Privacy Policy
FlashLeap ("we", "our", or "the app") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the FlashLeap mobile application and the flashleap.app website.
1. Information We Collect
Account Information: When you create an account, we collect your email address, display name, and optional profile picture and username. If you sign in with Apple or Google, we receive only the basic identity information those providers share — typically your email and display name. Passwords are handled securely by Firebase Authentication and are never stored in plaintext or visible to us.
User Content: Flashcard decks, cards, and associated media (images, audio, drawings) that you create within the app. This content is stored locally on your device and, if you enable cloud sync, also synced to your private cloud storage.
AI Generation Inputs: When you use AI card generation, the source text, topic, or context you submit is sent through our backend to Google's Generative Language API for processing. We do not retain the submitted text after the response is returned. See Section 4 for details.
Subscription & Purchase Data: All payments are processed by Apple. We never see your payment card information. We receive only the anonymous transaction identifier and entitlement status from Apple's StoreKit needed to verify and unlock your Pro features and grant consumable in-app purchases (heart packs, AI generation packs).
Advertising Identifier: The app may show optional rewarded video ads served by Google AdMob. If you grant App Tracking Transparency permission, AdMob may use Apple's Identifier for Advertisers (IDFA) to deliver personalised ads. If you decline, AdMob serves non-personalised ads. Pro subscribers are never shown ads.
Device Attestation: To prevent fraud and abuse, the app uses Apple's App Attest / DeviceCheck via Firebase App Check. Apple generates an anonymous device-integrity token that our backend validates. This token does not contain personal information and cannot be used to identify or track you across apps.
Website Waitlist: If you sign up to the waitlist on flashleap.app, we collect the email address you submit, an approximate signup timestamp, and a hashed IP-derived rate-limiting key. This data is used solely to notify you when FlashLeap launches and is deleted on request.
Usage Data: We may collect anonymous usage analytics such as study session frequency, feature usage, ad interactions, and crash reports to improve the app.
2. How We Use Your Information
- To provide and maintain the FlashLeap service
- To sync your flashcards across your devices (when cloud sync is enabled)
- To generate AI flashcards on your request, by forwarding your input to Google's Gemini API
- To verify and unlock Pro features and consumable purchases after a successful App Store transaction
- To serve and measure rewarded video ads (Google AdMob), only when you choose to watch one
- To send transactional emails — password reset, email verification, waitlist launch notifications — delivered through our email provider Resend (resend.com)
- To enforce per-user rate limits and prevent abuse
- To improve app performance, fix bugs, and analyze aggregate usage
- To display your public profile (display name, avatar) to other users when you share a deck
3. Data Storage & Security
Your data is stored using Apple's CoreData framework on your device and, when cloud sync is enabled, on Google Firebase servers (Firestore, Firebase Storage) located in the United States. All cloud data is encrypted in transit using TLS and at rest on Firebase servers.
Media references are encrypted before being stored in the cloud. Firestore Security Rules and Storage Security Rules are configured so that only you can read or write your own data, and Pro-status fields are writable only by our server, never by client devices.
4. AI Processing (Google Gemini)
FlashLeap's AI card generation is powered by Google's Gemini language model. When you tap an AI generation action:
- The text or topic you provide is sent from the app to our Firebase Cloud Function over a TLS-encrypted connection.
- Our backend forwards the request to Google's Generative Language API (
generativelanguage.googleapis.com) using a server-side API key. Your Firebase user ID is used only to count the request against your monthly quota, and is not sent to Google. - Google processes the prompt and returns generated flashcard JSON, which we forward back to your device.
- FlashLeap does not log, persist, or train any model on the prompt body or the generated response. Google's data handling is governed by the Gemini API Additional Terms of Service and Google's privacy policy.
Please do not submit confidential, private, or sensitive personal information as input to AI generation.
5. Rewarded Ads (Google AdMob)
The app may offer optional rewarded video ads to grant additional in-app benefits (such as +1 AI generation or a streak save). Ads are entirely opt-in — you choose when to watch one. Pro subscribers are never shown ads. Daily and weekly caps prevent excessive ad consumption.
When you choose to watch an ad, Google AdMob may collect device information (model, OS version, language) and, if you have granted App Tracking Transparency permission, your Identifier for Advertisers (IDFA) to serve personalised ads. If ATT is denied, ads are served as non-personalised. Google's data handling for AdMob is governed by Google's advertising policy.
6. Third-Party Services
FlashLeap uses the following third-party services to operate:
- Firebase Authentication — user accounts and sign-in (Google LLC)
- Sign in with Apple — optional third-party sign-in (Apple Inc.)
- Sign in with Google — optional third-party sign-in (Google LLC)
- Cloud Firestore — cloud data storage and sync (Google LLC)
- Firebase Storage — media file storage (Google LLC)
- Firebase Cloud Functions — backend logic, AI proxy, scheduled cleanup (Google LLC)
- Firebase App Check — anti-abuse device attestation (Google LLC + Apple Inc. App Attest/DeviceCheck)
- Firebase Analytics & Crashlytics — anonymous usage analytics and crash reports (Google LLC)
- Google Gemini API — AI text generation (Google LLC)
- Google AdMob — rewarded video advertising (Google LLC)
- Apple App Store / StoreKit — subscription and in-app-purchase billing (Apple Inc.)
- Resend — transactional email delivery (Resend, Inc.)
Each provider has its own privacy policy. We encourage you to review Firebase's Privacy Policy, Google's Privacy Policy, Apple's Privacy Policy, and Resend's Privacy Policy.
7. Data Sharing
We do not sell, trade, or rent your personal information to third parties. Your flashcard content is private unless you explicitly choose to share a deck using a share code, in which case any user with the share code can import a copy until the code expires (30 days).
Shared decks include your display name as the author. We may disclose information when required by law, valid legal process, or to protect the safety, rights, or property of FlashLeap, our users, or the public.
8. Data Retention & Deletion
Your data is retained for as long as your account is active. If you delete your account from within the app (Settings → Account → Delete Account), your cloud data enters a 90-day recovery period, after which it is permanently deleted from Firestore and Firebase Storage. Local data on your device is removed when you uninstall the app.
Shared deck records are auto-deleted after their 30-day expiration by a scheduled backend job. AI usage counters are reset monthly and contain no flashcard content. Waitlist signups are retained until launch notifications are sent and may be deleted on request at any time by emailing support@flashleap.app.
9. Children's Privacy
FlashLeap is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. International Users
FlashLeap's servers and backend infrastructure are operated by Google Cloud in the United States. By using the app, you consent to the transfer of your data to the United States, which may have data-protection laws different from those in your country of residence.
11. Your Rights
You have the right to:
- Access, update, or delete your personal information
- Export your flashcard data
- Disable cloud sync at any time
- Delete your account from within the app (90-day recovery, then permanent deletion)
- Opt out of AI generation by simply not using it — the rest of the app works without it
- Decline App Tracking Transparency to receive non-personalised ads only
- Request deletion of waitlist or support correspondence by emailing us
If you are a resident of the EU, UK, California, or another jurisdiction with comparable data-protection laws, you may have additional rights under GDPR, UK GDPR, CCPA/CPRA, or similar frameworks. Contact us to exercise any of these rights.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or via email. Continued use of FlashLeap after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your data rights, please contact us at support@flashleap.app.