify you by email or in-app notification before the changes take effect. Continued use after the effective date means you accept the updated policy.
ZEALOUS OU -- Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145, Estonia
Registry code: 16989036
Contact: privacy@getflint.work