Privacy Policy (TheFlashMate)

Effective date: 23/01/2026

This Privacy Policy explains how TheFlashMate (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use our Service.

1) Data controller and contact

Data controller: TheFlashMate
Address: Stentoften 2, Mariager, 9550 Denmark
Email: support@theflashmate.com

2) Personal data we collect

We collect and process only what is needed to provide and secure the Service. Depending on how you use the Service, we may process:

A) Account and authentication data

  • Email address
  • Name (if you provide it)
  • Password hash (we do not store your plaintext password)
  • Email verification status and related verification/security tokens (typically stored securely/hashed)
  • Session identifiers/cookies needed to keep you logged in

B) Learning and progress data (sync across devices)

  • Learning content you enter (if you choose to store it with your account)
  • Progress and usage states related to flashcards and learning sessions (e.g., which items were shown and when, progress metrics)

C) License/entitlement data

  • Subscription/entitlement status for access control
  • Signed tokens used for offline/limited entitlement proof (where applicable)

D) Technical and log data (security and reliability)

  • IP address (for security, abuse prevention, and troubleshooting)
  • Basic request logs (timestamps, endpoints accessed, error logs)
  • Device/app details only if required for licensing/security or diagnostics (for example, app version). We currently aim to minimize device identifiers; if we introduce additional identifiers, we will update this policy.

E) Payment and billing data (handled by Paddle)

Payments are processed by Paddle as Merchant of Record. We may receive limited data from Paddle such as:

  • Paddle customer identifiers
  • Subscription status, plan, renewal/cancellation events
  • Transaction-related metadata needed to validate entitlement

We do not store full payment card details.

3) How we use your data

We use your data to:

  • Provide the Service, including creating and managing your account
  • Authenticate you and secure access
  • Sync your learning progress across devices
  • Validate your subscription entitlement (including periodic license checks)
  • Send essential messages (verification, password reset, security notices, support)
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Maintain and improve reliability (e.g., debugging errors)

4) Legal bases (EEA/UK GDPR)

Where applicable, we process personal data under these legal bases:

  • Contract: to provide the Service you request (account, sync, entitlement)
  • Legitimate interests: security, fraud prevention, and service reliability
  • Consent: where required (e.g., optional marketing emails)
  • Legal obligation: where we must comply with applicable laws

5) Marketing emails

We generally avoid marketing emails. If we send occasional marketing messages, we will do so where permitted by law, and you can opt out using the unsubscribe method (if provided) or by contacting support.

Transactional and security emails (verification, password reset, account/security notices) are not marketing and may still be sent as needed.

6) Sharing and disclosure

We do not sell your personal data.

We may share data with service providers (“processors”) who help us operate the Service, such as:

  • Paddle (payments, subscriptions, tax handling; Merchant of Record)
  • Hosting and infrastructure providers
  • Email delivery providers (to send verification and reset emails)

We may also disclose data if required by law, or to protect our rights, users, and the Service (e.g., investigating fraud/abuse).

7) International transfers

Your data may be processed in countries other than where you live, depending on where our providers operate. Where required, we rely on appropriate safeguards (such as standard contractual clauses) to protect transfers.

8) Data retention

We keep personal data only as long as necessary for the purposes described above.

  • Account and progress data: retained while your account is active.
  • Deletion requests: you can request deletion by contacting support; we will delete your account and associated learning/progress data promptly.
  • Payment/billing records: Paddle may retain billing and tax records longer as required by law and for legitimate business purposes, even after you request deletion from us.
  • Security logs: may be retained for a limited period to protect the Service and investigate abuse.

9) Your rights

Depending on your location, you may have rights to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to certain processing
  • Receive a copy of your data (portability)
  • Withdraw consent (where processing is based on consent)
  • Lodge a complaint with a supervisory authority

To exercise these rights, contact support@theflashmate.com.

10) Security

We use reasonable technical and organizational measures to protect personal data, including secure password hashing and access controls. No method of transmission or storage is 100% secure; you use the Service at your own risk.

11) Cookies and similar technologies

Our website/API may use cookies or similar technologies primarily for:

  • Maintaining sessions (keeping you logged in)
  • Security (preventing abuse)

If you use the desktop app, it may store local configuration and authentication state on your device to keep you signed in and to operate the Service.

12) Children’s privacy

The Service is not specifically directed to children. If you believe a child has provided personal data without appropriate permission, contact us and we will take steps to delete it.

13) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will make reasonable efforts to notify you (e.g., email or in-app notice). The updated policy takes effect on the effective date listed above.