1. Introduction
Welcome to the Privacy Policy of Flob Inc. ("Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our reOS platform ("Research Operating System") and related services (collectively, the "Service").
We are committed to protecting your privacy and ensuring you understand how your personal data is processed. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Data Controller Information
The data controller responsible for your personal data is:
Flob Inc. 1111B S Governors Ave STE 49827 Dover, DE 19904 United States
Data Protection Contact: support [at] reos [dot] ai
For European Union residents, Flob Inc. acts as the data controller for the processing of your personal data under the General Data Protection Regulation (GDPR).
3. Information We Collect
We collect information in several ways when you use our Service:
3.1 Information You Provide to Us
Account Information:
- Email address
- Full name
- Profile picture/avatar
- Password (stored in encrypted/hashed form)
- Two-factor authentication settings and backup codes
- Passkey/WebAuthn credentials for passwordless authentication
Organization Information:
- Organization name
- Organization logo
- Member roles and permissions
Billing Information:
- Billing name (individual or company)
- Billing email address
- Billing address (street, city, state/province, postal code, country)
- Tax identification number (VAT ID, if applicable)
Note: Payment card information is collected and processed directly by our payment processor (Polar) and is not stored on our servers.
Research Content:
- Video and audio interview files
- Documents and transcripts
- Notes and annotations
- Observations and insights
- Personas and customer profiles
- Reports and summaries
- Any other content you upload or create through the Service
Communications:
- Support requests and correspondence
- Feedback and suggestions
- Survey responses
3.2 Information Collected Automatically
Device and Technical Information:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Screen resolution and device capabilities
Session Information:
- Session tokens
- Login timestamps
- User agent strings
- Referring URLs
Usage Information:
- Features accessed and actions taken within the Service
- AI model usage (tokens consumed, models used)
- Time spent on pages
- Click patterns and navigation paths
- Search queries within the Service
Log Data:
- Server logs recording requests to our Service
- Error logs and diagnostic data
- Performance metrics
3.3 Information from Third Parties
OAuth Providers: If you choose to sign in using third-party authentication providers, we may receive:
- Basic profile information (name, email, profile picture)
- OAuth tokens for authentication purposes
Payment Processor: Our payment processor (Polar) may share:
- Transaction status and confirmation
- Subscription status
- Customer identifiers
3.4 Research Data Processing
When you use our AI-powered analysis features, the following data may be processed:
- Transcripts of uploaded audio/video content
- Text content from documents
- User-generated prompts and queries
- AI-generated outputs (observations, insights, summaries)
This data is processed by our third-party AI providers as described in Section 6.
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Providing and Maintaining the Service
- Creating and managing your account
- Authenticating your identity and securing your account
- Processing your research content through AI analysis
- Generating insights, observations, and reports
- Enabling collaboration features
- Processing payments and managing subscriptions
4.2 Improving and Developing the Service
- Analyzing usage patterns to improve features
- Developing new features and functionality
- Debugging and fixing errors
- Conducting research and analysis
- Testing new features
4.3 Communications
- Sending service-related notifications (account verification, security alerts, billing)
- Responding to your inquiries and support requests
- Sending product updates and announcements (with your consent where required)
4.4 Security and Fraud Prevention
- Detecting and preventing fraud, abuse, and security threats
- Monitoring for suspicious activity
- Enforcing our Terms of Service
- Protecting our rights and property
4.5 Legal Compliance
- Complying with applicable laws and regulations
- Responding to legal requests and court orders
- Establishing, exercising, or defending legal claims
4.6 Advertising and Marketing
- Serving targeted advertisements through third-party advertising networks
- Measuring advertising effectiveness
- Creating custom and lookalike audiences for advertising purposes
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under Article 6 of the GDPR:
5.1 Contract Performance (Article 6(1)(b))
Processing necessary for the performance of our contract with you, including:
- Account creation and authentication
- Providing the core Service features
- Processing payments
5.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, including:
- Improving and developing the Service
- Ensuring security and preventing fraud
- Analyzing usage and performance
- Marketing our services (to existing customers)
We balance our legitimate interests against your rights and freedoms.
5.3 Consent (Article 6(1)(a))
Where you have given consent, including:
- Marketing communications (where consent is required)
- Analytics cookies and advertising cookies
- Certain data sharing with third parties
You may withdraw consent at any time.
5.4 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations, including:
- Tax and accounting requirements
- Responding to lawful government requests
6. Data Sharing and Third Parties
We may share your information with the following categories of third parties:
6.1 AI Service Providers
To provide AI-powered analysis features, we transmit your research content to the following third-party AI providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic | AI analysis, content generation | Prompts, transcripts, documents | United States |
| OpenAI | AI analysis, content generation | Prompts, transcripts, documents | United States |
| Google AI | AI analysis, content generation | Prompts, transcripts, documents | United States |
| AssemblyAI | Audio/video transcription | Audio/video files | United States |
These providers process your data according to their respective privacy policies and data processing agreements.
6.2 Infrastructure Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloudflare | Hosting, CDN, security, file storage (R2), AI Gateway | All Service data, uploaded files | Global (US-based) |
| PlanetScale | Database hosting | All structured data | United States |
6.3 Analytics and Monitoring Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| PostHog | Product analytics, session recording, feature flags | Usage data, session recordings, device info, IP address | United States/EU |
| Google Analytics | Web analytics, traffic analysis | Usage data, device info, IP address | United States |
| Sentry | Error tracking, performance monitoring | Error logs, stack traces, device info, IP address | United States |
PostHog Session Recording: We may record user sessions to understand how users interact with our Service. Session recordings may capture:
- Mouse movements, clicks, and scrolls
- Page navigation and interactions
- Form inputs (sensitive fields like passwords are automatically masked)
- Console errors and network requests
You can opt out of session recording through our cookie consent manager.
Sentry Error Tracking: When errors occur in the Service, we automatically collect diagnostic information including:
- Error messages and stack traces
- Browser and device information
- User actions leading to the error
- Performance metrics
This data helps us identify and fix bugs to improve the Service.
6.4 Payment Processing
| Provider | Purpose | Data Shared |
|---|---|---|
| Polar | Subscription and payment processing | Billing information, transaction data |
6.5 Email Services
| Provider | Purpose | Data Shared |
|---|---|---|
| Resend | Transactional emails, notifications | Email addresses, names |
6.6 Advertising Partners
We use advertising services that may collect data for targeted advertising:
| Provider | Purpose | Data Collected |
|---|---|---|
| Google Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| Meta (Facebook/Instagram) | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| LinkedIn Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| Reddit Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| OpenAI Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
You can opt out of advertising cookies through our cookie consent manager.
6.7 Other Disclosures
We may also share your information:
- With your consent: When you direct us to share information with third parties
- For legal reasons: To comply with laws, legal processes, or government requests
- For safety and security: To protect the rights, property, or safety of Flob Inc., our users, or others
- In business transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets
- With service providers: Contractors and agents who perform services on our behalf, bound by confidentiality obligations
7. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your home country.
7.1 Transfer Mechanisms
For transfers from the EEA, UK, or Switzerland to the United States and other countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms
- Data Privacy Framework: For transfers to certified US companies
- Your consent: Where appropriate and where you have provided explicit consent
7.2 Safeguards
We implement appropriate safeguards to protect your data during international transfers, including:
- Encryption in transit and at rest
- Access controls and authentication
- Contractual protections with service providers
8. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
8.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Research content | Duration of account + 30 days after deletion |
| Billing records | 7 years (legal requirement) |
| Usage logs | 90 days |
| Support communications | 3 years |
| Marketing consent records | Duration of consent + 3 years |
8.2 Deletion
When you delete your account or request data deletion:
- Your personal data will be deleted or anonymized within 30 days
- Backup copies may be retained for up to 90 days
- We may retain certain data as required by law or for legitimate business purposes
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 Rights Under GDPR (European Union, EEA, UK)
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation:
Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
Right to Rectification (Article 16): You have the right to correct inaccurate personal data and to complete incomplete data.
Right to Erasure ("Right to be Forgotten") (Article 17): You have the right to request deletion of your personal data in certain circumstances.
Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling and direct marketing.
Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
Response Time: We will respond to your requests within 30 days, which may be extended by two further months where necessary.
9.2 Rights Under CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of collection, and the categories of third parties with whom we share your information.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" of your personal information and the "sharing" of your personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected: In the past 12 months, we have collected the following categories of personal information: identifiers, commercial information, internet activity, geolocation data, professional information, and inferences.
"Sale" and "Sharing" of Personal Information: We may "share" personal information with advertising partners for targeted advertising purposes. You can opt out through our cookie consent manager.
9.3 Rights Under LGPD (Brazil)
If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados:
- Confirmation of the existence of processing
- Access to personal data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Data portability
- Deletion of data processed with consent
- Information about sharing with third parties
- Information about the possibility of denying consent
- Revocation of consent
9.4 Rights Under Other Jurisdictions
Canada (PIPEDA): Canadian residents have rights to access and correct personal information, and to withdraw consent subject to legal restrictions.
Australia (Privacy Act): Australian residents have rights to access and correct personal information under the Privacy Act 1988.
9.5 Exercising Your Rights
To exercise any of your privacy rights, please contact us at:
Email: support [at] reos [dot] ai
Mail: Flob Inc. Attn: Privacy Request 1111B S Governors Ave STE 49827 Dover, DE 19904 United States
We may need to verify your identity before processing your request. We will respond to verified requests within the timeframes required by applicable law.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
10.1 Security Measures
- Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest
- Access Controls: Role-based access controls and authentication requirements
- Infrastructure Security: Secure cloud infrastructure with Cloudflare protection
- Credential Protection: API keys and sensitive credentials are encrypted before storage
- Monitoring: Security monitoring and logging for suspicious activity
- Vendor Security: Third-party vendors are evaluated for security practices
10.2 Your Responsibilities
You are responsible for:
- Maintaining the security of your account credentials
- Using strong, unique passwords
- Enabling two-factor authentication
- Notifying us promptly of any unauthorized access
10.3 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support [at] reos [dot] ai.
12. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and track information about your use of the Service. For detailed information about our use of cookies, please see our Cookie Policy.
12.1 Types of Cookies
- Essential Cookies: Required for the Service to function (authentication, security)
- Functional Cookies: Remember your preferences (theme, settings)
- Analytics Cookies: Help us understand how you use the Service
- Advertising Cookies: Used to deliver targeted advertisements
12.2 Your Choices
You can manage your cookie preferences through our cookie consent banner or by adjusting your browser settings. Note that disabling certain cookies may affect the functionality of the Service.
13. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals, as there is no industry standard for handling such signals. You can manage tracking through our cookie consent manager.
14. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party websites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Posting the updated Privacy Policy on the Service
- Updating the "Last Updated" date
- Sending you an email notification (for material changes)
Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Flob Inc. 1111B S Governors Ave STE 49827 Dover, DE 19904 United States
Email: support [at] reos [dot] ai
Data Protection Contact: For GDPR-related inquiries, you may contact our data protection point of contact at the same address.
16.1 Complaints
If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority:
- EU Residents: Contact your local Data Protection Authority (DPA)
- UK Residents: Information Commissioner's Office (ICO) - https://ico.org.uk
- California Residents: California Attorney General - https://oag.ca.gov/privacy
- Brazilian Residents: Autoridade Nacional de Proteção de Dados (ANPD)
17. California Privacy Notice
This section provides additional information for California residents pursuant to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
17.1 Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Personal Information (Cal. Civ. Code 1798.80) | Name, address, phone number | Yes |
| Protected Classification Characteristics | None intentionally collected | No |
| Commercial Information | Purchase history, subscription records | Yes |
| Biometric Information | None collected | No |
| Internet Activity | Browsing history, interactions with Service | Yes |
| Geolocation Data | IP-based approximate location | Yes |
| Sensory Data | Audio/video files you upload | Yes |
| Professional Information | Job title (if provided) | Yes |
| Education Information | None intentionally collected | No |
| Inferences | Usage patterns, preferences | Yes |
| Sensitive Personal Information | Account credentials | Yes |
17.2 Sources of Personal Information
We collect personal information from:
- You directly (account creation, content upload)
- Automatically (usage data, device information)
- Third parties (OAuth providers, payment processor)
17.3 Business or Commercial Purposes
We use personal information for the purposes described in Section 4 of this Privacy Policy.
17.4 Disclosure for Business Purposes
We disclose personal information to the categories of third parties described in Section 6 of this Privacy Policy.
17.5 Sale and Sharing of Personal Information
We may "share" personal information with advertising partners for cross-context behavioral advertising. You can opt out using our cookie consent manager or by emailing support [at] reos [dot] ai with the subject line "Do Not Sell or Share My Personal Information."
17.6 Retention
We retain personal information as described in Section 8 of this Privacy Policy.
This Privacy Policy was last updated on January 24, 2025.