Privacy Policy

FlipHire is operated by T8P Studios LLC, a Florida limited liability company located in Miami, Florida, USA. FlipHire is the controller of personal information collected through the Service (or, where another entity has provided your information to us on its behalf, we act as a processor under contract with that entity).

This Policy applies to the Service. It does not apply to third-party sites, apps, or integrations you may access through links from FlipHire (e.g., LinkedIn, Indeed, Instagram). Their privacy practices are governed by their own policies.

2.1 Information you provide

• Account information: email address, optional name, optional agency name, optional city, optional role/title.
• Billing information: We do not store full card numbers. Payment data is processed and stored by Stripe under Stripe’s privacy policy. We store a Stripe customer ID, subscription status, plan tier, trial-end date, last-4-digit billing identifier (returned by Stripe), and billing country/postal code.
• Profile, preferences, settings: search filters (target salary range, city, industry, role), saved searches, pitch templates you create, notes, lead status tags (new/researched/pitched/replied/won).
• Communications: emails or messages you send us, support tickets, beta feedback.
• Terms acceptance: we log the timestamp at which you accepted the Terms of Service and this Privacy Policy.

2.2 Information collected automatically

• Device & technical: IP address (truncated to /24 in logs after 30 days), user-agent string, operating system, browser type/version, screen resolution, device type, language, time zone.
• Usage: pages viewed, features used, searches run, leads viewed, buttons clicked, time spent, error events, crash reports (desktop app).
• Cookies and similar technologies: see Section 4.
• Desktop app telemetry: the macOS app sends crash reports and feature-usage events. App version, OS version, and a hashed install ID are included; no document content.

2.3 Information from third parties

• Stripe tells us about your payment status (succeeded, failed, refunded, disputed).
• Supabase / Auth provider tells us about successful and failed sign-in attempts.
• Email link clicks (only on transactional emails we send to you) tell us whether you opened the magic-link email.
• Lead data is pulled from job-board APIs (currently JSearch via RapidAPI; Adzuna planned). This data is about companies, not about you. It includes company names, job titles, posting URLs, salary ranges, public social-media handles, and follower counts. Where a public social handle is associated with a hiring company, we display public engagement metrics about that account. This data is sourced from the third-party API; we do not enrich it with information not already public.

2.4 Information we do NOT collect

• Government IDs, driver licenses, passport numbers.
• Social Security or other tax IDs (except as required by Stripe for payouts — handled directly by Stripe).
• Biometric data of any kind (no fingerprints, voiceprints, facial scans). We are not subject to TX CUBI or IL BIPA.
• Protected health information (we are not a HIPAA covered entity).
• Precise geolocation. We may infer approximate region from IP (country/state level) for analytics; we do not collect GPS coordinates.
• Information about minors. We do not knowingly collect from anyone under 18 (see Section 11).

We use the information described above for the following purposes:

• To provide the Service. Authenticate you, run searches you configure, surface relevant leads, generate audits and pitches, sync data across devices, deliver the desktop app.
• To process payments. Charge your subscription on renewal, handle disputes, issue refunds where applicable.
• To communicate with you. Send transactional email (magic-link sign-in, payment receipts, trial-ending reminders, security alerts). Send infrequent product update emails (you can opt out via the unsubscribe link). We do not send marketing email without explicit consent at sign-up.
• To improve the Service. Understand which features are used, identify bugs, prioritize roadmap. Aggregated/anonymized usage data is used for product analytics; individual personal info is not used for ML model training without your explicit consent.
• To detect and prevent abuse. Rate-limit and block automated abuse, fraud, and misuse. Investigate suspected violations of the Terms of Service.
• To comply with law. Respond to lawful subpoenas, court orders, government requests. Enforce our Terms. Defend against legal claims.

Legal basis (EU/UK residents). For users in the European Economic Area or United Kingdom, we process personal information on these GDPR/UK GDPR Article 6 bases: (a) contract performance for account creation, sign-in, billing, and service delivery; (b) legitimate interest for fraud prevention, security, product analytics, and direct outreach to existing customers about similar services; (c) consent for any marketing emails or cookies not strictly necessary; (d) legal obligation for tax records and compliance with court orders.

4.1 What we use

• Strictly necessary cookies: session/auth tokens, CSRF tokens, language preference. Cannot be disabled without breaking the Service.
• Functional cookies: remember UI choices (theme, last-used search filters). Disabling these will reset your preferences each visit.
• Analytics cookies / equivalents: aggregated usage metrics. Anonymized; no cross-site tracking. See Section 5 for sub-processors.
• No advertising / no third-party tracking pixels. We do not use Meta Pixel, Google Ads, TikTok pixel, or similar third-party advertising trackers.
• Local storage: the web app uses browser localStorage to cache UI state. The desktop app uses Electron’s built-in user-data store for the same purposes.

4.2 Do Not Track and Global Privacy Control

We honor browser-level Global Privacy Control (GPC) signals as a valid opt-out of any “sale” or “sharing” of personal information under California and other US state privacy laws. (We do not sell or share personal information for cross-context behavioral advertising regardless.) Because the legal definition of “Do Not Track” is inconsistent across browsers, we do not separately respond to DNT headers; GPC is the operative signal.

4.3 How to manage cookies

You can disable non-essential cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or set notifications. Disabling strictly necessary cookies will prevent sign-in.

We share personal information only with the third-party processors listed below, each of which is bound by a written data processing agreement and may use the data only on our documented instructions:

The current list is maintained for transparency; we may update it as the product evolves. Material additions will be reflected in this Policy.

Other disclosures. In addition to sub-processors, we may share personal information: (a) with your explicit consent; (b) in response to a lawful subpoena, court order, or government request, after evaluating the request and, where possible, notifying you; (c) when necessary to protect the rights, property, or safety of FlipHire, our users, or the public; (d) in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case the acquiring entity will be bound by this Policy or will give you notice of any material change; (e) with professional advisors (legal, audit, accounting) under confidentiality obligations.

We do not sell your personal information.We do not “share” personal information for cross-context behavioral advertising as those terms are defined under California or other US state law. We have not sold or shared personal information in the preceding 12 months and have no plans to do so.

FlipHire is based in the United States, and most of our sub-processors are based in the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the US.

For transfers of personal information from the EU/EEA, UK, or Switzerland to the US, we rely on (a) the European Commission’s Standard Contractual Clauses(Module 1: Controller to Controller, or Module 2: Controller to Processor, as applicable), supplemented by the UK International Data Transfer Addendum; and (b) where the recipient has self-certified, the EU-US Data Privacy Frameworkand its UK and Swiss extensions. We undertake supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging) as recommended by the European Data Protection Board.

• Active account: for as long as your account exists.
• After cancellation: 90 days of read-only retention so you can resubscribe and recover; thereafter, account data is deleted or fully anonymized.
• Billing records: retained for 7 years for US tax and audit compliance, in an encrypted, access-restricted store.
• Server logs: 30 days of full logs; truncated/anonymized after.
• Crash reports: 180 days, then deleted.
• Email-delivery records: 12 months.
• Backups: rolling 30-day backups. A deletion request will be honored in primary systems within 30 days, and within 60 days in backups (backups are restored only in disaster-recovery situations and any restored personal data is re-deleted within 7 days).
• Litigation/legal-hold: longer retention if required by law, court order, or to defend a claim.

We employ industry-standard technical and organizational measures to protect personal information, including: TLS 1.2+ for all data in transit; AES-256 encryption at rest in Supabase Postgres and Vercel Blob; Row-Level Security policies enforcing per-user data isolation; short-lived auth tokens; multi-factor authentication on administrative accounts; least-privilege access controls; audit logging; regular dependency-vulnerability scanning; and incident-response procedures.

No system is perfectly secure.If we become aware of a personal-data breach that creates a risk to your rights or freedoms, we will notify you and applicable regulators in accordance with applicable law — without undue delay and, where feasible, within 72 hours for GDPR-governed data, and within the timelines required by individual US state breach-notification statutes.

Depending on where you reside, US state laws may give you specific rights. The list below reflects rights granted by laws in effect as of May 20, 2026. FlipHire honors equivalent rights for residents of states that pass comparable laws after this date.

9.1 All US residents (universal rights we extend voluntarily)

• Right to access a copy of the personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to delete your personal information, subject to legal-retention exceptions.
• Right to portability — receive your data in a machine-readable format.
• Right to opt out of marketing emails (we do not send unsolicited marketing in any case).
• Right to non-discrimination — we will not deny service, charge different prices, or reduce service quality because you exercised a privacy right.

9.2 California (CCPA/CPRA)

California residents have these additional rights:

• Right to know the categories and specific pieces of personal information we have collected, the sources, the business or commercial purpose, and the categories of third parties with whom we share.
• Right to delete personal information we collected from you, subject to statutory exceptions.
• Right to correct inaccurate personal information.
• Right to opt-out of sale or sharing — FlipHire does not sell or share personal information; this is informational only.
• Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined under California law (no biometrics, no SSN, no driver license, no precise geolocation, no race/ethnicity/religion/health). This right is therefore moot for our processing.
• Right against automated decision-making with significant effects — we do not engage in such decision-making.
• Authorized agents may submit requests on your behalf with verifiable written authorization.
• Categories collected in the prior 12 months: identifiers (email), commercial information (subscription details), internet/network activity (usage logs), inferences (UI preferences). No sensitive categories. No sale. No sharing.
• Shine the Light (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their direct-marketing purposes.

9.3 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (CRA), Delaware (DPDPA), New Hampshire, New Jersey (NJDPA), Minnesota (MCDPA), Maryland (MODPA), Tennessee (TIPA), Indiana, Iowa, and other state privacy laws

Residents of states with comprehensive consumer privacy laws have rights substantially similar to those listed in 9.1 above. Specifically:

• Right to access, correct, delete, and obtain a portable copy.
• Right to opt out of (a) sale of personal data, (b) targeted advertising, and (c) profiling that produces legal or similarly significant effects. FlipHire does none of these.
• Right to appeal a denied request — if we decline a rights request, we will explain in writing within the statutory window, and you may appeal by replying to privacy@t8pstudios.com with subject line “Privacy Rights Appeal.”
• Recognition of universal opt-out signals (e.g., GPC) where required by the applicable state.

9.4 How to exercise rights

Email privacy@t8pstudios.com from the email address on your FlipHire account. Specify which right you are exercising. We will verify your identity (typically by matching the request email to the account email) and respond within 45 days, extendable by 45 additional days when reasonably necessary. There is no fee for the first two rights requests in any 12-month period; we may charge a reasonable fee for excessive or repetitive requests.

10.1 EU/EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)

If you are in the EEA, UK, or Switzerland, you have the following rights regarding personal information we process about you:

• Access (Art. 15) — obtain confirmation of and a copy of your personal data.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure / “right to be forgotten” (Art. 17) — delete your data where one of the legal grounds applies.
• Restriction of processing (Art. 18).
• Data portability (Art. 20) — receive structured, machine-readable data and have it transmitted to another controller where technically feasible.
• Object to processing based on legitimate interests (Art. 21), including objection to direct marketing.
• Withdraw consent at any time, where processing is based on consent (Art. 7(3)). Withdrawal does not affect lawfulness before withdrawal.
• Not be subject to solely automated decision-making with legal or similarly significant effects (Art. 22). FlipHire does not perform such decision-making.
• Lodge a complaint with your national supervisory authority (Art. 77). EEA users can find their authority at edpb.europa.eu. UK users can complain to the ICO. Swiss users to the FDPIC.

Data Protection Officer / EU Representative. Given our current scale we are not required to appoint a DPO or designate an EU Representative under GDPR Articles 27 and 37. We will do so if and when triggered by volume or sensitivity of processing. In the meantime, contact privacy@t8pstudios.com for any GDPR-related inquiry.

10.2 Canada (PIPEDA / Quebec Law 25)

Canadian users have rights to access, correct, and withdraw consent. Quebec residents additionally have the right to data portability and to object to certain automated decisions. Contact us at the email above to exercise any right. The Office of the Privacy Commissioner of Canada is the federal supervisory authority.

10.3 Brazil (LGPD)

Brazilian users have rights substantially similar to GDPR. Contact us to exercise any right. The ANPD is the supervisory authority.

10.4 Other jurisdictions

Where local law in your jurisdiction grants you specific privacy rights not listed above (e.g., Australia’s Privacy Act, Japan’s APPI, South Korea’s PIPA), we will honor those rights to the extent applicable. Contact us via the email above.

FlipHire is a B2B tool intended for marketing professionals and small-business owners. It is not directed at, marketed to, or intended for individuals under 18. We do not knowingly collect personal information from anyone under 18.

If we learn that we have inadvertently collected personal information from a person under 13 (subject to the US Children’s Online Privacy Protection Act, COPPA), we will delete it as quickly as possible. Parents or guardians who believe their child has provided personal information to FlipHire should email privacy@t8pstudios.com.

FlipHire displays publicly available information about companies that have posted job listings on third-party job boards (LinkedIn, Indeed, Glassdoor, ZipRecruiter, and others), and may include the public Instagram username and follower counts associated with those companies. This information is about companies, not about individuals.

Company contact information. Some job postings may include a posting recruiter or contact name. Where present, this information is processed under the legitimate interest of facilitating business-to-business outreach to a person acting in a professional capacity. If you are an individual whose name appears in our index in connection with a job posting and you wish to be removed, contact privacy@t8pstudios.com with the company name, job title, and source URL. We will remove the listing from our cached index within 30 days. We cannot remove the listing from the underlying source; direct that request to the original platform.

FlipHire’s own marketing. We do not send unsolicited marketing email. Transactional email (sign-in links, receipts, security alerts, trial-ending notices) does not require opt-in and may be sent without separate consent under CAN-SPAM, CASL, and GDPR.

Outreach you send through or after using FlipHire.You are the sender of all outreach you generate using FlipHire’s pitch tool. You are responsible for compliance with all applicable anti-spam, anti-phishing, and consumer-protection laws in your jurisdiction and in the recipient’s jurisdiction. FlipHire does not represent that pitches generated by the Service are compliant with any specific law; you must review and ensure compliance before sending. See Sections 5 and 7 of the Terms of Service.

FlipHire uses third-party large language models and automated systems to generate draft pitches, draft audit insights, and other content. Inputs to these systems may include the company-name, public social handle, follower count, post-mix metrics, and the role title for the lead in question. We do not send your personal account information (email, name, billing data) to AI providers as part of generation requests.

We may use anonymized, aggregated input/output samples to fine-tune prompt templates and internal model selection. We do not provide your inputs as training data to any third-party model provider. As of May 20, 2026, OpenAI’s API service terms (and equivalent terms from Anthropic) prohibit use of API submissions to train general-purpose models without explicit opt-in.

You can opt out of AI features by contacting privacy@t8pstudios.com. Without AI generation, the lead-discovery and audit-display features still function; pitch generation will be disabled.

We may revise this Privacy Policy from time to time. If we make material changes (e.g., a new category of data collected, a new sub-processor with material implications, a change in legal basis, or a change that reduces your rights), we will notify you by email and by prominent in-app notice at least 14 days before the change takes effect. The “Last updated” date at the top of this Policy is the authoritative version date.

Historical versions of this Policy are available on request from privacy@t8pstudios.com.

T8P Studios LLC dba FlipHire
Miami, Florida, USA
Privacy inquiries / rights requests: privacy@t8pstudios.com
Legal: legal@t8pstudios.com
General: info@t8pstudios.com