Privacy Policy

The operator of the cFlash application and website (hereinafter: "Service") is committed to protecting the personal data of users. This notice describes how we collect, use, and protect your data in accordance with the European Union General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The data controller is established in the European Union (Hungary), therefore no EU representative designation is required.

2. Data We Collect

2.1 Data Provided During Registration

• Username – account identification; also functions as your unique referral code
• Email address – communication, account recovery
• Password – stored encrypted (bcrypt hash), we have no access to the original password
• Referral code (optional) – if you registered using another user's referral code, we store this relationship for the reward program

2.2 Data Collected During Use

• Settings and preferences – language, theme, notification settings
• Saved content – bookmarked news
• Push token (device identifier) – for sending notifications
• Telegram chat ID – if you connect your Telegram account for notifications
• Referral program data – the number of users you have invited and the number of those who became active Premium subscribers (for operating the reward program)

2.3 Automatically Collected Data

• IP address – for security purposes, abuse prevention
• Device type and platform – application optimization

2.4 Payment-Related Data

If you purchase a Premium subscription, the payment transaction is handled by Apple Inc. (iOS) or Google LLC (Android). We have no access to payment card data, the name on the card, or the billing address – these are managed by Apple and Google in accordance with their own data processing policies.

For subscription management, we receive and store the following data:

• Transaction identifier
• Product identifier (monthly or yearly subscription)
• Purchase date and expiration date
• Subscription status (active, cancelled, expired, trial period)
• RevenueCat customer identifier (to verify Premium access)

3. Purpose and Legal Basis for Processing

Purpose	Legal Basis (GDPR)
Account creation and operation	Performance of contract (Art. 6(1)(b))
Sending push notifications	Consent (Art. 6(1)(a))
Sending Telegram notifications	Consent (Art. 6(1)(a))
Subscription management, payment processing	Performance of contract (Art. 6(1)(b))
Sending transactional emails	Performance of contract (Art. 6(1)(b))
Operating the referral program and distributing rewards	Performance of contract (Art. 6(1)(b))
Security protection, abuse prevention	Legitimate interest (Art. 6(1)(f))
Service improvement	Legitimate interest (Art. 6(1)(f))

3.1 Legitimate Interest Assessment

For processing based on legitimate interest, we have balanced our interests against your fundamental rights. Our legitimate interest in maintaining service security and improvement does not override your rights to personal data protection. Security-related processing (e.g., IP address logging, login attempt limitations) is essential for protecting the service and our users.

4. Data Processors

We do not sell your personal data to third parties. We use the following data processors to operate the Service:

Provider	Status	Purpose	Data Transferred	Location
Sybell Kft.	Data Processor	Website hosting	Website visit data	Hungary
Szerverplex Kft.	Data Processor	Backend servers, database	All user data	Hungary
Expo (Expo.dev)	Data Processor	Push notification delivery	Push token, platform	USA
Resend Inc.	Data Processor	Email delivery	Email address	USA
Google LLC (Firebase Cloud Messaging)	Data Processor	Delivery of Android push notifications	Push token, notification content	USA
RevenueCat, Inc.	Data Processor	Subscription management and IAP event processing	Subscription status, transaction ID, RevenueCat customer ID	USA
OpenAI, L.L.C.	Data Processor	AI-powered news summarization and similarity detection	Public RSS article content (no user data)	USA
xAI Corp. (Grok)	Data Processor	Alternative AI provider for news summarization	Public RSS article content (no user data)	USA
CoinGecko	Independent Service	Public crypto market data	No user data transmitted	Germany
Apple Inc.	Independent Controller	In-App Purchase (iOS)	Subscription status	USA
Google LLC	Independent Controller	In-App Purchase (Android)	Subscription status	USA

5. International Data Transfers

Some of our data processors (Expo, Resend, OpenAI, xAI, Firebase, RevenueCat) operate in the United States. Data transfers are made based on Standard Contractual Clauses (SCC) approved by the European Commission or adequacy decisions, ensuring GDPR-compliant protection of your data.

For Hungarian providers (Sybell, Szerverplex) and the German provider (CoinGecko), no transfers to third countries occur.

6. Data Retention Period

• Active account: As long as your account is active, or for 2 years from last login in case of inactivity.
• After account deletion: Deletion is immediate in our primary database. Server-side caches are cleared within 24 hours. If backups are created, they are purged within 30 days.
• Security logs (IP addresses, login attempts): Retained for 90 days, then automatically deleted.
• Transaction and billing data: In accordance with legal requirements (generally 8 years under accounting laws).
• Support communication: May be retained for quality assurance and legal purposes until account deletion, or for 2 years from the communication.

7. User Rights

Under the GDPR, you have the following rights:

• Right of access (Art. 15): You may request information about what data we process about you.
• Right to rectification (Art. 16): You may request correction of inaccurate data.
• Right to erasure (Art. 17): You may request deletion of your data ("right to be forgotten").
• Right to restriction (Art. 18): In certain cases, you may request restriction of processing.
• Right to data portability (Art. 20): You may request your data in a machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7): You may withdraw your consent to notifications (push, Telegram) at any time in the app settings or device settings.

To exercise your rights, email support@cflash.app. We will respond to your request within 30 days. If we cannot clearly identify the requester, we may ask for additional identity verification before processing the request (e.g., a confirmation sent from the registered email address).

8. Account and Data Deletion

You can delete your account and all associated personal data at any time:

• In the app: Settings → Manage Account → Delete Account
• On the web: cflash.app/delete-account.html
• By email: support@cflash.app (if you cannot sign in)

In-app deletion is immediate: your personal data is removed from our primary database at once, server-side caches are cleared within 24 hours. If backups are created, they are purged within 30 days. Data subject to legal retention requirements (e.g., billing data) is retained for the statutory period.

9. Cookies and Tracking

The cFlash website and application does not use cookies and does not employ tracking technologies for user tracking.

The website uses third-party fonts (Google Fonts), which may transfer minimal technical data (e.g., IP address) during loading. This is a necessary technical process, not for user tracking purposes.

The application uses local storage (AsyncStorage, SecureStore) for storing settings and login data on the device. This data is not transferred to third parties and does not constitute cookies.

10. Automated Decision-Making

cFlash does not employ solely automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you (GDPR Art. 22).

11. External Services

11.1 Telegram Integration

If you connect your Telegram account to the cFlash application, Telegram's own privacy policy also applies to communication with the Telegram platform. We only store your Telegram chat ID for sending notifications, which you can delete at any time in the app settings.

11.2 App Store and Google Play

When downloading the app and during In-App Purchase transactions, Apple's and Google's own privacy policies apply:

• Apple Privacy Policy
• Google Privacy Policy

11.3 AI Processing (OpenAI and xAI)

The Service uses artificial intelligence to generate short summaries of public crypto news articles and to detect duplicate content. The following applies:

• Only the publicly available content of RSS news articles is sent to AI providers for processing. No user account data, search queries, preferences, or any personally identifiable information is shared.
• AI providers used: OpenAI (primary) and xAI / Grok (alternative).
• AI processing happens server-side on our backend; it is not triggered by your individual actions in the app.
• AI-generated summaries may contain inaccuracies or misinterpretations. Always refer to the original source for critical decisions.

11.4 Firebase Cloud Messaging (FCM)

On Android devices, push notifications are delivered through Google's Firebase Cloud Messaging service. The push token generated by your device and the notification payload (title, body) are transferred to FCM for delivery. You can disable push notifications at any time in the app settings or in your device's system settings. See Firebase Privacy Information.

11.5 RevenueCat (Subscription Management)

We use RevenueCat, Inc. (USA) for managing Premium subscriptions. RevenueCat receives Apple App Store and Google Play purchase events (via webhooks), tracks subscription status, and forwards it to our backend system for Premium access verification. RevenueCat does NOT store or process payment card data. The service is GDPR-compliant, and data transfer is made based on Standard Contractual Clauses (SCC). See: RevenueCat Privacy Policy.

12. Support Communication

Communication at support@cflash.app may be retained for quality assurance and legal purposes. This includes the email address, message content, and any attachments. Support communication retention period is until account deletion, or 2 years from the communication.

13. Data Security

To protect your data, we implement the following technical and organizational measures:

• Encrypted connection (SSL/TLS) for all data transfers
• Secure password storage (bcrypt hash algorithm)
• Access restriction and logging on servers
• Regular security backups
• Login attempt limitation (brute-force protection)
• API rate limiting for abuse prevention

14. Children's Data Protection

Legal capacity under applicable law is required to use the Service. We do not knowingly collect data from persons lacking legal capacity. If we become aware that we are processing such a person's data, we will delete it immediately.

15. Data Breach Incidents

In case of a data breach, we act in accordance with GDPR Articles 33 and 34:

• We report the incident to the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours if it is likely to result in a risk to the rights and freedoms of data subjects.
• If the incident results in high risk, we notify affected users without undue delay.

16. Supervisory Authority

If you believe we have violated your data protection rights, you may file a complaint with the competent supervisory authority:

You may also seek judicial remedy before the competent court at your place of residence or habitual residence.

17. Changes

We reserve the right to modify this Privacy Policy. We will notify you of significant changes via the application or email. The modified policy takes effect on the date of publication. We recommend reviewing this page regularly.

18. Contact

For privacy questions, exercising your rights, or complaints, please contact us: