Fluent privacy and data lifecycle policy

Privacy Policy

Version 2026-05-05.1 · Effective May 5, 2026

This policy covers Fluent early access and the meetfluent.app waitlist. Data you keep in a self-run open-source runtime stays in the environment you operate unless you choose to migrate it into Fluent.

Account data Stored while the account is active, then removed through deletion. Canceled or lapsed accounts are kept up to 90 days for export, support, and reactivation unless deletion is requested earlier.

Runtime exports Export files are handled by the Fluent account or support path and expire after 7 days.

Deletion Waitlist-only deletion starts by email. Provisioned account deletion is operator-assisted today and normally completes within 30 days.

Who Runs Fluent

Fluent early access and the meetfluent.app waitlist are operated by 1001597427 ONTARIO INC., an Ontario corporation using the Meet Fluent brand. For any privacy, data, or policy question, contact us at [email protected].

Geographic Scope

Fluent early access is currently offered to residents of the United States and Canada. We do not actively offer the service to residents of the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions outside the US and Canada. If you submit the waitlist from outside this scope, we may decline your request and delete the submission. Once we expand availability, this policy will be updated and additional notices and rights will apply.

What Fluent Stores

For approved early-access accounts, Fluent stores only the account and domain data needed to operate the service:

Account and tenant records: user identity, email, display name, tenant, profile, membership, enabled domains, lifecycle state, timestamps, and operator-visible onboarding state.
Domain memories: Meals, Style, and Health state that you or your connected assistant create, update, or approve.
Meals data: preferences, meal plans, plan entries, grocery plans, grocery intents, grocery actions, inventory, brand preferences, feedback, meal memory, plan reviews, grocery run metadata, confirmed order sync summaries, and referenced recipes.
Style data: style profile, closet items, item photos, item profiles, provenance/evidence metadata, and style import run metadata.
Health data: preferences, goals, training plans, plan entries, training blocks, block sessions, block state, block reviews, workout logs, body metrics, and weekly reviews. Health is included in early access as limited fitness and routine planning. It is not medical advice, diagnosis, treatment, emergency support, clinical nutrition, or a substitute for a professional.
Artifacts: metadata for Fluent artifacts and binary objects stored in object storage, such as style photos, generated grocery artifacts, and short-lived user export files.
Auth and consent metadata: Better Auth user, session, account, OAuth consent, OAuth access token, and verification rows needed for sign-in and connected-client authorization.
Access metadata: waitlist review, invite, onboarding, access audit, deletion request, export request, and export audit rows.
Billing metadata: account-to-Stripe customer and subscription references, checkout session references, subscription status, webhook event ids, and billing lifecycle timestamps. Fluent does not collect or store payment card numbers.

What Fluent Does Not Store

Fluent does not store your full assistant chat transcript as a separate product record.
Fluent does not store OAuth client secrets, operator credentials, or verification secrets in user data exports.
Fluent does not embed binary artifact bytes in the current export JSON.
Fluent does not store universal one-click grocery checkout data. Current Meals records are planning, grocery preparation, and sync summaries where supported.
Fluent does not sell subscriptions inside ChatGPT. Early access is currently invite-based. If paid managed access is introduced later, billing and account management will happen on meetfluent.app through Stripe.
Fluent does not sell your personal information and does not share it for cross-context behavioral advertising.
The waitlist form does not store raw IP addresses or raw request headers in the waitlist signup row.

AI Assistants And Connected Clients

Fluent is designed to be used through an AI assistant such as Claude, ChatGPT, Cursor, Codex, or Claude Code. When you connect an assistant to Fluent through the Model Context Protocol, the assistant authenticates with OAuth and acts as a client on your behalf. While that session is active, the assistant can read and write the domain data you have authorized.

This means content from your Meals, Style, or Health domains is sent to the assistant provider you chose when you ask the assistant to help with that domain. The assistant provider, not Fluent, controls how that content is processed, retained, and whether it is used for product analytics or model training. Their terms and privacy policy apply to that processing. We recommend reviewing the assistant provider's data and training policy before connecting it.

You can revoke an assistant's access at any time by removing the OAuth consent in Fluent. Revocation stops new reads and writes; it does not retroactively recall content the assistant has already received.

Domain Memories And Derived Data

Domain memories are not a separate hidden profile. They live in the same domain tables that power the product: meal memory, pantry and grocery state, closet profiles and provenance, Health plan state, reviews, and similar records. Some records are derived from earlier user-authored data, such as summaries, source snapshots, or planner state.

When a full account is deleted, derived memories tied to that tenant are deleted with the account data. Fine-grained self-serve erasure of every derived record is not complete yet. If a user needs a specific derived memory removed or recomputed before full account deletion, contact Fluent for operator-assisted review.

Style Photos And Likenesses

Style item photos may incidentally include images of people. Fluent does not run face recognition, biometric identification, or biometric-template extraction on closet photos. Photos are stored as item attachments and are linked to your closet profile and provenance metadata. Do not upload photos of other people without their permission. If a photo of you needs to be removed before full account deletion, contact us and we will action the removal.

Sub-Processors And Service Providers

Fluent relies on a small number of third-party service providers to run the service. The current list, including their role, location, and the privacy policies that apply to their handling of data, is maintained at /subprocessors/. Material additions or changes to this list will be reflected on that page and, where required, called out in this policy.

Cookies And Similar Technologies

The meetfluent.app landing site does not set advertising or cross-site tracking cookies and does not run third-party advertising or analytics tags. Cloudflare may set strictly necessary cookies for security and performance as part of serving the site. Once you sign in to your Fluent account, that product uses session cookies and OAuth tokens that are required for sign-in and to keep your session active; these are described in Fluent account documentation.

When you submit the waitlist, we record a hashed, non-reversible fingerprint of request signals (such as a truncated address and user agent) for rate-limit and abuse protection. We do not store the raw IP address or raw request headers in the waitlist signup row.

Backups And Snapshots

Fluent early access runs on Cloudflare infrastructure. Cloudflare D1 Time Travel keeps database recovery history for up to 30 days on paid Workers plans and 7 days on free Workers plans. Deletion removes data from active Fluent systems first. Backup and recovery copies are not self-serve, are used only for resilience or incident recovery, and age out through the infrastructure retention window rather than by manual user download.

Current export files are runtime artifacts and expire after 7 days. This landing site does not provide a waitlist export endpoint. Open-source runtime snapshot files are created only when an operator runs the snapshot export command in their own environment.

Logs

Fluent writes product audit rows for lifecycle events such as access review, onboarding, export requests, export downloads, and deletion transitions. Runtime logs may include operational errors and routing metadata needed to debug the managed service. They are not a user-facing system of record and are not included in user exports today.

Current product code does not implement a per-user self-serve runtime-log export or deletion path. Product audit rows tied to an active account are removed with account deletion unless a retention exception applies. Runtime-log review, incident records, or security records are operator-assisted.

Waitlist Data

The meetfluent.app waitlist stores:

Email address.
Optional assistant and priority domain selections.
Source path and sanitized referrer URL without query-string parameters.
Waitlist review state, public lifecycle state, operator notes or tags when used for early-access review, and deletion-request markers for waitlist-only records.
Submission timestamps, duplicate submission count, consent copy version, privacy policy version, and policy URL.
A hashed rate-limit fingerprint, request counts, rate-limit window timestamps, and any temporary block timestamp used to protect the endpoint.

Waitlist data is retained while Fluent is managing early access, unless you ask us to delete it earlier. If your waitlist record becomes an invite or account, matching access records may also be created in the runtime product.

Personal Information We Collect (CCPA Categories)

For users in California and other US jurisdictions with similar laws, the categories of personal information we collect map to the statutory categories as follows. We have not sold personal information and have not shared personal information for cross-context behavioral advertising in the past twelve months.

Category	Examples we collect	Purpose	Disclosed to
Identifiers	Email, account id, tenant id, OAuth subject identifiers	Provide and secure the service; sign-in; account communications	Hosting, email, auth sub-processors
Customer records	Display name, profile, billing references	Account and billing	Hosting, payment processor
Commercial information	Subscription status, checkout session references	Billing and access lifecycle	Payment processor
Internet or network activity	Hashed rate-limit fingerprint, sanitized referrer, request counts	Security and abuse protection	Hosting
Geolocation (coarse)	Country derived at request time for geographic-scope enforcement; not stored long-term	Limit signups to in-scope regions	Hosting
Inferences	Domain memories, summaries, planner state derived from your inputs	Provide the Meals, Style, and Health features you authorize	Connected AI assistants you authorize
Sensitive personal information	Health-domain data (workouts, body metrics, plans); OAuth access tokens	Provide the Health domain and authorized connections; never used for inferences about you for advertising	Connected AI assistants you authorize

Legal Basis For Processing

For users in jurisdictions that require us to identify a lawful basis (such as Quebec under Law 25), we rely on the following bases:

Performance of our agreement with you: creating and operating your account, processing your domain inputs, providing exports, and handling support requests.
Your consent: connecting an AI assistant, opting into Health-domain processing, and any optional features you turn on.
Our legitimate interests: protecting the service against fraud and abuse, rate-limiting, security monitoring, and improving the product, where these interests are not overridden by your rights.
Legal obligations: retaining minimal records to satisfy tax, accounting, fraud-prevention, and regulatory requirements.

Your Rights

Depending on where you live, you have one or more of the following rights with respect to the personal information Fluent holds about you:

Right to know and access: request a copy of the personal information we hold about you.
Right to correct: ask us to correct inaccurate personal information.
Right to delete: ask us to delete your personal information, subject to limited exceptions.
Right to portability: receive your information in a portable format. The runtime export described below is our portability mechanism.
Right to opt out of sale or sharing: Fluent does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
Right to limit use of sensitive personal information: ask us to limit the use of sensitive personal information to providing the service. Health-domain data and OAuth tokens are treated as sensitive by default.
Right to non-discrimination: we will not deny service or change pricing because you exercised a privacy right.
Right to appeal: if we deny a rights request, you can appeal by replying to our response. We will provide a written decision within 60 days.

To exercise any of these rights, email [email protected] from the address associated with your account or waitlist submission, or, if you no longer have access to that address, give us enough information to verify your identity proportionate to the sensitivity of the request. We will acknowledge your request within 10 business days and respond substantively within 45 calendar days. If we need more time, we will tell you why and may take an additional 45 days. You may also have the right to lodge a complaint with your local privacy regulator (in Canada, the Office of the Privacy Commissioner of Canada or your provincial regulator; in the United States, your state attorney general).

Retention Periods

Active account data: retained while the account is active or needed to provide Fluent.
Runtime export files: retained for 7 days, then treated as expired.
Payment failure: trialing and active accounts have full access. Payment failure keeps full access for 7 days before limited access.
Canceled or lapsed accounts: Fluent keeps domain data for up to 90 days for export, deletion, support, billing portal access, and reactivation unless deletion is requested earlier.
Waitlist-only deletion: requested by email from the landing confirmation flow and handled as a support follow-up.
Provisioned account deletion: operator-assisted today and normally completed within 30 days after confirmation unless a legal, fraud, billing, security, safety, or incident-review exception applies.
Deletion request audit: minimal deletion request and audit metadata may be retained for up to 6 years to prove fulfillment and handle abuse, security, legal, or safety obligations.

Export Process

Provisioned users can request an export from their Fluent account or support path. The export is a portable JSON file with account metadata, domain memories, Meals data, Style data, Health data, artifact metadata, settings, consent records when available, timestamps, excluded-data notes, binary-artifact handling, and migration notes. This landing site only stores waitlist intake and does not provide a waitlist export endpoint.

If the authenticated runtime export is disabled or paused, the request becomes operator-assisted. A Fluent operator can run the managed export fallback and provide the same logical export categories.

Deletion Process And Timeline

Waitlist-only users can request deletion by emailing Fluent from the landing confirmation flow. Signed-in deletion belongs to the Fluent account path, where users can start account deletion after invite acceptance or onboarding. Provisioned Fluent account deletion moves to operator review until the full multi-table and artifact purge job is self-serve.

Landing self-serve today: waitlist submission and duplicate update. Waitlist deletion is an email handoff.
Runtime-owned today: signed-in account export and deletion initiation after invite/onboarding.
Operator-assisted today: provisioned account deletion, binary artifact package creation, special retention exceptions, and migration packaging.
After completion: Better Auth sessions and OAuth access are revoked. Connected clients cannot reconnect to the deleted account.

Security

Fluent applies technical and organizational measures intended to be appropriate to the risk of the data we hold. Production traffic is served over TLS. Account secrets are stored hashed or encrypted at rest. Access to production data is limited to the operating team and is gated by the authentication and authorization controls of the underlying infrastructure. Database changes are versioned through migrations under source control. Object storage is read-restricted and signed URLs are short-lived. No system can be guaranteed fully secure; if you discover a vulnerability, please report it privately to [email protected].

Breach Notification

If we become aware of a security incident that has compromised the confidentiality, integrity, or availability of personal information we hold about you, we will notify you without undue delay where the incident creates a real risk of harm, and we will notify the appropriate regulator where required by law. The notice will describe what happened, the categories of information involved, the steps we are taking, and what you can do.

Children And Minimum Age

Fluent is not directed to children. You must be at least 16 years old to create an account or join the waitlist. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a person under 16, we will delete it. A parent or guardian who believes a child has submitted information can contact us at [email protected].

Demo And Mock Data

Public Fluent demos use seeded fake data and labeled static mock frames. They are not a user's Fluent account data. Private capture folders, when present, are internal asset-preparation material and should not be published unless they have been redacted and approved under the demo asset process.

Migration

Self-run to early access

The open-source runtime can create local snapshots. Migration into early access is feasible only as an operator-assisted process today, because tenant/profile identity and artifact handling need to be mapped deliberately. Do not assume uploading a snapshot into Fluent is self-serve.

Early access to self-run

The export is portable JSON, not a direct open-source runtime snapshot import. Where feasible, a Fluent operator can use the export fallback and map the exported sections into a migration package. Binary artifacts require separate handling because exports include metadata rather than inline bytes.

Governing Law

This policy is governed by the laws of Ontario and the federal laws of Canada that apply there, except where mandatory consumer-protection or privacy laws of your place of residence require otherwise. Nothing in this policy limits any non-waivable right you have under applicable law.

Changes To This Policy

We may update this policy as the service evolves. The version string and effective date at the top of this document identify the current version. Material changes will be communicated by updating the version, and where appropriate, by emailing the address on your account or waitlist record before the change takes effect. Continued use of the service after the effective date of an update constitutes acceptance of the updated policy. Prior versions are preserved in source control and can be requested by email.

Contact

Export, deletion, migration, rights requests, security disclosures, and any other privacy questions can be sent through Fluent Support or emailed to [email protected].