Privacy policy

Last updated · 2026-05-16

FlyWheel ("we", "us") is a private-beta product operated by Ben Bowler from the United Kingdom. We take privacy seriously and have written this policy in plain English. This is the version in effect as of 16 May 2026.

If anything below is unclear, or you have a privacy request, email hello@flywheelagents.com.

What this policy covers

This policy applies to flywheelagents.com (the marketing site) and connector.flywheelagents.com (the FlyWheel MCP server, when invited to private beta). It explains what data we collect, how we use it, who we share it with, and your rights over it.

Google API Services User Data Policy

FlyWheel's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use commitments

FlyWheel will not:

  • Use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
  • Transfer Google user data to third parties except as necessary to provide or improve the service to you, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with adequate notice to you.
  • Allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for FlyWheel's internal operations on data that has been aggregated and anonymized.
  • Use Google user data to train, evaluate, or fine-tune any machine learning or AI model that is generalized or used for any purpose other than providing the FlyWheel service to you, the user who authorized access.

OAuth and ad-platform credentials

When you connect a Google Ads account (or any other ad platform) to FlyWheel, you authorize FlyWheel via OAuth 2.0. The platform issues FlyWheel an access token and a refresh token scoped to the permissions you grant.

Scopes we request

  • Google Ads: https://www.googleapis.com/auth/adwords — enables FlyWheel to read campaign, ad group, and ad data, view performance reports, and create entities on your behalf. We request no additional scopes we do not use.

How we store tokens

Access and refresh tokens are encrypted at rest using AES-256-GCM and are never written to application logs, error reports, or analytics. Tokens are stored only in our application database, accessible only to the operating FlyWheel infrastructure for the purpose of fulfilling tool calls from your authorized agent. Tokens are not shared with sub-processors except the encrypted-storage provider (Neon, see below).

Revoking access

You can revoke FlyWheel's access at any time by visiting Google Account permissions, by emailing hello@flywheelagents.com, or by removing the connection from the FlyWheel dashboard. On revocation we delete the associated tokens within 7 days and stop all background API calls immediately.

What data we collect

From the marketing site (flywheelagents.com)

  • Waitlist signups: the email address you submit, and the optional "what you're building" note. We use these to communicate about the beta and to invite you to onboarding.
  • Pageviews: aggregate, cookieless analytics via Plausible (see "Analytics" below).
  • Server logs: standard web-server logs (IP, user agent, timestamp, response status). Retained 30 days for security and abuse investigation.

From the connector app (private beta)

  • Account data: the email address and business name you provide on sign-up.
  • OAuth tokens: as described above, encrypted at rest.
  • Audit log: for every tool call your agent makes, we record the tool name, the call arguments (with sensitive values redacted), the result status, latency, and the API key that initiated the call.
  • Ad-platform data: when your agent reads from a connected ad platform, we may briefly hold the response in memory to deliver it to the agent. We do not persist ad-platform data beyond what is necessary to fulfill the request or maintain the audit log.

How long we keep it

  • OAuth tokens: until you revoke; deleted within 7 days of revocation.
  • Audit log entries: 90 days by default. Custom retention available on request.
  • Account data: retained for active accounts; deleted within 30 days of an explicit deletion request.
  • Waitlist emails: retained until you ask us to remove them.
  • Server logs: 30 days.

Sub-processors

We use the following sub-processors to operate FlyWheel:

  • Vercel (United States) — static site hosting and edge functions.
  • Neon (European Union) — Postgres database hosting (encrypted at rest).
  • Plausible Analytics (European Union) — cookieless aggregate analytics.
  • Google Workspace (Ireland / European Union) — operates the hello@flywheelagents.com mailbox.
  • GitHub (United States) — source control. No personal data is committed.

When this list changes, we update this page. Email hello@flywheelagents.com to subscribe to sub-processor change notices.

Analytics

We use Plausible Analytics, a cookieless, privacy-friendly analytics provider hosted in the European Union. Plausible does not set cookies and does not collect personally identifiable information. IP addresses are processed only for the duration of the request and discarded; they are not stored.

Our lawful basis for this processing is legitimate interests (GDPR Art. 6(1)(f)). Because no cookies are set and no personal data is retained, no consent banner is required. We do not use Google Analytics, Facebook Pixel, LinkedIn Insight, Hotjar, or any other advertising or tracking pixel.

Your rights (GDPR / UK GDPR)

If you are in the UK or the EEA, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Have your data deleted ("right to erasure")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority

Email hello@flywheelagents.com to exercise any of these rights. We respond within 30 days.

California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, to delete it, and to opt out of any sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising. To make a deletion or access request, email hello@flywheelagents.com.

Security

We hash API keys with SHA-256. We encrypt OAuth tokens at rest with AES-256-GCM. We use TLS for all data in transit. Our servers run with strict Content Security Policy, HSTS, and other defense-in-depth controls (see /.well-known/security.txt for our security disclosure contact).

Children

FlyWheel is intended for users aged 18 and older. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email hello@flywheelagents.com and we will delete it.

International transfers

FlyWheel is operated from the United Kingdom. Some of our sub-processors are located in the United States (see list above). When personal data is transferred outside the UK or EEA, we rely on the European Commission's Standard Contractual Clauses or an applicable adequacy decision to ensure appropriate safeguards.

Changes to this policy

We will update this page if our practices change. The "last updated" date at the top of this page reflects the most recent change. Material changes will be announced via email to active users.

Contact

Privacy questions: hello@flywheelagents.com. Security issues: security@flywheelagents.com. Operator: Ben Bowler, United Kingdom.