skip to content
← floeberg

last updated · 2026-05-11

privacy.

What Floeberg collects, why, how long, and your rights. Plain English. Specific. We don't use tracking cookies and we don't sell data. Ever.


01 · what we collect

what we collect

Only what the site needs to work.

  • Account:email address. If you sign in with Discord, GitHub, or Google: your name, avatar URL, and that provider's user ID. We never receive your OAuth password.
  • Reading: when you read the Blueprint Kit, we record the timestamp of your first and most recent read, and a counter. Used to send a single follow-up email about seven days after first read.
  • Messages:messages you post in your private chat thread with Daniel are stored in our database so the thread renders. If you've linked your Discord, the same content syncs to your private Discord thread so we can respond from either side.
  • Feedback: if you submit feedback on the Kit, we store the text along with your account so we can reply.
  • Newsletter: if you sign up for the quarterly note, we store your email address plus the page you signed up from. The email also gets pushed to our Resend audience for delivery. Unsubscribe is one click in any email we send, or email [email protected].
  • Intake form: when you submit the qualifying form at /about, we store your name, email, what you're building, your role, team size, the bottleneck you named, timeline, any notes, and the referring page / UTM parameters that brought you in. Used to reply to you and to prepare for the intro call. Retained on your Lead record until you ask us to delete it.
  • Free ad audit: when you complete the audit at /audit/meta-ad-structure, we store your answers and the computed read (score, structure findings, recommended next step). If you provide an email at the result screen, that email is also stored on the submission row. Anonymous submissions are stored without identifying information; we use them to tune the question set over time. Submissions to the retired operations diagnostic are retained under the same terms until you ask us to delete them.
  • Email engagement: for emails we send through Resend (intake replies, nurture-sequence touches, broadcasts, password recovery links), Resend reports delivery, open, and click events to us via webhook. We store the timestamp of these events against the corresponding send record (LeadActivity, NurtureEmail, or BroadcastEmail row) so we can see what landed and what bounced. The tracking applies only to emails we send to you; it does not follow you around the web.
  • Payments: if you buy a paid engagement (Blueprint, Sprint, etc.), Stripe processes the payment. We store the Stripe customer ID, the line items you bought, the timestamp, and the receipt URL. We do not see or store your card number.
  • Analytics: aggregate, cookie-less page views via self-hosted Plausible. No IP storage, no fingerprinting, no per-visitor profile.

02 · why

why

Each item above maps to exactly one purpose.

  • Account · so the Kit and the audits remember you between visits.
  • Reading · so the seven-day follow-up email goes out once, never twice.
  • Messages · so your private chat thread renders + syncs to Discord if you've linked it.
  • Feedback · so we can read and reply.
  • Newsletter · so we can deliver the quarterly note and you can unsubscribe in one click.
  • Intake form · so we can reply, prepare for the call, and decide whether the engagement fits.
  • Diagnostic · so we can return your personalized recommendation; with email, deliver the PDF and the four-touch nurture sequence; anonymous answers tune the question set over time.
  • Email engagement · so we can see which sends landed, which got opened, and which got clicked. We also stop sending to bouncing addresses. No off-site tracking.
  • Payments · so you have a receipt and we can deliver the work.
  • Analytics · so we can see which pages people read and which they don't.

We never use any of this for advertising. We do not run ad retargeting pixels. We do not build look-alike audiences. We do not sell or rent data.

03 · who else sees it

who else sees it

A short list of vendors. Each handles a specific function.

  • Stripe: payment processing. Privacy: stripe.com/privacy.
  • Resend: outbound transactional email (magic links, receipts, follow-ups). Privacy: resend.com/legal/privacy-policy.
  • Discord, GitHub, Google: only if you sign in via one of those. We see the public profile fields you authorized; they do not see anything we hold.
  • Hetzner: server hosting (Falkenstein, Germany). The database lives here.
  • Cloudflare: DNS and edge proxy in front of the site.
  • Plausible (self-hosted): analytics on our own server. No third-party processor.

That is the entire list. We do not use Google Analytics, Meta Pixel, Mixpanel, Segment, Hotjar, FullStory, Intercom, or any similar tool.

04 · how long we keep it

how long we keep it

  • Account + reading + feedback. Until you delete your account, or three years of inactivity, whichever comes first.
  • Chat messages:stored until you delete your account or message yourself. Bridged messages on Discord are subject to Discord's retention independently.
  • Newsletter: until you unsubscribe. Unsubscribing flips an unsubscribedAtflag on your row; the row itself is retained so a future re-signup can't accidentally re-fire the welcome series. Email yourself a delete request if you want it removed entirely.
  • Intake leads:until you ask us to delete them, or two years after the engagement closed (whichever is shorter). Leads we marked "lost" or archived are removed after one year of inactivity.
  • Diagnostic submissions: two years from submission for rows with email; eighteen months for anonymous rows. Both are useful for tuning the diagnostic; older rows are aggregated to anonymous counts and the originals deleted.
  • Email engagement events: the open/click timestamps stay with the send row for the life of the row. They are deleted when the underlying Lead, Newsletter Subscriber, or Broadcast is deleted.
  • Payment records: seven years, because tax authorities require it. We retain the line items and timestamps; Stripe holds the card details under its own terms.
  • Backups: nightly encrypted Postgres backups, kept for 14 days. Restored only if a production incident requires it.

05 · your rights

your rights

Signed in? Both are self-serve in /settings: download everything we hold about you as JSON, or file a deletion request we action within 30 days. Otherwise email [email protected] from the address attached to your account. We'll respond within seven days.

  • Access: get a copy of what we hold about you.
  • Correct: fix anything inaccurate.
  • Delete:remove your account and everything tied to it, except records we're required to keep for tax purposes.
  • Export: receive your data in a portable format (JSON).
  • Object: tell us to stop processing for a specific purpose.

If you're in the EU, UK, or California, the rights above are granted by law (GDPR, UK-GDPR, CCPA). We extend the same rights to everyone else, by choice.

06 · cookies

cookies

One cookie. Strictly necessary, not tracking. It holds your sign-in session and is set when you log in. We don't use any other cookies. No advertising cookies. No analytics cookies.

You don't need to accept a cookie banner because we don't have the kind of cookies a banner exists to warn you about.

07 · changes and contact

changes and contact

When this policy changes, we update the “last updated” date at the top. Material changes (new vendor, new data type, new purpose) trigger an email to signed-in users.

Questions, complaints, or data requests: [email protected].


terms →
FLB / PRIVACY · 2026-05-11↑ top