FluxNote Security and Privacy: What Happens to Your Videos and Data

The core question is: who owns the AI video you just made? With FluxNote, you do. Our Terms of Service explicitly state that you retain all rights to the content you generate using our platform.

We do not claim any ownership. This is not just a policy statement; it's operational.

The videos you download are yours to use commercially—in ads, on social media, for client work—without requiring additional licensing from us or attribution. This contrasts with platforms that retain broad licenses to use your content for their own model training or promotional purposes.

Your 21 videos per month on the $7.99/mo Rise plan are 21 assets you fully control. We act as a processor, providing access to third-party AI models like Sora 2 Pro and Veo 3.1, but the output is your property.

This clear demarcation is essential for creators, agencies, and businesses who need to protect their intellectual property and avoid downstream licensing surprises.

We minimize data collection to what's required for the service to function and improve. This includes your account information (email, plan tier), usage data (credits consumed, models used), and the content you actively input (prompts, uploaded images for face identity, audio for voice cloning).

We do not, however, store the raw video output files on our servers indefinitely for Free, Rise, or Pro plan users. They are cached temporarily for delivery and then purged.

For Max plan users, a longer cache may apply for convenience. Crucially, we do not use your prompt data or generated videos to train our own foundational AI models.

We use aggregated, anonymized usage data (e.g., 'Veo 3.1 is used 30% more than Kling 3.0') for internal product decisions. Your input data for features like PuLID face identity is processed to create the model and is not used for any other purpose.

All data in transit is encrypted using TLS 1.2+. We use established cloud infrastructure providers (AWS, Google Cloud) for hosting, relying on their physical and network security controls.

FluxNote operates under a data processing framework designed to meet global standards. We act as a data processor for our users, adhering to GDPR principles for our EU users and similar regulations elsewhere.

This means we have defined procedures for data subject requests (like access or deletion). We are currently undergoing a SOC 2 Type I audit, with the goal of Type II, to provide an independent verification of our security controls.

A critical layer of transparency involves the third-party AI models we provide access to, such as OpenAI's Sora or Google's Veo. When you generate a video, your prompt and parameters are sent to the respective model provider's API.

Each provider has its own privacy policy regarding this data. For example, as of 2026-05-14, OpenAI states it does not use data from its API to train its models.

We surface links to these key policies within the app so you can make informed choices about which model to use for sensitive projects. FluxNote's role is to broker access while enforcing our own strict contractual terms with these providers regarding data handling.

Account security starts with authentication. We support standard email/password login with bcrypt hashing for passwords.

We encourage and support the use of strong, unique passwords. For added security, we recommend using a password manager.

We do not store your full payment card details on our servers. All payment processing is handled by PCI-DSS compliant third-party payment gateways (Stripe, PayPal).

For our users in India, we accept UPI payments directly through a secure gateway, which also avoids card data handling. Your billing information (plan, renewal date, invoice history) is stored securely and is only accessible to you and our limited billing support staff.

We monitor for anomalous login attempts and will notify you of logins from new devices. If you suspect unauthorized access, you can immediately revoke all sessions from your account settings.

For teams or enterprise needs, we can discuss single sign-on (SSO) options. The principle is simple: your creative workspace should be as secure as your email inbox.

Specific features raise specific concerns. For PuLID face identity: you upload a reference image.

This image is sent to the model provider to generate a face embedding. We do not store the original reference image long-term after processing.

The embedding is stored linked to your account to use in future generations. You can delete this face identity data at any time from your dashboard, which purges the embedding.

For ElevenLabs voice cloning (available on Rise plan and above): the process is similar. Your audio sample is processed to create a voice profile.

The original audio is not retained. The profile is yours to use or delete.

For confidential prompts—for example, generating a video for an unannounced product—your prompt text is stored in our database as part of your project history so you can revisit it. This data is encrypted at rest.

You can permanently delete projects, which removes the prompt and metadata from our active systems. For maximum confidentiality, you could use a generic prompt in the app and refine the video details in a separate, secure document.

Using models like GPT Image 2 or Imagen 4, which have clear API data policies, adds another layer of predictability for sensitive work.

Control includes the right to exit. When you cancel a paid plan (Rise, Pro, Max), you revert to the Free plan limits (1 video/month, 100 image credits) at the end of your billing period.

Your existing projects, generated content, and data remain in your account unless you delete them. When you delete your account, we initiate a full data purge process.

This includes your personal account information, project metadata, prompts, stored face/voice identities, and any cached generated media. Deletion is permanent.

Backups containing your data are retained for a limited disaster recovery period (typically up to 30 days) before being cycled out. We do not retain your data 'in case you come back.' A deleted account is a closed ledger.

This process applies globally, whether you were on the US $19/mo Pro plan or the India ₹1699/mo Pro plan. If you have outstanding credits or an active subscription period when you delete, they are forfeited.

We recommend using remaining credits and downloading final videos before initiating deletion.

It's important to separate concerns.

The primary 'threats' for most users are: 1) Unauthorized access to their account (mitigated by strong passwords and monitoring). 2) The platform misusing their content or data (mitigated by our clear ownership policy and no training on user data). 3) A data breach exposing their email, prompts, or project names (mitigated by encryption and access controls).

The reality is that FluxNote is not a high-value target for attackers seeking financial data (we don't store it) or massive troves of personal data (we collect minimal PII).

The more valuable data—the final video files—are transient.

Our security investments are proportional to this model: ensuring infrastructure is patched, access is logged, and data is encrypted.

For users with extremely high-security needs (e.g., generating content for unreleased blockbuster films), the weakest link may be the third-party model's API.

In those edge cases, we recommend using the platform with generic asset placeholders and completing final versions internally.

For the other 99.7% of use cases—UGC-style ads, faceless explainers, social reels—our security and privacy posture is more than sufficient.