Privacy Policy

Last updated: April 17, 2026

This Privacy Policy describes how FlashPan ("we", "us", or "the app") collects, uses, and protects your information when you use the FlashPan mobile application. We designed FlashPan to collect as little personal data as possible, and we do not use advertising or analytics tracking of any kind.

1. Information we collect

We collect the following categories of information:

We do not collect crash reports, device advertising identifiers, analytics events, or diagnostic telemetry.

2. Camera and photo library

FlashPan lets you take a photo of your ingredients with your camera or pick an existing photo from your gallery. Before the image leaves your device, it is resized and re-encoded, which strips EXIF metadata, including any GPS coordinates that may have been embedded by your camera. The image is then sent to our backend, which forwards it to OpenAI for ingredient detection, and the response is returned to you.

We do not store the images. They are processed in transit and discarded after the response is returned. They are not saved in our database, are not used to train any model, and are not shared with third parties beyond the AI provider described in section 5.

3. Location

Location access is optional and off by default. It is only requested when you enable the "prioritize local recipes" toggle in the app's profile screen. When enabled, we read your location only while you are actively using the app and at the lowest accuracy the operating system provides. We resolve it to a country string (for example, "Germany"); we do not read, transmit, or store your precise GPS coordinates. The region/country string is passed to the AI model for the duration of a single recipe request so it can prioritize recipes that reflect local cuisine, and is not retained in our database. You can disable the toggle at any time; revoking the OS-level permission has the same effect.

4. In-app purchases

FlashPan sells consumable tokens through Apple's App Store (StoreKit) and Google Play Billing. Payments are handled entirely by Apple or Google — we do not see or store your payment card details. When you complete a purchase, your device sends the store receipt to our backend; we verify it with Apple or Google, store the receipt together with the associated store transaction ID and platform, and credit the corresponding token balance to your account. FlashPan also grants promotional tokens (for example, a daily reward that you can claim once every 24 hours); these grants are recorded in the same token ledger.

5. AI processing

Requests you make to our AI features (ingredient analysis from photos, recipe generation, and chat with the AI assistant) are routed through our backend (Supabase Edge Functions) to OpenAI, which is currently our only AI model provider. Only the content required to fulfil the request is transmitted — for example, an ingredient photo (with EXIF stripped), a chat prompt together with the recent chat history needed for context, your dietary preferences, the ingredients you have entered, or a coarse region/country string if you have enabled the location toggle. Your email, display name, token balance, and purchase history are never sent to the AI provider. API credentials for the AI provider are held server-side and are never exposed to the app. Processing by OpenAI is subject to OpenAI's own terms and privacy practices.

6. How your data is stored

Account data, saved recipes, favorites, and token balance/purchase/transaction records are stored in our backend, which is hosted on Supabase. Supabase acts as our data processor and provides authentication, database, and edge-function hosting. Data is transmitted over TLS and stored in Supabase's managed infrastructure. Your authentication session token is stored on your device in the operating system's secure storage.

7. Data we do not collect

8. Your rights

You can:

9. Data retention

We keep your account data for as long as your account is active. When you delete your account, your profile, saved recipes, favorites, token balance, and rate-limit records are removed from our live database promptly (via cascading deletes), and from backups in the ordinary course of our backup rotation. Token purchase and transaction records may be retained for longer where required by tax or accounting law (for example, EU VAT regulations); in such cases your account identifier is removed from those records so they are de-identified and can no longer be connected to you.

9a. International transfers

FlashPan uses Supabase for backend hosting and OpenAI for AI processing. Depending on the region of those providers' infrastructure, your data may be processed in countries other than the one you live in, including the United States. Where required by law (for example, under the GDPR), such transfers rely on appropriate safeguards such as the European Commission's standard contractual clauses adopted by the relevant provider.

10. Children

FlashPan is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or by email. The "Last updated" date above reflects the current version.

12. Contact

Questions about this policy or your data? Email support@flashpan.com.