1) Scope & definitions
This Cookie Policy explains how we and our partners use cookies, pixels/web beacons, local storage, mobile identifiers (e.g., IDFA/GAID) and software development kits (SDKs) (collectively, “Tracking Technologies”) on our website and app. For purposes of applicable privacy laws, cookie/SDK identifiers, IP (including truncated or hashed), advertising IDs and similar identifiers are treated as personal information/personal data where they relate to an identifiable individual. We apply data minimization: we typically process pseudonymous identifiers and device/usage data needed to run and improve the Services. We do not combine advertising/analytics data with your meal photos/notes or other content that could reveal health status.
2) What these technologies are
Cookies: small text files placed by your browser.
Local storage (incl. HTML5): key–value storage in your browser/app.
Pixels / web beacons: tiny tags that register loads/opens/clicks.
Mobile SDKs / IDs: app libraries that may access OS-level identifiers (IDFA/GAID) for analytics/attribution.
Typical data points: cookie/SDK IDs, truncated or hashed IP, user-agent/OS/app version, timestamps, referrer/UTM, coarse region (derived from IP), feature usage, crash/diagnostics.
3) What we use them for (purposes & categories)
A. Strictly necessary / functional
Authentication and session management; load balancing; security/anti-abuse (e.g., bot detection); consent logging; remembering essential preferences.
Lawful basis: legitimate interests (GDPR/UK GDPR); necessary for providing the service (ePrivacy/PECR).
B. Analytics & product improvement
Traffic measurement; funnels/flows; A/B tests; diagnostics; crash reporting.
Lawful basis: consent in EEA/UK/CH; legitimate interests where permitted elsewhere.
C. Advertising / remarketing (Flovy only)
Showing/suppressing Flovy ads; frequency capping; campaign measurement; attribution (e.g., install → subscription); limited cross-device/cookieless matching where partners enable it using pseudonymous IDs and—only where disclosed and permitted—hashed email.
Lawful basis: consent in EEA/UK/CH; opt-out rights under U.S. state laws (see §6).
D. Lookalike/Similar audiences
Only where legally permitted and subject to required consent/opt-outs; no sensitive/health segments.
We prohibit partners from using our data for unrelated purposes (e.g., building independent profiles). Some ad/measurement partners may act as independent controllers for delivery; their practices are governed by their notices.
4) Consent model & button parity (EEA/UK/CH) + global frameworks
EEA/UK/CH (GDPR, ePrivacy/PECR): We deploy non-essential Tracking Technologies (analytics, advertising, email open/click pixels) only with your prior consent via our Consent Management Platform (CMP).
First-layer button parity: the CMP shows equally prominent “Reject All” and “Accept All” for non-essential items, plus granular controls. We keep verifiable consent logs (timestamp, version, jurisdiction) solely to demonstrate compliance.
Other regions (e.g., U.S., Canada, Australia, New Zealand): We rely on consent where required or on legitimate interests where allowed, and provide easy opt-out controls (see §6).
Apple App Tracking Transparency (ATT): Where required, we show the ATT prompt and respect your choice for any tracking that requires ATT permission.
5) Boundaries for health & precise location
We do not create or target ad segments based on diagnoses, conditions, or other special-category/sensitive data.
We do not use precise geolocation for ad personalization.
We do not combine ad/analytics data with your meal photos/notes or similar content that could reveal health status.
6) Your choices & how to opt out
Cookie banner / CMP (EEA/UK/CH): Manage consent at any time via Cookie Settings (site footer or in-app privacy settings). Withdrawing consent is as easy as giving it and does not affect access to core features that rely only on essential cookies/SDKs.
U.S. state privacy (CPRA/CCPA and similar): Use our “Do Not Sell or Share My Personal Information” link to opt out of cross-context behavioral advertising.
Scope: this choice applies to “sale”/“sharing” and any materially similar disclosures; where applicable, we extend it to offline data linked to your account.
Global Privacy Control (GPC): We honor GPC signals for the specific browser regardless of whether you are signed into your Flovy account.
Email tracking pixels: Decline non-essential email pixels in the CMP (EEA/UK/CH) or unsubscribe via the email footer or by contacting hello@flovy.crils.site.
Device/browser controls: Block/clear cookies; reset/limit advertising IDs on iOS/Android; use tracking-prevention features.
Industry opt-outs: DAA/AdChoices, NAI, EDAA/YourOnlineChoices, and AppChoices (availability varies).
Do Not Track (DNT): DNT is not standardized; we rely on the mechanisms above and GPC.
7) Cookie/SDK table (name, provider, purpose, lifetime)
We maintain a live cookie/SDK table showing name, provider, purpose, category, lifetime/TTL (incl. session), type (first/third-party; persistent/session), and lawful basis. It’s accessible via the CMP and on our Cookie Policy page. Session cookies expire when you close your browser. Individual lifetimes per item are listed in the table.
8) Where data is processed (hosting, vendors) & security
Primary hosting/infrastructure: Google Cloud (regions may vary).
Database: MongoDB Atlas on Google Cloud.
Attachments (e.g., optional meal photos): Google Cloud Storage.
AI assistance (product features only): selected free-text you provide may be processed by OpenAI strictly as our processor; training on user data is disabled where controls exist; not used for advertising.
Email/CRM & analytics/ad tech: vetted providers under DPAs or equivalent contracts.
Security: encryption in transit (TLS 1.2+) and at rest (AES-256 or provider-equivalent), cloud KMS key management, least-privilege access, audit logging, environment segregation.
Cookie flags: Where we set first-party cookies, we apply Secure and HttpOnly flags and an appropriate SameSite attribute, unless a different setting is strictly necessary for core functionality.
Sub-processors / Partner Register: A current list of analytics/ad tech partners (with roles and primary processing locations) is available via the footer/CMP, with deep links to each partner’s privacy notice and processing locations.
9) International transfers & safeguards
If processing involves cross-border transfers (e.g., EEA/UK/US/Canada/Australia/NZ), we rely—where required—on EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, conduct Transfer Impact Assessments (TIAs), and implement supplementary measures (encryption, access controls, vendor due diligence). We also rely on adequacy decisions where available.
10) Retention & deletion
Non-essential cookie/SDK identifiers: retained by us/partners only as long as necessary and consistent with your choices; typical lifetimes for non-essential cookies do not exceed 13 months unless you consent again.
Consent & preference logs: retained only to demonstrate compliance and manage disputes, then deleted or irreversibly de-identified.
Suppression lists (opt-out records): retained solely to ensure we don’t re-contact you after you unsubscribe.
Backups: encrypted rolling backups; when you withdraw consent or opt out, related items are queued for removal on the next rotation unless a legal hold applies.
11) Children & minors
Our Services are intended for adults 18+ and are not directed to children. We do not knowingly use advertising/analytics tools to profile or market to minors. If we learn a child’s data was processed, we disable advertising/analytics tracking for that user context and expedite deletion per our Use by Children (Minors) section.
12) Social plug-ins & embedded content
Social plug-ins, widgets, pixels, and embeds (e.g., like/share buttons, embedded posts/videos) are provided by third-party platforms and may set/read identifiers when you view or interact with them. In the EEA/UK/CH, non-essential social plug-ins load only after your prior consent via the CMP; where feasible, we use a two-click model (placeholder first; the actual frame loads only after you activate it). Outside the EEA/UK/CH, we rely on consent where required or legitimate interests where allowed; you retain opt-out controls (see §6).
13) Your rights & how to exercise them
Depending on your location, you may have rights of access, deletion/erasure, correction, restriction, objection (including to profiling for interest-based advertising), portability, and withdrawal of consent. U.S. residents may also opt out of sale/sharing and targeted advertising and limit use/disclosure of Sensitive PI (we do not use Sensitive PI for inferring characteristics or advertising; if this changes, we’ll provide a “Limit Use of Sensitive PI” control).
How to exercise:
In-app: Settings → Privacy Requests
Email: hello@flovy.crils.site (subject: e.g., “Access Request”, “Deletion Request”, “Objection to Profiling”)
We may verify requests with a one-time code sent to your account email. Authorized agents (U.S.) may act with proof of authorization plus user verification. Household requests may require joint verification.
Free of charge: Privacy requests are free, unless manifestly unfounded or excessive; if so, we may charge a reasonable fee or refuse to act, as permitted by law.
14) De-identified & aggregated data
We may maintain de-identified or aggregated statistics for analytics and service improvement. We apply technical and organizational measures to prevent re-identification, keep such data separate from direct identifiers, and will not attempt to re-identify individuals.
15) Changes to this Cookie Policy
We may update this Policy to reflect legal, technical, or business changes. For material changes (e.g., new categories/purposes; new partners; new international transfers), we will provide prominent notice (e.g., in-app banner/modal, website banner, and/or email), update the “Last updated” date, and—where required—seek/renew consent (e.g., via the CMP). We maintain a public archive of prior versions and a concise change log (e.g., new partners/purposes, transfer mechanisms, retention windows). For cookie- and SDK-specific details, see this Cookie Policy and the in-product Consent Management Platform (CMP).
16) Contact & regulators
Privacy contact: hello@flovy.crils.site
In-app: Settings → Help & Support → Privacy/Legal
For technical/app support, contact support@flovy.crils.site or use In-app → Help & Support. For privacy/data matters, use the contacts above.
You may lodge a complaint with your data protection authority (EEA/UK) or your local regulator. We encourage contacting us first so we can address your concern promptly.
Data Protection Officer (DPO). As of the date below, Flovy has not appointed a DPO because our activities do not meet the criteria under Article 37 GDPR/UK GDPR. If this changes, we will update this section with the DPO’s contact details. Where appointed, our DPO acts independently, reports to senior management, and may be contacted by you and by supervisory authorities regarding all issues related to personal data processing.
Last updated: 12.09.2025
Always-current version: https://flovy.crils.site/privacy
Print/Save: You can print or save this page to PDF.
Appendix — Quick controls
Cookie Settings/CMP (EEA/UK/CH): footer link or in-app privacy settings
U.S. opt-out: Do Not Sell or Share My Personal Information (footer) — GPC honored
Industry opt-outs: DAA/AdChoices, NAI, EDAA/YourOnlineChoices, AppChoices
Device settings: iOS/Android advertising ID reset/limit; browser cookie controls