1. Introduction
Flashfo ("we," "us," or "our") operates the Flashfo platform — an AI-powered study and teaching workspace at flashfo.org — including all related web pages, mobile experiences, APIs, and services (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have regarding your information.
By creating an account or otherwise using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
Special notices: If you are under 13, see Section 11 (Children's Privacy). If you are a teacher, school administrator, or using Flashfo on behalf of an educational institution, see Section 12 (Educational Institutions and FERPA). If you are located in the European Economic Area, UK, or Switzerland, see Section 13 (GDPR and International Users).
2. Information We Collect
We collect information in three ways: information you provide, information generated by your use of the Service, and information from third parties.
Information you provide:
— Account information: email address, hashed password (via Supabase Auth), display name, and role (student, teacher, or parent/guardian).
— Profile information: optional profile photo, banner image, school name, grade level, and subject preferences.
— Content you create: flashcard decks, quizzes, study guides, summaries, lesson plans, curriculum entries, assignment submissions, and any text, notes, or files you paste, type, or upload.
— Communications: messages you send to our support team.
Information we generate or collect automatically:
— Usage data: pages visited, features used, session duration, navigation paths, search queries within the Service, and study activity (e.g., which cards you reviewed, your quiz scores, spaced-repetition performance).
— Device and technical data: browser type and version, operating system, device type, screen resolution, truncated IP address, and general geographic region (country or city level — we do not collect precise geolocation).
— Cookies and local storage: session tokens, login state, theme preference, and feature flags. See Section 9 (Cookies) for details.
Information from third parties:
— If you sign in using a third-party identity provider (e.g., Google OAuth), we receive your name and email address from that provider in accordance with their privacy policy.
3. How We Use Your Information
We use your information only for the following purposes:
— Service operation: to provide, maintain, and improve the features you use, including Nova AI generation, spaced-repetition scheduling, live quiz sessions, class management, and assignment tracking.
— Personalisation: to tailor your study experience, surface relevant content, and remember your preferences.
— AI processing: when you use Nova, your prompts and pasted content are transmitted to our AI providers (see Section 5) to generate flashcards, quizzes, guides, and summaries. We do not use your personal content to train AI models, and we do not retain your prompts on AI provider servers beyond what is needed to complete the generation.
— Analytics: to understand aggregate usage patterns and improve the Service. Analytics are based on anonymised or pseudonymised data.
— Communications: to send you account-related notices (required), and, where you have opted in, product updates and educational tips. You can unsubscribe from non-essential communications at any time.
— Security and abuse prevention: to detect, investigate, and prevent fraud, unauthorised access, and other harmful activity.
— Legal compliance: to comply with applicable laws, regulations, and lawful requests from authorities.
We do not use your content to train AI models. We do not sell your personal data. We do not serve targeted or behavioural advertising. We do not build advertising profiles. We do not use student data for any purpose other than providing the educational Service.
4. Lawful Basis for Processing (EEA/UK Users)
For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data on the following lawful bases under GDPR:
— Contract performance: processing necessary to provide the Service you have signed up for (account creation, content generation, class features).
— Legitimate interests: analytics for product improvement, security monitoring, and fraud prevention — where our interests are not overridden by your rights.
— Legal obligation: compliance with applicable laws.
— Consent: for optional communications such as marketing emails. You may withdraw consent at any time.
For student data processed under a school's instructions, the school is the data controller and Flashfo acts as a data processor under a Data Processing Agreement.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share it only as described below.
Service providers (data processors):
— Supabase: authentication, database storage, and row-level security (US).
— OpenAI: AI content generation for Nova (US). OpenAI's API is subject to their data usage policies; we have API-level agreements that prohibit training on our data.
— Anthropic: additional AI model access for Nova (US). Same protections as OpenAI.
— Vercel: hosting and edge delivery (US and global CDN).
All service providers are bound by contractual data processing agreements requiring them to protect your data and use it only to provide services to us.
Teachers and class features:
— If you join a teacher's class or participate in a live quiz, your teacher can see your name, assignment submissions, and quiz scores for that class.
— Teachers cannot see your private flashcard decks, private quizzes, or study activity outside their class unless you explicitly share it.
Publicly shared content:
— Decks or resources you make public or share via link are accessible to any Flashfo user or anyone with the link.
Legal requirements:
— We may disclose information when required by applicable law, court order, or government authority, or when necessary to protect the rights, property, or safety of Flashfo, our users, or the public.
Business transfers:
— If Flashfo is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will provide at least 30 days' notice before your data becomes subject to a different privacy policy.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service.
Specific retention periods:
— Account and profile data: retained until you delete your account, then deleted or anonymised within 30 days.
— Content (decks, quizzes, lesson plans, etc.): deleted within 30 days of account deletion.
— Usage and analytics data: retained in anonymised aggregate form for up to 3 years for product improvement.
— Support correspondence: retained for 2 years from last contact.
— Billing records: retained for 7 years as required by financial regulations.
— Student data in class context: deleted within 30 days of account deletion, or upon a verified school request.
We may retain data longer where required by applicable law or for the establishment, exercise, or defence of legal claims.
7. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
— Access: request a copy of the personal data we hold about you.
— Correction: request correction of inaccurate or incomplete data.
— Deletion: request deletion of your account and associated personal data.
— Portability: request a machine-readable export of your data.
— Restriction: request that we restrict processing of your data in certain circumstances.
— Objection: object to processing based on legitimate interests.
— Opt-out of sale: we do not sell personal data. If this changes, you will have the right to opt out.
To exercise any of these rights, email privacy@flashfo.org with your request. We will respond within 30 days (or 45 days for California residents under CCPA). We may verify your identity before fulfilling a request.
You may delete your account at any time from Settings → Account. Account deletion triggers the 30-day deletion process described in Section 6.
8. Data Security
We implement and maintain technical and organisational measures to protect your personal data:
— All data in transit is encrypted using HTTPS/TLS (minimum TLS 1.2).
— Passwords are hashed using industry-standard algorithms and are never stored in plain text.
— Database access is protected by Supabase's row-level security policies and restricted to authorised personnel.
— We conduct periodic security reviews and vulnerability assessments.
— Access to production systems is limited and logged.
Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach (for GDPR-covered processing) or as required by applicable US state law.
No method of transmission or storage is 100% secure. For security concerns or to report a vulnerability, contact security@flashfo.org.
9. Cookies and Local Storage
We use the following types of cookies and local storage:
Essential cookies (no consent required):
— Session token: keeps you logged in during your session.
— Auth cookie: set by Supabase Auth for authentication state.
— Theme preference: stores your light/dark mode choice in localStorage.
We do not use:
— Third-party advertising or tracking cookies.
— Analytics cookies that identify you personally (we use server-side, anonymised analytics only).
— Social media tracking pixels.
Because we use only essential cookies, we do not display a cookie consent banner where such banners are required only for non-essential cookies. If you disable cookies, you will not be able to stay logged in to the Service.
10. International Data Transfers
Flashfo is operated from the United States. Our service providers (Supabase, OpenAI, Anthropic, Vercel) also primarily operate in the US.
If you access the Service from outside the US — including from the European Economic Area, UK, or other jurisdictions — your personal data may be transferred to and processed in the US, which may not provide the same level of data protection as your home jurisdiction.
Where required, we rely on the following transfer mechanisms:
— Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA/UK to the US.
— The UK International Data Transfer Agreement (IDTA) for UK-to-US transfers.
You may request a copy of the relevant transfer safeguards by emailing privacy@flashfo.org.
11. Children's Privacy (COPPA)
The Service is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13 without verifiable parental consent.
If a school or educator creates accounts for students under 13 or invites such students to use the Service, the school acts as the agent of parental consent and represents that it has obtained all necessary parental consents under the Children's Online Privacy Protection Act (COPPA) and applicable state law.
We do not:
— Serve behavioural advertising to anyone under 18.
— Collect more data from students than is reasonably necessary for the educational purpose.
— Allow students' personal data to be used for commercial purposes.
If you believe we have inadvertently collected personal data from a child under 13 without appropriate consent, please contact privacy@flashfo.org and we will promptly delete it.
12. Educational Institutions and FERPA
When Flashfo is used by US schools or districts, we recognise our obligations under the Family Educational Rights and Privacy Act (FERPA).
School official status: When operating under a school's direction, Flashfo functions as a "school official" with a "legitimate educational interest" as defined by FERPA. We access student education records only as directed by and for the benefit of the school.
Our commitments to schools:
— We use student data only to provide and improve the educational Service, not for advertising or unrelated commercial purposes.
— We do not build profiles of students for non-educational purposes.
— We will provide schools with access to, corrections of, and deletion of student records upon verified request.
— We will not disclose student education records without school authorisation, except as required by law.
— We support schools' ability to comply with parents' FERPA rights.
Schools are responsible for ensuring their use of Flashfo complies with FERPA, COPPA (for students under 13), and any applicable state student privacy laws (including, but not limited to, SOPIPA in California, and equivalent laws in other states).
13. GDPR and International Users (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation:
— Right to lodge a complaint: you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have processed your data in violation of applicable law.
— Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
— Right not to be subject to automated decisions: we do not make solely automated decisions that produce legal or similarly significant effects on you.
Our data protection contact: privacy@flashfo.org
For UK users: Flashfo's processing is subject to the UK GDPR and the Data Protection Act 2018. The Information Commissioner's Office (ICO) is the relevant supervisory authority.
14. California Privacy Rights (CCPA/CPRA)
California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
— Right to know: the categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell personal information).
— Right to delete: request deletion of your personal information, subject to certain exceptions.
— Right to correct: request correction of inaccurate personal information.
— Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioural advertising.
— Right to limit use of sensitive personal information: we collect only what is necessary to provide the Service.
— Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.
To submit a verifiable consumer request, email privacy@flashfo.org. We respond within 45 days, with a possible 45-day extension where reasonably necessary. You may make a request up to twice per 12-month period.
Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information for direct marketing purposes.
15. Do Not Track
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry consensus on how to respond to DNT signals, we do not currently alter our data practices based on them. We do not engage in cross-site tracking. If a universal opt-out mechanism is established that we are required to honour, we will update this policy accordingly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the Service and, where required by law or where changes are material to how we handle your data, by email at least 14 days before the changes take effect. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
We will maintain prior versions of this policy and make them available upon request.
17. Contact Us
Flashfo
privacy@flashfo.org
flashfo.org
For security concerns: security@flashfo.org
For legal enquiries: legal@flashfo.org
We aim to respond to all privacy enquiries within 5 business days and to complete requests within 30 days.