Privacy Policy
Version 1.1 | Last updated: December 30, 2025
This privacy policy is provided in accordance with Articles 13 and 14 of EU Regulation 2016/679 (GDPR), ePrivacy Directive 2002/58/EC, and Italian Legislative Decree 196/2003.
1. Data Controller
Flahora App
Developer: Francesco Di Tullio
Email: support@flahora.com
Privacy Officer: Francesco Di Tullio (pro tempore)
2. Personal Data Collected
2.1 Data provided voluntarily by the user
- Email, name, username, password (hashed)
- Avatar, bio, friends list, posts, comments, reactions
- Notification and privacy preferences
- 2FA codes (TOTP), phone number for SMS, recovery codes
2.2 Data collected automatically
- IP address, device type, operating system
- App version, access logs, errors, crashes
- Anonymous app events (with consent)
2.3 Data NOT collected
- Real-time GPS location
- Contact list
- Private messages from other apps
- Health, biometric, or judicial data
3. Purpose and Legal Basis
| Purpose | Legal Basis | Article |
|---|---|---|
| Registration and account management | Contract performance | Art. 6.1.b |
| Content publication and social interactions | Contract performance | Art. 6.1.b |
| Security and abuse prevention | Legitimate interest | Art. 6.1.f |
| Anonymous statistical analysis | Explicit consent | Art. 6.1.a |
| Push notifications and updates | Explicit consent | Art. 6.1.a |
| Legal obligations (logs and security) | Legal obligation | Art. 6.1.c |
4. Processing Methods and Security Measures
- Automated digital processing
- Secure servers on Firebase (Google Cloud - EU)
- Firestore Rules and Cloud Functions for server-side validation
- Hashed passwords (bcrypt), HTTPS/TLS 1.3 connections
- Encrypted daily backups, retained for 90 days
- Two-factor authentication (TOTP / SMS)
5. Data Retention
| Data Type | Duration | Deletion |
|---|---|---|
| Active account | Until user deletes it | Permanent |
| Inactive account >24 months | Automatic deletion | Complete |
| Temporary posts | Until expiration (1 min - 30 days) | Automatic deletion |
| User-deleted posts | Immediate | No backup |
| User archive | Until user deletes it | Permanent deletion |
| Analytics data (with consent) | 14 months | Automatic deletion |
| Security logs | 90 days | Legal obligation |
6. Your Rights (Art. 15-22 GDPR)
- Access: Full view within the app
- Rectification: Edit profile in real time
- Erasure (right to be forgotten): Deactivation from Settings
- Portability: Export to JSON via app
- Restriction and objection: Disable consents from Settings
- Withdraw consent: Always possible
- Complaint to Authority: www.garanteprivacy.it
7. Data Recipients
7.1 Data Processors
Firebase (Google LLC): database, storage, authentication, analytics
Region: Europe (europe-west1 + europe-west4)
Active SCCs, no extra-EU transfers
7.2 We DO NOT share data with:
- Advertising platforms
- External social networks
- Data brokers
7.3 Disclosure only if:
- Required by law or judicial authority
- Necessary for the protection of rights
8. Extra-EU Transfers
- No transfer of personal data outside the EU
- All servers are in Europe (Google Cloud - EUR3)
- If needed in the future, SCCs and adequate safeguards will be adopted (Art. 46 GDPR)
9. Minors
The app is reserved for users at least 18 years old. If we become aware of underage accounts:
- Account deleted without notice
- Parents can contact us via email to request intervention
10. Changes to this Policy
Any changes will be communicated via:
- In-app notification
- Email (if available)
Continued use of the app implies acceptance of the updated version.
11. Contact
For questions or to exercise your rights:
Email: support@flahora.com
In-app: Settings → Support
Document compliant with: EU Regulation 2016/679 (GDPR) · ePrivacy Directive 2002/58/EC · Italian Legislative Decree 196/2003 (Privacy Code) · Digital Services Act (EU Regulation 2022/2065)