Privacy Policy

Last updated: May 22, 2026

Flux Marketing (the "App") is an internal marketing-automation tool operated by Flux Engineering for managing its own advertising campaigns, social content, commerce data, and inventory across third-party platforms. This Privacy Policy describes what data the App processes, how it is stored, who can access it, and how to request its deletion.

1. Scope

The App is hosted on a private network and is used solely by authorized Flux Engineering personnel to manage first-party assets (Flux Engineering's own ad accounts, Facebook Page, Instagram account, Squarespace store, Shippo account, Google Search Console properties). The App does not provide services to, or process data on behalf of, third-party customers or external clients.

2. Data the App Processes

The App processes the following categories of data, all relating to Flux Engineering's own assets:

• OAuth credentials and access tokens issued by Meta (Facebook Login, Instagram Graph API, Marketing API), Google (Google Ads API, Search Console API), Squarespace, and Anthropic. Tokens are encrypted at rest (AES-256-GCM, envelope encryption).
• Advertising campaign data retrieved from Meta Marketing API and Google Ads API: campaign names, statuses, daily budgets, targeting parameters, impressions, clicks, spend, conversions.
• Organic search performance data retrieved from Google Search Console: query strings, impressions, clicks, average position, page URLs.
• Commerce order data retrieved from Squarespace Commerce: order numbers, line items, totals, currencies, fulfillment status, shipping addresses (city/state/ZIP), customer email addresses. Email addresses are hashed (SHA-256) for analytics.
• Inventory data retrieved from Squarespace Commerce: SKU, variant descriptors, quantities.
• Shipment data retrieved from Shippo: tracking numbers, carrier names, status, recipient name, ZIP, and country.
• Product catalog data stored locally: product names, descriptions, target keywords, prices, target audiences.
• AI agent decisions: prompts, model outputs, token counts, costs, and timing metadata for each Anthropic Claude API call.

3. How Data Is Used

• To present advertising performance, organic search performance, sales, and inventory in dashboards visible only to authorized Flux Engineering personnel.
• To generate proposed marketing actions (e.g., suggested ad budget adjustments, suggested page-content changes) via Anthropic Claude, which the user reviews and approves manually before any external action is taken.
• To execute approved actions against the originating third-party platform's API (e.g., pausing an ad campaign on Meta on the authenticated user's behalf).
• To reconcile Squarespace orders against Shippo shipments and identify orders that did not flow through the existing Squarespace–QuickBooks–Shippo integration chain.

4. Data Storage and Security

• Data is stored in a PostgreSQL database hosted on infrastructure private to Flux Engineering (Tailscale-protected, not publicly addressable).
• OAuth tokens and other sensitive credentials are encrypted at rest with AES-256-GCM using envelope encryption (per-row IV + auth tag).
• The App is exposed to the public internet only via Tailscale Funnel for the purpose of OAuth callback handling and Meta platform crawl-checks. Authenticated UI access is gated behind Flux Engineering's identity provider.
• Customer email addresses are stored only as SHA-256 hashes for repeat-customer analytics. The plaintext is not retained beyond the time required to receive the order data from Squarespace.

5. Data Sharing

The App does not sell, rent, or share personal data with third parties for marketing purposes. Data is transmitted only to the third-party APIs from which it was originally retrieved (e.g., updating a Google Ads campaign budget on Google's servers) and to Anthropic for the purpose of generating proposed marketing actions. Anthropic processes data per its API terms; the App does not transmit personal customer data to Anthropic — only product, campaign, and aggregate sales data are included in prompts.

6. Data Retention

Data is retained for as long as the App remains in active use by Flux Engineering. On revocation of an integration (e.g., disconnecting a Meta account), the App retains historical records of past actions for audit purposes but no longer fetches new data from that integration. Encrypted access tokens for a revoked integration are deleted within 30 days.

7. Your Rights and Data Deletion

You may request deletion of any data the App holds about you by following the instructions at /data-deletion. Requests are processed within 30 days. Because the App processes only first-party data belonging to Flux Engineering, third-party requests are evaluated case-by-case.

8. Children's Privacy

The App is not directed at children under 13 and does not knowingly process their data.

9. Changes to This Policy

Flux Engineering may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change.

10. Contact

Questions about this policy or data the App processes can be sent to: brandonhalterman@gmail.com