Privacy Policy

This Privacy Policy explains what personal information Flicker collects when you use our website, mobile applications, and services (collectively, the "Services"), how we use and share that information, and the choices and rights you have.

We've tried to write this in plain language. Where the law uses specific terms — like "controller," "legal basis," or "Sale" — we use them too, because regulators expect that.

1. Who We Are

Flicker is an independent project, currently operated informally pending formal entity formation, based in Armenia. For privacy, legal, or billing matters, contact us at [email protected] — we respond within 5 business days. For data-subject requests under GDPR, CCPA/CPRA, or similar laws, please use the same address with "Privacy Request" in the subject line.

2. Information We Collect

We collect information in three ways: information you give us, information we collect automatically when you use the Services, and information we receive from third parties.

2.1 Information you provide

• Account information — your email address and password (stored as a salted hash, never in plaintext).
• Profile and preferences — display name (if you set one), language, watchlist, favorite assets, and notification settings.
• Portfolio and exchange data (optional) — if you choose to connect a supported exchange, we collect read-only trading and balance data via your exchange API key. We do not request, store, or use withdrawal permissions. You can disconnect at any time.
• Subscription and billing data — for web (crypto) subscriptions: the wallet address, transaction hash, plan, and amount. For App Store / Google Play subscriptions: a purchase token or receipt that we use to verify entitlement. We do not see or store your card or bank-account details — Apple, Google, or the crypto network handles that.
• Communications — when you contact support, we keep the messages, your email address, and any attachments you send.

2.2 Information collected automatically

• Device and connection data — device type, operating system and version, browser type, app version, language, time zone, IP address, and (for mobile apps) crash logs and performance metrics.
• Usage data — pages and screens you view, features you interact with, search queries inside the app, the time and order of those events, and referring URLs.
• Session recordings (web) — through PostHog, we record web sessions to debug issues and understand how features are used. All form inputs are masked at capture time (you can see this in our instrumentation-client.ts), so we don't see what you type into password, search, or any other input fields.
• Cookies and similar technologies — see Section 9.

2.3 Information from third parties

• Market data providers — we receive cryptocurrency price, volume, and market data from public sources and licensed data providers; this data is about markets, not about you.
• Authentication providers — if you sign in with a third-party identity provider, we receive the basic profile information that provider returns (email, identifier, locale).
• Payment confirmation — Apple and Google return purchase confirmations to verify your subscription entitlement.

3. How We Use Your Information and Why (Legal Basis)

For users in the EU/UK, GDPR requires us to identify a legal basis for each processing activity. The table below maps what we do, why, and the legal basis we rely on.

We don't use your personal information to make legally significant or similarly significant decisions about you by automated means without human review.

4. How We Share Your Information

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California's CCPA/CPRA. We share information only as described below.

4.1 Service providers (sub-processors)

We use a small number of third-party providers to operate the Services. They process information on our behalf, under written contracts that limit them to the purposes we specify.

We use a small set of third-party providers for hosting, email delivery, push notifications, and (where applicable) crypto-payment verification. The composition of this list changes as our infrastructure evolves. For the current named list, email [email protected] — we respond within 5 business days.

4.2 Legal and safety disclosures

We may disclose information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, a binding court order, subpoena, or government request;
• Enforce our Terms of Service;
• Detect, prevent, or investigate fraud, security issues, or abuse;
• Protect the rights, property, or safety of Flicker, our users, or the public.

Where lawful and not legally prohibited, we will try to notify users of legal-process requests directed at their account.

4.3 Business transfers

If we are involved in a merger, acquisition, reorganization, financing, or sale of all or part of our business or assets, your information may be transferred to the successor or acquirer. We will notify you and let you exercise applicable rights before your information becomes subject to a different privacy policy.

4.4 Aggregated and de-identified information

We may share aggregated or de-identified information that cannot reasonably be used to identify you (for example, "Bitcoin signal accuracy on the platform was X% over the last quarter"). We don't try to re-identify de-identified data.

5. International Data Transfers

We are based in Armenia. Some of our service providers (notably PostHog) are located in the United States, and we and our providers may process your information in the U.S. or other countries that may have different data-protection rules from your home country.

When we transfer personal information of EU/EEA, UK, or Swiss users to a country that the European Commission (or the UK Government, as applicable) has not deemed adequate, we use Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK International Data Transfer Addendum, where applicable), or another lawful transfer mechanism. You can request a copy of the relevant safeguards by emailing [email protected].

6. How Long We Keep Your Information

We keep personal information only as long as we need it for the purposes described in this policy, then delete or de-identify it. Specifically:

7. Security and Breach Notification

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption in transit — TLS 1.2+ for all client-server traffic;
• Encryption at rest — managed-database encryption for stored data;
• Password protection — passwords are stored as salted hashes (never in plaintext);
• Access control — least-privilege, role-based access for our team; production access requires multi-factor authentication;
• Input masking — session recordings mask all form inputs at capture time;
• Logging and monitoring — security-relevant events are logged and reviewed.

No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and we will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (or otherwise where required by applicable law).

8. Your Rights

Depending on where you live, you have some or all of the following rights with respect to your personal information. To exercise them, email [email protected] with "Privacy Request" in the subject line — we'll verify your request and respond within the time frame required by your local law (typically 30 days under GDPR, 45 days under CCPA/CPRA).

8.1 Rights available everywhere we operate

• Access and portability — request a copy of the personal information we hold about you, in a portable format where applicable.
• Correction — ask us to correct information that is wrong or out of date. Most fields can be edited directly in account settings.
• Deletion — ask us to delete your account and personal information. You can also delete your account in-app (in account settings). Some information may be retained as described in Section 6.
• Objection / opt-out of marketing — every promotional email has an unsubscribe link. You can also disable push notifications in your device or app settings. Service-related messages (e.g., security, billing) cannot be opted out of while you have an account.

8.2 Additional rights for EU/UK/EEA users (GDPR)

• Right to restriction of processing in certain cases.
• Right to object to processing based on legitimate interests, including profiling, on grounds relating to your particular situation. We will stop unless we can show compelling legitimate grounds that override your interests.
• Right to withdraw consent at any time, for any processing based on consent. Withdrawal does not affect the lawfulness of processing that already happened.
• Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We don't make such decisions about you without human review.
• Right to lodge a complaint with your local data-protection supervisory authority. A list of EU authorities is at https://edpb.europa.eu/about-edpb/board/members_en. UK users can contact the Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/.

8.3 Additional rights for California residents (CCPA/CPRA)

If you are a California resident, you have the rights below in addition to those in 8.1. Categories follow CCPA terminology.

• Right to know — what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it. The information in Sections 2, 3, and 4 of this policy is the answer.
• Right to access specific pieces of personal information we hold about you.
• Right to delete personal information we collected from you, subject to permitted exceptions.
• Right to correct inaccurate personal information.
• Right to opt-out of "Sale" or "Sharing." We do not sell your personal information, and we do not share it for cross-context behavioral advertising. There is therefore no opt-out to exercise. If this ever changes, we will post a "Do Not Sell or Share My Personal Information" link on the site and inside the app.
• Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right under CPRA.
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights (e.g., we will not deny service or charge a different price).
• Authorized agents. You may use an authorized agent, with your written authorization, to submit a request on your behalf.

Categories of personal information collected in the past 12 months (CCPA categories): identifiers (email, account ID, IP address); commercial information (subscription history); internet/network activity (usage logs, device/browser data, session recordings with masked inputs); geolocation (approximate, derived from IP); inferences (preferences derived from your watchlist and usage). We disclose these categories only to the service providers listed in Section 4.1, only for the purposes described, and not for monetary or other valuable consideration.

8.4 Additional rights elsewhere

If you live in another jurisdiction with comprehensive privacy law (Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, India's DPDP, Japan's APPI, etc.), you may have rights similar to those above. Email us — we will treat your request consistent with the applicable law.

9. Cookies and Similar Technologies

We and our service providers use cookies, local storage, and similar technologies for the purposes below.

When you visit our web product from the EU, EEA, UK, Switzerland, or Brazil, a cookie consent banner appears before any non-essential cookies are set, and you can grant or refuse Analytics & product-improvement at any time. You can change your choice later via the Cookie settings link in the footer. Strictly necessary and functional cookies are always set; analytics and session-recording cookies fire only with your consent.

You can also block or delete cookies in your browser, and reset your mobile advertising identifier in your device settings. Disabling strictly-necessary cookies will prevent the Services from working correctly.

10. Children's Privacy

The Services are not directed to and are not intended for children. We do not knowingly collect personal information from:

• children under 13 (United States, in line with COPPA);
• children under 16 (European Union, in line with GDPR Art. 8 — note that some EU member states set this lower, between 13 and 16, and we follow the local minimum where required);
• minors under the age of majority in any other jurisdiction where we offer the Services.

If you believe we may have collected information from a child under the applicable threshold, please contact [email protected] and we will delete it.

11. Third-Party Links and Services

The Services may link to third-party sites (exchanges, news sources, market-data pages). We are not responsible for the privacy practices of those sites — please read their policies before sharing any information with them.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

• Post the new version on this page;
• Update the "Last updated" date at the top;
• For material changes, give you reasonable advance notice (typically by email or in-app notice).

If you do not agree with changes, you should stop using the Services and may delete your account.

13. Contact Us

For privacy questions or to exercise any of the rights described above:

Email: [email protected] (use subject line "Privacy Request" for data-subject requests)
Web: https://flicker.finance