Privacy Policy

By using the website (“service”), or any services of Bullet Train Ltd, you are agreeing to be bound by the following privacy policy (“privacy policy”). If you are entering into this agreement on behalf of a company or other legal entity, you represent that you have the authority to bind such entity, its affiliates and all users who access our services through your account to these terms and conditions, in which case the terms “you” or “your” shall refer to such entity, its affiliates and users associated with it. If you do not have such authority, or if you do not agree with these terms and conditions, you must not accept this agreement and may not use the services.

Who Are We?

Flagsmith is a Software-as-a-Service (SaaS) platform provider that serves companies looking to implement feature flags in their overall software development lifecycle. Feature flags allow software developers to change application behavior from outside of the application without redeploying their code. This has a number of benefits including a separation of risks, ability to deliver different experiences in a targeted manner, and the lower administrative burden of software release. Flagsmith provides a turnkey robust feature management solution that offers high availability, scalability, and audit control.

Because Flagsmith customers themselves have customers, language can get very confusing. In this document, we refer to our customers (Companies who utilize our platform in their software) as members (team members). We refer to the customers of those members to be “users” or “end-users”. When the generic pronoun “you” is used, it is meant to refer to anyone reading this policy and can generically mean anyone who interacts with our website, a member of our services, or a user of one of our members.

This policy largely deals with members, how we keep their data safe, and how we are allowed to use their data. If you are an end-user of one of our member’s services, then you should consult their privacy policy instead, as the member policy applies to the information collected instead of this policy. Flagsmith collects data from our members about their user under their direction, but we do not have a direct relationship with users themselves. This policy applies to the data as long as we retain the data.

This policy does not cover third party websites, products, or services even if they link to our services—you should consider their own privacy policies carefully. If you disagree with the practices described in this policy, then you should (a) take necessary steps to remove cookies from your computer after leaving our website, and (b) discontinue your use of our services.

How Do We Use Data?

The data we collect depends on how our services are used. We receive some data directly, like when you visit one of our web properties, sign up for a trial, or send us email. Other times, we get data indirectly, like when we record that you visited one of our websites using technologies like cookies. We also get data from third parties, like from our members when they pass data to us to process.

The collection and use of data is essential to the value that we provide as a service, as well as improve on the services we provide; but we aim to do our best to keep data safe and secure.

Data We Collect

  1. Personal Data. {‘ ‘} We call data that identifies, or could be used to reasonably identify you as “Personal Data”. We collect Personal Data in various ways, like when you register for trial accounts or interact with our sales team. Personal Data does not include data that has been anonymized, psuedonymised, or minimized such that it cannot be reasonably associated with a person.
  2. Service Data. {‘ ‘} We call data that our members send to us about their users “Service data”. Flagsmith’s core service allows our members to submit details about their end-users to enrich their experiences through our platform. Our members have a responsibility to understand the data they send to us and to take the appropriate disclosures, precautions, and responsibilities regarding the content of the service data they provide to us.
  3. Other Data. {‘ ‘} We call any other data that is not Personal Data or Service Data “Other Data”. We collect Other Data through a variety of sources. One of those sources are cookies and other technologies that record data about the use of our website. Other data that we may collect include:
    • Browser and device data , such as IP address, device type, operating system and internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the version of the Services you are using;
    • Transaction data , such as purchases, purchase amount, date of purchase, and payment method that you have submitted to us as a course of ordering our services;
    • Cookie and tracking technology data , such as time spent on the Services, pages visited, language preferences, and other anonymous traffic data; and
    • Company data , such as a company’s legal structure, product and service offerings, jurisdiction, company records, and information submitted to us by you in interacting with our sales team.
    • Browser and device data , such as IP address, device type, operating system and internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the version of the Services you are using;

How We Use Data

We collect information about our customers for the following reasons and not for other reasons:

  1. Personal Data. {‘ ‘} We and our service providers use Personal Data to provide our Service. Examples of how we use personal data include:
    • Enumerating you and your team for the purposes of access to our platform
    • To deliver information to your subscribed applications in order to provide service
    • To respond to inquiries, send service notices, and provide customer support
    • For audits, regulatory purposes, and compliance with industry standards
    • To develop new products
    • To send marketing communications
    • To improve or modify our services
    • To conduct analysis and develop insights that enable us to operate, protect, make informed decisions and report on our business.
  2. Service Data. {‘ ‘} We utilize service data for no purpose except to deliver the functionality that our platform provides to our members.
  3. Other data. {‘ ‘} We utilize other data in a number of ways, but we comply with applicable law and contractual agreements. In some areas, like the European Economic Area Countries, we may be required to treat Other Data like Personal data. In areas where this is the case, we will process this data as if it were Personal data under our privacy policy.

How We Disclose Data

Flagsmith does not sell Personal Data or Service Data to marketers or unaffiliated third parties. Data collected by Flagsmith will only used for the purposes of furthering, improving, and expanding the Flagsmith business. We share Personal and Service Data with the following third parties:

  1. To Flagsmith Service Providers. {‘ ‘} In order to deliver the services that make up the Flagsmith Product, we rely on service providers (e.g. infrastructure providers, and affiliated) to provide key functionality both in the operation of our product as well as the operation of the Flagsmith company.
  2. To our members. {‘ ‘} We process and collate service data that is provided to us by our members in order to deliver the services to our members.
  3. To third parties. {‘ ‘} In the event of a reorganization, merger, sale, joint venture, assignment, transfer of any part of our business to third parties.
  4. Safety, Legal and Law Enforcement. {‘ ‘} We use and disclose data as we believe necessary under the applicable law, to enforce our own terms and conditions, to protect our rights, privacy, safety, or property, as well as to respond to requests from courts, law enforcement, regulatory agencies, and government authorities, which may include countries outside of your country of residence.

Security and Notification of Breaches

Flagsmith takes security very seriously, and if you have reason to believe that your data or someone elses data is no longer secure, please contact

In the event of a security breach, we will take take necessary measures to ensure the continued safety of data and contact affected parties within a reasonable amount of time about the scope and scale of the unauthorized disclosure.

Retention Period

We retain data as necessary to provide the services as described in this policy unless a longer retention is required by law. For personal data, we retain information about you until are no longer a customer, though some data is retained for the purposes of audit. Service data is retained for a period of no more than 30 days, save for data that is required as a part of audit control.

The above principals of how we will manage the data, use the data, protect the data, and remove the data will apply for as long as we control the Personal data.

User of Service by Minors

Flagsmith’s core services are not directed to minors and we request that minors do not provide to us any Personal Data. We rely on our members, when acting in the role of a Data controller, to take responsibility for making sure their users’ privacy rights are respected and ensuring that the appropriate disclosures are made about third party collection and use.

Right to Access, View, or Remove Your Information

You have a right to access the personal information we hold about you. Whenever you use our site or Flagsmith Services, we strive to make sure that your Personal Information is correct. If that information is wrong, we give you tools and methods to update it quickly or delete it, unless that information is necessary for legal or business purposes. When updating your Personal Information, we may ask you to verify your identity before making changes. We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing new systems or fundamentally changing our existing practice), risk the privacy of others, or would be extremely impractical (e.g. requests concerning information on our backup systems). Because we protect information from accidental or malicious destruction, after data is removed from our servers, it can take some time for that data to be purged.

To request removal of your Personal Information from our site or services, contact us at Flagsmith cares deeply about the sanctity of your data and our privacy team will manage each request on a case by case basis.

We totally understand your right to have us stop contacting you. We endeavor to give you the ability to control the way we contact you. You may use the the links at the bottom of each communication to opt-out of further communications.

If you are a user of one of our member’s services and need to correct, amend, or delete inaccurate data about you, please contact the member—in this case, they are the data controllers. We will comply with the wishes of our members should they direct us to take action about the modification/removal of collected data.


Our services are global and Data (of all classifications) may be stored and processed anywhere where we or one of our service providers has services. We may transfer data to countries outside of your country of residence, which may have different rules applicable to your data. Flagsmith will take measures to ensure that any transfers comply with applicable laws and your data remains protected as per this policy.

How do I contact the Flagsmith Data Privacy Officer?

Flagsmith’s Data Privacy Officer is Matthew Elwell, and you can contact him at

Is Flagsmith compliant with the General Data Protection Regulation (GDPR)?

Flagsmith has taken steps to elect a Data Privacy Officer, to ensure that we have adequate data protection policies, procedures, and practices. We believe that we are fully in compliance with the provisions and principles of GDPR.