FlintTerms of Service

Privacy Policy

Last updated: April 15, 2026

Who we are

Flint is operated by ZEALOUS OU (registry code 16989036), registered at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145, Estonia.

For anything privacy-related, email us at privacy@useflint.app.

What we collect and why

We only collect what we need to run the service. Here is exactly what, and the legal basis under GDPR:

Account data

What: Email address, password (hashed), full name.

Why: To create and authenticate your account.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

CV / resume data

What: The PDF or DOCX file you upload, the extracted text, and structured profile data (skills, job titles, years of experience, education).

Why: To build your profile and score job matches against it. This is the core service.

Legal basis: Contract performance (Art. 6(1)(b) GDPR). We need your CV data to deliver the matching service you signed up for.

AI processing: Your CV text is sent to Anthropic (Claude API) for skill and experience extraction. Anthropic processes this data as a sub-processor under our instructions and does not use it to train models. See Anthropic's privacy policy.

Job interaction data

What: Jobs you save, apply to, dismiss, or click on. Application status tracking.

Why: To power your pipeline and improve match quality.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Payment data

What: Subscription status and Stripe customer ID. We do not store card numbers, bank details, or other payment credentials.

Why: To manage your subscription.

Legal basis: Contract performance (Art. 6(1)(b) GDPR). Stripe processes payments as an independent controller. See Stripe's privacy policy.

Technical data

What: IP address, browser type, device info, page views.

Why: Security, debugging, and basic analytics.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in maintaining a secure and functional service.

Cookies and local storage

We keep this simple. Flint uses:

  • Authentication token stored in localStorage -- essential for keeping you logged in. No consent banner needed (strictly necessary, ePrivacy Directive Art. 5(3)).
  • Product analytics (PostHog) -- cookieless and hosted in the EU. We keep a single short ID in localStorage so we can tell repeat pageviews from new visitors and so events survive page navigation. No third-party cookies are set. Anonymous visitors are counted for pageviews and product events; identified users are linked by account ID after signup (implicit consent via ToS and privacy policy acceptance).
  • No third-party advertising cookies. No Google Analytics, no Facebook pixels, no ad networks.

Since our analytics uses no cookies or persistent local storage for anonymous users, we do not show a cookie consent banner. If we add marketing or advertising cookies in the future, we will update this policy and add consent controls first.

Who we share data with

We share data only with the sub-processors needed to run the service:

  • Anthropic (San Francisco, USA) -- CV text processing via Claude API. Covered by Standard Contractual Clauses for EU-US transfers (Art. 46(2)(c) GDPR).
  • Stripe (San Francisco, USA) -- Payment processing. Independent controller. EU-US Data Privacy Framework certified.
  • Railway (San Francisco, USA) -- Infrastructure hosting. Servers in EU region. Data Processing Agreement in place.
  • PostHog (EU region, Frankfurt) -- Product analytics: pageviews and interaction events (e.g. CV upload, registration). No cookies; session-only in-memory tracking for anonymous visitors. Identified users linked by account ID once they sign up. See PostHog's privacy policy.

We never sell your data. We never share your CV with employers or recruiters. Job data comes to you from public sources -- we do not send your data out.

International transfers

Your data is stored on EU servers (Railway EU region). When data is sent to US-based sub-processors (Anthropic, Stripe), we rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or adequacy decisions where applicable. We assess each transfer to ensure adequate protection per Art. 44-49 GDPR.

How long we keep data

  • Account data: Until you delete your account.
  • CV and profile data: Until you delete your CV or your account. You can delete your CV at any time from your profile settings.
  • Job interaction data: Until you delete your account.
  • Payment records: 7 years after the transaction for tax and legal compliance (Art. 6(1)(c) GDPR).
  • Server logs: 90 days.

When you delete your account, we remove your personal data within 30 days, except where retention is required by law.

Your rights

Under GDPR, you have the right to:

  • Access your data (Art. 15) -- export your profile from settings, or email us.
  • Rectify inaccurate data (Art. 16) -- edit your profile anytime, or contact us.
  • Erase your data (Art. 17) -- delete your CV, delete your account, or email us.
  • Restrict processing (Art. 18).
  • Data portability (Art. 20) -- request a machine-readable export.
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, where consent is the legal basis.

Email privacy@useflint.app to exercise any right. We respond within 30 days (Art. 12(3) GDPR).

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

Security

Passwords are hashed with bcrypt. All data is transmitted over TLS. Database access is restricted to application services only. We use environment-level secrets management. We do not store raw payment credentials.

Children

Flint is not intended for anyone under 16 (Art. 8 GDPR). We do not knowingly collect data from children. If we discover we have, we will delete it promptly.

Changes to this policy

We may update this policy. If we make material changes, we will notify you by email or in-app notification before the changes take effect. Continued use after the effective date means you accept the updated policy.

ZEALOUS OU -- Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145, Estonia
Registry code: 16989036
Contact: privacy@useflint.app