
Privacy Policy

Last updated: May 31, 2026

This Privacy Policy explains how Flaggy ("Flaggy", "we", "us", or "our") collects, uses, and shares information when you visit flaggy.io, create an account, or use the Flaggy feature flag platform and SDK (together, the "Service"). By using the Service, you agree to the practices described here.

Who we are

The Service is operated by the owner of Flaggy, an individual based in Australia ("Flaggy"). For any privacy question, contact us at [email protected].

Information we collect

  • Account information. When you register, we collect your name, email address, and authentication credentials.
  • Billing information. Paid plans are processed by our payment provider (Stripe). We do not store full payment card numbers on our systems.
  • Configuration data. The feature flags, segments, targeting rules, and environment settings you create in the dashboard.
  • Usage and log data. Standard server logs (IP address, browser/user-agent, timestamps, pages requested) used to operate and secure the Service.
  • Flag evaluation analytics. Aggregate records of flag evaluations reported by the SDK. The entity key in your evaluation context is hashed before storage — we do not store the raw identifiers your application passes to the SDK.

What we do not do

Flags are evaluated locally in your SDK, not on our servers. We do not process or store individual end-user evaluations tied to identifiable end users, and we do not sell your personal information.

How we use information

  • To provide, maintain, and improve the Service;
  • To authenticate users and secure accounts;
  • To process payments and manage subscriptions;
  • To respond to support requests and communicate with you about the Service;
  • To detect, prevent, and address fraud, abuse, and security issues; and
  • To comply with legal obligations.

Cookies and local storage

The marketing site uses your browser's local storage to remember your light/dark theme preference. The application uses cookies and local storage that are strictly necessary to keep you signed in and to operate the Service. We do not use third-party advertising trackers.

Sub-processors

We rely on a limited set of trusted third parties to operate the Service. Each is bound by contractual confidentiality and data-protection obligations:

  • Cloudflare — application hosting, content delivery, and DDoS protection.
  • Stripe — payment processing and billing.

We may update this list as the Service evolves. See our Security & Trust page for more detail.

Data retention

We retain account and configuration data for as long as your account is active. Audit-log and analytics data are retained according to your plan's retention window. When you close your account, we delete or anonymize your data within a commercially reasonable period, except where we are required to retain it to comply with legal obligations or resolve disputes.

Data security

All traffic to the Service is encrypted in transit using TLS, and account and configuration data are encrypted at rest. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

International transfers

We may process and store information in the United States, the European Union, and other jurisdictions where we or our sub-processors operate. Where required, we rely on appropriate safeguards for international transfers.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing (for example, under the GDPR or CCPA/CPRA). To exercise any of these rights, email [email protected]. We will respond as required by applicable law. If you are a customer, a Data Processing Agreement (DPA) is available on request.

We handle personal information in line with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). If you have a concern about how we have handled your personal information, please contact us first at [email protected] so we can try to resolve it. If you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Children

The Service is intended for businesses and is not directed to children under 16. We do not knowingly collect personal data from children.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

Contact

Questions about this policy or your data? Email [email protected].