Privacy Policy of Flovy
Effective date: 12.09.2025

1. Who We AreFlovy is a mobile application and related website at https://flovy.crils.site (together, the “Services”), owned and operated by Individual Entrepreneur Kyrylo Omelchenko (“Flovy”, “we”, “us”).
Privacy contact: hello@flovy.crils.site
Medical & nutrition disclaimer. Flovy provides informational nutrition guidance only and does not provide medical care or medical advice. You are solely responsible for your health decisions. Always consult a clinician before changing diet or activity, especially if you have medical conditions, allergies, are pregnant/nursing, or take medications.
2. Information We CollectWe practice data minimization and typically collect only:
  • Email address (for account access and communication).
  • Optional nickname (no surname).
  • Age band (10-year ranges, e.g., 40–49 or 50–59).
  • Height.
  • Device/technical data (IP, user-agent/OS, app version, crash logs, cookie/SDK IDs).
  • Optional user content you provide (e.g., meal photos, notes, comments).
We do not request exact dates of birth, legal names, or national IDs.
3. How We Use Your InformationWe use personal data to:
  1. Provide & improve the Services (including AI-assisted, non-medical nutrition suggestions; progress tracking).
  2. Authenticate users; prevent abuse/fraud; secure accounts and our infrastructure.
  3. Communicate service notices, in-app messages, and transactional emails.
  4. Process subscriptions & payments (via App Store/Google Play/Stripe).
  5. Measure performance, debug, and analyze product usage (privacy-respecting analytics).
  6. Comply with legal obligations (tax, accounting, data retention, regulatory requests).
We do not sell personal information.
Data Mapping Overview. A matrix linking each category of data to its purposes, legal bases (where applicable), and categories of recipients is available in our Partner Register/CMP and upon request at hello@flovy.crils.site.
  • 4. Health & Nutrition Disclaimer (Reiterated)Guidance in Flovy is AI-assisted and educational only; outputs may be incomplete or inaccurate.
  • AI (OpenAI acting as our processor) is used solely for product features (e.g., text classification/summarization); training on user data is disabled where controls exist; not used for advertising.
  • You accept full responsibility for how you use any guidance. Flovy disclaims liability for any health or dietary consequences to the fullest extent permitted by law.
5. Legal Bases for ProcessingDepending on your jurisdiction:
  • EEA/UK (GDPR/UK GDPR): Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation; Art. 6(1)(a) consent where required (e.g., non-essential cookies/SDKs via CMP).
  • US state laws (e.g., CPRA/CCPA, CO/CT/VA/UT): we process for disclosed business purposes; you may opt-out of “sale”/“sharing” and targeted advertising (see §11).
  • Brazil (LGPD): contract, legal obligation, or consent.
  • Canada (PIPEDA): meaningful consent proportionate to context.
  • 6. Storage & SecurityPrimary hosting: Google Cloud (regions may vary).
  • Database: MongoDB Atlas on Google Cloud.
  • Attachments (e.g., photos): Google Cloud Storage.
  • AI processor: OpenAI (processor under our instructions; training disabled where available).
  • Email/CRM/analytics: vetted vendors under DPAs or equivalent contracts.
Security measures: TLS 1.2+ in transit; AES-256 (or provider-equivalent) at rest; cloud KMS key management; least-privilege access; audit logging; environment segregation.
Security/anti-fraud logs are retained no longer than 12 months (shorter where required by local law) and then deleted or irreversibly de-identified.
7. Sharing of InformationWe may share personal data with:
  • Service providers/processors (hosting, storage, email/CRM, analytics, support) acting under written DPAs and our instructions.
  • Payment processors (Apple, Google, Stripe) to process transactions and combat fraud.
  • Regulators or law enforcement where required by law.
  • Independent controllers you interact with (e.g., social media platforms via embeds); see §16 and the Partner Register/CMP.
We do not share your meal photos, health-related notes, or AI-generated suggestions with advertisers.
8. Resetting of User AccountWhat “Reset” means. Reset provisions a fresh account while preserving only minimal non-sensitive preferences you choose (language, units, notifications, high-level goal band). We do not migrate historical food logs, photos, prior weight entries, device sync history, or AI suggestions.
What happens to the original record. We delete or de-link the original email/nickname and rotate in-product analytics IDs so past event history is not linked to the new account. Any third-party identifiers previously tied to the original record (e.g., payment, wearable integrations, mobile attribution IDs) are revoked and re-bound only if operationally required; otherwise they are deleted from the original record. The sanitized original record enters the backup removal queue (§9/§14).
Purchases & billing. Active subscriptions remain associated via your app-store/processor and are re-linked to the new account; legal/tax records are retained as required by law.
How to request a reset. In-app: Settings → Account → Reset Account (where available) or email hello@flovy.crils.site (subject: “Account Reset”). We will verify via a one-time code.
Irreversibility. Once completed and backup rotations progress, reset cannot be undone.
Abuse prevention. We may delay/decline a reset to prevent fraud/abuse or comply with a legal hold.
9. Erasure of User Data (Deletion Requests & Right to Be Forgotten)How to request deletion.
  • In-app: Delete Account / Remove my data (where available).
  • Email: from your account email to hello@flovy.crils.site (subject: “Deletion Request”).
  • We verify via a one-time code. For online deletion in the US, we use a two-step confirmation flow (initial request + separate confirmation).
What we delete (active systems).
  • Account basics (email, optional nickname, age band, height).
  • App/server events reasonably linkable to your account.
  • User content you provided (e.g., meal photos/notes).
  • In-product analytics IDs tied to your account.
  • Marketing profiles (if any).
What may be retained temporarily or by law.
  • Security & anti-fraud logs (short, rotating; max 12 months unless shorter by law).
  • Transactional/financial records (to satisfy tax/accounting/fraud obligations).
  • Legal holds (to establish, exercise, or defend legal claims).
  • Suppression lists (your email solely to prevent future re-contact after unsubscribe).
  • Aggregated/de-identified statistics (with safeguards; we will not re-identify).
Backups. Deleted items in active systems are queued for removal from encrypted rolling backups on the next scheduled cycle. Backups are for disaster recovery only.
Timeframes & SLAs.
  • We aim to complete deletion from active systems within 10 business days after verification.
  • EEA/UK: respond within 1 month (extendable by 2 for complexity).
  • US: within 45 days (extendable once, with notice; appeal instructions included).
  • Brazil: within 15 days. Canada: target 30 days.
Children. If we learn a child’s data was collected, we disable access and expedite deletion (§15).
10. Your Privacy Rights (EEA/UK/US & Global)Your rights may include (depending on location): access, deletion/erasure, correction/rectification, restriction (e.g., accuracy contested; processing unlawful; legal claims; pending objection), objection (including profiling for interest-based ads; for direct marketing—objection is absolute), portability (machine-readable export/transfer where technically feasible), and withdrawal of consent (where processing is consent-based).
US-specific rights. Opt-out of “sale”/“sharing” and targeted advertising; limit use/disclosure of sensitive personal information (we do not use sensitive PI for inferring characteristics or advertising; if this changes, a “Limit Use of Sensitive PI” control will be provided).
Definitions (U.S.).Sale” = exchange of personal information for monetary or other valuable consideration; “sharing” = disclosure for cross-context behavioral advertising; “targeted advertising” has the meaning under applicable state laws. We honor your opt-out choices across these definitions.
Authorized agents & households (U.S.). You may designate an authorized agent (proof required; we independently verify you). For household requests, we may require joint verification by members. You can revoke an agent’s authority by notifying us from your account email.
How to exercise rights. In-app Privacy/Settings → Privacy Requests; or email hello@flovy.crils.site with a clear subject (e.g., “Access Request”, “Deletion Request”, “Objection to Profiling”). We verify via one-time code.
Response times. EEA/UK: 1 month (extendable); US: 45 days (extendable once); Brazil: 15 days; Canada: reasonable time (~30 days target). We confirm completion or explain lawful exceptions and include appeal instructions where required.
Non-discrimination & financial incentives (U.S.). We will not discriminate against you for exercising your rights (e.g., no denial of services, different prices/quality), except as permitted by law. If we offer a financial incentive (e.g., a discount for marketing sign-ups), we will disclose the material terms, the value of the data, how to opt-in, and how to withdraw without penalty.
De-identified & aggregated data. We may keep de-identified/aggregated data with safeguards (separation from direct identifiers; no re-identification). U.S. state privacy rights generally do not apply to such information.
  • 11. Managing Marketing, Cookies & TrackingEmail marketing. Unsubscribe via the link in our emails or email hello@flovy.crils.site. Opt-outs are processed without undue delay.
  • CMP (EEA/UK/CH). Manage Advertising/Analytics/Functional categories via our cookie banner/Consent Management Platform (CMP) (footer/in-app).
  • Cookie/SDK retention (EEA/UK/CH). We cap the lifetime of non-essential cookies and SDK identifiers at 13 months (or shorter where required by law). Essential cookies may have different lifetimes consistent with their purpose.
  • U.S. opt-outs. Use our “Do Not Sell or Share My Personal Information” link; we also honor Global Privacy Control (GPC) signals. We apply targeted-ads opt-outs consistently across applicable U.S. state laws.
  • Device/browser controls. You can block/clear cookies; reset/limit advertising IDs (iOS/Android); use tracking-prevention features.
  • Industry tools. DAA/AdChoices, NAI, EDAA/YourOnlineChoices, AppChoices (availability varies).
  • DNT. “Do Not Track” is not standardized; we rely on mechanisms above and GPC.
Minors (California). We do not “sell” or “share” personal information of consumers we know are under 16. For users 13–16, we would obtain opt-in consent before any such practice; for users under 13, we do not permit account creation.
12. Profiling & Automated Decision-Making (ADM)We do not make decisions with legal or similarly significant effects based solely on automated processing. Any AI-assisted guidance is educational and not medical advice. You may object to profiling for interest-based advertising at any time (§11).
If we ever introduce ADM with legal/similarly significant effects, we will provide meaningful information about the logic involved and offer the ability to request human review.
13. International TransfersFor cross-border processing (e.g., EEA/UK/US/Canada/Australia/NZ), we rely—where required—on EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, conduct Transfer Impact Assessments (TIAs), and implement supplementary measures (encryption, access controls, vendor diligence). We also rely on adequacy decisions where available.
  • 14. Data RetentionActive accounts: retained while you use the Services for the purposes described.
  • Inactive/closed accounts: data is deleted or irreversibly de-identified following reset/erasure or at the end of the applicable retention purpose.
  • Backups: encrypted rolling backups; deleted automatically on the next scheduled rotation; not used for production processing (see §9).
  • Security/anti-fraud logs: retained ≤12 months (shorter where required) then deleted or de-identified.
  • Financial/tax/transaction records: retained as required by law.
We do not retain personal data “just in case”; when a lawful basis ends, associated personal data is deleted or irreversibly de-identified without requiring a separate user request.
15. Children & MinorsThe Services are intended for adults 18+ and are not directed to children. We do not knowingly collect children’s data. If we learn a child’s data was provided, we will disable access and expedite deletion (and notify parents/authorities where required).
16. Social Media Plug-Ins & Embedded ContentScope. Our Services may include plug-ins, widgets, pixels, and embeds (e.g., Like/Share buttons; embedded posts/videos) from platforms such as Meta (Facebook/Instagram), X (Twitter), Pinterest, TikTok, and YouTube.
Consent & activation. In the EEA/UK/CH, non-essential plug-ins load only after your prior consent via our CMP; where feasible we use a two-click model (placeholder first, then user-activated load). Outside those regions we rely on consent where required or legitimate interests where allowed; you retain opt-out controls (§11).
Data they may receive. Technical identifiers (IP, user-agent, device/OS, cookie/SDK IDs, referrer/URL, timestamp), interaction data (e.g., play/like/share), account linkage if you are logged into that platform, and coarse location (IP-based). We do not intentionally send your meal photos/notes or other health-revealing content to plug-ins. If you choose to share via a platform, that content is governed by that platform’s terms and privacy policy.
Roles & partners. Social platforms generally act as independent controllers for their downstream use; for specific technologies deemed joint controllership (e.g., some Meta tech), we maintain an Art. 26 GDPR arrangement and publish the essence in our Partner Register. The CMP Partners list links to each partner’s privacy notice and shows processing locations and purposes.
Your choices. Manage categories in Cookie Settings (CMP), use platform-native settings, log out of platform accounts to avoid linkage, and use browser/device tracking-prevention.
17. Versioning & Updates to This Privacy PolicyWhy we update. Legal changes (GDPR/UK GDPR, ePrivacy/PECR, US state laws, LGPD, PIPEDA), product/data changes (new purposes/categories/retention/security), partner/processor changes, transfer mechanisms (SCCs/IDTA/TIAs), and editorial clarifications.
Types of updates.
  • Editorial/non-material: formatting/clarity; effective when posted; we update the “Last updated” legend.
  • Material: changes that meaningfully affect privacy (new sensitive uses, new purposes or recipients, new locations/transfers, expanded profiling/targeted ads, altered rights/opt-outs). For material updates we provide prominent notice (in-app banner, email, site banner, and/or push), and where required seek fresh consent (e.g., CMP in EEA/UK/CH).
Effective date & acceptance. Unless stated otherwise, changes are effective on posting. For material changes we may set a future effective date (e.g., 15–30 days). Continued use after the effective date constitutes acceptance and does not limit your statutory rights (object/withdraw/opt-out).
Review cadence. We review this Policy at least quarterly and update it without undue delay following material legal developments.
Version archive & current links.
  • Current version URL: https://flovy.crils.site/privacy
  • You can print or save a PDF from your browser. Prior versions are also available on request at hello@flovy.crils.site. Our CMP “Partners” list/Sub-processors Register (footer/in-app) reflects current providers, roles, locations, and links to their privacy notices.
18. Complaints & RegulatorsYou may lodge a complaint with your data protection authority (EEA/UK) or the relevant regulator in your jurisdiction (e.g., ICO in the UK, Office of the Privacy Commissioner in Canada, ANPD in Brazil, or your state Attorney General in the U.S.). We encourage contacting us first at hello@flovy.crils.site so we can address your concerns promptly.
19. Contact UsFlovy — Privacy Contact
Email: hello@flovy.crils.site
Website: https://flovy.crils.site
If we appoint a Data Protection Officer (DPO), we will publish the DPO’s contact details here.
Storage & vendor snapshot (cross-reference): Hosting: Google Cloud · Database: MongoDB Atlas on Google Cloud · Attachments: Google Cloud Storage · AI processor: OpenAI (training disabled where settings allow; processor acting under our instructions; product features only, not for advertising) · Email/CRM & analytics/ad tech: vetted partners under DPAs/appropriate contracts; partner roles/locations and consent toggles available via our footer/CMP.
Note: Where this Policy references features exposed via our app or site (e.g., Privacy Requests, Cookie Settings, “Do Not Sell/Share”), those controls will be available in regions where legally required and are applied more broadly where feasible.
Made on
Tilda