FlickPrivacy Policy
Effective date: February 11, 2026
At Flick, we take your privacy seriously. This Privacy Policy explains what information we collect, how we use it, who we share it with, and how we keep it safe. By using Flick, you agree to the practices described below.
1. What We Collect
Account Information
When you create an account, we collect your email address and, optionally, your name. If you set a password, we store a securely hashed version — never the password itself. We also record when you created your account and when you last logged in.
Your Content
When you upload files — photos, videos, documents, and other materials — we store them in encrypted object storage along with metadata such as file name, size, type, and upload date. If AI classification is enabled, we also store generated descriptions, keywords, and content ratings.
Usage Information
We collect information about how you use the Services, including actions like uploading, sharing, downloading, and organizing files. This helps us improve the product and troubleshoot issues.
Device & Connection Information
When you access Flick, we may collect your IP address, browser type, and device information. This data is used for security purposes, including detecting unauthorized access and preventing abuse.
2. How We Use Your Data
We use the information we collect to:
- Provide the Services: Host your files, generate thumbnails and video transcodes, enable sharing, and deliver email notifications
- Improve the product: Understand usage patterns to build better features
- Ensure safety: Run AI content classification to detect and flag prohibited material
- Communicate with you: Send transactional emails such as magic link logins, password resets, file upload notifications, and billing receipts
- Process payments: Manage subscriptions, billing, and invoicing
- Enforce our Terms: Detect, investigate, and prevent violations of our Terms of Service
3. How We Protect Your Data
We take the security of your data very seriously and employ multiple layers of protection:
Encryption at Rest
All uploaded files are stored in Wasabi S3 object storage with server-side encryption enabled. Your data is encrypted at rest, meaning even the raw storage is not readable without proper authorization. Files are organized in isolated per-company, per-group storage paths to prevent cross-tenant access.
Encryption in Transit
All connections to Flick are encrypted using HTTPS/TLS. Data transferred between your browser and our servers, between our servers and storage, and between our servers and third-party services is always encrypted in transit.
Password Security
Passwords are hashed using bcrypt with a cost factor of 12 — an industry-standard adaptive hashing algorithm designed to be computationally expensive to crack. We never store your password in plain text, and even our own team cannot retrieve it. If you forget your password, you can reset it via a time-limited secure link.
Session Security
Authentication sessions use HttpOnly, Secure cookies with SameSite protections. Magic login links expire after 15 minutes. Password reset links expire after 60 minutes. Invitation links expire after 7 days. All time-limited tokens are single-use.
Access Controls
Flick enforces role-based access control at every level. Company Admins, Group Admins, and Members each have different permissions. API endpoints verify authorization on every request. Files and groups are isolated per tenant — one organization cannot access another's data.
4. Third-Party Services
We use a limited number of trusted third-party services to operate Flick. Each processes only the data necessary for its specific function:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, billing details, subscription info |
| Amazon SES | Transactional email delivery | Email addresses, email content |
| Wasabi | Encrypted file storage (S3-compatible) | Uploaded files and metadata |
| Groq (Meta Llama) | AI image classification | Image data for content analysis |
We do not sell your personal information to third parties. We do not use third-party advertising or tracking services. We do not share your data with anyone except as described in this policy.
5. AI Content Processing
When you upload images, Flick may use AI (powered by Meta Llama via Groq) to automatically generate descriptions, keywords, and content safety ratings. This processing is done to:
- Make your photos searchable by their contents
- Detect and flag prohibited content (see our Terms of Service)
AI-generated descriptions and keywords are stored alongside your files and can be edited or removed by you at any time. Image data sent for AI analysis is processed in real-time and is not retained by the AI provider after processing.
6. Sharing & Disclosure
We may share your information only in these circumstances:
- With your team: Your name and email are visible to other members of your organization on Flick. Company Admins can see membership details and usage.
- When you share content: If you create a share link, anyone with that link (and the password, if set) can access the shared content.
- Service providers: As described in the Third-Party Services section above.
- Legal requirements: We may disclose information if required by law, subpoena, court order, or government request, or if necessary to protect the safety of our users or the public.
- Safety enforcement: We may disclose information to law enforcement if we detect content involving the exploitation of minors or other serious illegal activity.
7. Data Retention
We retain your data for as long as your account is active. When you delete a file, it is permanently removed from our storage — we do not keep copies. If your account is terminated or deleted, we will delete your data within a reasonable timeframe.
We may retain certain information as required by law (for example, billing records) or to resolve disputes and enforce our Terms.
8. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct your account information at any time via your profile settings
- Deletion: Request deletion of your account and associated data by contacting us
- Data portability: Download your files at any time through the platform
- Opt out: Unsubscribe from non-essential email notifications via your notification settings
To exercise any of these rights, contact us at hello@flick.sh. We will respond to requests within 30 days.
9. Children's Privacy
Flick is not intended for use by children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will promptly delete it. If you believe a child under 16 has provided us with personal information, please contact us at hello@flick.sh.
10. Cookies
Flick uses essential cookies only — specifically, authentication session cookies required for you to stay logged in. We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use any third-party cookie-based tracking.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Services at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at hello@flick.sh.