Privacy Policy — Flintnet

🔒

Your Data Stays Local

All network data is processed on your own infrastructure. Nothing is transmitted to Flintnet.

📡

No Telemetry

Flintnet contains no analytics, usage tracking, or telemetry of any kind.

👤

You Are the Controller

As a self-hosted operator, you are the data controller for all data your deployment processes.

Overview

This Privacy Policy explains how Flintnet handles data in connection with your use of the Flintnet software. Flintnet is a self-hosted network monitoring product — it runs entirely on infrastructure you own and control.

Flintnet does not collect, transmit, store, or process any data on our servers. We have no visibility into your network, your devices, or your traffic. This Privacy Policy is therefore primarily concerned with your obligations as the operator of a Flintnet deployment, not ours.

This policy should be read alongside our Terms and Conditions.

Who We Are

Flintnet is developed and distributed by its creator as a self-hosted network monitoring product for MSPs and SMBs. For any privacy-related enquiries, please contact us at legal@flintnet.io.

For the purposes of applicable data protection law, Flintnet is not a data processor in relation to any data your deployment handles. You, as the operator, are the sole data controller for all data processed by your Flintnet installation.

Data We Do Not Collect

The following is an explicit list of data that Flintnet does not collect from your deployment under any circumstances:

Network traffic, packet captures, or flow records from your network.
Device inventory, IP addresses, MAC addresses, or SNMP data from your monitored devices.
Security alerts, anomaly detections, or topology data generated by your deployment.
Configuration values, environment variables, API tokens, or SMTP credentials.
Usage statistics, feature usage, session durations, or any form of analytics.
Crash reports or diagnostic telemetry.
Log files or error output from the agent or UI.
Any personally identifiable information about users of the Flintnet UI.

Flintnet contains no outbound network calls to Flintnet servers, analytics platforms, or any third-party data collection service. You can verify this by inspecting the source code or monitoring outbound connections from your deployment.

Data Processed Locally by Flintnet

The following data is processed entirely within your infrastructure by the Flintnet agent and stored in your local InfluxDB instance. None of this data leaves your network.

Data Type	Description	Storage Location
Network flows	Source/destination IPs, ports, protocol, byte and packet counts	InfluxDB (local)
Device inventory	IP addresses, MAC addresses, SNMP system descriptions, device type	Local JSON file
ARP records	MAC/IP associations, manufacturer, first and last seen timestamps, IP history	In-memory (agent)
Interface metrics	Per-interface utilisation percentages from SNMP polling	InfluxDB (local)
Security alerts	ARP spoof, rogue device, duplicate IP events with associated MACs and IPs	In-memory ring buffer
Anomaly records	Flow-level traffic anomalies with EWMA deviation data	InfluxDB (local)
Topology data	LLDP/CDP neighbour relationships between devices	In-memory (agent)

Your Role as Data Controller

Because Flintnet is self-hosted and all data remains on your infrastructure, you are the data controller for all personal data processed by your deployment. This means you are responsible for:

Establishing a lawful basis for monitoring network traffic, particularly where that traffic belongs to employees, customers, or other identifiable individuals.
Providing appropriate notice to data subjects whose traffic may be captured and analysed.
Implementing appropriate data retention policies — including configuring InfluxDB retention periods to align with your legal obligations.
Responding to data subject access requests, deletion requests, and other rights exercised under applicable law.
Ensuring appropriate technical and organisational security measures are in place for your deployment.
Complying with all applicable data protection legislation in your jurisdiction, including GDPR (where applicable), POPIA (South Africa), and any other relevant frameworks.

Important: If your Flintnet deployment monitors a network used by employees or third parties, you may have legal obligations to notify those individuals that their network activity is being monitored. Please seek legal advice appropriate to your jurisdiction before deploying Flintnet in such environments.

Network Traffic Data

Flintnet captures network packets and derives flow records from them. This data may include:

Source and destination IP addresses, which may identify individual users or devices.
Source and destination port numbers, which may reveal the type of application or service in use.
Protocol information (TCP/UDP).
Traffic volumes and timing information.

Flintnet does not capture or store packet payloads — only flow-level metadata is retained. However, even flow-level metadata can constitute personal data under applicable law if it is capable of identifying an individual.

ARP data collected by Flintnet includes MAC addresses, which may in some circumstances be linked to specific devices or individuals. MAC addresses are stored locally in the ARP registry and in your InfluxDB instance.

Email Alerting

If you configure SMTP email alerting, Flintnet will send alert notifications to the address specified in FLINTNET_ALERT_EMAIL. These emails are sent directly from the agent on your infrastructure to your configured SMTP server — they do not pass through Flintnet's systems.

Alert emails may contain network data such as IP addresses, MAC addresses, and device information relating to the security event that triggered the alert. You should consider this when configuring the recipient address and ensure the email account is appropriately secured.

Your SMTP credentials are stored only in your local .env file and are never transmitted to or stored by Flintnet.

Data Retention

Flintnet does not impose any data retention policy on your deployment. You are responsible for configuring appropriate retention periods for data stored in your InfluxDB instance.

The following data is held in memory only and is lost when the agent is restarted:

ARP table and device security alert ring buffers.
Network topology data.
Active flow table.

The following data is persisted to disk and will accumulate until manually removed or until InfluxDB retention policies expire it:

Flow metrics in InfluxDB.
Interface utilisation metrics in InfluxDB.
Anomaly records in InfluxDB.
Device registry in /var/lib/flintnet/devices.json.

We recommend configuring an InfluxDB retention policy appropriate to your legal obligations. For most deployments a 90-day retention period provides sufficient operational history while limiting data accumulation.

Data Security

As a self-hosted product, the security of your Flintnet deployment and all data it processes is your responsibility. We recommend the following as a minimum:

Deploy Flintnet on a dedicated, hardened host with restricted access.
Configure a strong, unique API token via FLINTNET_API_TOKEN and rotate it regularly.
Do not expose the Flintnet web interface or REST API directly to the internet. Use a VPN or authenticated reverse proxy.
Restrict access to the InfluxDB instance to the Flintnet agent only.
Store the .env file with restrictive file permissions (chmod 600).
Keep the Flintnet agent and UI updated to the latest release.

Third-Party Services

Flintnet itself does not integrate with any third-party data services. However, the following optional integrations may involve third parties depending on your configuration:

SMTP provider — if you configure email alerting, alert emails are delivered via your chosen SMTP provider. Your SMTP provider's privacy policy applies to those emails.
MAC address manufacturer lookup — device manufacturer names are resolved from the MAC address OUI prefix using a locally bundled lookup table. No external API calls are made for this lookup.

Flintnet does not use any advertising, analytics, or tracking services.

Your Rights

Because Flintnet does not collect or hold any personal data about you or your end users, most data subject rights (access, rectification, erasure) are not applicable to Flintnet as a data processor — we hold nothing to provide, correct, or delete.

If you are an end user of a network monitored by a Flintnet deployment operated by a third party (such as your employer or MSP), your data subject rights should be directed to that operator as the data controller, not to Flintnet.

If you have a privacy concern specifically relating to the Flintnet software itself, please contact us at legal@flintnet.io.

Children

Flintnet is a professional network monitoring product intended for use by network administrators and IT professionals. It is not directed at, and should not be used by, individuals under the age of 18. We do not knowingly collect any information from children.

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in the product, applicable law, or our practices. The current version will always be available at flintnet.io/privacy.

Where changes are material, we will provide notice via our website or through the product release notes. Your continued use of Flintnet following such notice constitutes acceptance of the updated policy.

Contact

For any privacy-related questions or concerns, please contact us:

Email: legal@flintnet.io
Website: /#support

We will respond to all legitimate privacy enquiries within a reasonable timeframe.