This Privacy Policy has been prepared in English and translated into the following languages. The English version is the official version, and the other versions are provided for reference. In the event of any inconsistency or conflict between the two versions, the English version shall prevail.
Controller: Flame Apps (“we”, “us”)
Email: info@flameappsdevelopment.com
Address: Flame Apps, Postfach 53 04, 97003 Würzburg, Germany
Effective date: November 30, 2025
This Privacy Policy explains how we collect, use, share, and protect information when you use the Meditation App (the “App”) and our related websites, landing pages, or help pages (the “Sites”, together with the App, the “Services”).
The App is a general wellbeing and meditation app, not a medical device and not a substitute for professional diagnosis or treatment. We are not acting as a healthcare provider, clinic, or hospital, and we are not subject to HIPAA as a covered entity or business associate.
This Privacy Policy is designed to satisfy applicable privacy and data-protection laws in:
The European Union / European Economic Area (EU/EEA), the United Kingdom (UK), and Switzerland (including GDPR, UK GDPR, and ePrivacy rules),
Switzerland’s nFADP,
Applicable U.S. federal and state privacy laws (including California CPRA/CPRA Regulations and similar laws in other states),
Google Play requirements, including Data safety, account/data deletion, and consent/CMP rules for EEA/UK/CH.
Where local laws provide stronger protections or additional rights, we intend to follow them.
Table of contents
What we collect
Why we process your data (purposes & legal bases)
AI features and automated decision-making
Ads, consent, and your choices
What we share and with whom
International transfers
Retention
Security
Your privacy rights
Children’s privacy
Cookies and similar technologies (Sites & App)
Do Not Track / Global Privacy Control
Changes to this Policy
Contact & complaints
Annex A — Summary table
We collect only the data we need for the purposes described in this Policy. Some data is collected directly from you, some is collected automatically by your device or by our SDK partners, and some may come from third parties (for example, stores or integration partners).
If you consent (where required) or choose to view ads, our advertising / mediation SDKs may collect:
Identifiers & device info: Advertising ID (AAID/IDFA), app instance ID, IP address, user-agent, device model, OS version, language, network, coarse location derived from IP.
Ad interaction data: Ad requests, impressions, clicks, viewability, frequency capping, crash/diagnostic logs related to ad delivery.
Consent data: Your choices from our Google-certified CMP (IAB TCF v2.2) for EEA/UK/CH.
See Section 14 and Annex A for our Ad Technology Partners and links to their privacy notices.
We may collect anonymized or aggregated telemetry to keep the App stable and improve quality, for example:
Session start and end time,
Session duration,
Feature usage (which screens or functions are used),
Crash logs and performance data.
Telemetry may be collected by our own code and/or by platform services (e.g., Google Play services, Firebase Analytics, or ad SDKs). Where this is the case, we disclose it here and in the Google Play Data safety section.
In particular, we may use Google Firebase Analytics to generate aggregated app usage statistics. In the EU/EEA, UK, and Switzerland, Firebase Analytics is disabled by default and is only activated after you have given consent to analytics/measurement in our Google User Messaging Platform (UMP) consent dialog. If you do not consent to analytics in that dialog, Firebase Analytics remains disabled.
If the App offers account creation or subscriptions, we may process:
Account identifiers: username, email address, hashed password or authentication token.
Profile info (optional): language, time zone, basic preferences (e.g., preferred voice type, reminder settings).
Subscription and transaction metadata: plan type, start/end dates, renewal status, store or payment provider and transaction IDs (we do not store full card numbers; see “Payment data” below).
If accounts are not yet available, this section describes how data will be processed if we introduce them later.
D. Support and communication data
If you contact us (for example via email or a form), we process:
Your email address or other contact details,
The content of your message and any attachments,
Technical metadata (time, IP, mail headers) where provided by your email or our provider.
We use this strictly to respond to you, improve support quality, and to establish or defend legal claims if needed.
Some features are optional and disabled by default. If you enable them, we may process:
Wellbeing inputs & journaling: notes, moods, tags, subjective ratings, or goals you enter. These are stored on your device by default.
If you choose to enable cloud sync/backup, we will clearly identify the storage provider, location (e.g. EU data centre, US-based provider with SCCs), and additional safeguards before activating the feature.
Any data that reveals or relates to your health, mental wellbeing, or similar special categories is treated as sensitive data. We only process it if you knowingly provide it and only for the feature you chose, based on your explicit consent (EU/UK/CH) or opt-in (certain U.S. states). We never use such data for targeted advertising or for “sale”/“sharing” under U.S. state laws.
F. Microphone / voice assistant (optional)
If you enable an in-app voice assistant or voice interaction:
Real-time audio is processed on-device by default to recognise basic commands or guide you through exercises.
If we later offer optional cloud-based voice processing (for example, to offer more advanced AI coaching), we will display a separate notice and obtain your consent before any audio is sent to our servers or third-party AI providers.
We do not record or store your raw microphone audio unless this is clearly shown in the feature and you explicitly choose to save or send it (for example, sharing a feedback recording).
G. Camera / posture guidance (optional)
If you enable posture or motion guidance using your camera:
Images/video are processed on-device to detect posture or movement.
We do not store or upload media unless you explicitly choose to save a screenshot or share content.
We do not use camera content for ads or profiling.
H. Wearables and health integrations (optional)
If you connect a wearable device or health service (e.g., Google Fit, Apple Health, or another provider), we process only the signals you permit (e.g., heart rate, step count, sleep duration) to provide the connected feature.
We never use wearables/health data for advertising or for “sale”/“sharing” under U.S. state law.
The third-party provider’s own terms and privacy policy apply to their processing of data; please review them carefully before connecting.
I. Website & app usage data (Sites)
When you visit our Sites or web help pages, we may collect:
Technical data: IP address, browser type and version, device type, operating system, approximate location (country/region), time zone.
Usage data: pages and links visited, referring/exit URLs, time on page, clicks and scrolls, cookie identifiers and similar online identifiers.
This may be collected by our own logs and/or by analytics tools or web CMPs. See “Cookies and similar technologies” below for more detail.
J. Payment data (if/when applicable)
If, in the future, you purchase a subscription or in-app product directly from us (outside the app store payment system):
We will use third-party payment processors (e.g. Stripe, PayPal).
Those processors collect and process your payment card or bank details on our behalf. We do not store full card numbers.
We may receive limited information from those processors, such as:
the last few digits of your card,
card type, expiry month/year,
billing address,
transaction date, amount, and status.
Where payments are processed solely through app stores (e.g. Google Play billing), their terms and privacy policies apply.
K. Data from third parties
We may receive personal data about you from other sources, such as:
App stores and distribution platforms (e.g., installation and purchase confirmation, crash logs).
Analytics or monitoring providers (aggregated or pseudonymous identifiers).
Integration partners (e.g., health/fitness platforms, if you connect them).
In the future, employer or wellness-program partners (“benefit sponsors”) if we offer such plans.
Where we act as a processor for such partners, we will process your data in line with their instructions and our agreement with them, and such processing may be further described in separate privacy notices they provide.
L. Aggregated, anonymized, and de-identified data
We may create aggregated, anonymized, or otherwise de-identified data from personal information by removing or altering components that could identify you. We maintain such de-identified data separately and do not attempt to re-identify individuals, except to test our anonymisation processes.
De-identified data is not considered personal data and is not subject to this Privacy Policy. We may use it for statistical analysis, product development, research, and informing our business decisions.
Under EU/UK laws, we must also tell you the legal bases we rely on.
A. Purposes
We may use your data for the following purposes:
Serve ads / monetize the App
To show personalized or non-personalized ads depending on your choices and local law (see section 4).
Measure ad performance & prevent fraud/abuse
To count impressions, enforce frequency caps, detect invalid traffic, and prevent fraudulent or abusive use of our monetization stack.
Provide core App functionality, stability & security
To run the App, remember your settings, keep the App stable, detect and fix bugs, and protect our systems from attacks.
Provide optional wellbeing features
To store and show your journaling entries, moods, goals, posture hints, or wearable data where you enabled those features.
Support & communication
To respond to your support requests, feedback, or bug reports; to send critical notices about availability, security, or changes to this Policy or the Terms.
Product development, analytics & research
To understand how the App is used (in aggregated form), prioritise improvements, test new features (e.g., A/B tests), and evaluate effectiveness of our meditation content.
AI-based features and improvements
To provide AI-driven features such as voice interactions, adaptive guidance, motion/posture hints, or personalised recommendations (see section 3).
We do not currently use personal data from the App (such as your journal entries, wellbeing inputs, or account data) to train or fine-tune our AI models. If we ever want to do this in the future, we will update this Policy in advance and, where required, ask for your explicit consent or provide an opt-out before using your personal data for training.
Marketing & information about our Services (limited)
To contact you with in-app messages or emails about new features, content, or products we think may be relevant, within the boundaries of consent and legitimate interests under applicable law.
Compliance, legal obligations & defence of claims
To comply with statutory retention duties, respond to law-enforcement or regulatory requests where legally required, and establish, exercise, or defend legal claims.
B. Legal bases (EU/EEA, UK, Switzerland)
Depending on the activity, we rely on one or more of the following legal bases:
Consent (Art. 6(1)(a) GDPR; ePrivacy)
For personalised ads and non-essential cookies/trackers.
For optional wellbeing features and any processing of special-category data (health/wellbeing).
For optional AI features that process sensitive data or rely on cloud services.
For direct electronic marketing where required by law.
Contract (Art. 6(1)(b) GDPR)
To provide the App features you request; to respond to your support requests; to process payments and manage subscriptions if you purchase from us.
Legitimate interests (Art. 6(1)(f) GDPR)
To ensure security, prevent fraud/abuse, keep the App stable and functional, develop and improve features, and perform aggregated analytics.
To communicate with you about non-marketing service related matters (e.g., availability, changes, support follow-ups).
Legal obligation (Art. 6(1)(c) GDPR)
To comply with bookkeeping and tax law, respond to valid law-enforcement or regulatory requests, and comply with data-protection obligations such as responding to data-subject requests.
Where we rely on legitimate interests, we balance our interests against your rights and freedoms and process your data only where our interests are not overridden.
You can withdraw consent at any time in the Consent or Privacy screen in the App, or via our web preferences (see section 9). Withdrawal does not affect prior lawful processing.
We use “artificial intelligence” (AI) and machine-learning techniques in some parts of our Services. This may include:
Behind-the-scenes use, e.g.:
security and fraud detection,
recommendation of content (which meditations to show first),
quality and performance monitoring.
Optional features where you interact directly with AI, e.g.:
a conversational meditation assistant
posture guidance,
adaptive meditation flows based on your inputs.
Whenever you use a feature that involves direct interaction with AI and that goes beyond basic app logic, we will:
clearly label the feature as AI-driven,
explain what data it uses, and
give you clear choices (such as turning the feature on/off and controlling how your data is used for that feature).
We do not currently make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects (for example, no automated denial of a legal right or financial service).
If we ever introduce such processing, we will:
inform you in advance,
explain the logic and possible consequences, and
tell you about your rights to obtain human intervention, express your point of view, and contest the decision, as required by law.
At this time, we do not use your personal data from the App to train or fine-tune our AI models. Any training is done on separate datasets that are not linked to your Meditation App usage, journal entries, or account data.
We may, however, use fully anonymised or aggregated data (which no longer identifies you) to evaluate and improve our AI systems.
AI-generated narration (EU AI Act transparency)
The guided meditation narration in the App is generated by an on-device text-to-speech artificial intelligence system. The voice you hear is synthetic and not a recording of a real person.
We inform users in the App, at the latest at the time of the first playback/exposure, that the narration is AI-generated, and we display a visible “AI-generated” label on the player screen or next to the relevant feature. This is intended to meet transparency expectations for synthetic audio, in particular under the EU Artificial Intelligence Act.
We do not currently apply technical watermarking or machine-readable marking to the audio generated by the App. We may introduce additional technical measures in future versions to support detectability of AI-generated audio.
As explained in section 2 (purpose 7) and elsewhere in this Policy, we do not currently use your personal data from the App (including how you listen to meditations) to train or fine-tune our AI models.
We use a Google-certified consent management platform (CMP) integrated with the IAB TCF v2.2 framework. You can Accept, Reject, or Customize purposes and vendors.
Without the necessary consent, we only serve non-personalised (contextual) ads or restrict ad serving where required.
Switzerland is included in our CMP configuration in line with Google’s policies.
The same CMP (Google’s User Messaging Platform, UMP) also controls whether certain analytics tools in the App, such as Firebase Analytics, are activated in the EU/EEA, UK, and Switzerland. By default, these analytics tools are switched off. They are only activated if you give consent to analytics/measurement in the CMP. If you refuse or later withdraw that consent, those analytics tools remain disabled or are deactivated.
Your choices are stored and can be changed at any time in the App’s Privacy/Consent screen.
For residents of California and many other U.S. states with comprehensive privacy laws, you may opt-out of:
“Sale” or “Sharing” of personal information (including cross-context behavioural advertising), and
Targeted advertising and certain types of profiling.
We honour recognised browser/OS opt-out preference signals, such as Global Privacy Control (GPC) and Colorado’s Universal Opt-Out Mechanism (UOOM), where required by law. You can also use in-App privacy controls.
We do not use your meditation content, wellbeing inputs, or journaling for ads personalisation.
This App is intended only for adults aged 18 and over and is not directed at children or teens (see also the section “Children’s privacy”).
If we ever change our target audience and offer content clearly aimed at under-18 users (which we do not plan at the moment), we will:
apply the appropriate child/teen flags in ad settings (e.g., COPPA tags / AdMob settings),
show only contextual ads to those users, and
use SDK settings compatible with Google Play Families policies and other applicable laws.
We share your personal data only where necessary, under appropriate safeguards, and never for our partners’ own independent advertising without legal basis and your choices in the CMP.
A. Ad technology partners
We share limited data with ad technology partners (SDKs, mediation platforms, exchanges) for:
serving ads,
measuring performance,
enforcing frequency caps,
preventing fraud/abuse,
ensuring that your consent/opt-out settings are honoured.
Our current partners are listed in Section 10 and Annex A, with links to their privacy notices.
We do not sell your personal information for money. In some U.S. states, disclosures for cross-context behavioural advertising are deemed “sharing”; you may opt out (see section 4).
B. Service providers (processors)
We use carefully selected third-party service providers to help us run the Services, for example:
cloud hosting and content delivery,
crash logging and error monitoring,
analytics,
email or helpdesk providers.
These providers:
act as our processors,
may only process personal data on our documented instructions,
are bound by contracts that require confidentiality and appropriate technical and organisational measures, and
may not use your data for their own independent purposes.
C. Integration partners (wearables, health platforms, app stores)
If you connect the App to third-party services (for example, a wearable or health platform):
We share only the data you authorise through the integration.
Their own privacy policy and terms govern their handling of that data.
You can disconnect integrations at any time via their settings or ours.
App stores and platforms (e.g. Google Play) may receive metadata such as installation status, purchase confirmations, crash reports, or aggregated usage data according to their own terms.
D. Affiliates and corporate transactions
If we create or join a group of companies (e.g., a Flame Apps UG or GmbH, or future affiliates), we may share your personal data within that group where necessary for the purposes listed in section 2, under the same protections.
If we are involved in a merger, acquisition, reorganisation, asset sale, or similar corporate transaction, your personal data may be transferred to the acquiring or surviving entity. If such a transfer results in a material change to the way your data is used, we will inform you in advance and, where legally required, obtain your consent.
E. Legal obligations and harm prevention
We may disclose personal data where we believe it is necessary to:
comply with applicable law, regulations, legal processes, or enforceable governmental requests,
enforce our terms and other agreements,
protect the rights, property, or safety of Flame Apps, our users, or the public (for example, fraud prevention, security incidents).
Where we are legally permitted, we will try to notify you before sharing data in response to a legal request, if doing so is not prohibited or would not create a risk of harm.
Our main operations and infrastructure are located in Germany and/or the EU. However, some of our service providers and ad partners are located or store data outside the EU/EEA, UK, or Switzerland.
Where we transfer personal data to a country without an EU/UK “adequacy decision”, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission,
and, where applicable for the UK, the International Data Transfer Agreement (IDTA) or the UK addendum to the SCCs.
Where required, we conduct transfer impact assessments and, if needed, implement additional technical and organisational safeguards.
You can contact us for more information about specific transfer mechanisms that apply to your data.
We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. In particular:
Ad & telemetry data
Kept only for the time needed to serve ads, measure performance, prevent fraud, and operate the App. Retention windows may be defined by our partners’ policies (typically short periods).
Support emails and communication data
Retained while your request is open and for a reasonable period thereafter, especially if needed to establish or defend legal claims (subject to statutory limitation periods).
Optional wellbeing & journaling data (on device)
Stored locally until you delete it in the App or uninstall the App. If you enable cloud sync, retention will be explained in-App and may depend on the storage provider and your settings.
Account and subscription data (if/when available)
Retained as long as your account is active. Certain information (e.g., proof of transactions) may be kept longer due to tax, accounting, or legal obligations.
When we no longer need your data, we will delete or anonymise it. Where this is not immediately possible (e.g., because it is stored in backups), we will securely store it and isolate it from further processing until deletion is feasible.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These may include:
encryption in transit and, where appropriate, at rest,
access controls and role-based permissions,
secure development practices and regular security updates,
logging and monitoring of critical systems.
No system is 100% secure. If you believe your data has been exposed or that our App is being misused, please contact us promptly at info@flameappsdevelopment.com so we can investigate.
A. EU/EEA, UK, Switzerland
If you are in the EU/EEA, UK, or Switzerland, you have the following rights under data-protection laws:
Access: obtain confirmation whether we process your data and, if so, receive a copy.
Rectification: correct inaccurate or incomplete data.
Erasure: ask us to delete your data in certain circumstances (“right to be forgotten”).
Restriction: request that we temporarily restrict processing in certain cases.
Objection: object to processing based on legitimate interests, including profiling.
Data portability: receive certain data in a structured, commonly used, machine-readable format and transmit it to another controller.
Withdraw consent: where processing is based on consent, withdraw that consent at any time (without affecting prior lawful processing).
Lodge a complaint: with your local supervisory authority. For Bavaria (our location):
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany (online complaint forms available).
B. U.S. states with privacy laws
Depending on your state, you may have rights to:
access or copy personal information we hold about you,
correct inaccuracies,
delete certain data,
receive data in portable form,
opt-out of targeted advertising, “sale”, and certain profiling.
Some states require us to provide an appeals process if we deny your request. You can appeal by replying to our decision email; we will review and respond within the time limits imposed by law.
We also honour recognised opt-out signals (e.g., GPC, Colorado UOOM) for targeted advertising and “sale/sharing” where required by law.
C. Non-discrimination / no retaliation
We will not discriminate against you, or otherwise retaliate, because you exercise your privacy rights. This means we will not:
deny you access to the App,
provide a different level or quality of services,
charge different prices,
solely because you exercised a right under applicable law. However, some features may not be available if they depend on processing you have refused or asked us to delete.
D. Exercising your rights and verification
To exercise any of your rights, you can:
use the Privacy/Consent controls in the App,
use our web form [INSERT LINK IF YOU HAVE ONE], or
email us at info@flameappsdevelopment.com.
We may need to verify your identity before acting on your request (for example, by confirming access to your device, sending a verification link to your email, or asking for additional information).
Under GDPR and other laws, we generally do not charge a fee to handle your request. We may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive, especially due to its repetitive nature, as permitted by law. If so, we will explain why.
Our Services are intended for adults aged 18 and over. We do not knowingly collect personal data from children or minors under 18.
You should not use the App if you are under 18.
We do not knowingly allow under-18 users to create accounts or use features that involve the collection of personal data.
We configure our ads and SDKs on the basis that the audience is 18+.
If we become aware that we have collected personal data from a child or minor under 18 without appropriate consent, we will take reasonable steps to delete that data as soon as possible.
If you believe that a child or minor under 18 has provided us with their personal data, please contact us at info@flameappsdevelopment.com so we can investigate and, where appropriate, delete the data.
If we ever introduce offerings specifically for teens or children, we will update this Policy, implement additional safeguards (including parental consent where required), and adjust our ad and SDK settings accordingly.
A. Cookies and web tracking on our Sites
When you visit our Sites, we and our service providers may use cookies and similar technologies (such as local storage, pixels, tags, or scripts) to:
make the Sites work (e.g., page navigation, security, basic functionality),
remember your preferences (such as language),
perform analytics (e.g., which pages are visited, time on page, clicks), and
support advertising and measurement as described in sections 2 and 4.
Where required by law (in particular in the EU/EEA, UK, and Switzerland), we obtain your consent for non-essential cookies and similar technologies via a cookie banner or consent management platform (CMP). You can change your cookie choices at any time via the cookie settings link on the Site (where available) or by adjusting your browser settings.
B. SDKs and similar technologies in the App
In the App, advertising and analytics SDKs may perform functions similar to cookies, for example by:
assigning your device an advertising ID or app instance ID,
storing limited data locally (such as configuration and frequency-capping data), and
sending technical information to their servers to deliver ads, measure performance, or detect fraud.
These SDKs are listed in the “Ad Technology Partners” section and in Annex A.
We may also use analytics SDKs such as Firebase Analytics to measure aggregated app usage. In the EU/EEA, UK, and Switzerland, such analytics SDKs are only activated after you have given consent to analytics/measurement via our Google UMP consent dialog and otherwise remain disabled. See section 4 for more information on how you can manage your consent.
In the EEA/UK/CH we rely on the in-App CMP to obtain consent and manage your choices for these technologies. Without the necessary consent, we only use SDK settings that deliver non-personalised (contextual) ads or disable certain tracking features, as required by law and by our partners’ policies.
C. Your choices
Depending on your device and browser, you can also:
disable or reset the mobile advertising ID (e.g., in Android settings),
configure your browser to block or delete cookies,
use recognised preference signals like Global Privacy Control (GPC) to opt out of certain data uses, as described in the “Do Not Track / Global Privacy Control” section.
Please note that blocking cookies or disabling advertising IDs may affect how some parts of the Services function.
We do not respond to legacy “Do Not Track” (DNT) browser headers, because there is no common standard for doing so.
However, we honour Global Privacy Control (GPC) and other recognised technical signals as opt-out requests for “sale/sharing” and targeted advertising where required by law.
A. If you do not have an account (current situation)
At the moment, the App does not offer login-based accounts. Most data is stored locally on your device (for example, downloaded content and wellbeing/journaling entries) or in our support systems (for example, when you email us).
You can delete local App data by using the operating system settings (e.g., “Clear data” / “Delete storage”) and by uninstalling the App.
You can ask us to delete support and communication data that we hold about you by emailing info@flameappsdevelopment.com. We will delete it unless we are required or permitted to keep it for legal reasons (for example, to comply with tax or accounting obligations, or to establish or defend legal claims).
These options exist in addition to your privacy rights described in the section “Your privacy rights”.
B. If we introduce accounts in the future
If the App ever offers account creation, we will comply with Google Play’s account deletion and Data safety requirements by providing:
An in-App path to delete your account and associated personal data, and
A web link you can use even if you have uninstalled the App.
When you request deletion of an account, we will delete or anonymise associated personal data unless retention is required by law (for example, to prevent fraud or comply with bookkeeping rules).
We monetize with ads through the following partners (including mediation/exchange). The App is intended for adults aged 18 and over, and we configure these SDKs on that basis. Please review their notices to learn how they process data and how to opt out:
Google AdMob – Privacy Policy: https://policies.google.com/privacy?hl=en
Meta Audience Network – Privacy Policy: https://www.facebook.com/privacy/policy/
InMobi Exchange (über AdMob Open Bidding) – Privacy Policy: https://www.inmobi.com/mweb/yes-privacy
Liftoff Monetize (Vungle) – Privacy Policy: https://liftoff.ai/privacy-policy/
AppLovin – Privacy Policy: https://legal.applovin.com/privacy/
OneTag Exchange – Privacy Policy: https://www.onetag.com/privacy-platform/
Mobfox – Privacy Policy: https://www.mobfox.com/privacy-policy/
We may update this list as we add or remove SDKs; the in-app CMP vendor list (EEA/UK/CH) will always reflect the current vendors shown to you at consent time.
We may update this Privacy Policy as our App and legal obligations evolve. We will:
post the updated version on the Sites and/or in the App, and
change the “Effective date” at the top.
If changes materially affect your rights or how we use your data, we will provide a more prominent notice (for example, an in-App notification or email) and, where legally required, seek your consent again.
Controller: Flame Apps
Email: info@flameappsdevelopment.com
Mail: Flame Apps, Postfach 53 04, 97003 Würzburg, Germany
Supervisory authority (Germany/Bavaria, private sector):
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Online complaint forms are available on their website.
If you have questions, concerns, or complaints about this Policy or our data practices, please contact us first. We will do our best to resolve them. You also have the right to contact or complain directly to your local data-protection authority.
Category:
Device/Ad IDs & network data
Examples:
Advertising ID (AAID/IDFA), app instance ID, IP address, user-agent, device model, OS version, language, network, coarse location derived from IP.
Purpose:
Serve ads (personalised or contextual depending on consent), cap frequency, measure performance, detect fraud/abuse, security and stability of the App.
Legal basis:
Consent (for personalised ads and certain tracking in EEA/UK/CH); legitimate interests (security, fraud prevention, basic measurement); opt-out rights for “sale/sharing” and targeted advertising in certain U.S. states.
Typical retention:
As short as partners permit for ad delivery and measurement (typically limited windows as defined in each partner’s policy).
Recipients:
Ad technology partners (see “Ad Technology Partners” section) and service providers supporting ad delivery and measurement.
Category:
Ad events & interaction logs
Examples:
Ad request, impression, click, viewability metrics, engagement with ad units, error/crash logs related to ad serving.
Purpose:
Monetisation of the App, reporting, campaign optimisation, fraud prevention.
Legal basis:
Consent where required (EEA/UK/CH for ad personalisation and measurement); legitimate interests (fraud/security, aggregate reporting).
Typical retention:
Short windows defined by each partner’s policies (for example, days to months, not permanent).
Recipients:
Ad technology partners and mediation platforms listed in the “Ad Technology Partners” section.
Category:
App telemetry & diagnostics
Examples:
Session start/end time, session duration, feature usage (screens/functions used), crash logs, performance metrics.
Purpose:
Maintain and improve App stability and performance; detect and fix bugs; security monitoring.
Legal basis:
Legitimate interests (Art. 6(1)(f) GDPR) in running and improving the App safely and efficiently.
Typical retention:
Short operational windows and limited historical logs needed for debugging and security; longer where needed in anonymised/aggregated form.
Recipients:
Our own infrastructure and selected service providers (e.g., crash logging or error monitoring tools).
Category:
Account and subscription data (if/when available)
Examples:
Username, email address, hashed password or token, language, time zone, basic preferences (e.g., preferred voice type, reminder settings), subscription plan, renewal status, store or payment provider, transaction IDs.
Purpose:
Provide and manage user accounts and subscriptions; authenticate users; remember preferences; manage entitlements; prevent fraud; provide support.
Legal basis:
Contract (Art. 6(1)(b) GDPR) for providing the account and subscription; legitimate interests (security, fraud prevention); legal obligation (e.g., tax/accounting for transaction records).
Typical retention:
For as long as the account is active and as required by law (e.g., statutory retention for invoices). Some security logs may be retained for a limited period after account closure.
Recipients:
Us (controller), app stores and payment processors, selected service providers (e.g., hosting).
Category:
Support & communication data
Examples:
Email address or other contact details, contents of messages and attachments, technical metadata (time, IP, mail headers) from email systems.
Purpose:
Respond to support requests, feedback, or bug reports; improve support quality; establish or defend legal claims.
Legal basis:
Contract (if you contact us about your use of the App); legitimate interests (customer support, defending legal claims).
Typical retention:
While the request is open and for a reasonable period thereafter, especially if relevant to legal obligations or disputes (subject to limitation periods).
Recipients:
Email and helpdesk providers, and our internal support team.
Category:
Optional wellbeing & journaling data
Examples:
Notes, moods, tags, subjective ratings, goals, posture hints, wearable-related inputs you enter in optional features.
Purpose:
Provide the specific optional feature you enabled (e.g., journaling, mood tracking, personalised guidance); present your own history back to you.
Legal basis:
Explicit consent / opt-in (for special-category data under EU/UK/CH law); contract (to provide the chosen feature).
Typical retention:
Stored on-device until you delete entries or uninstall the App. If you enable cloud sync, retention is as described in-App for that feature and may depend on the storage provider and your settings.
Recipients:
By default, stored locally only. If you enable cloud sync or backup, the relevant storage provider may receive data under that feature’s notice.
Category:
Microphone / voice assistant data (optional)
Examples:
Audio commands processed on-device; any audio you explicitly choose to record, save, or send (e.g., feedback recordings).
Purpose:
Provide voice-based interaction and guidance; improve usability of optional voice features.
Legal basis:
Consent (for enabling microphone-based features and, if applicable, recording/sending audio); contract (to provide the feature once you enable it).
Typical retention:
Real-time audio is processed on-device and not retained by us by default. Any recordings you choose to save are kept until you delete them; if you send audio to us (e.g., for support), it is retained as part of support communications.
Recipients:
On-device processing. If cloud-based voice processing is added in the future, only with separate notice and your consent; support providers if you send audio in support requests.
Category:
Camera / posture guidance data (optional)
Examples:
Images or video frames processed on-device to detect posture or movement; screenshots or images you explicitly choose to save or share.
Purpose:
Provide posture or motion guidance features you enable.
Legal basis:
Consent (for enabling camera-based features); contract (to provide the feature once you enable it).
Typical retention:
Images/video used for real-time posture detection remain on-device and are not stored by us. Screenshots or images you choose to save or share persist until you delete them.
Recipients:
On-device processing only, unless you explicitly share content (e.g., via another app or service chosen by you).
Category:
Wearables & health integrations (optional)
Examples:
Heart rate, step count, sleep duration or similar signals received from connected wearables or health services (e.g., Google Fit, Apple Health), subject to your permissions.
Purpose:
Provide the integration feature (e.g., adapting sessions to your activity or sleep patterns); show basic statistics to you.
Legal basis:
Explicit consent / opt-in (for health data); contract (to provide the integration you enabled).
Typical retention:
As described in the integration settings or feature description; typically as long as you keep the integration enabled and do not revoke permissions.
Recipients:
Us (controller); the third-party platform providing the wearable/health data continues to process data under its own privacy policy.
Category:
Website & app usage data (Sites)
Examples:
IP address, browser type/version, device type, OS, approximate location (country/region), time zone, pages visited, clicks, scrolls, referring/exit URLs, cookie identifiers and similar online identifiers.
Purpose:
Operate the Sites; security; aggregate analytics; improve content; support consent management and advertising choices.
Legal basis:
Legitimate interests for strictly necessary and security-related processing; consent for non-essential cookies/trackers and certain analytics/advertising functions in EEA/UK/CH.
Typical retention:
Cookie lifetimes vary (see cookie or CMP settings); aggregated analytics may be kept longer in a de-identified form.
Recipients:
Web hosting and analytics providers; consent management platform (CMP) provider; ad technology partners where relevant.
Category:
Payment data (if/when applicable)
Examples:
Payment card type, truncated card number, expiry month/year, billing address, transaction date/amount/status, payment provider or store transaction IDs (no full card numbers stored by us).
Purpose:
Process payments, manage subscriptions, handle refunds and billing queries, comply with tax and accounting requirements, prevent fraud.
Legal basis:
Contract (to process your payment and provide the service); legal obligation (tax/accounting); legitimate interests (fraud prevention, security).
Typical retention:
As required by tax and accounting law (often several years from the end of the fiscal year); longer if needed for fraud prevention or legal claims.
Recipients:
Payment processors (e.g., Stripe, PayPal) and/or app stores (e.g., Google Play), and our accounting systems.
Category:
Aggregated, anonymised, and de-identified data
Examples:
Statistics about app usage that do not identify you, such as total number of sessions per day, average session length per country, or anonymised metrics used for product decisions.
Purpose:
Product development, research, statistical analysis, business planning, improving AI systems without identifying individuals.
Legal basis:
Once data is truly anonymised/de-identified, it is no longer personal data and not subject to GDPR or this Policy. The anonymisation itself is based on the legal bases for the underlying personal data (see categories above).
Typical retention:
We may retain anonymised/de-identified data for as long as needed for the purposes described, as it no longer relates to an identified or identifiable individual.
Recipients:
Us and, where relevant, research or analytics partners who receive only anonymised/de-identified data.