Privacy Policy
1. Introduction
Welcome to the Privacy Policy of Flob Inc. ("Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our reOS platform ("Research Operating System") and related services (collectively, the "Service").
We are committed to protecting your privacy and ensuring you understand how your personal data is processed. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Data Controller Information
The data controller responsible for your personal data is:
Flob Inc. 1111B S Governors Ave STE 49827 Dover, DE 19904 United States
Data Protection Contact: support [at] reos [dot] ai
Data Protection Officer: Rob Manzano Email: rob [at] reos [dot] ai
For European Union residents, Flob Inc. acts as the data controller for the processing of your personal data under the General Data Protection Regulation (GDPR). Our Data Protection Officer oversees compliance with data protection requirements and can be contacted directly for any GDPR-related inquiries.
3. Information We Collect
We collect information in several ways when you use our Service:
3.1 Information You Provide to Us
Account Information:
- Email address
- Full name
- Profile picture/avatar
- Password (stored in encrypted/hashed form)
- Two-factor authentication settings and backup codes
- Passkey/WebAuthn credentials for passwordless authentication
Organization Information:
- Organization name
- Organization logo
- Member roles and permissions
Billing Information:
- Billing name (individual or company)
- Billing email address
- Billing address (street, city, state/province, postal code, country)
- Tax identification number (VAT ID, if applicable)
Note: Payment card information is collected and processed directly by our payment processor (Polar) and is not stored on our servers.
Research Content:
- Video and audio interview files
- Documents and transcripts
- Notes and annotations
- Observations and insights
- Personas and customer profiles
- Reports and summaries
- Any other content you upload or create through the Service
Communications:
- Support requests and correspondence
- Feedback and suggestions
- Survey responses
3.2 Information Collected Automatically
Device and Technical Information:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Screen resolution and device capabilities
Session Information:
- Session tokens
- Login timestamps
- User agent strings
- Referring URLs
Usage Information:
- Features accessed and actions taken within the Service
- AI model usage (tokens consumed, models used)
- Time spent on pages
- Click patterns and navigation paths
- Search queries within the Service
Log Data:
- Server logs recording requests to our Service
- Error logs and diagnostic data
- Performance metrics
3.3 Information from Third Parties
OAuth Providers: If you choose to sign in using third-party authentication providers, we may receive:
- Basic profile information (name, email, profile picture)
- OAuth tokens for authentication purposes
Payment Processor: Our payment processor (Polar) may share:
- Transaction status and confirmation
- Subscription status
- Customer identifiers
3.4 Research Data Processing
When you use our AI-powered analysis features, the following data may be processed:
- Transcripts of uploaded audio/video content
- Text content from documents
- User-generated prompts and queries
- AI-generated outputs (observations, insights, summaries)
This data is processed by our third-party AI providers as described in Section 6.
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Providing and Maintaining the Service
- Creating and managing your account
- Authenticating your identity and securing your account
- Processing your research content through AI analysis
- Generating insights, observations, and reports
- Enabling collaboration features
- Processing payments and managing subscriptions
4.2 Improving and Developing the Service
- Analyzing usage patterns to improve features
- Developing new features and functionality
- Debugging and fixing errors
- Conducting research and analysis
- Testing new features
4.3 Communications
- Sending service-related notifications (account verification, security alerts, billing)
- Responding to your inquiries and support requests
- Sending product updates and announcements (with your consent where required)
4.4 Security and Fraud Prevention
- Detecting and preventing fraud, abuse, and security threats
- Monitoring for suspicious activity
- Enforcing our Terms of Service
- Protecting our rights and property
4.5 Legal Compliance
- Complying with applicable laws and regulations
- Responding to legal requests and court orders
- Establishing, exercising, or defending legal claims
4.6 Advertising and Marketing (Consent-Based)
With your explicit consent, we may use your information for:
- Serving targeted advertisements through third-party advertising networks
- Measuring advertising effectiveness
- Creating custom and lookalike audiences for advertising purposes
Legal Basis: All targeted advertising and marketing activities for EEA, UK, and Swiss users are based solely on your consent (Article 6(1)(a) GDPR). You may withdraw your consent at any time through our cookie consent manager, and such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. Without your consent, we will not process your personal data for advertising purposes.
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under Article 6 of the GDPR:
5.1 Contract Performance (Article 6(1)(b))
Processing necessary for the performance of our contract with you, including:
- Account creation and authentication
- Providing the core Service features
- Processing payments
5.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, including:
- Improving and developing the Service
- Ensuring security and preventing fraud
- Analyzing usage and performance
We have conducted balancing tests for each legitimate interest processing activity. In each case, we have determined that: (a) the processing is necessary to achieve our legitimate interest; (b) the processing does not override your fundamental rights and freedoms; and (c) you would reasonably expect such processing given your relationship with us. For service improvement and security purposes, we process only aggregated or pseudonymized data where possible, minimizing any impact on your privacy. You have the right to object to processing based on legitimate interests at any time by contacting our Data Protection Officer.
5.3 Consent (Article 6(1)(a))
Where you have given consent, including:
- Marketing communications (where consent is required)
- Analytics cookies and advertising cookies
- Certain data sharing with third parties
You may withdraw consent at any time.
5.4 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations, including:
- Tax and accounting requirements
- Responding to lawful government requests
6. Data Sharing and Third Parties
We may share your information with the following categories of third parties:
6.1 AI Service Providers
To provide AI-powered analysis features, we transmit your research content to the following third-party AI providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic | AI analysis, content generation | Prompts, transcripts, documents | United States |
| OpenAI | AI analysis, content generation | Prompts, transcripts, documents | United States |
| Google (Vertex AI) | AI analysis, content generation | Prompts, transcripts, documents | United States |
| Cloudflare Workers AI | AI analysis, embeddings | Prompts, transcripts, documents | Global (Cloudflare network) |
| AssemblyAI | Audio/video transcription | Audio/video files | European Union (Dublin, Ireland) |
These providers process your data according to their respective privacy policies and data processing agreements.
AI Model Training Policy
We have selected AI providers that commit to not using your data for model training. We do not and will never explicitly opt-in to allow any provider to use your data for training purposes. Below are the specific commitments from each provider:
| Provider | Training Policy | Source | Accessed |
|---|---|---|---|
| Anthropic | "Anthropic may not train models on Customer Content from Services." | Commercial Terms | January 2026 |
| OpenAI | "Data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in)." | API Data Usage | January 2026 |
| Google (Vertex AI) | "Google won't use your data to train or fine-tune any AI/ML models without your prior permission or instruction." | Vertex AI Data Governance | January 2026 |
| Cloudflare Workers AI | "Cloudflare does not use your Customer Content to (1) train any AI models made available on Workers AI or (2) improve any Cloudflare or third-party services." | Workers AI Data Usage | January 2026 |
| AssemblyAI | "We will not use files you submit for model training if you [...] are utilizing our European servers." We use exclusively EU servers. | Model Training FAQ | January 2026 |
Important Disclaimer: While we have taken reasonable steps to select providers that commit to not using customer data for training and we do not explicitly authorize such use, we cannot guarantee that providers will not violate their stated commitments. We are not responsible for any unauthorized use of data by third-party providers that occurs in violation of their stated policies.
Automated Decision-Making and AI Processing (Article 22 GDPR)
Our AI-powered features assist you in analyzing research content, generating insights, and creating summaries. We want to be transparent about how this processing works:
Nature of AI Processing: The AI analysis features are tools that support your research workflow. They generate suggestions, summaries, and observations based on content you provide. These outputs are intended to assist your work, not to make autonomous decisions about you or produce legal or similarly significant effects on you.
Human Oversight: All AI-generated outputs are presented to you for review. You retain full control over whether to accept, modify, or reject any AI-generated content. No decisions affecting your rights or access to the Service are made solely by automated means.
6.2 Infrastructure Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloudflare | Hosting, CDN, security, file storage (R2), AI Gateway, video transcoding | All Service data, uploaded files | Global edge network (US-based company; data storage regions configurable) |
| PlanetScale | Database hosting | All structured data | United States |
6.3 Analytics and Monitoring Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| PostHog | Product analytics, session recording, feature flags | Usage data, session recordings, device info, IP address | United States/EU |
| Google Analytics | Web analytics, traffic analysis | Usage data, device info, IP address | United States |
| Sentry | Error tracking, performance monitoring | Error logs, stack traces, device info, IP address | United States |
PostHog Session Recording: We may record user sessions to understand how users interact with our Service. Session recordings may capture:
- Mouse movements, clicks, and scrolls
- Page navigation and interactions
- Form inputs (sensitive fields like passwords are automatically masked)
- Console errors and network requests
You can opt out of session recording through our cookie consent manager.
Sentry Error Tracking: When errors occur in the Service, we automatically collect diagnostic information including:
- Error messages and stack traces
- Browser and device information
- User actions leading to the error
- Performance metrics
This data helps us identify and fix bugs to improve the Service.
6.4 Payment Processing
| Provider | Purpose | Data Shared |
|---|---|---|
| Polar | Subscription and payment processing | Billing information, transaction data |
6.5 Email Services
| Provider | Purpose | Data Shared |
|---|---|---|
| Resend | Transactional emails, notifications | Email addresses, names |
| Amazon Web Services (AWS SES) | Transactional emails, notifications | Email addresses, names |
6.5a Meeting Recording Services
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Recall.ai | Meeting bot for recording video conferences (Zoom, Google Meet, Microsoft Teams) | Meeting audio/video, participant information | United States |
6.6 Advertising Partners (Consent-Based)
With your explicit consent, we use advertising services that may collect data for targeted advertising:
| Provider | Purpose | Data Collected |
|---|---|---|
| Google Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| Meta (Facebook/Instagram) | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| LinkedIn Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| Reddit Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
| OpenAI Ads | Advertising, conversion tracking | Cookies, usage data, device identifiers |
Important for EEA/UK/Swiss Users: We only share your data with advertising partners if you have provided explicit consent through our cookie consent manager. No advertising cookies are placed, and no data is shared with advertising partners, until you actively consent. You can withdraw your consent at any time through the cookie consent manager, and we will cease sharing your data with advertising partners immediately.
6.7 Other Disclosures
We may also share your information:
- With your consent: When you direct us to share information with third parties
- For legal reasons: To comply with laws, legal processes, or government requests
- For safety and security: To protect the rights, property, or safety of Flob Inc., our users, or others
- In business transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets
- With service providers: Contractors and agents who perform services on our behalf, bound by confidentiality obligations
7. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your home country.
7.1 Transfer Mechanisms
For transfers from the EEA, UK, or Switzerland to the United States and other countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms
- Data Privacy Framework: For transfers to certified US companies
- Your consent: Where appropriate and where you have provided explicit consent
7.2 Safeguards
We implement appropriate safeguards to protect your data during international transfers, including:
- Encryption in transit and at rest
- Access controls and authentication
- Contractual protections with service providers
8. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
8.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Research content | Duration of account + 30 days after deletion |
| Billing records | 7 years (legal requirement) |
| Usage logs | 90 days |
| Support communications | 3 years |
| Marketing consent records | Duration of consent + 3 years |
8.2 Deletion
When you delete your account or request data deletion:
- Your personal data will be deleted or anonymized within 30 days
- Backup copies may be retained for up to 90 days
- We may retain certain data as required by law or for legitimate business purposes
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 Rights Under GDPR (European Union, EEA, UK)
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation:
Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
Right to Rectification (Article 16): You have the right to correct inaccurate personal data and to complete incomplete data.
Right to Erasure ("Right to be Forgotten") (Article 17): You have the right to request deletion of your personal data in certain circumstances.
Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling and direct marketing.
Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
Response Time: We will respond to your requests within 30 days, which may be extended by two further months where necessary.
9.2 Rights Under CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of collection, and the categories of third parties with whom we share your information.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" of your personal information and the "sharing" of your personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected: In the past 12 months, we have collected the following categories of personal information: identifiers, commercial information, internet activity, geolocation data, professional information, and inferences.
"Sale" and "Sharing" of Personal Information: We may "share" personal information with advertising partners for targeted advertising purposes. You can opt out through our cookie consent manager.
9.3 Rights Under LGPD (Brazil)
If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados:
- Confirmation of the existence of processing
- Access to personal data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Data portability
- Deletion of data processed with consent
- Information about sharing with third parties
- Information about the possibility of denying consent
- Revocation of consent
9.4 Rights Under Other Jurisdictions
Canada (PIPEDA): Canadian residents have rights to access and correct personal information, and to withdraw consent subject to legal restrictions.
Australia (Privacy Act): Australian residents have rights to access and correct personal information under the Privacy Act 1988.
9.5 Exercising Your Rights
To exercise any of your privacy rights, please contact us at:
Email: support [at] reos [dot] ai
Mail: Flob Inc. Attn: Privacy Request 1111B S Governors Ave STE 49827 Dover, DE 19904 United States
We may need to verify your identity before processing your request. We will respond to verified requests within the timeframes required by applicable law.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
10.1 Security Measures
- Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest
- Access Controls: Role-based access controls and authentication requirements
- Infrastructure Security: Secure cloud infrastructure with Cloudflare protection
- Credential Protection: API keys and sensitive credentials are encrypted before storage
- Monitoring: Security monitoring and logging for suspicious activity
- Vendor Security: Third-party vendors are evaluated for security practices
10.2 Your Responsibilities
You are responsible for:
- Maintaining the security of your account credentials
- Using strong, unique passwords
- Enabling two-factor authentication
- Notifying us promptly of any unauthorized access
10.3 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support [at] reos [dot] ai.
12. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and track information about your use of the Service. For detailed information about our use of cookies, please see our Cookie Policy.
12.1 Types of Cookies
- Essential Cookies: Required for the Service to function (authentication, security)
- Functional Cookies: Remember your preferences (theme, settings)
- Analytics Cookies: Help us understand how you use the Service
- Advertising Cookies: Used to deliver targeted advertisements
12.2 Your Choices
You can manage your cookie preferences through our cookie consent banner or by adjusting your browser settings. Note that disabling certain cookies may affect the functionality of the Service.
13. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals, as there is no industry standard for handling such signals. You can manage tracking through our cookie consent manager.
14. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party websites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Posting the updated Privacy Policy on the Service
- Updating the "Last Updated" date
- Sending you an email notification (for material changes)
Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Flob Inc. 1111B S Governors Ave STE 49827 Dover, DE 19904 United States
Email: support [at] reos [dot] ai
Data Protection Contact: For GDPR-related inquiries, you may contact our data protection point of contact at the same address.
16.1 Complaints
If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority:
- EU Residents: Contact your local Data Protection Authority (DPA). A list of all EU DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK Residents: Information Commissioner's Office (ICO) - https://ico.org.uk
- Swiss Residents: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch
- California Residents: California Attorney General - https://oag.ca.gov/privacy
- Brazilian Residents: Autoridade Nacional de Proteção de Dados (ANPD)
17. California Privacy Notice
This section provides additional information for California residents pursuant to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
17.1 Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Personal Information (Cal. Civ. Code 1798.80) | Name, address, phone number | Yes |
| Protected Classification Characteristics | None intentionally collected | No |
| Commercial Information | Purchase history, subscription records | Yes |
| Biometric Information | None collected | No |
| Internet Activity | Browsing history, interactions with Service | Yes |
| Geolocation Data | IP-based approximate location | Yes |
| Sensory Data | Audio/video files you upload | Yes |
| Professional Information | Job title (if provided) | Yes |
| Education Information | None intentionally collected | No |
| Inferences | Usage patterns, preferences | Yes |
| Sensitive Personal Information | Account credentials | Yes |
17.2 Sources of Personal Information
We collect personal information from:
- You directly (account creation, content upload)
- Automatically (usage data, device information)
- Third parties (OAuth providers, payment processor)
17.3 Business or Commercial Purposes
We use personal information for the purposes described in Section 4 of this Privacy Policy.
17.4 Disclosure for Business Purposes
We disclose personal information to the categories of third parties described in Section 6 of this Privacy Policy.
17.5 Sale and Sharing of Personal Information
Note for EEA/UK/Swiss Users: The terms "sale" and "sharing" used in this section are specific legal definitions under California law (CCPA/CPRA) and do not reflect how we process data for users in the EEA, UK, or Switzerland. For EEA/UK/Swiss users, we only share data with advertising partners based on your explicit consent, as described in Sections 4.6 and 6.6.
For California Residents: Under CCPA/CPRA definitions, we may "share" personal information with advertising partners for cross-context behavioral advertising. You can opt out using our cookie consent manager or by emailing support [at] reos [dot] ai with the subject line "Do Not Sell or Share My Personal Information."
17.6 Retention
We retain personal information as described in Section 8 of this Privacy Policy.
This Privacy Policy was last updated on January 27, 2026.