Privacy Policy

1. Overview

FlexScan (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the FlexScan application and website at flexscan.app (the “Service”).

We recognize the highly sensitive nature of the data involved — including body photographs, fitness metrics, and health-related information. This policy is designed to be transparent about our data practices and to ensure compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using the Service, you consent to the data practices described in this policy. If you do not agree with any part of this Privacy Policy, you should discontinue use of the Service immediately.

2. Data We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, password (hashed), date of birth, and gender
• Profile Information: Height, weight, fitness goals, activity level, dietary preferences, and health conditions you voluntarily disclose
• Body Photographs: Photos you upload for body composition analysis, progress tracking, and AI-powered fitness recommendations
• Food Photographs: Photos you upload for calorie estimation and nutritional analysis
• Payment Information: Billing address and payment method details (processed and stored by Stripe; we do not store full credit card numbers)
• Communications: Messages and correspondence when you contact our support team

2.2 Information Collected Automatically

• Device Information: Device type, operating system, browser type, screen resolution, and unique device identifiers
• Usage Data: Features accessed, pages viewed, time spent on features, interaction patterns, and click data
• Log Data: IP address, access times, referring URLs, and error logs
• Location Data: Approximate location based on IP address (we do not collect precise GPS location)

2.3 Special Categories of Data

Body photographs and fitness/health-related information may constitute special category data under GDPR (health data). We process this data based on your explicit consent, which you provide when uploading photos and health information to the Service. You may withdraw consent at any time by deleting your data or contacting us.

3. How We Use Your Data

We use the information we collect for the following purposes:

Legal Basis for Processing (GDPR): We process your data based on: (a) your explicit consent (for body photos and health data), (b) performance of a contract (to deliver the Service), (c) legitimate interests (analytics, fraud prevention, service improvement), and (d) legal obligations (tax records, compliance).

4. Photo Data Handling

• Encryption: All photos are encrypted in transit (TLS 1.3) and at rest (AES-256 encryption)
• AI Processing: Photos are securely transmitted to our AI processing partner (currently OpenAI) solely for analysis. We use OpenAI’s zero-data-retention API tier — your photos are not used to train their models
• Storage: Photos are stored temporarily for analysis purposes. They are not stored permanently unless you opt in to progress tracking. You may delete all stored photos at any time
• No Sharing: We never sell, share, license, or distribute your photos to any third party for any purpose beyond providing the Service
• No Human Review: Your photos are processed exclusively by automated AI systems. No FlexScan employees or contractors view your photos unless you explicitly send them to support for troubleshooting purposes
• Deletion: You can permanently delete all your photos from our systems at any time through your account settings. Deletion is processed within 30 days

For comprehensive details, see our Photo & Data Handling Policy.

5. Third-Party Services

We use the following third-party services to operate FlexScan. Each has its own privacy policy and data handling practices:

We carefully vet our third-party service providers and require them to maintain appropriate security measures. We enter into data processing agreements (DPAs) with each provider where required by applicable law.

We do not sell your personal information to any third party. We do not share your personal information with third parties for their own marketing purposes.

6. Data Retention & Deletion

We retain your data for the following periods:

Account Deletion: You may request complete deletion of your account and all associated data at any time by emailing support@flexscan.app or through your account settings. We will process deletion requests within thirty (30) days, except where we are legally required to retain certain information.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data (“right to be forgotten”)
• Right to Restrict Processing (Art. 18): You have the right to request that we limit how we use your data
• Right to Data Portability (Art. 20): You have the right to receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence

To exercise any of these rights, contact us at support@flexscan.app. We will respond to your request within thirty (30) days. We may ask you to verify your identity before fulfilling your request.

8. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the CPRA):

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
• Right to Correct: You have the right to request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA. However, you still have the right to opt out, and we will honor such requests
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights
• Right to Limit Use of Sensitive Information: You may request that we limit the use of sensitive personal information (such as body photos) to what is necessary for providing the Service

Categories of Personal Information Collected: Identifiers (name, email), commercial information (subscription records), biometric-adjacent information (body photos processed by AI), internet activity (usage data), and inferences (AI-generated fitness insights).

To submit a CCPA request, email support@flexscan.app with the subject line “CCPA Request.” We will verify your identity and respond within forty-five (45) days.

9. Cookie Policy

We use the following types of cookies and similar technologies:

We do not use advertising cookies or tracking pixels. We do not participate in cross-site tracking or retargeting.

You can control cookies through your browser settings. Note that blocking strictly necessary cookies may prevent the Service from functioning properly.

10. Children’s Privacy

The Service is strictly intended for users who are at least eighteen (18) years of age. We do not knowingly collect, solicit, or maintain personal information from anyone under 18 years of age. The nature of our Service — which involves body photographs and AI-powered body analysis — makes it particularly important that minors do not use this Service.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at support@flexscan.app. We will take prompt steps to delete such information from our systems.

11. International Data Transfers

FlexScan is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our sub-processors to ensure adequate data protection
• Data Processing Agreements: We maintain DPAs with all sub-processors that handle personal data
• Supplementary Measures: We implement additional technical and organizational measures, including encryption and access controls, to protect transferred data

By using the Service, you acknowledge and consent to the transfer of your data to the United States and the processing of your data as described in this Privacy Policy.

12. Security Measures

We implement industry-standard security measures to protect your personal information:

• Encryption in Transit: All data is transmitted over TLS 1.3 encrypted connections
• Encryption at Rest: All sensitive data, including photos, is encrypted at rest using AES-256 encryption
• Access Controls: Strict role-based access controls limit who can access user data
• Authentication Security: Passwords are hashed using industry-standard algorithms; we support multi-factor authentication
• Infrastructure Security: Our infrastructure is hosted on SOC 2 Type II compliant platforms with regular security audits
• Monitoring: We monitor our systems for unauthorized access and security anomalies
• Incident Response: We maintain a data breach response plan and will notify affected users and relevant authorities within 72 hours of becoming aware of a qualifying breach (as required by GDPR Article 33)

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to implementing and maintaining best practices.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will notify you via email and/or a prominent notice within the Service at least thirty (30) days before the changes take effect
• The “Last Updated” date at the top of this policy will be revised
• For changes requiring consent under GDPR, we will obtain your renewed consent before processing your data under the new terms

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

14. Contact Information & Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

We aim to respond to all privacy-related inquiries within thirty (30) days. For CCPA requests, we will respond within forty-five (45) days as required by law.