Privacy Policy

1.1 Information You Provide

• Account Information: When you create an account, we collect your email address and any profile information you choose to provide (display name, bio, reading preferences).
• Payment Information: If you subscribe to a paid plan, payment details are processed by our payment processor (Stripe). We do not store your credit card information on our servers.
• Uploaded Content: If you choose to upload your own text files (.txt, .epub) for use with the RSVP reader, we process this content locally in your browser.

1.2 Information Collected Automatically

• Reading Statistics: We collect data about your reading activity, including words read, reading speed (WPM), session duration, and reading history.
• Progress Data: Your reading position, completed chapters, and book progress are stored to allow you to resume where you left off.
• Achievements and XP: We track your earned XP, unlocked achievements, reading streaks, and level progression.
• Device and Browser Information: We may collect basic technical information such as browser type, device type, and operating system for service optimization.

1.3 Information Stored Locally

The following data is stored locally in your browser using localStorage:

• Reading progress and session statistics
• Theme preferences (light/dark mode)
• Guest session counts (for the 3-session free trial)
• Onboarding tour completion status
• User settings and preferences

We use cookies and similar tracking technologies to enhance your experience and analyze site usage. Our consent management system ensures compliance with privacy laws including the California Invasion of Privacy Act (CIPA).

2.1 Cookie Categories

We classify cookies into the following categories:

2.2 Consent Management

We use a Consent Management Platform (CMP) that:

• Blocks all non-essential scripts until you provide explicit consent
• Honors your "Decline" choice by preventing tracking scripts from loading
• Stores your preferences in your browser's local storage
• Allows you to change your preferences at any time

2.3 Third-Party Tracking Tools

We may use the following third-party services (only with your consent):

• Google Analytics: For website traffic analysis and user behavior tracking
• Meta Pixel: For advertising campaign measurement (if applicable)
• Session Replay Tools: For understanding user interactions (if applicable)

Important: These tools are NOT loaded until you explicitly consent to the relevant cookie category. If you decline, these tools will not be loaded and no data will be transmitted to these third parties.

2.4 Managing Your Cookie Preferences

You can manage your cookie preferences at any time by:

• Clicking the cookie settings link in the footer of our website
• Using your browser's built-in cookie management tools
• Clearing your browser's local storage

Note: Disabling certain cookies may affect the functionality of our service.

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve the Flash-Read application, including saving and restoring your reading progress.
• Personalization: To customize your experience, such as remembering your preferred reading speed, theme, and font settings.
• Gamification: To calculate and display XP, achievements, streaks, and reading statistics.
• Billing: To process subscription payments and manage your paid plan through Stripe.
• Communication: To send you important account notifications, service updates, and (with your consent) marketing communications.
• Analytics: To understand how users interact with the service and identify areas for improvement.

Flash-Read relies on the following third-party service providers to deliver our service. These providers process data on our behalf and are contractually obligated to protect your information.

4.1 Supabase

Purpose: Database storage, user authentication, and cloud functions

Data Processed:

• Email address and encrypted password (for authentication)
• Reading progress, XP, level, and streak data
• Account settings and preferences
• Uploaded content metadata (not the content itself, which stays local)

Security: PostgreSQL database with row-level security, encryption at rest and in transit, SOC 2 Type II certified

Privacy Policy: https://supabase.com/privacy

4.2 Stripe

Purpose: Payment processing and subscription management

Data Processed:

• Payment card information (processed directly by Stripe, not stored on our servers)
• Billing address and contact information
• Subscription status and payment history

Security: PCI DSS Level 1 certified (the highest level of payment security certification)

Privacy Policy: https://stripe.com/privacy

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: We use third-party services to operate Flash-Read, including:
  • Supabase (supabase.com): For database storage, user authentication, and cloud functions. Supabase stores your email address, encrypted password, reading progress, XP/level data, and account settings. Supabase uses PostgreSQL with row-level security and encryption at rest and in transit. See Supabase Privacy Policy.
  • Stripe (stripe.com): For payment processing and subscription management. Stripe processes your payment card information, billing address, and subscription status. We do not store your full credit card details on our servers. See Stripe Privacy Policy.
• Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
• Protection of Rights: We may disclose information to protect the rights, property, or safety of Flash-Read, our users, or others.

Storage: Your account data and reading statistics are stored in Supabase, a PostgreSQL-based cloud database. Supabase employs industry-standard security measures including encryption at rest and in transit.

Security Measures: We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:

• Encrypted connections (HTTPS) for all data transmission
• Secure authentication via Supabase Auth
• Row-level security policies in our database
• Regular security audits and updates

No Guarantee: While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

We retain your personal data for as long as your account is active or as needed to provide you with the service. If you delete your account, we will delete or anonymize your personal data within 30 days, unless we are required to retain it for legal, tax, or legitimate business purposes.

Local data stored in your browser (localStorage) is removed when you clear your browser data or use your browser's site data management features.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to legal obligations.
• Portability: Request a copy of your data in a machine-readable format.
• Objection: Object to the processing of your personal data for certain purposes.
• Withdrawal of Consent: Where processing is based on consent, withdraw consent at any time.

To exercise any of these rights, please contact us through the application or via our support channels. We will respond to your request within 30 days.

California Residents (CCPA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information.

European Economic Area (GDPR): If you are located in the EEA, you have additional rights under the General Data Protection Regulation, including the right to lodge a complaint with a supervisory authority.

The California Invasion of Privacy Act (CIPA) (California Penal Code §§ 630-638) is a state law that protects the privacy of communications. We take CIPA compliance seriously and have implemented the following measures:

9.1 Our CIPA Compliance Measures

• No Pre-Consent Tracking: We do not load any tracking scripts (including Google Analytics, Meta Pixel, or similar tools) until you explicitly consent to their use.
• Hard Block on Decline: If you click "Decline" or opt out of non-essential cookies, we implement a hard block that prevents those tracking scripts from loading.
• No Data Transmission Without Consent: No user data is transmitted to third parties without your explicit consent.
• Script Blocking Technology: We use a script manager that intercepts and blocks unauthorized script injections.
• Consent Verification: All data transmissions are verified against your consent preferences before being sent.

9.2 What This Means for You

Under CIPA, unauthorized interception of electronic communications can result in significant penalties. Our compliance measures ensure that:

• Your browsing activity is not tracked without your knowledge and consent
• Third-party tracking tools cannot access your data unless you explicitly allow it
• You have full control over what data is collected and shared
• Your "Decline" choice is respected and enforced at the technical level

9.3 CIPA and "Digital Wiretapping"

Recent legal interpretations have characterized certain tracking technologies as "digital wiretaps" under CIPA. These include:

• Session replay tools (e.g., Hotjar, FullStory)
• Marketing pixels (e.g., Meta Pixel, Google Ads)
• Analytics tools that collect detailed user behavior

Our commitment: We do not use any of these tools without your explicit consent. If you decline tracking, these tools are completely blocked and cannot collect any data about your session.

9.4 Reporting Concerns

If you believe that tracking tools are being loaded without your consent, or if your "Decline" choice is not being honored, please contact us immediately. We take all such reports seriously and will investigate promptly.

You can verify our compliance by:

• Checking your browser's Developer Tools (Network tab) to see what scripts are loaded
• Using browser extensions that block trackers to verify they are not firing
• Contacting us for a copy of our consent audit logs

Flash-Read is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can take appropriate action.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The most current version will always be available on this page with an updated revision date.

For material changes, we will notify users via email or through a prominent notice within the application at least 30 days before the changes take effect.

If you have questions or concerns, please contact us at{' '} [email protected] .