Privacy Policy

How FlagFree protects your data at every step.

Last updated: June 2026

FlagFree is built for people in high-conflict situations. We know your data is sensitive and could be used against you. That is why privacy is the foundation of every design decision we make. This policy explains exactly what happens to your information -- no legalese, no fine print.

Who We Are

FlagFree Messaging is operated by FlagFree Messaging LLC.

If you have any questions about this privacy policy or your personal data, you can reach us at: team@flagfreemessaging.com.

For written correspondence, contact us via email at team@flagfreemessaging.com to request our mailing address.

For the purposes of applicable data protection laws (including GDPR), FlagFree Messaging LLC is the data controller of the personal information collected through this Service.

Core Privacy Principles

Your original messages are ephemeral, meaning they exist only for the moment they are being processed, then they are permanently discarded. Only AI-suggested rewrites are saved temporarily.

All temporary drafts automatically delete after 72 hours. You can delete them sooner at any time.

Your activity log records only metadata (action type, platform, date) -- never any message content.

If our system were ever subpoenaed, there would be no original messages to produce.

Legal Basis for Processing

Contract performance: We process your account data (name, email, password) and profile data (custody schedule, co-parent details) because it is necessary to provide you with the FlagFree service you signed up for.

Consent: When you submit a message for AI review, you are actively choosing to have that text analyzed. You can withdraw consent at any time by simply not using the review feature.

Legitimate interest: We process minimal metadata (action type, platform, date) to maintain service quality, prevent abuse, and improve our product. This never includes message content.

Legal obligation: We may process certain data to comply with applicable laws, such as tax and billing obligations related to paid subscriptions.

What We Collect

Account information: Your name, email address, and encrypted password. If you use social login, we receive your name and email from the provider.

Profile information: Your state of residence, preferred language, custody schedule, co-parent names, communication platform preferences, and children's names and ages. You provide this voluntarily during onboarding.

Subscription and billing data: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store only your subscription tier and status -- never your credit card number or banking details.

Usage metadata: Action type (e.g., message reviewed, draft saved), platform used, and timestamp. We never log message content in our activity records.

Messages & Text

When you submit a message for review, it is processed ephemerally: sent to the AI for analysis and immediately discarded. Nothing is saved. Your original messages are never sold, shared with advertising or analytics providers, retained, or used to train AI models.

Only the AI-suggested rewrite is saved as a temporary draft -- never your original words.

Drafts expire and are permanently deleted after 72 hours, or sooner if you delete them manually.

The 'Just the Facts' filter processes incoming messages in real-time and does not store the original or filtered text.

Screenshots, Images & PDFs

Screenshot and image text extraction (OCR) happens entirely in your browser using Tesseract.js. The image never leaves your device.

PDF text extraction also happens entirely in your browser using pdfjs-dist. The file is never uploaded to any server.

Only the extracted text is used for message review -- the original image or PDF file is never stored or transmitted.

Voice Memos

Voice recordings are sent securely for transcription only. The audio is not stored after transcription.

The transcribed text is returned to you for review before any message review occurs.

No audio recordings are kept in our system at any point.

AI Processing

FlagFree uses AI service providers, including Anthropic and OpenAI, to process messages, generate rewrites, apply the 'Just the Facts' filter, produce Foresight coaching, and build your Voice Profile. Provider processing is governed by the providers' commercial API terms and FlagFree's agreements with them.

AI providers process your data and return results immediately. FlagFree does not store message content beyond your active session.

Voice-to-text transcription is processed by an AI service provider using encrypted connections. No audio is retained after transcription.

Your profile context (names, custody details) is included with AI requests to personalize results but is not stored beyond your account settings.

AI Training Data

Your messages, voice recordings, images, and PDFs are never used as training data for any AI model.

FlagFree does not use customer content to train its own models, and FlagFree's agreements with AI providers prohibit use of customer data for model training.

We do not share, sell, or provide your message content to any third party for AI or model training purposes.

Third-Party Services & Data Transfers

AI service providers, both in the United States: Anthropic (message analysis, rewrites, emotion filtering, Foresight, Voice Profile) and OpenAI (voice-to-text transcription; AI processing during service transitions). Provider processing is governed by commercial API terms and FlagFree's agreements with each provider. FlagFree does not use customer content to train its own models.

Stripe (United States): Handles all payment processing for paid subscriptions. We never receive or store your full credit card details.

Hosting provider (United States): Our application and database are hosted on secure infrastructure in the United States.

If you are located outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required under GDPR.

Authentication (Clerk, Inc., San Francisco, CA, United States): Clerk handles password credentials, email verification, account recovery, and session issuance. FlagFree does not receive or store raw passwords.

Advertising & analytics providers (United States): Meta Platforms, Inc. (Meta Pixel and Conversions API) and Google LLC (Google Analytics 4). We share the marketing measurement data described in the Cookies & Tracking section with these providers to measure and attribute advertising performance. Their processing is governed by their own terms, including the Meta Business Tools Terms. This sharing is limited to marketing and analytics identifiers and event data; it never includes your message content, saved drafts, or co-parenting communications.

CRM and marketing automation (United States): we use GoHighLevel / LeadConnector as our customer-relationship-management and marketing-operations platform. It may process your contact information (such as name and email), your signup and lead status, communications we send you (such as email or SMS), your activity on our funnels and checkout pages, and campaign and source attribution. This is a service provider that processes data on our behalf and is separate from the advertising and analytics tools described in the Cookies & Tracking section.

Social media: we may maintain a presence on social-media platforms (such as Facebook, and in the future platforms like Instagram, LinkedIn, Google Business Profile, YouTube, or TikTok). If you interact with FlagFree on one of those platforms, that platform's own terms and privacy policy govern how it handles your information. We do not represent these as active tracking tools unless and until they are connected and separately disclosed.

Cookies & Tracking

We use a single essential session cookie to keep you logged in. This cookie is strictly necessary for the Service to function and does not track your behavior.

We use analytics and advertising technologies from third parties to understand site traffic and measure the performance of our marketing. These include Google Analytics 4 and Meta Business Tools (the Meta Pixel and the Meta Conversions API).

These tools may set cookies and collect device and browser information, online identifiers (including Meta browser identifiers stored in the _fbp and _fbc cookies), the pages you view and the referring page, marketing attribution parameters (such as utm_source, utm_medium, utm_campaign, and utm_content), and, for server-side conversion matching, your IP address (used transiently and not stored). When you create an account we record a registration conversion event.

We use this information to measure advertising performance, attribute sign-ups to campaigns, and improve our marketing, and we may share the event and identifier data described above with Meta and Google for those purposes. Depending on your location you may have the right to opt out of this analytics and advertising activity; contact us to exercise that right. This sharing is limited to marketing and analytics identifiers and event data; it never includes your message content, saved drafts, or co-parenting communications.

We also use search-performance tools, including Google Search Console and Bing Webmaster Tools, for search indexing, site diagnostics, sitemap and search-visibility management, and aggregate search-performance reporting. These tools are enabled through domain or platform verification, not through cookies or tracking scripts on our site, and they do not track your individual behavior.

Data Retention

Message drafts: Automatically deleted after 72 hours.

Activity log: Stores only action type (message review, sent), platform, co-parent, and timestamp. No message content.

Profile data: Your name, state, custody details, and co-parent information are stored to personalize the AI. You can delete your account at any time.

Original messages, screenshots, PDFs, and voice recordings: Never stored. Processed in real-time and discarded.

Account data: Retained as long as your account is active. When you delete your account, all associated data (profile, co-parents, children, drafts) is permanently removed.

Your Rights

Access: You can view all your personal data at any time from the Settings page, including your profile, co-parent, and children information.

Correction: You can edit any of your profile, co-parent, or children information at any time from the Settings page.

Deletion: You can delete any draft at any time (drafts also auto-delete after 72 hours). You can request full account deletion by contacting us at team@flagfreemessaging.com.

Data portability: You may request a copy of your personal data in a commonly used, machine-readable format by contacting us at team@flagfreemessaging.com.

Restrict or object: You have the right to restrict or object to certain processing of your data. Contact us and we will respond within 30 days.

Withdraw consent: Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing performed before withdrawal.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Right to know: You can request details about the categories of personal information we collect, the purposes for collection, and whether we sell or share your information. We do not sell your personal information.

Right to delete: You can request deletion of personal information we have collected from you, subject to certain legal exceptions.

Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your rights, contact us at team@flagfreemessaging.com. We will verify your identity and respond within 45 days.

Children's Privacy

FlagFree is intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18.

While you may enter your children's names and ages as part of your co-parenting profile to help personalize AI suggestions, this information is associated with your adult account and is not used to directly interact with or market to children.

If we learn that we have collected personal information from a child under 18 without parental consent, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at team@flagfreemessaging.com.

Data Security

All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).

Passwords are hashed using bcrypt and are never stored in plain text.

Access to user data is protected with user-level authentication and access controls. No other user can access your drafts, activity log, or profile information.

We regularly review our security practices and update them as needed to protect your data.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

For material changes that significantly affect your rights, we will make reasonable efforts to notify you via the email address associated with your account.

Global Privacy Control and your opt-out rights: FlagFree does not sell your personal information for money. However, our use of third-party advertising and analytics tools (such as the Meta Pixel and Conversions API and Google Analytics 4, described in Cookies & Tracking) may involve "sharing" of online identifiers for cross-context behavioral advertising as defined under California's CPRA. This sharing is limited to marketing and analytics identifiers and never includes your message content or saved drafts. If your browser sends the Sec-GPC (Global Privacy Control) signal, FlagFree records and honors it as an opt-out of that sharing. You may also opt out by contacting team@flagfreemessaging.com.

How to Submit a Privacy Request

Email: team@flagfreemessaging.com

You can also submit a request through Account Settings > Privacy. Include your account email and a description of your request. We will verify your identity before processing.

We will respond to all privacy requests within 45 days. If we need additional time, we will notify you of the extension and the reason.

If you are in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.

Questions about your privacy? Contact us at team@flagfreemessaging.com. This app is designed with your protection as the top priority. Every feature has been built to minimize data exposure and maximize your safety.