Privacy Policy
Last updated: April 17, 2026
This Privacy Policy describes how FlashPan ("we", "us", or "the app") collects, uses, and protects your information when you use the FlashPan mobile application. We designed FlashPan to collect as little personal data as possible, and we do not use advertising or analytics tracking of any kind.
1. Information we collect
We collect the following categories of information:
- Account information. When you sign up with email and password, we store your email address and, if you provide it, your display name (full name) and optionally a profile photo URL. If you sign in with Apple, we receive the identifiers Apple provides to us (a user identifier and, if you choose to share them, your name and relay email). Passwords are handled by our authentication provider (Supabase Auth) and are never stored in plain text.
- App content you create. Recipes you save, favorites, and dietary preferences you configure are stored in our backend and linked to your account. Pantry items, shopping lists, chat history with the AI assistant, and the "prioritize local recipes" toggle are stored locally on your device; they are not uploaded to our backend except when their contents are transiently included in an AI request that you initiate.
- Token balance and purchase records. We store your in-app token balance, a record of token purchases (platform, store product ID, store transaction ID, and the raw store receipt used to verify the purchase), and a log of AI actions you perform (which edge function was called and how many tokens it consumed). This log does not contain the content of your requests or responses.
- Authentication session. Once you sign in, your session token is stored securely on your device using the operating system's secure storage (Keychain on iOS, Keystore on Android). It is used to keep you signed in.
We do not collect crash reports, device advertising identifiers, analytics events, or diagnostic telemetry.
2. Camera and photo library
FlashPan lets you take a photo of your ingredients with your camera or pick an existing photo from your gallery. Before the image leaves your device, it is resized and re-encoded, which strips EXIF metadata, including any GPS coordinates that may have been embedded by your camera. The image is then sent to our backend, which forwards it to OpenAI for ingredient detection, and the response is returned to you.
We do not store the images. They are processed in transit and discarded after the response is returned. They are not saved in our database, are not used to train any model, and are not shared with third parties beyond the AI provider described in Section 5.
3. Location
Location access is optional and off by default. It is only requested when you enable the "prioritize local recipes" toggle in the app's profile screen. When enabled, we read your location only while you are actively using the app and at the lowest accuracy the operating system provides. We resolve it to a country string (for example, "Germany"); we do not read, transmit, or store your precise GPS coordinates. The region/country string is passed to the AI model for the duration of a single recipe request so it can prioritize recipes that reflect local cuisine, and is not retained in our database. You can disable the toggle at any time; revoking the OS-level permission has the same effect.
4. In-app purchases
FlashPan sells consumable tokens through Apple's App Store (StoreKit) and Google Play Billing. Payments are handled entirely by Apple or Google — we do not see or store your payment card details. When you complete a purchase, your device sends the store receipt to our backend; we verify it with Apple or Google, store the receipt together with the associated store transaction ID and platform, and credit the corresponding token balance to your account. FlashPan also grants promotional tokens (for example, a daily reward that you can claim once every 24 hours); these grants are recorded in the same token ledger.
5. AI processing
Requests you make to our AI features (ingredient analysis from photos, recipe generation, and chat with the AI assistant) are routed through our backend (Supabase Edge Functions) to OpenAI, which is currently our only AI model provider. Only the content required to fulfil the request is transmitted — for example, an ingredient photo (with EXIF stripped), a chat prompt together with the recent chat history needed for context, your dietary preferences, the ingredients you have entered, or a coarse region/country string if you have enabled the location toggle. Your email, display name, token balance, and purchase history are never sent to the AI provider. API credentials for the AI provider are held server-side and are never exposed to the app. Processing by OpenAI is subject to OpenAI's own terms and privacy practices.
6. How your data is stored
Account data, saved recipes, favorites, and token balance/purchase/transaction records are stored in our backend, which is hosted on Supabase. Supabase acts as our data processor and provides authentication, database, and edge-function hosting. Data is transmitted over TLS and stored in Supabase's managed infrastructure. Your authentication session token is stored on your device in the operating system's secure storage.
7. Data we do not collect
- We do not sell or rent your personal data.
- We do not use any analytics, tracking, or crash-reporting SDKs (no Google Analytics, Firebase, Sentry, Mixpanel, Segment, or similar).
- We do not use third-party advertising networks or advertising identifiers (IDFA, AAID).
- We do not store the photos you submit for ingredient scanning.
- We do not store your precise GPS coordinates.
- We do not send push notifications and do not request notification, microphone, contacts, or calendar permissions.
8. Your rights
You can:
- Update your display name from the app's profile screen.
- Reset your password via the password reset page.
- Toggle the use of your location at any time from the profile screen, and revoke camera, photo-library, or location permissions from your device's system settings.
- Delete your account from within the app. Account deletion permanently removes your profile, saved recipes, favorites, token balance, and rate-limit data from our backend. Token purchase and transaction records are de-identified (your user ID is removed from them) rather than deleted outright, as they may be subject to legal retention requirements — see Section 9. Locally stored items (pantry, shopping list, chat history, preferences) are removed when you uninstall the app or clear its data.
- Export a copy of all your personal data directly from within the app — tap Export my data on the profile screen to download a JSON file containing your account information, saved recipes, token transaction history, and purchase records.
- Contact us to exercise any other rights granted to you by applicable law (e.g. GDPR right of access, portability, or objection; CCPA requests).
9. Data retention
We keep your account data for as long as your account is active. When you delete your account, your profile, saved recipes, favorites, token balance, and rate-limit records are removed from our live database promptly (via cascading deletes), and from backups in the ordinary course of our backup rotation. Token purchase and transaction records may be retained for longer where required by tax or accounting law (for example, EU VAT regulations); in such cases your account identifier is removed from those records so they are de-identified and can no longer be connected to you.
9a. International transfers
FlashPan uses Supabase for backend hosting and OpenAI for AI processing. Depending on the region of those providers' infrastructure, your data may be processed in countries other than the one you live in, including the United States. Where required by law (for example, under the GDPR), such transfers rely on appropriate safeguards such as the European Commission's standard contractual clauses adopted by the relevant provider.
10. Children
FlashPan is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the app or by email. The "Last updated" date above reflects the current version.
12. Contact
Questions about this policy or your data? Email support@flashpan.com.