Privacy Policy

Last updated: April 10, 2026

Privacy-first by design. We collect the absolute minimum.

1. Information We Collect

FlushIt is built on the principle of minimal data collection. We collect only what is strictly necessary to provide the Service:

Email address: Used for account authentication, login, and essential service notifications
Password hash: Your password is hashed using bcrypt before storage. We never store, log, or have access to your plain text password

That is the entirety of personal information we collect. Two data points. Nothing more.

2. What We Don't Collect

We believe privacy is a fundamental right, not a feature. The following is an explicit list of information we do NOT collect, request, or store:

✗Full name or legal name

✗Government-issued ID or documents

✗Phone number

✗Physical address or location

✗Date of birth or age

✗Company name or business details

✗Tax ID or social security number

✗Selfies or biometric data

✗IP address logs (beyond session security)

✗Browsing history or behavior analytics

✗Third-party tracking cookies

✗Device fingerprinting data

We do not perform Know Your Customer (KYC) verification, identity verification, or any form of personal identification. Your anonymity is not a side effect -- it is a core design principle.

3. How We Use Your Information

The limited information we collect is used exclusively for the following purposes:

Account Authentication: To verify your identity when you log in and to secure your account sessions
Service Delivery: To provide access to the messaging platform, process campaigns, and deliver messages
Credit Balance Management: To track your credit purchases, usage, and refunds for bounced or failed deliveries
Essential Notifications: To communicate critical service updates, security alerts, or account-related information

We do not use your information for marketing, advertising, profiling, behavioral analysis, or any purpose beyond operating the Service.

4. Payment Information

FlushIt accepts payments exclusively in cryptocurrency. We process payments through on-chain verification with no third-party payment processors.

We record the cryptocurrency wallet address used for payment solely for the purpose of verifying on-chain transactions and crediting your account
We do not store credit card numbers, bank account details, or any traditional financial information
Payment wallet addresses are associated with your account only for transaction verification and are not shared with any third party
We do not link payment information to your real-world identity

5. Data Retention

Your account data (email address, password hash, credit balance, and campaign history) is retained for as long as your account remains active.

Upon request, we will permanently delete your account and all associated data. Deletion requests can be submitted through the support ticket system and will be processed within 72 hours.

Campaign delivery reports and message logs are retained for 90 days after campaign completion, after which they are automatically purged from our systems.

6. Third-Party Data Sharing

We do not sell, rent, trade, or share your data with any third party. Ever.

This is not a conditional statement. There are no exceptions for "trusted partners," "analytics providers," "advertising networks," or "service improvement." Your data stays with us and is used only to operate the Service.

The only circumstance under which we may disclose account information is in response to a valid, legally binding order from a court of competent jurisdiction. Given the minimal data we collect (email and password hash), any such disclosure would be extremely limited in scope.

7. Cookies

FlushIt uses a single, essential session cookie to maintain your authenticated login state. This cookie is:

httpOnly: Not accessible via JavaScript, preventing XSS-based session theft
Secure: Transmitted only over HTTPS connections
Session-scoped: Expires when you close your browser or after a defined inactivity period

We do not use analytics cookies, tracking cookies, advertising pixels, third-party scripts, or any other form of client-side tracking technology. There are no cookie consent banners because there is nothing to consent to beyond the essential session cookie.

8. Security

We implement industry-standard security measures to protect your data:

Passwords are hashed using bcrypt with appropriate work factors -- we never store plain text passwords
All data is encrypted at rest and in transit via TLS/HTTPS
Authenticated sessions use secure, httpOnly JWT tokens
Access to production systems is restricted and audited

For a comprehensive overview of our security practices, visit our Security page.

9. Your Rights

You have the following rights regarding your data:

Right to Delete: Request complete deletion of your account and all associated data at any time
Right to Export: Request an export of all data we hold about you, including campaign history and credit transaction logs
Right to Unsubscribe: Opt out of all non-essential communications from FlushIt
Right to Access: Request a summary of what information we hold about you (spoiler: it's just your email and password hash)

To exercise any of these rights, submit a request through the support ticket system.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify users via the email address associated with their account.

Your continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy.

11. Contact

If you have questions about this Privacy Policy or our data practices, please contact us through our support ticket system.