1. Introduction

Welcome to Flipzi! This Privacy Policy applies to the Flipzi mobile application (iOS and Android) and website (flipzi.io), operated by Nexa Lumen LTD, a company registered in Bulgaria (Registration: BG207736544).

We are committed to protecting your privacy and being transparent about how we handle your personal data. This policy complies with:

  • EU General Data Protection Regulation (GDPR)
  • Bulgarian Personal Data Protection Act
  • Apple App Store Guidelines
  • Google Play Store Requirements

In Short: We only collect what's necessary to provide Flipzi's services. We never sell your data. You have full control over your information.

2. Information We Collect

2.1 Information You Provide

Account Registration

When you create a Flipzi account, we collect:

  • Email Address (required) - For login, account recovery, and notifications
  • Password (encrypted) - Stored using industry-standard bcrypt hashing
  • Name (optional) - For personalization

Watchlist & Portfolio Data

  • Cards you track
  • Price alert thresholds you set
  • Your watchlist organization preferences

Payment Information

If you subscribe to Flipzi Pro:

  • We do NOT store credit card numbers or full payment details
  • In-app purchases are processed by Apple (App Store) or Google (Google Play)
  • RevenueCat manages subscription status and receipt validation on our behalf
  • For web purchases (if available), payments may be processed by Stripe
  • We store: subscription status, platform (Apple/Google/Stripe), transaction identifiers, and expiration dates

2.2 Information Automatically Collected

Device & Usage Data

Data Type | What We Collect | Why
Device Info | Device model, OS version, app version | Bug fixes, compatibility
IP Address | Your internet IP (anonymized after 30 days) | Security, fraud prevention
Push Token | Device notification token (Firebase) | Send price alerts

Website Analytics (flipzi.io only)

On flipzi.io (our website), we may use analytics tools to understand website performance and improve the site experience. This is website-only and is not used for advertising or cross-site tracking.

  • Google Analytics – Aggregated website metrics (e.g., page views, referral source, approximate location at a country/city level, device/browser type).
  • Microsoft Clarity – Website UX analytics (e.g., heatmaps and session replays) to understand usability issues.

Important: We do not use these tools for ad targeting, remarketing, or building advertising profiles. We do not enable Google Analytics advertising features (such as remarketing, Google Signals, or "Demographics & Interests" reporting) for Flipzi analytics.

Where required by law, analytics cookies are used only after you provide consent via our cookie banner. See our Cookie Policy for details.

2.3 Information We Do NOT Collect

  • Precise GPS location (we never request location access)
  • Contacts or address book
  • Photos or camera access
  • Microphone or camera
  • Third-party app usage
  • Browsing history outside Flipzi

3. How We Use Your Information

3.1 Core Service Functionality

  • Account Management - Login authentication, password resets
  • Price Tracking - Monitor card prices from Cardmarket and other sources
  • Price Alerts - Send notifications when target prices are reached
  • Portfolio Analytics - Calculate collection value and trends

3.2 Service Improvements

  • Analyze which features are most/least used
  • Fix bugs and technical issues
  • Optimize app performance and speed
  • Develop new features based on user behavior

3.3 Communications

Type | Examples | Can Opt Out?
Transactional | Account verification, password resets, billing receipts | No (required)
Service Updates | New features, critical security alerts | No (important)
Price Alerts | Your custom card price notifications | Yes (in settings)
Marketing | Product tips, promotions, newsletters | Yes (unsubscribe link)
Product Feedback & Research | Occasional invitations to share feedback, take part in surveys, or join user-research interviews | Yes (reply to opt out, or unsubscribe link)

We may occasionally contact you for product feedback or research — for example, a short survey or an invitation to a user interview. These messages are infrequent and you can opt out at any time.

3.4 Legal Compliance & Security

  • Prevent fraud and abuse
  • Comply with legal obligations (tax, GDPR, etc.)
  • Respond to law enforcement requests (only when legally required)
  • Enforce our Terms of Service

We do NOT: Sell or rent your data, share it with data brokers, use it for targeted advertising, or track you across other companies' apps or websites.

4. Who We Share Data With

4.1 Service Providers (Processors)

We share limited data with trusted third-party service providers only as necessary to operate Flipzi. These providers act as data processors on our behalf, under contractual obligations to protect your data and to use it only to provide services to us.

  • Hosting & Infrastructure: DigitalOcean (EU datacenter) – to host our servers and databases.
  • In-App Purchases: Apple App Store & Google Play Store – to process subscription payments. RevenueCat – to manage subscriptions and validate purchase receipts.
  • Web Payments (if available): Stripe – to process web-based payments (we do not store card numbers).
  • Email Delivery: Amazon SES – to send transactional emails (e.g., verification, receipts).
  • Push Notifications: Firebase Cloud Messaging – to deliver price alerts to your device (push token only).
  • Website Analytics (website only): Google Analytics and Microsoft Clarity – to improve flipzi.io (not used for advertising).

No advertising tracking: We do not share your personal data with third parties for targeted advertising, data brokering, or tracking you across other companies' apps or websites.

4.2 Legal Requirements

We may disclose your data if:

  • Required by law or valid legal process (subpoena, court order)
  • Necessary to protect our legal rights or prevent fraud
  • Required to protect the safety of users or the public

Your Right: We will notify you of legal requests unless prohibited by law.

4.3 Business Transfers

If Nexa Lumen LTD is acquired or merged:

  • Your data may transfer to the new owner
  • This Privacy Policy will continue to apply
  • You will be notified via email 30 days in advance
  • You may delete your account before the transfer

4.4 What We NEVER Share

  • We do NOT sell your data to data brokers or advertisers
  • We do NOT share your watchlist with card sellers
  • We do NOT provide email lists to third parties for marketing
  • We do NOT participate in ad networks that track you across apps

5. How We Protect Your Data

5.1 Technical Security Measures

  • Encryption in Transit - All data transmitted via HTTPS/TLS 1.3
  • Encryption at Rest - Database encrypted with AES-256
  • Password Security - Hashed with bcrypt (industry standard)
  • Firewall Protection - Restricted access to our servers
  • Regular Security Audits - Quarterly vulnerability scans
  • Access Controls - Only authorized engineers can access production data

5.2 Data Retention

Data Type | Retention Period | Reason
Account Data | Until account deletion | Provide service
Watchlist & Alerts | Until account deletion | Core functionality
Transaction Records | 7 years | Tax/legal compliance
Crash Logs | 90 days | Bug fixes
Analytics Data | 26 months (Google Analytics default) | Product improvements
IP Addresses | 30 days (anonymized after) | Security

5.3 Your Responsibility

You can help protect your account by:

  • Using a strong, unique password
  • Not sharing your login credentials
  • Logging out on shared devices
  • Reporting suspicious activity to [email protected]

5.4 Data Breach Response

In the unlikely event of a data breach:

  • We will notify affected users within 72 hours
  • We will notify relevant data protection authorities (GDPR requirement)
  • We will provide details about what data was affected and steps taken
  • We will offer guidance on protective measures you can take

6. Your Privacy Rights (GDPR)

Under GDPR and Bulgarian law, you have the following rights:

6.1 Right to Access

What it means: Request a copy of all data we hold about you.

How to exercise: Email [email protected] with subject "Data Access Request"

Response time: Within 30 days (free of charge)

You'll receive: JSON export of your account, watchlist, alerts, transaction history

6.2 Right to Rectification

What it means: Correct inaccurate data about you.

How to exercise: Update directly in app settings, or email [email protected]

Response time: Immediate (in-app) or within 7 days (via email)

6.3 Right to Erasure ("Right to be Forgotten")

What it means: Delete your account and all associated data.

How to exercise:

  1. In-app: Settings → Account → Delete Account (instant)
  2. Email [email protected] with subject "Delete My Account"

What gets deleted:

  • Account credentials (email, password)
  • Watchlist and price alerts
  • Usage history
  • Profile information

What we retain:

  • Transaction records (7 years - legal requirement for tax purposes)
  • Anonymized analytics (no personal identifiers)

6.4 Right to Data Portability

What it means: Get your data in a machine-readable format to transfer to another service.

How to exercise: Email [email protected] with subject "Data Portability Request"

Format provided: JSON file with all your data

6.5 Right to Restrict Processing

What it means: Ask us to limit how we use your data.

Example: "Don't use my data for analytics, only for core features"

How to exercise: Email [email protected]

6.6 Right to Object

What it means: Object to processing based on legitimate interests (e.g., marketing).

How to exercise: Unsubscribe from emails, or contact [email protected]

6.7 Right to Withdraw Consent

What it means: Change your mind about data processing you previously agreed to.

Example: Turn off price alert emails in Settings

6.8 Right to Lodge a Complaint

If you're unhappy with how we handle your data:

  1. Contact us first: [email protected] - we'll work to resolve it
  2. File an official complaint: Commission for Personal Data Protection (Bulgaria)
  3. EU Residents: Contact your local data protection authority

7. Cookies & Analytics Technologies

7.1 Website Cookies (flipzi.io)

We use cookies on our website for:

  • Essential Cookies - Security and basic site functionality (required).
  • Analytics Cookies (optional) - To understand website usage and improve flipzi.io (e.g., Google Analytics, Microsoft Clarity).

Where required by law, analytics cookies are enabled only after you provide consent via our cookie banner.

7.2 Mobile App (No Cross-App Tracking)

The Flipzi mobile app does not use third-party advertising SDKs, does not use the IDFA (Identifier for Advertisers), and does not track you across other companies' apps or websites.

  • Local Storage - The app may store login/session tokens and preferences on your device.
  • Push Notifications - If enabled, we store a push token to send your price alerts.

7.3 What "Tracking" Means (Apple ATT)

For clarity, "tracking" (as defined by Apple) generally means linking your data collected in the app with data from other companies' apps/websites for advertising or sharing it with data brokers. Flipzi does not do this.

Full details in our Cookie Policy.

8. Children's Privacy

8.1 Age Requirement

Flipzi requires users to be at least 13 years old. We do not knowingly collect data from children under 13.

8.2 Parental Consent

If you are under 18, you must have permission from a parent or legal guardian to use Flipzi.

8.3 If We Discover Under-Age Use

If we learn a user is under 13:

  • We will immediately delete their account
  • We will delete all associated data
  • We will notify the email address on file (parent/guardian)

8.4 For Parents

If you believe your child under 13 created an account, contact us immediately at [email protected] with subject "Underage Account Removal".

9. International Users & Data Transfers

9.1 Where Your Data is Stored

  • Primary Servers: Germany (DigitalOcean Frankfurt datacenter)
  • Database Backups: EU region (GDPR-compliant)
  • Email Service: Amazon SES (EU-West-1, Ireland)

9.2 Data Transfers Outside EU

Some service providers may process data in the USA:

  • Google (Firebase, Analytics): Uses Standard Contractual Clauses (SCCs) approved by EU Commission
  • Apple: Uses Standard Contractual Clauses (SCCs) for data transfers
  • RevenueCat: Uses Standard Contractual Clauses (SCCs) for data transfers
  • Stripe: Certified under EU-US Data Privacy Framework

All transfers comply with GDPR Article 46 (appropriate safeguards).

9.3 Bulgarian Law Compliance

As a Bulgarian company, we comply with:

  • Personal Data Protection Act
  • Commission for Personal Data Protection (CPDP) regulations
  • EU GDPR (directly applicable in Bulgaria)

9.4 California Users (CCPA)

While Flipzi is EU-based, we respect California privacy rights:

  • Right to know what data we collect (see Section 2)
  • Right to delete data (see Section 6.3)
  • Right to opt-out of data "sales" (we don't sell data)
  • Right to non-discrimination for exercising rights

10. Changes to This Privacy Policy

10.1 When We Update

We may update this Privacy Policy when:

  • We add new features or services
  • We integrate new third-party providers
  • Laws or regulations change
  • User feedback requires clarification

10.2 How You'll Know

For material changes (e.g., new data collection, changed purpose):

  • Email notification to all users
  • In-app notification
  • Banner on website
  • 30 days' notice before changes take effect

For minor changes (clarifications, typo fixes):

  • We'll update the "Last Updated" date at the top
  • No separate notification required

10.3 Your Options

If you disagree with the updated policy:

  • You may delete your account before changes take effect
  • Continued use after effective date means you accept the changes

11. Contact Us

Questions About Your Privacy?

We're here to help. Reach out anytime:

Email: [email protected]

Response Time: Within 3 business days

Company Information

  • Company Name: Nexa Lumen LTD
  • Registration Number: BG207736544
  • VAT Number: BG207736544
  • Registered Address: Sofia, Bulgaria
  • Website: https://flipzi.io
  • Support Email: [email protected]

Data Protection Officer

For privacy-specific inquiries, contact our DPO:

Email: [email protected] (Subject: "Privacy Inquiry")

Thank you for trusting Flipzi with your data. We take privacy seriously and are committed to protecting your information. If you have any concerns or questions, please don't hesitate to reach out.