Privacy Policy

Last updated: May 31, 2026

FlarePath ("FlarePath", "we", "us", or "our") is a product of Deliberately Works LLC, a limited liability company organized in the United States. This Privacy Policy explains what information we collect from you when you use FlarePath, how we use it, who we share it with, and the choices you have.

By creating an account or using FlarePath, you agree to the practices described here. If you do not agree, please do not use the service.

1. Information we collect

1.1 Information you give us

  • Account information. Your email address and a hashed password when you sign up.
  • Stripe API credentials. A restricted, read-only Stripe API key that you provide to connect your Stripe account.
  • Financial inputs. Bank balance and monthly operating expenses you enter to compute runway.
  • Optional integration credentials. Read-only API keys or OAuth tokens for any other integrations you choose to connect (for example, Google Analytics 4, Google Ads, Google Tag Manager, Sentry).
  • Support and feedback. Any messages you send us by email or in-app feedback forms.

1.2 Information we pull on your behalf

Using the credentials you provide, we fetch business data needed to compute your metrics. This may include:

  • Customer records, subscriptions, invoices, charges, refunds, and payouts from Stripe.
  • Aggregate analytics, ad spend, conversion, and error-tracking data from any integrations you connect.

We do not collect or store your customers' payment card data. We do not initiate charges or refunds against your Stripe account.

1.3 Information collected automatically

  • Log data. IP address, browser type, pages visited, timestamps, and similar request metadata.
  • Essential cookies. A first-party session cookie to keep you logged in, a CSRF token cookie for form security, and a cookie that remembers your cookie choices.
  • Optional website analytics. If you choose Accept analytics on our cookie banner, we load Google Analytics 4 (GA4) on the FlarePath marketing site and app shell. GA4 may set analytics cookies to measure pages visited and similar usage. We do not load GA4 until you opt in. You can reject analytics or change your choice anytime via the cookie banner (clear the flarepath_consent cookie in your browser to see it again) or by emailing us.
  • Optional marketing cookies. If you enable marketing cookies in Manage preferences, we may load advertising and remarketing tags (for example Google Ads). These stay off unless you opt in separately from analytics.
  • Email delivery events. Open, click, bounce, and complaint events reported by our email delivery provider (Resend).

2. How we use your information

We use the information described above to:

  • Provide, operate, and maintain the FlarePath service.
  • Compute and display subscription and website metrics (including MRR, churn, retention, and related aggregates when you connect Stripe and Google Analytics).
  • Send the weekly digest email and other transactional messages you have requested.
  • Authenticate you, secure your account, and prevent abuse.
  • Respond to your questions, feedback, and support requests.
  • Diagnose technical issues and improve the product.
  • Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your business data to train machine-learning models for resale or for any third party. We do not use your data for advertising.

3. How we share your information

We share information only with the limited set of service providers needed to run FlarePath, and only to the extent required for them to perform their function:

  • Cloud hosting. Render, Inc. hosts the application and the database.
  • Email delivery. Resend sends transactional and digest emails.
  • Payment processor (when applicable). Stripe, Inc. processes any subscription payments you make to FlarePath after the beta.
  • Website analytics (only if you opt in on our site). Google LLC (Google Analytics 4) processes usage data from the FlarePath website when you accept analytics cookies. See Google's Privacy Policy and Google Analytics opt-out.
  • Product integrations (only if you connect them). Google LLC (Google Analytics 4, Google Ads, Google Tag Manager) returns aggregate analytics and ad data from your business accounts via read-only API calls you authorize in FlarePath. This is separate from optional cookies on our website.
  • Error monitoring (optional). Sentry, if enabled, receives error stack traces that may contain technical metadata.

Each of these processors is bound by their own terms and privacy commitments and is permitted to use your data only to provide their service to us.

We may also disclose information when we believe in good faith it is necessary to:

  • Comply with a law, regulation, subpoena, or legal process.
  • Protect the rights, property, or safety of FlarePath, our users, or the public.
  • Enforce our Terms of Service or investigate possible violations.
  • Effect a merger, acquisition, or sale of assets, in which case we will notify you in advance and give you the opportunity to delete your account.

4. How we store and protect your data

  • Encryption in transit. All connections to FlarePath are encrypted with TLS.
  • Encryption at rest. Your Stripe API key and other third-party credentials are encrypted at rest using Fernet (AES-128 in CBC mode with HMAC authentication). Database backups are encrypted at rest by our hosting provider.
  • Access controls. Only the founder operates production systems. Access requires multi-factor authentication and is limited to the minimum necessary to support the service.
  • Read-only credentials. We ask you to use a Stripe restricted key with read-only scopes so that even in the unlikely event of a breach, no charges can be made against your account.

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we work continuously to protect your data.

Breach notification. If we become aware of a personal data breach affecting your information, we will notify you and, where required, the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

5. Data retention

  • We retain account, integration, and metrics data for as long as your account is active.
  • If you delete your account, we delete your personal data and connected credentials within 30 days, except where we are required to retain it for legal, accounting, or fraud-prevention purposes.
  • Aggregated, anonymized data that cannot be linked back to you may be retained indefinitely.
  • Server logs are typically retained for up to 90 days.

6. Your rights and choices

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your personal information.
  • Export a copy of your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.

You can disconnect any integration or delete your account at any time from within FlarePath. To exercise any other right, email sean@deliberatelyworks.com. We will respond within 30 days.

6.1 California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right not to be discriminated against for exercising any of these rights. FlarePath does not sell or share personal information for cross-context behavioral advertising.

6.2 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, our lawful bases for processing your personal data are: performance of a contract (to provide the service you have signed up for); our legitimate interests in operating and improving the service; and your consent, where applicable. You may lodge a complaint with your local data protection authority.

7. International data transfers

FlarePath is hosted in the United States. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data protection laws different from those of your country.

8. Children

FlarePath is intended for business use by adults. It is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

9. Third-party links and services

FlarePath contains links to third-party sites and services (for example, Stripe's documentation, your own Stripe dashboard, or social platforms). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will notify you by email or by a prominent notice in the application before the change takes effect.

11. Contact

If you have questions about this policy or our data practices, contact us: