Privacy Policy

Effective Date: January 15, 2025
Last Updated: January 15, 2025

This Privacy Policy describes how Flevv ("we," "our," or "us") collects, uses, and protects your personal information when you use our mobile application and services. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Introduction

Flevv is a comprehensive professional services platform that provides resume creation, course management, visiting card (V-Card) creation, and e-commerce store functionality. We are committed to protecting your privacy and handling your personal data with transparency and security.

2. Data Controller Information

Data Controller: Flevv
Email: privacy@flevv.com
Data Protection Officer: dpo@flevv.com

3. Information We Collect

3.1 Personal Information You Provide

• Account Information: First name, last name, email address, mobile phone number (optional for Google/Apple login)
• Authentication Data: Google ID (for Google Sign-In), Apple ID (for Apple Sign-In), authentication type
• Profile Information: Unique user slug, country, country code, currency preference, profile image
• Resume Data: Professional experience, education, skills, certifications, personal statements, uploaded resume files (PDF format)
• Course Information: Course enrollments, progress data, completion certificates
• Visiting Card Data: Business name, contact details, professional information, business logo
• Store Information: Business details, product catalogs, shipping address, delivery address, customer orders
• Payment Information: Billing address, payment method details (processed by Razorpay - we do not store full payment card details)
• Communication Data: Support inquiries, feedback, notifications preferences

3.2 Automatically Collected Information

• Device Information: Device ID, device type (iOS/Android), operating system version, app version
• Usage Data: Features accessed, pages viewed, time spent, interaction patterns
• Technical Data: IP address, browser type, API request logs, error logs
• Push Notification Data: FCM (Firebase Cloud Messaging) tokens, device tokens
• Location Data: Country and region based on IP address (not precise geolocation)
• Cookies and Tracking: Session cookies, authentication tokens, analytics cookies

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Contractual Necessity: To provide services you've subscribed to (Article 6(1)(b) GDPR)
• Legitimate Interests: To improve our services, prevent fraud, and ensure security (Article 6(1)(f) GDPR)
• Consent: For marketing communications and optional data processing (Article 6(1)(a) GDPR)
• Legal Obligations: To comply with tax, accounting, and legal requirements (Article 6(1)(c) GDPR)

5. How We Use Your Information

• Service Provision: To provide resume creation, course access, V-Card hosting, and store management
• AI-Powered Features: Your uploaded resume files are processed through OpenAI's GPT models to generate improved content, extract information, and provide intelligent suggestions
• Account Management: To create, maintain, and authenticate your account via Google/Apple login or phone authentication
• Subscription Management: To process monthly and annual subscription payments, manage billing cycles
• Order Fulfillment: To process store orders, share delivery addresses with you for product dispatch
• Communication: To send push notifications, service updates, subscription reminders, and support responses
• Analytics and Improvement: To analyze usage patterns, improve features, and optimize performance
• Security: To protect against fraud, unauthorized access, and abuse
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

6. Third-Party Data Processors and Sharing

We do not sell your personal data. We share data with the following third-party processors:

• OpenAI (ChatGPT): Resume content and uploaded PDF files are sent to OpenAI's API for AI-powered content generation and improvement. OpenAI processes this data according to their Data Processing Agreement and GDPR-compliant terms. Data is not used to train OpenAI models.
• Google Sign-In: Google ID and email for authentication purposes (Google Privacy Policy applies)
• Apple Sign-In: Apple ID for authentication purposes (Apple Privacy Policy applies)
• Razorpay (Payment Processor): Payment information, billing address, subscription data (Razorpay Privacy Policy applies)
• Firebase Cloud Messaging (FCM): Device tokens and push notification data (Google Privacy Policy applies)
• Cloud Hosting Providers: Infrastructure hosting for data storage and application services
• Digital Ocean Spaces: Image and file storage for uploaded content

Store Address Sharing: When customers place orders through your store, their delivery addresses are shared with you (the store owner) to enable product dispatch. You are responsible for protecting this customer data and using it solely for order fulfillment.

Legal Disclosures: We may disclose your information when required by law, court order, government request, or to protect our legal rights and user safety.

7. International Data Transfers

Your data may be transferred to and processed in countries outside your residence, including the United States (OpenAI, Google, Apple) and India (our primary servers). We ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with GDPR-compliant third parties
• Adequacy decisions where applicable

8. Data Retention

• Active Accounts: Data retained while your account is active and subscription is valid
• Account Deletion: Upon account deletion request, personal data is scheduled for deletion within 7 days. If you log back in during this period, deletion is cancelled and your account is reactivated
• Backup Retention: Deleted data may remain in backups for up to 90 days before permanent deletion
• Legal Requirements: Financial records and transaction data retained for 7 years as required by tax and accounting laws
• Usage Logs: Anonymized analytics data retained for up to 2 years

9. Your Rights Under GDPR and Data Protection Laws

You have the following rights:

• Right to Access (Article 15): Request a copy of all personal data we hold about you
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Article 18): Request limitation of data processing
• Right to Data Portability (Article 20): Receive your data in machine-readable format (JSON/CSV)
• Right to Object (Article 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Article 7): Withdraw consent for marketing or optional processing
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise your rights: Email privacy@flevv.com or use the in-app "Delete Account" feature. We will respond within 30 days.

10. Data Security Measures

• Encryption: TLS 1.3 for data in transit, AES-256 encryption for sensitive data at rest
• Authentication: JWT token-based authentication with secure session management
• Access Controls: Role-based access controls, principle of least privilege
• Infrastructure Security: Firewalls, intrusion detection, regular security audits
• Secure Development: Code reviews, security testing, vulnerability scanning
• Incident Response: 72-hour breach notification process as required by GDPR Article 33

11. Data Collection and Tracking in Mobile App

Note: Flevv is a mobile application (Flutter). We do not use traditional browser "cookies" but use mobile-equivalent tracking technologies:

11.1 Local Storage and Tokens

• Authentication Tokens: JWT tokens stored securely on your device for login sessions
• Session Data: Temporary data stored locally while you use the app
• User Preferences: Language, theme, and display settings stored on device

11.2 Device Identifiers

• Device ID: Unique identifier for your mobile device (used for security and analytics)
• FCM Token: Firebase Cloud Messaging token for push notifications
• Device Type: iOS or Android identification for app compatibility

11.3 Analytics and Tracking

• Usage Analytics: Features accessed, screens viewed, time spent in app
• Performance Monitoring: App crashes, errors, loading times
• User Behavior: Interaction patterns to improve user experience

11.4 Managing Tracking

• Device Settings: Manage app permissions in iOS/Android settings
• Logout: Removes authentication tokens from your device
• Uninstall: Removes all locally stored data from your device
• iOS Tracking: Use "Ask App Not to Track" (iOS 14.5+) or "Limit Ad Tracking"
• Android Tracking: Reset advertising ID or opt out of personalized ads

Legal Basis: Essential tracking (authentication, security) is based on contractual necessity (GDPR Article 6(1)(b)). Analytics tracking is based on legitimate interests (GDPR Article 6(1)(f)).

12. Children's Privacy

Flevv is not intended for users under 16 years of age (or 13 in certain jurisdictions). We do not knowingly collect data from children. If we discover such collection, we will delete the data immediately. Parents/guardians can contact us at privacy@flevv.com.

13. Marketing Communications

You can opt out of marketing communications by:

• Clicking "unsubscribe" in email communications
• Disabling push notifications in app settings
• Emailing privacy@flevv.com with "Opt-Out" in the subject

You will continue to receive essential service communications (subscription confirmations, account updates, security alerts).

14. Account Deletion Process

To delete your account:

1. Use the "Delete My Account" option in the app settings
2. Your account will be scheduled for deletion in 7 days
3. If you log in during this period, deletion is cancelled
4. After 7 days, your account and associated data are permanently deleted
5. You will not receive any refund for unused subscription periods upon account deletion

15. California Privacy Rights (CCPA)

California residents have additional rights:

• Right to Know: Request disclosure of data collection and sharing practices
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of data "sales" (we do not sell data)
• Non-Discrimination: No discrimination for exercising CCPA rights

16. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Changes will be communicated via:

• In-app notification
• Email to registered users
• Updated "Last Updated" date on this page

Material changes will be notified 30 days in advance. Continued use after changes constitutes acceptance.

17. Contact Information

General Privacy Inquiries: privacy@flevv.com
Data Protection Officer: dpo@flevv.com
Support: support@flevv.com
Legal: legal@flevv.com

EU Representative: [If applicable, provide EU representative details per GDPR Article 27]

18. Data Protection Authority

If you are located in the EU/EEA, you have the right to lodge a complaint with your local supervisory authority. Find your authority at: EDPB Member List

19. Accessibility

This privacy policy is available in accessible formats. For assistance, contact accessibility@flevv.com.

Acknowledgment: By using Flevv, you acknowledge that you have read, understood, and agree to this Privacy Policy and our processing of your personal data as described herein.