LEGAL
Privacy Policy
Last updated: 13 July 2026
Your privacy matters to us. This policy explains how Flagmint collects, uses, and protects your personal data in accordance with the UK/EU General Data Protection Regulation (GDPR) and other applicable laws.
1. Who We Are
Just Izzy Ltd ("Just Izzy", "we", "us", or "our") is a UK-registered SaaS company (England and Wales) that develops Flagmint, a feature flag management platform for European development teams. Our registered office is 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. We are the data controller for personal data collected through our website and platform.
2. Data We Collect
Information you provide directly: When you create an account, contact support, or subscribe to communications, we collect your name and email address, company name and job title, billing information (processed securely via our payment processor), usage data and preferences, and support communications.
Technical data collected automatically: We automatically collect technical data such as IP addresses, browser type, pages visited, and feature usage telemetry to improve our product and ensure security.
SDK and evaluation data: When your applications use our SDKs to evaluate feature flags, the SDK transmits context attributes you provide (such as user identifiers, custom properties, and segment membership) along with flag evaluation counts. This data is used solely to evaluate flags, calculate your usage, and provide analytics within your dashboard. We process this data on your behalf as a data processor; the specific attributes sent are determined entirely by your implementation.
3. How We Use Your Data
We process your personal data for the following purposes: providing and improving the Flagmint platform and services; processing payments and managing subscriptions; communicating product updates, security notices, and support responses; complying with legal obligations under UK and EU law; detecting and preventing fraud and abuse; and conducting aggregated analytics to understand product usage.
4. Legal Bases for Processing Under GDPR Article 6
For Our B2B Customers (Account & Service Delivery):
- Contract Performance: We process your business account details, API credentials, and configuration settings to deliver the feature flag services you have contracted to receive.
- Legitimate Interests: We process system logs, usage metrics, and platform performance data to ensure infrastructure security, prevent API abuse, and continuously optimize our SDKs.
- Legal Obligation: We process billing and corporate records to comply with applicable UK and EU tax laws and regulatory frameworks.
For End-User Context Data (Our Role as a Data Processor):
When our clients use our service to deliver targeted feature flags, we act strictly as a Data Processor. Our clients act as the Data Controllers and are responsible for obtaining the appropriate legal basis—such as Consent or establishing a Legitimate Interest—from their end-users before transmitting context data to our servers. We process this targeting data solely based on our clients' documented instructions and in accordance with our Data Processing Addendum (DPA).
- Purpose & Retention: We process end-user context data solely to evaluate feature flags and maintain an automated audit log matching evaluated context to flag outcomes. This data is hosted on our secure infrastructure without the use of third-party subprocessors, and is automatically hard-deleted after a maximum period of 14, 30, or 90 days, depending on the client's subscription tier.
5. Data Storage and International Data Transfers
5.1 Infrastructure and Data Residency
Our feature-flagging infrastructure is hosted via Railway, with application deployments and database backups strictly pinned to data centers located within the European Economic Area (EEA) (Amsterdam, Netherlands). All end-user context data and customer account data are stored at rest within the EEA.
5.2 Cross-Border Transfers (EU to UK)
As a company registered in the United Kingdom serving clients in the European Union, data transmitted from our EU clients to our platform constitutes an international transfer. These transfers are fully lawful under the European Commission’s statutory Adequacy Decision for the UK, which recognizes that UK data protection laws provide an equivalent level of security to the EU GDPR.
5.3 Transfers Outside the EEA and UK (Sub-processors)
Some of our business operational sub-processors (detailed in Section 9) may process limited account metadata outside the EEA or the UK. Where these transfers occur, we ensure that appropriate safeguards are implemented in compliance with Chapter V of both the EU GDPR and UK GDPR. This includes utilizing:
- The European Commission’s Standard Contractual Clauses (SCCs) for transfers originating in the EU.
- The UK International Data Transfer Addendum (UK Addendum) to the SCCs for transfers originating in the UK.
- Verification of valid Data Privacy Framework (DPF) certifications where sub-processors are based in the United States.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the specific purposes outlined in this policy, or to comply with our statutory legal obligations.
Our retention schedules are defined as follows:
- Account Data: Personal data associated with your B2B account profile is retained for the duration of your active customer relationship plus two (2) years.
- Billing & Corporate Records: Invoices, transaction data, and billing histories are retained for six (6) years to comply with UK statutory tax requirements and corporate filing laws.
- System Log Data: General platform telemetry and server security logs are retained for a maximum of twelve (12) months.
- SDK Evaluation Data (End-User Context): Logged end-user context attributes processed for targeting audits are automatically hard-deleted after 14, 30, or 90 days, depending strictly on your specific service subscription tier.
- Database Backups: Residual encrypted data contained within automated system backups and disaster-recovery snapshots is permanently overwritten and rotated out within thirty (30) days of primary deletion.
You may request earlier deletion of your account data at any time, subject to our overriding legal or financial retention requirements.
7. Your Rights Under the UK and EU GDPR
Depending on your jurisdiction, you have the following statutory rights regarding your personal data:
- Right of Access & Portability: Request copies of your data in a structured, machine-readable format.
- Right to Rectification: Mandate the correction of inaccurate or incomplete records.
- Right to Erasure & Restriction: Request the deletion ("right to be forgotten") or restriction of your data under specific statutory conditions.
- Right to Object: Object to data processing based on our legitimate interests or direct marketing tracking.
- Right to Withdraw Consent: Revoke previously granted consent at any time without detriment.
7.1 How to Exercise Your Rights
- For B2B Account Customers: To exercise any of your rights regarding your corporate account, billing profile, or platform settings, contact our compliance team at support@flagmint.com.
- For Client End-Users (SDK Context Data): Because we operate strictly as a Data Processor for the targeting context data sent through our SDK, we cannot directly alter or delete end-user records without our clients' authorization. End-users must submit data rights requests directly to the respective application or website provider (the Data Controller).
7.2 Statutory Complaints Handling Procedure
In accordance with Section 164A of the UK Data Protection Act (via the Data (Use and Access) Act 2025), if you believe your data has been handled unlawfully, you have a statutory right to file a formal complaint with us.
- We will formally acknowledge your complaint within thirty (30) days of receipt.
- We will investigate and provide a full resolution update without undue delay.
- If our internal resolution process fails to satisfy your concern, you may then escalate your complaint to our primary supervisory authority, the UK Information Commissioner’s Office (ICO), or your local EU National Data Protection Authority.
8. Cookies and Tracking Technologies
8.1 Our Platform and Web Console
We use strictly necessary first-party cookies and local browser storage (`localStorage`) to operate our web platform and customer console.
- Session Management: We store secure session authentication tokens (JWT) as cookies to verify your identity and maintain your logged-in status.
- Feature Gating:We deploy our own SDK within the web console to securely evaluate workspace permissions and subscription tiers. When you log in, functional account attributes (including your encrypted User ID, Organization ID, and current Billing Plan name) are evaluated in-memory and cached in browser `localStorage`. This is strictly necessary to render the appropriate technical tools, protect premium environments, and prevent interface lag.
Because these tracking technologies are used exclusively to deliver core services and features explicitly requested by you, a cookie consent banner is not legally required for our web console under the ePrivacy Directive or PECR. We do not use advertising, tracking, or optional third-party analytics cookies on our site.
8.2 Our SDK (When Integrated Into Client Applications)
Separate from our own web console, when our SDK is embedded within our clients' applications, it utilizes browser `localStorage` to cache flag evaluations and persist user context for their end-users.
- As detailed in Section 4, our B2B clients act as the Data Controllers for their respective deployments.
- Our clients are contractually responsible for determining if their specific usage requires prior end-user consent via their own corporate Consent Management Platforms (CMPs).
9. Third-Party Processors (Sub-processors)
We work with a limited set of third-party data processors to assist us in operating our platform and delivering our services. All sub-processors are bound by strict Data Processing Addendums (DPAs) that incorporate European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where cross-border transfers occur.
Our current sub-processors are:- Railway (Railway Corp.) — Application hosting and primary database infrastructure. Data is strictly pinned to EU data residency (Amsterdam, Netherlands).
- Stripe (Stripe Payments Europe, Ltd.) — Payment processing, billing automation, and subscription management. Processed within the EU region (Dublin, Ireland).
- Cloudinary (Cloudinary Ltd.) — Temporary media asset storage and system log exports. Pinned to the EU data residency region; all temporary export files are automatically deleted upon user download.
- Postmark (ActiveCampaign, LLC) — Transactional email delivery (system notifications, API alerts, and password resets). Data is processed in the United States and protected under the EU-U.S. Data Privacy Framework (including the UK Extension) and standard contractual frameworks.
We actively monitor our vendors and will update this list when our sub-processors change. We will notify affected customers of any material changes in advance. A current list is always available upon request support@flagmint.com.
10. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption at rest and in transit, role-based access controls, and regular security reviews.
In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority (the UK Information Commissioner’s Office and/or your local EU National Data Protection Authority) without undue delay and within 72 hours of becoming aware of or determining the breach, as required by Article 33 of both the UK GDPR and EU GDPR.
11. Automated Decision-Making and Profiling
11.1 Our Operational Role as a Data Processor
Flagmint operates strictly as a Data Processor when executing feature flag evaluations. The configuration, logic, and targeting criteria are defined, managed, and controlled entirely by our B2B customers (the Data Controllers). Flagmint does not act as an independent decision-maker, nor do we independently deploy algorithms to evaluate or profile individual end-users.
11.2 Regulatory Frameworks (UK and EU GDPR)
We do not engage in independent automated decision-making (ADM) or profiling that produces legal or similarly significant effects on individuals.
- Under the EU GDPR (Article 22): We do not independently initiate or control automated processing activities that trigger the strict prohibitions outlined under European Union frameworks.
- Under the UK GDPR (Articles 22A to 22D): In alignment with the Data (Use and Access) Act 2025, our platform does not act as a primary controller of automated decision-making workflows.
Where our B2B customers choose to utilize our feature-flagging infrastructure to execute high-consequence automated rollouts, A/B testing, or demographic segmentation, those customers retain sole statutory responsibility for implementing meaningful human intervention, conducting Data Protection Impact Assessments (DPIAs), and providing appropriate safeguards for their data subjects.
12. Data Processing Agreement (DPA)
When our B2B customers integrate our SDK into their applications, Flagmint processes personal data (such as end-user context attributes) strictly on their behalf. In these transactions, Flagmint acts as a Data Processor under Article 28 of both the EU GDPR and the UK GDPR (as amended by the Data Use and Access Act 2025).
To ensure complete regulatory compliance, a formal Data Processing Agreement (DPA)—which includes the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum—governs all processing activities. Our standard DPA applies automatically to all subscription tiers (including Free, Pro, Growth, and Custom plans) where customer SDK data is transmitted to our infrastructure.
A copy of our execution-ready DPA can be reviewed or signed by contacting our compliance team at support@Flagmint.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect operational changes, infrastructure updates, or shifting regulatory frameworks.
If we make a material modification to how we process your personal data, we will notify you via email or through a prominent disclosure inside our customer platform workspace at least fourteen (14) to thirty (30) days before the changes take effect, depending on the scope of the structural adjustment.
The effective date at the top of this page will indicate when the policy was last updated. Your continued use of our platform after the specified effective date indicates that you have read, understood, and acknowledged the current version of this Privacy Policy.
14. Contact Us
For privacy-related questions, data subject requests, or to contact our Data Protection Officer, please write to: support@flagmint.com or by post to Just Izzy Ltd, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
Questions about this policy?
Contact our Data Protection Officer at dpa-officer@flagmint.com
Ready to start experimenting?
Run your first A/B test today. No credit card required.