Privacy Policy

This Privacy Policy explains how Flipstash ("we", "us", "our") collects, processes and protects personal data of users ("you", "your") of the Flipstash web application and any related native mobile applications (collectively, the "Service"). It is issued in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable laws.

1. Data Controller

The controller within the meaning of Art. 4 (7) GDPR is:

FUTR UG (haftungsbeschränkt)
[REVIEW: street and house number]
[REVIEW: postal code] Lübeck, Germany
Email: basti@futrize.com

Represented by: Sebastian Wiercinski, Managing Director.

We have not appointed a Data Protection Officer because the statutory thresholds of § 38 BDSG do not apply to our organisation. Privacy enquiries can be sent directly to the contact above.

2. Scope of this Policy

This Policy applies to the Flipstash web application at my.flipstash.app, the marketing site, the customer dashboard, and any future native iOS or Android applications. It does not apply to third-party services that you may reach via outbound links from our Service.

3. Categories of Personal Data We Process

| # | Category | Examples | Source |
|---|----------|----------|--------|
| 3.1 | Account data | Email address, hashed password, display name, account creation date, locale preference | You (registration) |
| 3.2 | Authentication data | Session tokens, IP address at login, device fingerprint, OAuth tokens (if you sign in with a provider) | You / OAuth provider |
| 3.3 | Subscription data | Subscription tier (Free / Trial / Pro / Founding Member), trial status, renewal date, currency, country code, transaction IDs | RevenueCat / Stripe / Apple / Google |
| 3.4 | Content data | PC builds, hardware components, acquisition cost, sale price, build photos, AI-generated analyses, scoreboard entries (if opted in) | You (in-app input) |
| 3.5 | Communication data | Email correspondence, support tickets, feedback submissions | You |
| 3.6 | Telemetry & product analytics | Page and screen views, feature interactions, performance metrics, anonymised user ID, device class, OS version, browser version, referrer (only with your consent) | Your client |
| 3.7 | Marketing data | Email open and click tracking, unsubscribe status (only with your consent for non-transactional messages) | Resend |
| 3.8 | Server logs | IP address, request method, URL, status code, user-agent, timestamp | Your client / Vercel |

4. Purposes and Legal Bases of Processing

4.1 Account creation and authentication

  • Purpose: Allow you to register, log in and manage your account.
  • Data: 3.1, 3.2.
  • Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
  • Storage: For the lifetime of the account; deleted within 30 days of account deletion.

4.2 Provision of the core Service (build tracking, AI analysis, photo enhancement)

  • Purpose: Enable you to record PC builds, run AI-supported hardware analyses, enhance photos and view your portfolio.
  • Data: 3.1, 3.4.
  • Legal basis: Art. 6 (1) (b) GDPR.
  • Storage: For the lifetime of the account; build content is deleted within 30 days of account deletion. Photos uploaded to the AI analysis pipeline are deleted from Google's processing endpoints within the retention period defined by Google for Gemini API requests (currently no data retention for paid Gemini API tiers — [REVIEW: re-verify against current Google Gemini API terms before launch]).

4.3 Public scoreboard (optional)

  • Purpose: Display selected build statistics on a public leaderboard if you opt in.
  • Data: Display name, anonymised build statistics, optional avatar.
  • Legal basis: Art. 6 (1) (a) GDPR (consent). You can withdraw consent at any time in Settings → Privacy.
  • Storage: Until you opt out or delete your account.

4.4 Subscription management and payment processing

  • Purpose: Process trial activation, recurring subscription payments, refunds and cancellations.
  • Data: 3.1, 3.3.
  • Legal basis: Art. 6 (1) (b) GDPR; Art. 6 (1) (c) GDPR (compliance with statutory bookkeeping obligations under § 147 AO and § 257 HGB).
  • Storage: Active subscription data for the lifetime of the subscription. Payment-related records are retained for 10 years pursuant to German tax and commercial law.

4.5 Transactional emails

  • Purpose: Send service-critical emails such as account confirmation, password resets, trial expiry notices, payment receipts and security alerts.
  • Data: 3.1, 3.3, 3.5.
  • Legal basis: Art. 6 (1) (b) GDPR.
  • Storage: Email delivery logs are kept for 30 days at Resend; correspondence is retained for the lifetime of the account.

4.6 Marketing emails (optional)

  • Purpose: Inform you about product updates, new features and offers.
  • Data: 3.1, 3.7.
  • Legal basis: Art. 6 (1) (a) GDPR (consent) or § 7 (3) UWG for existing customers.
  • Storage: Until you unsubscribe; unsubscribe records are kept indefinitely to honour your opt-out.

4.7 Product analytics (PostHog)

  • Purpose: Understand how the Service is used so we can improve features and fix bugs.
  • Data: 3.6.
  • Legal basis: Art. 6 (1) (a) GDPR (consent). Analytics is opt-in via the cookie / consent banner. We do not use analytics tracking until you accept it.
  • Storage: 12 months from collection, after which event data is automatically deleted.

4.8 Server logs and security

  • Purpose: Operate the Service securely, prevent fraud and abuse, debug incidents.
  • Data: 3.8.
  • Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in operational security and integrity of the Service).
  • Storage: Up to 30 days for raw server logs; aggregated security telemetry up to 12 months.

4.9 Customer support

  • Purpose: Respond to support enquiries.
  • Data: 3.1, 3.5.
  • Legal basis: Art. 6 (1) (b) GDPR for contract-related enquiries; Art. 6 (1) (f) GDPR for general enquiries.
  • Storage: Up to 24 months after the last message in the thread, unless statutory retention requires longer.

5. Recipients and Sub-processors

We engage carefully selected processors who act on our behalf under data processing agreements (DPAs) compliant with Art. 28 GDPR. The following sub-processors may receive personal data:

| Sub-processor | Function | Location of processing | Transfer mechanism |
|--------------|----------|------------------------|--------------------|
| Supabase Inc. | Authentication, PostgreSQL database, file storage | EU region (Frankfurt); company headquartered in the United States | EU region for primary data; for any provider-side support access from the US: EU Standard Contractual Clauses (Module 2/3) per Commission Implementing Decision (EU) 2021/914 |
| Vercel Inc. | Application hosting and edge delivery | EU and global edge regions; company headquartered in the United States | EU-U.S. Data Privacy Framework (DPF) and EU Standard Contractual Clauses |
| Google LLC | Gemini AI API for hardware and parts analysis | Multi-region; company headquartered in the United States | EU-U.S. Data Privacy Framework (DPF) and EU Standard Contractual Clauses |
| RevenueCat Inc. | Subscription management and entitlement | United States | EU Standard Contractual Clauses |
| Stripe Payments Europe Ltd. (Ireland) / Stripe Inc. (US) | Payment processing (engaged via RevenueCat) | EU (primary); US for limited operational functions | Stripe Payments Europe acts as EU-resident contracting entity; EU Standard Contractual Clauses for any onward transfer to Stripe Inc. |
| Resend Inc. | Transactional and (with consent) marketing email delivery | United States | EU-U.S. Data Privacy Framework (DPF) and EU Standard Contractual Clauses |
| PostHog Inc. | Product analytics (consent-based) | EU region (Frankfurt) configured by us; company headquartered in the United Kingdom and the United States | EU region for event data; EU Standard Contractual Clauses for any provider-side support access |

[REVIEW: confirm that PostHog EU cloud is configured in production; if not, the transfer mechanism row must be updated.]

We will publish material changes to this list with at least 30 days' notice via in-app notification or email.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we rely on one or more of the following safeguards (Art. 44 ff. GDPR):

  • An adequacy decision of the European Commission (e.g. EU-U.S. Data Privacy Framework for certified US recipients);
  • Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, transfer impact assessments);
  • In limited cases, your explicit consent under Art. 49 (1) (a) GDPR.

You may request a copy of the safeguards in place by contacting us at basti@futrize.com.

7. Cookies and Local Storage

We distinguish between strictly necessary technologies and optional ones.

7.1 Strictly necessary

These are required for the Service to function and do not require consent (Art. 6 (1) (b) GDPR; § 25 (2) Nr. 2 TDDDG, formerly TTDSG):

  • Supabase auth cookie / local storage entry: Maintains your logged-in session.
  • CSRF token: Protects forms against cross-site request forgery.
  • Consent record: Stores your cookie preferences so we do not re-prompt on every visit.

7.2 Optional (consent-based)

We only set these after you accept them via the consent banner:

  • PostHog analytics: Distinct pseudonymous identifier, session recording flag (disabled by default), feature-flag cache. Maximum lifetime 12 months.

You can withdraw consent at any time in Settings → Privacy or by clearing the consent record in the cookie banner.

8. AI-Specific Disclosures (Google Gemini)

When you use the AI hardware analysis or photo enhancement features:

  • The build descriptions, photos and component data you submit are sent to Google's Gemini API for processing.
  • We use the paid Gemini API tier where Google contractually undertakes not to use customer prompts and outputs to train its general-purpose models. [REVIEW: confirm specific Gemini API SKU/tier and the matching Google Cloud terms before launch.]
  • Outputs are returned to your account and stored as part of your build record.
  • You are advised not to upload personal data of third parties (e.g. photographs of identifiable persons) into the AI features.

9. Storage and Retention Summary

| Category | Retention |
|----------|-----------|
| Account data | Lifetime of account + max. 30 days for deletion processing |
| Build content and photos | Lifetime of account + max. 30 days |
| Subscription transaction records | 10 years (§ 147 AO, § 257 HGB) |
| Email delivery logs | 30 days |
| Server logs | 30 days |
| Analytics (PostHog) | 12 months |
| Support correspondence | 24 months after last contact |
| Backups | Rolling 30-day backup window; deletion requests are honoured in active systems immediately and propagate to backups within the next backup-rotation cycle |

10. Your Rights

Under the GDPR you have the following rights, which you may exercise free of charge by contacting basti@futrize.com:

  • Right of access (Art. 15 GDPR): Obtain confirmation of whether we process data about you and receive a copy.

  • Right to rectification (Art. 16 GDPR): Have inaccurate data corrected.

  • Right to erasure (Art. 17 GDPR): Have your data deleted, subject to statutory retention.

  • Right to restriction (Art. 18 GDPR): Restrict processing in defined circumstances.

  • Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.

  • Right to object (Art. 21 GDPR): Object to processing based on legitimate interest, including direct marketing.

  • Right to withdraw consent (Art. 7 (3) GDPR): Withdraw any consent you have given, with effect for the future.

  • Right to lodge a complaint (Art. 77 GDPR): Lodge a complaint with a supervisory authority. The competent authority for our establishment is:

    Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
    Holstenstraße 98, 24103 Kiel, Germany
    Web: https://www.datenschutzzentrum.de

You can also exercise account self-service rights directly in Settings → Account (export, deletion, marketing opt-out, analytics opt-out).

11. Account Deletion

You can delete your Flipstash account at any time via Settings → Account → Delete account. Deletion removes account data, build content, photos and analytics identifiers within 30 days from active systems and within the next backup-rotation cycle from backups. Records that we are legally required to retain (e.g. invoices for tax purposes) will be moved into restricted-access storage and deleted at the end of the statutory retention period.

Note: Deleting your Flipstash account does not automatically cancel an active paid subscription. Subscriptions purchased through the web must be cancelled in Settings → Subscription before account deletion. Subscriptions purchased through the Apple App Store or Google Play must be cancelled in the corresponding store account.

12. Automated Decision-Making

We do not use automated decision-making within the meaning of Art. 22 GDPR that produces legal effects on you or significantly affects you. AI-generated outputs (e.g. hardware analyses, suggested resale prices) are informational and do not constitute automated decisions in the legal sense.

13. Security

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, including:

  • TLS encryption in transit (HTTPS-only);
  • Encryption at rest for stored data and backups;
  • Role-based access control and principle of least privilege;
  • Regular security reviews and dependency vulnerability scanning;
  • Multi-factor authentication on all administrative interfaces.

14. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us and we will delete it.

15. Changes to this Policy

We may update this Privacy Policy to reflect changes in our processing or legal requirements. Material changes will be communicated by email and via in-app notice at least 30 days before they take effect. The current version is always available within the Service.


Last updated: [REVIEW: launch date]
Version: 1.0