Privacy Policy
Effective 6 May 2026
Fluxora is a self-hosted media streaming product. Most of what people call "user data" in a typical SaaS context — your media files, library index, watch history, paired-device tokens, preferences — lives on hardware you own and control. None of it touches Fluxora-controlled systems. This page covers the narrow surface where data does flow through systems we control: the marketing site, the paid-tier purchase + license-delivery path (which routes through Polar), and any opt-in integrations the operator turns on.
This policy is written under and complies with the spirit of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / CPRA, and India's Digital Personal Data Protection Act, 2023. The canonical version of this policy is the PRIVACY.md file in the GitHub repository — this rendered page mirrors it.
1. Who is responsible for your data
Maintainer / data controller: Marshalx (portfolio at marshalx.dev), individual operator, Delhi, India. GitHub @Marshal-GG.
Fluxora is not a registered legal entity. There is no Data Protection Officer — the maintainer reads every privacy email personally. For data the operator collects on their own self-hosted server: the operator is the controller of any data their paired clients send to their server. We provide the software; we are not a controller or processor of an operator's media library.
2. What data we actually collect
This list is exhaustive. If a category isn't here, we don't collect it.
2.1 Marketing site (fluxora.marshalx.dev)
The marketing site is a static export served by Cloudflare Pages. It runs no analytics, sets no cookies, embeds no tracking pixels, includes no third-party JavaScript beyond what Next.js statically inlines. Cloudflare may collect standard request metadata on our behalf for platform operations and DDoS protection: IP address, user-agent, timestamp, request method/path, HTTP referrer. We never see this in identifiable form. See Cloudflare's privacy policy.
We do not receive Cloudflare Analytics. We do not log IPs server-side. We do not store anything keyed to a visitor identity from this site.
2.2 Paid-tier purchases (Polar)
Plus, Pro, and Ultimate purchases are processed by Polar (Stripe-backed). Polar collects: your email, billing address (for tax compliance — GST in India, sales tax / VAT elsewhere), payment-method details, the Polar order ID, the items purchased. Card details never touch Fluxora. See Polar's privacy policy.
Polar shares back to Fluxora's webhook only: the Polar order ID, your email address, the product purchased (which maps to a tier), the order timestamp.
Fluxora stores in our polar_orders table:
- order_id — for idempotency (prevents double-issuing on webhook retry)
- customer_email — solely to re-issue a license key if you lose it
- tier — the tier associated with your purchase
- license_key — the HMAC-signed key we generated and emailed you
- processed_at — audit + duplicate detection
We do not store: card numbers, CVV, billing addresses, IP addresses, payment-method tokens, or Polar customer IDs beyond the order ID. We do not market to you. There is no opt-in marketing list, no newsletter, no unsolicited mail.
2.3 The self-hosted server (operator side)
This is informational — it describes data on your own hardware that we never see. The Fluxora server stores in its local SQLite database: your media library index, paired client records (HMAC-hashed bearer tokens, never plaintext), stream-session history, operator settings (server name, transcoding preferences, optional TMDB API key, optional license key), and notifications generated by your server.
None of this leaves your hardware unless you explicitly opt in. Specifically: pairing requests + token issuance never touch us; LAN streaming never touches us; WebRTC P2P streaming is between your devices and your server (we never proxy); Cloudflare Tunnel HLS segments are blocked at the public ingress so media stays LAN-only.
2.4 Third-party services your server may contact
The operator's server may contact these depending on configuration: TMDB (when an API key is set, for poster art + metadata — sends only the file's cleaned title); the operator's own Cloudflare Worker proxy for TMDB (when configured to bypass ISP-level blocks); Cloudflare DoH at 1.1.1.1/dns-query (to resolve TMDB hosts past hijacked DNS); Cloudflare CIDR-range refresh on startup. We do not insert telemetry beyond these. There is no "phone home" check.
2.5 Sentry error reporting (opt-in)
If the operator sets FLUXORA_SENTRY_DSN to their own Sentry project's DSN, unhandled exceptions on the server are sent there. Bearer tokens, license keys, file paths under ~, customer emails, and TMDB API keys are scrubbed before send. The DSN belongs to the operator. We do not run a Sentry project that aggregates everyone's errors. Off by default.
3. What we explicitly do not do
This is not boilerplate — these are the specific behaviours we've decided not to engage in:
- No third-party analytics (Google Analytics, Plausible, Fathom, Amplitude, Mixpanel, Heap, Posthog, etc.) on the marketing site or the desktop / mobile clients.
- No behavioural cookies on the marketing site. Polar's checkout sets its own session cookies during payment — those are scoped to polar.sh, not us.
- No fingerprinting. No canvas, font, WebGL, or audio fingerprinting.
- No cross-site trackers, pixels, or beacons.
- No "phone home" telemetry from server, mobile, or desktop. No heartbeat, no update-check ping.
- No data sales, sharing, or rentals. We have not entered any data-sharing agreement.
- No advertising. No ad networks, no sponsored content.
- No use of your media library content for any purpose. We have no access to it.
- No marketing emails. The only mail we'll ever send a customer is the license-key delivery (and a single re-issue if you ask).
- No machine-learning training on customer data.
- No account creation requirement for the Free tier.
4. Cookies & local storage
Marketing site: zero cookies, zero localStorage / sessionStorage writes. Inspect with DevTools to confirm.
Polar checkout (third-party iframe / redirect): Polar sets its own session, fraud-detection, and post-payment redirect cookies. Scoped to polar.sh and *.stripe.com, not to fluxora.marshalx.dev. Lifecycle governed by Polar's cookie policy.
Self-hosted server: uses HMAC-SHA256-hashed bearer tokens and opaque session identifiers in flutter_secure_storage on paired clients. These are functional credentials, not tracking cookies — scoped to your server, never sent to us.
5. Data retention
- Marketing site logs (Cloudflare Pages): per Cloudflare's standard retention. We do not export or aggregate.
- polar_orders table (license key + email): indefinite while the maintainer continues to operate. Deleted on request — see §7.
- Polar's own customer record: per Polar's policy. They retain payment records as long as required by Indian / EU / US tax law (typically 7 years for invoicing).
- Sentry error reports (if you opted in): per your project's retention setting. The maintainer has no access.
If the maintainer ever ceases to operate, the customer-email + license-key table will be deleted within 90 days. Your already-issued license key continues to work — it's a self-contained HMAC-signed token, not a database lookup.
6. Data security
Real implementations, not aspirational:
- License-key signing key stored in ~/.fluxora/config.json with file-system permissions; never logged. Validation is local.
- Bearer-token storage uses HMAC-SHA256 hashes only. The raw token is shown to the client once and never recoverable.
- Polar webhook verification uses Standard-Webhooks signatures. Replay attacks are prevented by an idempotency table on order_id.
- Admin endpoints are localhost-only; tunneled requests carrying CF-Connecting-IP are rejected even from loopback.
- HLS media segments are blocked on the public Cloudflare Tunnel ingress — your media never traverses the public internet via the tunnel.
- Logs are scrubbed of bearer tokens, license keys, customer emails, and home-directory file paths.
Marketing site: TLS 1.2+ enforced by Cloudflare Pages, HSTS preloaded, no mixed content, no third-party JS.
Paid-tier delivery: Polar / Stripe handle all PCI-scope. Card details never touch our infrastructure.
Found a vulnerability? See SECURITY.md.
7. Your rights
These rights apply globally; the legal basis varies by jurisdiction (GDPR for EU/UK, CPRA for California, DPDP Act for India). Where the law gives you a stronger right, that one applies.
- Access — get a copy of any data we hold about you.
- Correction — fix incorrect data (typo in email, etc.).
- Deletion — have your data deleted within 30 days. Your license key remains valid (HMAC-signed, not DB-looked-up).
- Portability — receive a JSON export.
- Objection / restriction — stop or limit processing.
- Withdraw consent — the only optional processing is your operator-side Sentry opt-in, which you revoke by unsetting FLUXORA_SENTRY_DSN.
- Lodge a complaint — with your local DPA (EU), the ICO (UK), the Data Protection Board (India), or the CPPA (California).
Exercise rights via privacy@fluxora.marshalx.dev. We respond within 30 days, usually much sooner. We will not retaliate for a rights request.
8. Children's privacy
Fluxora is not directed at children under 13 (or the equivalent age of digital consent in your jurisdiction). The Free tier requires no account and no age verification, so we collect nothing from children any more than from adults; the paid-tier path inherits Polar's age requirements. If you are a parent and discover your child has purchased a paid tier on a card you control, contact us — refund and deletion guaranteed.
9. International transfers
Data flows in the paid-tier path: visitor browser → Cloudflare edge (anycast, global) → Polar checkout (US-based via Stripe) → Fluxora server (maintainer's machine in Delhi, India). EU/UK data is processed under standard contractual clauses where applicable. India: governed by the DPDP Act, 2023, with the maintainer as data fiduciary.
10. Changes to this policy
Material changes will be announced on the GitHub repository at least 14 days before they take effect, and reflected by updating the "Effective" date at the top of this page. A material change adds a data category, adds a third-party processor, changes retention, or reduces your rights / our commitments. Cosmetic edits don't reset that clock.
11. Contact
- Privacy rights request: privacy@fluxora.marshalx.dev
- Security vulnerability: see SECURITY.md
- General questions: GitHub Discussion tagged privacy
- Escalation if your request was mishandled: marshalgcom@gmail.com
This policy describes Fluxora's actual data practices in plain language. It is not a legal opinion or contract drafted by counsel. If you spot something here that's wrong (a service we no longer use, a flow that's deprecated), file an issue. Privacy claims that don't match implementation are bugs; we treat them as such.