Privacy Policy - Flarasa
Last Updated: February 23, 2026
1. Introduction
Flarasa ("we," "our," or "the Application") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our mobile application.
2. Data We Collect
2.1 Authentication Data
- First name (required)
- Email address (required, unique)
- Password (hashed with bcrypt, never stored in plain text)
- Account creation date
- Last login date
2.2 Product Data
- Barcodes scanned
- Expiry dates entered manually or via OCR
- Product information (name, description, image) from Open Food Facts API
- Quantity and personal notes
- Scan history (date and time)
- Product status (added, consumed, discarded)
2.3 Product Lists
- Name and description of created lists
- Creation date
- Shared members (first name and email)
- List contents (associated products)
2.4 User Preferences
- Selected language (French/English)
- Notification preferences (enabled/disabled, days before alert)
- Onboarding status (first visit)
2.5 Technical Data
- IP address
- Authentication tokens (securely stored on server)
- Device tokens for push notifications (FCM)
- Device information (operating system, version)
- Access logs (login attempts, account modifications)
3. How We Use Your Data
We use your data for the following purposes:
3.1 Core Services
- Authentication: create and secure your account
- Product management: scan, store, organize, and view your products
- Shared lists: share your lists with your roommates
3.2 Notifications
- Expiry alerts: remind you before your products expire
- Compliance: respect your notification preferences
3.3 Service Improvement
- Usage analytics: understand how you use the Application
- Optimization: improve performance and stability
- New features: develop features based on your needs
3.4 Security & Compliance
- Abuse detection: prevent fraudulent or malicious use
- Protection: secure your account against unauthorized access
- Legal compliance: meet legal and regulatory obligations
3.5 Communication
- Support: respond to your help requests
- Updates: inform you of important changes (policy changes, service interruptions)
4. Data Sharing
4.1 Shared Lists
When you share a list with a roommate, they will have access to:
- Products in the list
- Expiry dates
- Your first name (as the list owner)
You remain the owner. You can revoke access immediately by deleting the list or changing permissions.
4.2 Third-Party Service Providers (Data Processors)
We share only the minimum necessary data with:
| Third Party | Data | Purpose | Policy |
|---|---|---|---|
| Supabase | Email, first name, products, lists | Backend hosting, authentication, storage | supabase.com/privacy |
| Open Food Facts | Barcodes | Retrieve product information (public API) | world.openfoodfacts.org |
| Firebase Cloud Messaging | Device token | Send push notifications | firebase.google.com/support/privacy |
4.3 We Do Not Sell Your Data
We never sell your data to third parties for commercial purposes.
4.4 Legal Requirements
We may disclose your data if required by law:
- Court orders or subpoenas
- Government investigations
- Criminal proceedings
- Legal obligations (public authorities)
We will notify you unless the law prohibits it.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile | While account is active + 30 days after deletion |
| Products and lists | While account is active + 30 days after deletion |
| Scan history | 90 days |
| Access logs (IP, attempts) | 1 year |
| Push notifications | 30 days |
| Backups | Up to 90 days (by Supabase) |
Permanent deletion: After 30 days, your data is permanently and irreversibly deleted.
6. Security
6.1 Technical Measures
We protect your data through:
- HTTPS/TLS 1.3 encryption for all data transmission
- Supabase authentication with JWT support and MFA (2FA)
- Bcrypt password hashing (no plain text storage)
- Defense-in-depth: systematic server-side validation
- Strict security checks: no SQL injection, no XSS vulnerabilities
- Rate limiting: login attempt restrictions (5 attempts → 2 min lockout)
- Dependency audits: regular vulnerability checks of packages
6.2 Limitations
No transmission is 100% secure. We are not responsible for:
- Access due to compromised or weak passwords
- Identity theft
- Access by malware on your device
- Interception if you use an unsecured Wi-Fi network
6.3 Your Responsibility
- Keep your password confidential
- Use a strong password (minimum 8 characters)
- Never share your email/password with anyone
- Sign out after each session (especially on shared devices)
7. Your Rights (GDPR)
You have the right to:
7.1 Access
Obtain a complete copy of all data we have about you.
7.2 Rectification
Correct your inaccurate or incomplete information.
- Example: update your first name, email
7.3 Deletion ("Right to be Forgotten")
Have your account and all associated data permanently deleted.
- This includes: products, lists, scan history, all logs
7.4 Portability
Receive your data in a portable format (JSON/CSV) to transfer elsewhere.
7.5 Object
Object to the processing of certain data (e.g., notifications, analytics)
7.6 Processing Restriction
Request a temporary suspension of data processing.
7.7 How to Exercise Your Rights
Contact us:
- Email: support@flarasa.app
- In-app: Menu Profile → Support → Contact Us
- Response time: Within 30 days (maximum 90 days for complex requests)
No fees will be charged to exercise your rights (except for manifestly unfounded requests).
8. Cookies & Tracking
8.1 No Cookies
The Application does not use cookies (web navigation) as this is a native mobile app.
8.2 No Third-Party Tracking
We do not use:
- Google Analytics
- Mixpanel
- Amplitude
- Other tracking analytics tools
8.3 Local Notifications Only
Expiry notifications are 100% local to your phone. No data is sent to tracking services.
9. Sensitive Data
We do not intentionally collect:
- Medical or health data (beyond product type)
- Biometric data
- Genetic data
- Sexual orientation or religious beliefs
- Racial or ethnic data
If you accidentally send us sensitive data, we will delete it immediately.
10. Children
10.1 Age Limit
Flarasa is intended for users 13 years and older.
10.2 Minor Protection
We do not intentionally collect data from children under 13 years old.
If you are under 13, ask a parent/guardian to create an account for you.
If we discover a violation, we will immediately delete the child's data.
Contact privacy@flarasa.app if you are a parent with concerns.
11. Changes to This Policy
11.1 Updates
We may update this Policy at any time to:
- Comply with new laws
- Reflect technical changes
- Clarify our practices
11.2 Notification
Major changes will be notified via:
- Email (if you have an account)
- In-app banner
- Push notification
Minor changes (typos, clarifications) take effect immediately.
11.3 Acceptance
By continuing to use the Application after notification, you accept the modifications.
12. Contact & Complaints
12.1 Questions
For any questions about this Policy or your data:
Email: privacy@flarasa.app
In-app: Menu Profile → Support
Response time: 5 business days
12.2 Complaint to Data Protection Authority
If you are not satisfied with our response, you have the right to file a complaint with the competent data protection authority:
- France: CNIL (Commission Nationale de l'Informatique et des Libertés)
- Other EU countries: Contact your national authority
13. Legal Information
- Operator: Flarasa
- Legal contact email: support@flarasa.app
- Backend server: Supabase (data hosted in Europe by default)
- Compliance: GDPR (EU), CCPA (California, if applicable)
Version: 1.0 Effective Date: February 23, 2026 Next Review: February 2027