FlowStrike
Privacy Policy
Last updated: June 5, 2026
This Privacy Policy explains how FlowStrike ("FlowStrike," "we," "our," or "us") collects, uses, stores, and protects your personal information when you use our mobile application (the "App"). FlowStrike is operated by Braulio Gabriel Villegas Jiménez, an individual data controller based in Puebla, Mexico.
This Policy is governed by:
- The Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
- The European Union General Data Protection Regulation (GDPR), for users in the European Economic Area and the United Kingdom
- The California Consumer Privacy Act (CCPA), as amended by the CPRA, for residents of California
By using FlowStrike, you confirm that you have read and understood this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — required for authentication and account recovery.
- Password (encrypted) — if you sign up with email and password. Passwords are hashed using industry-standard bcrypt and are never stored in plain text.
- Username — chosen by you, lowercase alphanumeric, 3–15 characters. Your username is publicly visible on the in-app leaderboard.
1.2 Sign-in with Google or Apple
If you choose to sign in using Google or Apple, we receive the following information from your provider:
- From Google: your email address, full name, profile picture URL, and a unique Google provider identifier.
- From Apple: your email address (or Apple's relay address if you choose to hide it) and your name. We request only the minimum scopes (email and full name).
We do not receive your Google or Apple password.
1.3 Usage Data
While you use FlowStrike, we collect data generated by your interactions with the App:
- Focus sessions, including task names you enter, selected emotion type, ritual type, session duration, and completion status.
- Streak history (which days you completed sessions).
- Experience points, skill levels, rank, boss progression, and consumable inventory.
- Timestamps of activity (session start/end, account creation, last sign-in).
- Analytics events about how users interact with the App, such as app launches, screen views, paywall views, account sign-in completion, task creation, session starts and completions, purchase-related events, and similar product interaction events.
1.4 Device Information
If you grant permission to receive notifications, we store a push notification token (issued by Apple or Google) so we can deliver reminders and streak alerts. Push notifications are optional; you may decline or revoke this permission at any time in your device settings.
We may also collect app instance identifiers or device-level identifiers used by Firebase Analytics to measure app usage, audience size, product interactions, and basic performance. We do not collect Apple's IDFA or Google's Advertising ID.
If you install FlowStrike after tapping an advertisement we run on TikTok, we use the TikTok Business SDK to measure that installation and the resulting in-app actions. For this purpose, a device- or installation-level identifier (not Apple's IDFA) and a small set of standardized app events are shared with TikTok in aggregated form. We have disabled app-tracking permission requests, so we do not access Apple's IDFA and do not track you across other companies' apps or websites at an individual level. See Section 3.7 for details.
1.5 Purchase Information
When you make an in-app purchase or subscribe to FlowStrike Pro, the transaction is processed entirely by Apple's App Store or Google Play. We do not receive, store, or process your payment card details. We receive only an anonymized purchase confirmation from RevenueCat (our subscription management provider) indicating that a purchase occurred and what product was purchased.
1.6 Information We Do NOT Collect
To be explicit, FlowStrike does not collect:
- Advertising identifiers (such as Apple's IDFA or Google's Advertising ID).
- Location data.
- Contacts, photos, microphone, or camera data.
- Biometric data.
- Browsing history outside of FlowStrike.
- Apple's IDFA or Google's Advertising ID (we do not request app-tracking permission).
- Personal data sold to third parties or shared with data brokers.
- Individual cross-app or cross-site tracking tied to an advertising identifier.
For clarity: we do measure the performance of advertising campaigns we run (for example, on TikTok) using aggregated, privacy-preserving attribution such as Apple's SKAdNetwork and standardized app events. This measurement does not rely on Apple's IDFA and does not identify you individually across other apps. See Sections 3.7 and 9.
2. How We Use Your Information
We use the information we collect to:
- Provide core App functionality (focus sessions, streaks, rituals, leaderboards, rewards).
- Authenticate you and maintain your session across devices.
- Display your username on the public in-app leaderboard.
- Send transactional emails (account verification, password reset, subscription confirmations).
- Deliver optional push notifications you have consented to.
- Process subscriptions and in-app purchases through Apple, Google, and RevenueCat.
- Analyze app usage and product interactions to understand how FlowStrike is used, improve existing features, fix issues, and plan future improvements.
- Investigate and prevent abuse, fraud, or violations of our Terms of Use.
We use a limited set of standardized, anonymized app events (such as completing registration, viewing the paywall, and completing a purchase) to measure the performance of advertising campaigns we run to promote FlowStrike, for example on TikTok. This is aggregated campaign measurement and attribution.
We do not sell your personal information, share it with data brokers, build advertising profiles about you, or track you individually across other companies' apps or websites using an advertising identifier. Because we have disabled app-tracking permission requests, we do not access Apple's IDFA.
2.1 Legal Basis (GDPR)
For users in the European Economic Area and the United Kingdom, our legal basis for processing your data is:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the service you signed up for.
- Consent (Art. 6(1)(a) GDPR): for push notifications and any optional features you explicitly enable.
- Legitimate interest (Art. 6(1)(f) GDPR): for fraud prevention and service improvement, balanced against your fundamental rights.
3. Third-Party Services
FlowStrike relies on the following service providers to operate. Each is bound by its own privacy practices, summarized below.
3.1 Supabase
Our backend (database, authentication, server functions) is provided by Supabase. Your account data and usage data are stored on Supabase's infrastructure. See supabase.com/privacy.
3.2 RevenueCat
Subscription management and purchase verification are handled by RevenueCat. RevenueCat receives anonymized purchase events tied to an internal RevenueCat-issued user identifier. See revenuecat.com/privacy.
3.3 Apple and Google
All payment processing is handled by Apple (App Store) and Google (Google Play). When you make a purchase, you transact directly with Apple or Google under their respective terms. We do not see your payment card details.
If you use Sign in with Apple or Sign in with Google, your authentication credentials are handled by the respective provider.
3.4 Expo Push Service
Push notifications are delivered through Expo's push service, which forwards them to Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. Your push token is required to receive notifications and is stored in our database.
3.5 Resend
Transactional emails (account verification, password reset) are sent through Resend. Your email address is shared with Resend solely to deliver these transactional messages.
3.6 Firebase Analytics / Google Analytics for Firebase
We use Firebase Analytics, provided by Google, to understand how users interact with FlowStrike and to improve the App. Firebase Analytics may collect app interaction events, screen views, app instance identifiers, device information, and related usage data. We have configured Firebase Analytics without advertising identifier support and do not use it for targeted advertising, third-party advertising, data brokerage, or cross-app tracking. See firebase.google.com/support/privacy.
3.7 TikTok Business SDK
We use the TikTok Business SDK, provided by TikTok, to measure the effectiveness of advertising campaigns we run on TikTok and to attribute app installs and in-app actions to those campaigns. When you use the App, the SDK may share with TikTok a limited set of standardized app events (such as registration, paywall view, and purchase) along with a device- or installation-level identifier and basic device information, in aggregated form.
We have disabled app-tracking permission requests in the App, which means we do not access Apple's IDFA and do not perform individual cross-app tracking through this SDK. Attribution is performed using aggregated, privacy-preserving mechanisms such as Apple's SKAdNetwork. The app events we send do not include the contents of your focus sessions, task names, or your account identity. See tiktok.com/legal/privacy-policy.
4. Data Storage and Security
4.1 Where Your Data Is Stored
Your account information and usage data are stored on Supabase's secure cloud infrastructure. Data is encrypted in transit (TLS/HTTPS) and at rest using industry-standard encryption.
4.2 Local Storage on Your Device
The App stores certain data locally on your device using AsyncStorage:
- Authentication tokens (so you stay signed in).
- A cache of your game state (experience points, streaks, skill levels) for offline access.
- A queue of pending operations when you are offline, which may temporarily include task names you have entered.
- An anonymous device identifier used only when you have not signed in (guest mode).
This local data is removed when you sign out, when you uninstall the App, or when you reset device storage.
4.3 Row-Level Security
Our database enforces row-level security: with the exception of your public username (which appears on the leaderboard), no user can read, modify, or delete another user's data.
4.4 Security Limitations
While we take reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security. If you become aware of any security issue, please contact us at [email protected].
5. Data Retention
We retain your personal information for as long as your account remains active. If you delete your account, all your personal data — including your profile, focus session history, task names, streak history, experience and rank progression, and any in-app purchase records linked to your user identifier — are permanently deleted from our active database. This deletion is automatic and irreversible.
Some information may remain in encrypted backups for a limited period (up to 30 days) before being purged according to our backup retention schedule.
Information that Apple, Google, or RevenueCat retain about your purchases is governed by their respective policies and is outside our control.
6. Your Rights
Regardless of your location, you have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct any inaccurate information.
- Deletion — request that we delete your account and all associated data. You can do this directly in the App under Profile → Delete Account, or by emailing us.
- Objection — object to certain processing activities.
- Portability — request a machine-readable copy of your data.
- Withdraw consent — withdraw any consent you have given (e.g., disable push notifications).
To exercise any of these rights, email [email protected]. We will respond within 30 days.
6.1 California Residents (CCPA)
If you reside in California, you also have the right to:
- Know what personal information we collect and how we use it (described in this Policy).
- Request deletion of your personal information.
- Opt out of the sale of personal information. We do not sell your personal information.
- Non-discrimination for exercising your privacy rights.
6.2 EU/UK Residents (GDPR)
If you reside in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection law.
7. Children's Privacy
FlowStrike is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected], and we will delete such information promptly.
Users between 13 and 18 should review this Policy with a parent or legal guardian before using the App.
8. International Data Transfers
FlowStrike operates from Mexico. Our service providers (Supabase, RevenueCat, Expo, Resend, Apple, Google, Firebase/Google Analytics, and TikTok) may store and process your data in the United States, the European Union, or other countries where they operate. By using FlowStrike, you consent to the transfer of your data to these locations. Where applicable (e.g., GDPR), these transfers are made pursuant to appropriate safeguards such as Standard Contractual Clauses.
9. Cookies and Tracking
FlowStrike is a mobile application and does not use cookies, web beacons, or browser fingerprinting. We do not access Apple's IDFA or Google's Advertising ID, and we do not track you individually across other companies' apps or websites.
We use Firebase Analytics for first-party app analytics, such as understanding app usage and improving product features. We also use the TikTok Business SDK (Section 3.7) to measure the performance of advertising campaigns we run, using aggregated, privacy-preserving attribution (such as Apple's SKAdNetwork) rather than an individual advertising identifier. Authentication tokens stored locally on your device are used solely to maintain your session.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email and/or through an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the App after changes take effect constitutes acceptance of the revised Policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, contact us at:
Data Controller: Braulio Gabriel Villegas Jiménez
Privacy requests: [email protected]
General contact: [email protected]
Location: Puebla, Mexico