Privacy Policy
Effective: March 10, 2026
The operator of the cFlash application and website (hereinafter: "Service") is committed to protecting the personal data of users. This notice describes how we collect, use, and protect your data in accordance with the European Union General Data Protection Regulation (GDPR) and applicable data protection laws.
1. Data Controller
[COMPANY NAME]
Address: [ADDRESS]
Email: support@cflash.app
The data controller is established in the European Union (Hungary), therefore no EU representative designation is required.
2. Data We Collect
2.1 Data Provided During Registration
- Username – account identification
- Email address – communication, account recovery
- Password – stored encrypted (bcrypt hash), we have no access to the original password
2.2 Data Collected During Use
- Settings and preferences – language, theme, notification settings
- Saved content – bookmarked news
- Push token (device identifier) – for sending notifications
- Telegram chat ID – if you connect your Telegram account for notifications
2.3 Automatically Collected Data
- IP address – for security purposes, abuse prevention
- Device type and platform – application optimization
2.4 Payment-Related Data
If you purchase a Premium subscription:
- App Store / Google Play purchase: Payment is handled by Apple or Google. We only receive subscription status and expiration date. We have no access to payment card data.
- Cryptocurrency payment: The transaction is handled by CoinPayments. We receive the transaction ID and status.
3. Purpose and Legal Basis for Processing
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and operation | Performance of contract (Art. 6(1)(b)) |
| Sending push notifications | Consent (Art. 6(1)(a)) |
| Sending Telegram notifications | Consent (Art. 6(1)(a)) |
| Subscription management, payment processing | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of contract (Art. 6(1)(b)) |
| Security protection, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
3.1 Legitimate Interest Assessment
For processing based on legitimate interest, we have balanced our interests against your fundamental rights. Our legitimate interest in maintaining service security and improvement does not override your rights to personal data protection. Security-related processing (e.g., IP address logging, login attempt limitations) is essential for protecting the service and our users.
4. Data Processors
We do not sell your personal data to third parties. We use the following data processors to operate the Service:
| Provider | Status | Purpose | Data Transferred | Location |
|---|---|---|---|---|
| Sybell Kft. | Data Processor | Website hosting | Website visit data | Hungary |
| Szerverplex Kft. | Data Processor | Backend servers, database | All user data | Hungary |
| Expo (Expo.dev) | Data Processor | Push notification delivery | Push token, platform | USA |
| Resend Inc. | Data Processor | Email delivery | Email address | USA |
| CoinPayments Inc. | Independent Controller | Cryptocurrency payments | Transaction data | Canada |
| Apple Inc. | Independent Controller | In-App Purchase (iOS) | Subscription status | USA |
| Google LLC | Independent Controller | In-App Purchase (Android) | Subscription status | USA |
5. International Data Transfers
Some of our data processors (Expo, Resend) operate in the United States, and CoinPayments operates in Canada. Data transfers are made based on Standard Contractual Clauses (SCC) approved by the European Commission or adequacy decisions, ensuring GDPR-compliant protection of your data.
For Hungarian providers (Sybell, Szerverplex), no transfers to third countries occur.
6. Data Retention Period
- Active account: As long as your account is active, or for 2 years from last login in case of inactivity.
- After account deletion: We permanently delete all your personal data within 30 days.
- Security logs (IP addresses, login attempts): Retained for 90 days, then automatically deleted.
- Transaction and billing data: In accordance with legal requirements (generally 8 years under accounting laws).
- Support communication: May be retained for quality assurance and legal purposes until account deletion, or for 2 years from the communication.
7. User Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): You may request information about what data we process about you.
- Right to rectification (Art. 16): You may request correction of inaccurate data.
- Right to erasure (Art. 17): You may request deletion of your data ("right to be forgotten").
- Right to restriction (Art. 18): In certain cases, you may request restriction of processing.
- Right to data portability (Art. 20): You may request your data in a machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7): You may withdraw your consent to notifications (push, Telegram) at any time in the app settings or device settings.
To exercise your rights, email support@cflash.app. We will respond to your request within 30 days. We may request identity verification before processing your request.
8. Account and Data Deletion
You can delete your account and all associated personal data at any time:
- In the app: Settings → Delete Account
- By email: support@cflash.app
After receiving your deletion request, we will permanently remove your data from our systems within 30 days, except for data subject to legal retention requirements (e.g., billing data).
9. Cookies and Tracking
The cFlash website and application does not use cookies and does not employ tracking technologies for user tracking.
The website uses third-party fonts (Google Fonts), which may transfer minimal technical data (e.g., IP address) during loading. This is a necessary technical process, not for user tracking purposes.
The application uses local storage (AsyncStorage, SecureStore) for storing settings and login data on the device. This data is not transferred to third parties and does not constitute cookies.
10. Automated Decision-Making
cFlash does not employ solely automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you (GDPR Art. 22).
11. External Services
11.1 Telegram Integration
If you connect your Telegram account to the cFlash application, Telegram's own privacy policy also applies to communication with the Telegram platform. We only store your Telegram chat ID for sending notifications, which you can delete at any time in the app settings.
11.2 App Store and Google Play
When downloading the app and during In-App Purchase transactions, Apple's and Google's own privacy policies apply:
12. Support Communication
Communication at support@cflash.app may be retained for quality assurance and legal purposes. This includes the email address, message content, and any attachments. Support communication retention period is until account deletion, or 2 years from the communication.
13. Data Security
To protect your data, we implement the following technical and organizational measures:
- Encrypted connection (SSL/TLS) for all data transfers
- Secure password storage (bcrypt hash algorithm)
- Access restriction and logging on servers
- Regular security backups
- Login attempt limitation (brute-force protection)
- API rate limiting for abuse prevention
14. Children's Data Protection
Legal capacity under applicable law is required to use the Service. We do not knowingly collect data from persons lacking legal capacity. If we become aware that we are processing such a person's data, we will delete it immediately.
15. Data Breach Incidents
In case of a data breach, we act in accordance with GDPR Articles 33 and 34:
- We report the incident to the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours if it is likely to result in a risk to the rights and freedoms of data subjects.
- If the incident results in high risk, we notify affected users without undue delay.
16. Supervisory Authority
If you believe we have violated your data protection rights, you may file a complaint with the competent supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Web: naih.hu
You may also seek judicial remedy before the competent court at your place of residence or habitual residence.
17. Changes
We reserve the right to modify this Privacy Policy. We will notify you of significant changes via the application or email. The modified policy takes effect on the date of publication. We recommend reviewing this page regularly.
18. Contact
For privacy questions, exercising your rights, or complaints, please contact us:
Email: support@cflash.app