The short version: We collect only what we need to run FlowCheck. We never sell your financial data. Your bank credentials never touch our servers. You can delete everything at any time.
1. Overview
FlowCheck ("we," "our," or "us") is a personal finance application ("App") operated by FlowCheck. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our mobile application and related services (collectively, the "Service").
By using FlowCheck, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.
2.1 Account Information
When you create a FlowCheck account, we collect:
- Email address (for account authentication and notifications)
- Display name (optional, set by you)
- Authentication identifiers (Firebase Auth UID)
- Device token for push notifications (optional, if you grant permission)
2.2 Financial Data (via Plaid)
If you choose to connect a bank account, we receive the following data from Plaid on your behalf:
- Account balances (checking, savings, credit, investment)
- Transaction history (merchant name, amount, date, category)
- Account metadata (institution name, account type, last 4 digits of account number)
We never receive or store your bank username, password, or full account numbers. These credentials are handled exclusively by Plaid's secure infrastructure.
2.3 Manually Entered Data
You may optionally enter:
- Manual account balances (savings accounts, debts not connected via Plaid)
- Financial goals (name, target amount, target date)
- Bill reminders (name, amount, due date)
- Monthly budget limits by category
- A manually entered credit score (if you choose not to use Experian)
2.4 Device & Usage Data
We may automatically collect:
- Device type, operating system version, and app version
- Crash reports and error logs (for debugging purposes)
- App feature usage patterns (aggregated, not personally identifiable)
- IP address (used for fraud prevention only, not stored long-term)
3. Plaid — Bank Connection
FlowCheck uses Plaid Technologies, Inc. to securely connect to your financial institutions. When you connect a bank account:
- You authenticate directly with Plaid — your credentials never reach FlowCheck servers
- Plaid provides us with an access token, which we store securely on our backend (never in the app or on your device)
- We use this token only to sync your accounts and transactions
- When you disconnect your bank or delete your account, we immediately revoke the Plaid access token and delete all associated financial data
Plaid's data practices are governed by their own privacy policy, available at plaid.com/legal/privacy-policy. By using the bank connection feature, you agree to Plaid's End User Privacy Policy.
4. Experian — Credit Score
If you use the credit score feature, FlowCheck securely contacts Experian (a leading credit bureau) to retrieve your credit profile. In this process:
- Your request is sent through our secure backend — your data is never sent directly from your device to Experian
- We do not store your Social Security Number (SSN) on our servers. Any SSN submitted is used solely for the single credit pull request and immediately discarded
- Your credit score, risk class, and score factors are cached in your account for up to 24 hours to avoid unnecessary credit bureau queries, then refreshed on your next request
- We do not perform hard inquiries on your credit — credit score lookups through FlowCheck are soft pulls and do not affect your credit score
Experian's privacy practices are governed by their privacy policy at experian.com/privacy.
5. Firebase (Google)
FlowCheck uses Google Firebase for the following purposes:
- Firebase Authentication: Securely manages your account login (email/password and Apple Sign-In). Firebase handles credential storage and session management.
- Firestore Database: Stores your account data, financial summaries, goals, bills, and app preferences in a secure, encrypted database. Access is restricted by Firebase Security Rules — only you can read your own data.
- Firebase Cloud Messaging (FCM): Used to deliver budget alerts and bill reminders to your device (only if you grant notification permission).
Google's data practices for Firebase are governed by the Google Privacy Policy. Your data is stored in the United States on Google Cloud infrastructure.
6. RevenueCat — Subscriptions
FlowCheck uses RevenueCat to manage in-app subscriptions (FlowCheck Pro). RevenueCat receives:
- A random anonymous user ID (not your email or name)
- Subscription status and product identifiers from Apple's App Store
- Purchase timestamps for subscription management
RevenueCat does not receive your financial data. Their privacy policy is at revenuecat.com/privacy. All payment processing is handled by Apple — FlowCheck never touches your payment card information.
7. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the FlowCheck app and services
- Display your accounts, transactions, balances, and financial summaries
- Send budget alerts, bill reminders, and important account notifications
- Authenticate you securely and prevent unauthorized access
- Respond to your support requests and inquiries
- Detect and prevent fraud, security threats, and abuse
- Comply with legal obligations
We do not use your data for advertising or behavioral profiling, and we do not sell it to third parties.
8. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- Service Providers: We share data with Plaid, Experian, Firebase (Google), and RevenueCat solely to operate the features described in this policy. Each provider is bound by data processing agreements and their own privacy policies.
- Legal Requirements: We may disclose information if required by law, court order, or to protect the rights, safety, or property of FlowCheck, our users, or the public.
- Business Transfer: If FlowCheck is acquired or merges with another company, your data may be transferred. We will notify you and give you the opportunity to delete your account before any such transfer is finalized.
9. Security
We implement industry-standard security measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS)
- All data at rest is encrypted using AES-256 encryption
- Firebase Security Rules restrict database access to authenticated users, who can access only their own data
- Plaid access tokens are stored only on our backend servers, never in the app or on your device
- Our backend API requires authentication (Firebase ID token) on every request
- Rate limiting is applied to all API endpoints to prevent abuse
- The app uses biometric authentication (Face ID / Touch ID) to prevent unauthorized device access
While we take strong precautions, no system is completely secure. If you become aware of any security issue, please contact us immediately at security@getflowcheck.app.
10. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account:
- Your Plaid connection is immediately revoked and all synced financial data is deleted
- Your Firestore data (goals, bills, budgets, settings) is deleted within 30 days
- Your Firebase Auth account is deleted immediately
- Transaction data cached for the purposes of displaying your history is deleted within 30 days
- Backup copies may persist for up to 90 days in encrypted backup storage before being permanently purged
11. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information:
- Right to Know: You may request information about the categories and specific pieces of personal data we have collected about you.
- Right to Delete: You may request that we delete your personal data. You can do this at any time through Settings → Delete Account in the app.
- Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
To exercise your CCPA rights, contact us at privacy@getflowcheck.app or via our Support page. We will respond to verified requests within 45 days.
12. Your Rights Under GDPR (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data (available in-app via Settings → Delete Account).
- Right to Restriction of Processing: Request that we restrict how we process your data in certain circumstances.
- Right to Data Portability: Request a copy of your data in a structured, machine-readable format.
- Right to Object: Object to processing of your personal data for legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
The lawful bases for our data processing are: contract performance (providing the app features you've signed up for), legitimate interests (security, fraud prevention, and service improvement), and legal obligation (compliance with applicable laws).
To exercise GDPR rights, contact: privacy@getflowcheck.app. You also have the right to lodge a complaint with your local Data Protection Authority.
13. Children's Privacy
FlowCheck is not directed to children under the age of 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@getflowcheck.app and we will delete such information promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email (if you have provided one) or via an in-app notification
- Where required by law, obtain your consent before making changes effective
Your continued use of FlowCheck after any changes constitutes acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
We aim to respond to all privacy inquiries within 5 business days.