Privacy Policy

Last updated: 9 April 2026

1. Introduction

This Privacy Policy explains how Charlie Sabin ("I", "me", "my"), an Australian sole trader, collects, uses, discloses, stores, and protects personal information when you use the Fluxy mobile application ("App", "Service"). Fluxy is not a registered business name — it is a product name used by Charlie Sabin. This policy applies to all users of the App.

I am committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. If you do not agree to this Privacy Policy, please do not use the App.

2. Who I Am

Fluxy is operated by Charlie Sabin, an Australian sole trader (ABN holder). Fluxy is not a registered business name — it is the product name for this mathematics education application for iOS, designed for students studying secondary-level mathematics. The App is offered as a free-to-download application with an optional premium subscription.

Operator: Charlie Sabin (sole trader)
ABN: 64 151 412 796
Contact: hello@getfluxy.app

3. What Personal Information I Collect

I collect the following categories of personal information:

3.1 Account Information

  • Email address — collected when you register with an email and password, or when your Apple ID email is shared through Sign in with Apple.
  • Username — a display name you choose at account creation.
  • Authentication credentials — managed by Firebase Authentication; your password is never stored or accessible by me in plaintext.
  • Apple ID token — a cryptographic identity token provided by Apple when you use Sign in with Apple. Apple may provide a private relay email address rather than your real address.
  • Account creation timestamp.

3.2 Usage and Performance Data

  • Daily and lifetime question counts — the number of questions you answer correctly per topic each day, and cumulative lifetime totals per topic.
  • Streak data — your current streak length (days), whether today's goal has been completed, last active date, and streak lives balance.
  • Competition data — Elo rating, matches played, won, lost, and drawn; today's match count.
  • Session events — in-app behaviour events sent to Firebase Analytics, including: sign-in method and outcome; onboarding subject selection; paywall views and plan tab selections; purchase failures and subscription restores; topics practised, difficulty levels selected, and incorrect answer occurrences; streak revival interactions; friend request actions (sent, accepted, declined, removed); competition and matchmaking events (matchmaking start, opponent found, bot fallback, cancellation, challenge creation and decline, match forfeits); navigation events (screens visited such as profile, friends, leaderboard, and competition); and account deletion (including streak length and Elo rating at time of deletion). Analytics collection can be disabled via the toggle in Settings within the App.

3.3 Subscription and Purchase Data

  • Premium subscription status — whether you hold an active subscription (monthly or yearly) or have earned a permanent Elo-based premium unlock. This is synced to my servers via Firebase.
  • Transaction verification — handled entirely by Apple's StoreKit 2 framework. I do not receive or store your payment card details or billing address.

3.4 Notification Data

  • FCM (Firebase Cloud Messaging) token — a device-level push token stored against your user account in Firestore so that push notifications (e.g. friend requests, challenge completions) can be delivered to your device. This token is deleted from my servers when you sign out or delete your account.
  • Notification permission status — stored locally on your device via UserDefaults only.

3.5 Social and Competition Data

  • Friend relationships — usernames and UIDs of users you add as friends, along with request status and timestamps.
  • Competition matches — match metadata (topic, difficulty, duration, seed), your answers (question index, chosen option, correctness, answer time), result, and Elo change, stored in Firestore.
  • Challenges — async friend challenges including challenger/opponent UIDs, match parameters, and results.

3.6 Customisation Preferences

  • Colour theme selection — stored in Firestore against your account.
  • Avatar configuration — avatar customisation choices stored in Firestore as a map of string values.

3.7 Device and Technical Data

Firebase automatically collects certain technical data as a standard part of its SDK operation, which may include:

  • Device type and operating system version
  • IP address (used for geo-routing; not retained by me)
  • App version
  • Crash reports and performance metrics (via Firebase's built-in mechanisms)

The device and technical data listed above is not linked to your identity in my systems. Firebase may collect this data automatically but I do not associate it with your user account or profile. All data described in Sections 3.1 through 3.6 is linked to your identity via your user account.

I do not use advertising SDKs or sell your data to advertisers.

4. How I Collect Personal Information

I collect information:

  • Directly from you — when you create an account, choose a username, answer questions, enter competitions, or add friends.
  • From Apple — via Sign in with Apple, which provides a UID and optionally an email address or private relay address.
  • Automatically — via Firebase SDKs (Authentication, Firestore, Analytics, Cloud Messaging) as you use the App.

5. Why I Collect Personal Information

I collect and use your personal information to:

Purpose | Information Used
Create and manage your account | Email, username, UID
Deliver core app functionality (streaks, progress tracking) | Question counts, streak data, last active date
Enable competition and social features | Elo rating, match data, friend relationships
Personalise your experience | Theme selection, avatar configuration
Process and verify your subscription | StoreKit transaction data, premium status
Send push notifications you have opted into | FCM token, streak state
Analyse aggregated usage to improve the App | Firebase Analytics events
Detect and prevent fraud or abuse | Authentication data, usage patterns
Comply with my legal obligations | Account records

I do not use your personal information for direct marketing to third parties or for targeted advertising.

6. Legal Basis for Processing

I process your personal information on the following grounds:

  • Performance of a contract — to provide the App and the services you have signed up for.
  • Legitimate interests — to improve the App, maintain security, and operate social and competition features.
  • Consent — for push notifications (you must explicitly grant permission on your device; you can withdraw consent at any time via iOS Settings → Fluxy → Notifications, and withdrawal takes effect immediately).
  • Legal obligation — where required by Australian law.

7. Disclosure of Personal Information

I do not sell, rent, or trade your personal information to third parties for their own commercial purposes. I may disclose your personal information to:

7.1 Service Providers

Provider | Purpose | Location
Google Firebase (Authentication, Firestore, Analytics, Cloud Messaging) | Account management, data storage, push notifications, analytics | USA (Google Cloud infrastructure)
Apple Inc. (Sign in with Apple, StoreKit, APNs) | Authentication, payment processing, push notification delivery | USA

These providers process data on my behalf under their own privacy policies and security standards. Google Firebase is subject to the Google Cloud Data Processing Addendum and acts as a data processor for the personal information I store. Apple acts as an identity provider for Sign in with Apple (not as a data processor for Fluxy) and processes subscription payments as an independent data controller under Apple's Privacy Policy.

7.2 Other Users

Certain information is visible to other users of the App as part of its social features:

  • Your username, Elo rating, current streak length, avatar, and match statistics are publicly visible on your profile and leaderboards.
  • Your email address is never visible to other users.

7.3 Legal Requirements

I may disclose your information if required to do so by law, court order, or a request by a government authority in Australia or another applicable jurisdiction.

7.4 Business Transfers

If the App or its associated business is acquired, merged, or transferred, your personal information may be transferred to the new operator. I will notify you before your information is transferred and becomes subject to a different privacy policy.

8. Cross-Border Data Transfers

By using the App, your personal information is stored and processed in the United States by Google Firebase and Apple. Before disclosing personal information to an overseas recipient, I take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8.

Google maintains Standard Contractual Clauses and other safeguards for international data transfers. Apple processes data in accordance with its own privacy policies and contractual commitments. These transfers are made subject to appropriate safeguards as described in Section 13.5 for EEA, UK, and Swiss users, and in accordance with APP 8 for Australian users.

If you are located in the EEA, UK, or Switzerland, additional transfer safeguards apply — see Section 13.5 below.

9. Data Retention

I retain your personal information for as long as your account is active or as needed to provide the Service. Cancelling your premium subscription does not delete your account or personal information — your data is retained under the free tier. To have your data deleted, you must delete your account (see below) or contact me.

  • If you delete your account through the App (Profile → Delete Account), your Firestore user document, username reservation, friend list, and active match data are deleted immediately. Your Firebase Auth account is also deleted immediately. Completed match records that reference your account are anonymised (your UID is replaced with a generic identifier) to preserve the integrity of other users' match history. Automated Firebase backups that may contain residual copies of your data are overwritten within 30 days in accordance with Google Cloud's backup retention schedule.
  • If your account is inactive for 24 consecutive months (no sign-in activity), I may delete your account and associated personal information after sending a 30-day advance notice to your registered email address. If you sign in during the notice period, no deletion will occur.
  • Firebase Analytics data is retained in accordance with Google's data retention policies (by default, up to 14 months for event-level data).
  • FCM tokens are deleted from my servers when you sign out or delete your account.
  • I may retain certain records for a reasonable period after account deletion as required by law or to resolve disputes.

10. Security

I implement reasonable technical and organisational measures to protect your personal information, including:

  • Firestore security rules that restrict access to your data to your own authenticated UID.
  • Firebase Authentication with nonce-based cryptographic verification for Sign in with Apple.
  • TLS encryption for all data transmitted between the App and Firebase servers.
  • Password hashing managed entirely by Firebase Authentication (I never handle plaintext passwords).

No method of data transmission or storage is 100% secure. I cannot guarantee absolute security.

11. Children's Privacy

The App is designed for students in Years 11–12 of the Victorian Certificate of Education (VCE), typically aged 16–18. The App is not directed at children under the age of 13.

I do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided me with personal information without your consent, please contact me at hello@getfluxy.app and I will take steps to delete that information.

Users aged 13–17 should obtain parental consent before creating an account.

Users in the EEA and UK: Under GDPR Article 8, parental or guardian consent is required for users under the age of 16 in most EU member states (some member states set this threshold as low as 13). If you are under the applicable age of digital consent in your country, you must have your parent or guardian create the account on your behalf or provide verifiable consent. See Section 13.6 for further details.

12. Your Privacy Rights

Under the Australian Privacy Act 1988 and the APPs, you have the right to:

  • Access — request access to the personal information I hold about you.
  • Correction — request that I correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Deletion — request deletion of your account and associated personal information via Profile → Delete Account in the App, or by contacting me.
  • Complaint — lodge a complaint with me or directly with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you believe I have breached the APPs.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the GDPR — see Section 13 for full details.

To exercise any of these rights, please contact me at hello@getfluxy.app. I will respond within 30 days (or within one calendar month for GDPR requests). I may need to verify your identity before processing your request.

13. European Economic Area, United Kingdom, and Switzerland (GDPR)

This section applies to you if you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland. It supplements the rest of this Privacy Policy with information required by the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR"). In the event of any conflict between this section and other parts of this Privacy Policy, this section prevails for individuals in these jurisdictions.

13.1 Data Controller

The data controller responsible for your personal data is:

Charlie Sabin (sole trader)
Email: hello@getfluxy.app

I am not required to appoint a Data Protection Officer under GDPR Article 37, as I do not carry out large-scale processing of special categories of data and I am not a public authority. You may direct any data protection queries to me at the email address above.

13.2 Legal Bases for Processing

I process your personal data on the following legal bases under GDPR Article 6(1):

Processing Purpose | Legal Basis | GDPR Article
Account creation and management | Performance of a contract | Art. 6(1)(b)
Core app functionality (streaks, progress tracking, daily goals) | Performance of a contract | Art. 6(1)(b)
Competition and social features (Elo rating, matches, friends) | Performance of a contract | Art. 6(1)(b)
Personalisation (colour themes, avatar) | Legitimate interests | Art. 6(1)(f)
Subscription processing and verification | Performance of a contract | Art. 6(1)(b)
Push notifications (streak reminders, friend requests, challenges) | Consent | Art. 6(1)(a)
Analytics and app improvement | Legitimate interests | Art. 6(1)(f)
Fraud and abuse prevention | Legitimate interests | Art. 6(1)(f)
Compliance with legal obligations | Legal obligation | Art. 6(1)(c)

Legitimate interests detail: Where I rely on legitimate interests, the specific interests pursued are: (a) understanding how users interact with the App in aggregate so I can improve functionality, fix bugs, and prioritise features (analytics); (b) protecting the integrity of the App and its users against misuse (fraud prevention); and (c) storing optional personalisation preferences (colour themes, avatar configuration) to enhance the user experience across sessions. I have conducted a balancing assessment for each and concluded that these interests are not overridden by your rights and freedoms, given that the processing is limited in scope, does not involve sensitive data, personalisation data is entirely user-initiated and optional, and you can object at any time (see Section 13.3 below).

13.3 Your GDPR Rights

Under the GDPR and UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art. 15) — request a copy of the personal data I hold about you and information about how it is processed.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17) — request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where you successfully object to processing. Also known as the "right to be forgotten".
  • Right to restriction of processing (Art. 18) — request that I restrict processing of your personal data in certain circumstances, such as while I verify its accuracy or assess a valid objection.
  • Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, and machine-readable format (JSON), and request that I transmit it directly to another controller where technically feasible. This right applies to data processed on the basis of consent or contract performance.
  • Right to object (Art. 21) — object to processing based on legitimate interests (analytics and fraud prevention). I will cease processing unless I demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent (push notifications), you may withdraw consent at any time via iOS Settings → Fluxy → Notifications. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Rights related to automated decision-making (Art. 22) — Fluxy uses an Elo-based skill rating to match you with opponents of similar ability in competition mode. This involves automated profiling (calculating your Elo score based on match outcomes and pairing you accordingly). This profiling does not produce legal effects or similarly significant effects on you — it is used solely to improve the fairness of the in-app competition experience. You have the right to request human review of any automated decision, express your point of view, and contest the outcome by contacting me at hello@getfluxy.app.

13.4 How to Exercise Your Rights

To exercise any of the rights above, contact me at hello@getfluxy.app. I will respond without undue delay and in any event within one calendar month of receiving your request. If your request is complex or I receive a large number of requests, I may extend this period by up to two additional months — I will notify you of any extension and the reasons within the first month. I may need to verify your identity before processing your request. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

13.5 International Data Transfers

Your personal data is transferred to and processed in the United States by Google (Firebase) and Apple. These transfers are made under the following safeguards required by GDPR Chapter V:

  • EU-US Data Privacy Framework — Google LLC is certified under the EU-US Data Privacy Framework, for which the European Commission granted an adequacy decision on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795). Apple Inc. is also a participant in the EU-US Data Privacy Framework.
  • Standard Contractual Clauses (SCCs) — Google's Data Processing Addendum incorporates the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), providing an additional transfer mechanism.
  • UK International Data Transfer Addendum — For transfers from the UK, the UK Addendum to the EU SCCs (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) applies where relevant.
  • Swiss-US Data Privacy Framework — For transfers from Switzerland, Google's certification under the Swiss-US Data Privacy Framework applies.

You may request a copy of the relevant transfer safeguards by contacting me at hello@getfluxy.app.

13.6 Children

Under GDPR Article 8, the processing of a child's personal data based on consent is only lawful if the child is at least 16 years old in most EU member states (some member states have set this threshold lower, to a minimum of 13). If you are under the applicable age of digital consent in your country, your parent or guardian must provide consent for your use of the App and the processing of your personal data. I do not knowingly collect personal data from children under 13 in any jurisdiction.

13.7 Right to Lodge a Complaint

If you believe that I have infringed your data protection rights, you have the right to lodge a complaint with a supervisory authority. You may complain to:

  • The supervisory authority in your EU/EEA member state of habitual residence, place of work, or place of the alleged infringement. A full list of EEA supervisory authorities is available from the European Data Protection Board at edpb.europa.eu.
  • The UK Information Commissioner's Office (ICO) if you are in the United Kingdom — ico.org.uk | Phone: 0303 123 1113.
  • The Federal Data Protection and Information Commissioner (FDPIC) if you are in Switzerland — edoeb.admin.ch.

I would appreciate the opportunity to address your concerns before you approach a supervisory authority — please contact me first at hello@getfluxy.app.

13.8 Data Protection Impact Assessment

I have assessed the processing activities described in this policy against the criteria in GDPR Article 35 and the relevant guidelines issued by the European Data Protection Board. I have determined that a formal Data Protection Impact Assessment (DPIA) is not required, as the processing does not involve systematic and extensive profiling producing legal or similarly significant effects, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas. The Elo-based skill rating used in competition mode is automated profiling used solely to improve the fairness of in-app matchmaking and does not produce legal effects or similarly significant effects on users.

14. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

In the preceding 12 months, I have collected the following categories of personal information (as defined by the CCPA): identifiers (email address, username, UID), commercial information (subscription status), and internet or electronic network activity information (usage data, Firebase Analytics events). For full details, see Section 3.

Your California Rights

As a California resident, you have the right to:

  • Know — request that I disclose the categories and specific pieces of personal information I have collected about you, the categories of sources, and the purposes for collection.
  • Delete — request deletion of your personal information, subject to certain exceptions.
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale or sharing — I do not sell or share (as defined by the CCPA) your personal information to third parties for cross-context behavioural advertising. No opt-out is required because no sale or sharing occurs.
  • Non-discrimination — I will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights

To submit a request, contact me at hello@getfluxy.app. I will verify your identity using your account email address and respond within 45 days. You may also designate an authorised agent to submit a request on your behalf.

"Do Not Sell or Share My Personal Information"

Fluxy does not sell or share personal information as defined under the CCPA/CPRA. I have not sold or shared personal information in the preceding 12 months.

15. Push Notifications

The App requests permission to send push notifications for:

  • Streak reminders (locally scheduled on your device; no data leaves your device for these)
  • Friend request and friend acceptance notifications
  • Competition challenge notifications

You can manage or revoke notification permissions at any time via iOS Settings → Fluxy → Notifications. Revoking permission does not affect your account or data.

16. Analytics and Tracking

I use Firebase Analytics to collect data about how users interact with the App. The types of events collected include: authentication events (sign-in method, success/failure); onboarding interactions (VCE subject selection or skip); paywall and purchase events (plan tab changes, purchase failures, subscription restores); practice behaviour (topics entered, difficulty changes, incorrect answers); streak interactions (revival shown, declined, or tapped); social actions (friend requests sent, accepted, declined, and friend removals); competition and matchmaking events (search start, opponent found, bot fallback, cancellation, challenge creation and decline, forfeits, with match type and duration); navigation events (profile, friends, leaderboard, competition, and settings screens viewed); and account lifecycle events (sign-out, account deletion with streak length and Elo at time of deletion). This data helps me understand how the App is used and prioritise improvements. Firebase Analytics data may be processed and stored in the United States by Google.

Tracking: Fluxy does not track you across other companies' apps or websites. I do not use the Identifier for Advertisers (IDFA), I do not display ads, and I do not participate in advertising networks. As a result, the App does not present an App Tracking Transparency (ATT) prompt. The Privacy Manifest (PrivacyInfo.xcprivacy) declares NSPrivacyTracking = false.

Opting out: You can disable analytics collection at any time via the analytics toggle in Settings within the App (Profile → Settings → Analytics). This disables all Firebase Analytics event logging globally. You can also limit Firebase Analytics data collection at the OS level via iOS Settings → Privacy & Security → Analytics & Improvements. If you are located in the EEA, UK, or Switzerland and wish to exercise your right to object to analytics processing under GDPR Article 21, contact me at hello@getfluxy.app and I will disable analytics data collection for your account.

Local storage: The App stores certain data locally on your device using standard iOS storage mechanisms (UserDefaults), including streak cache, notification preferences, and streak revival state. This data does not leave your device and is used solely to improve app responsiveness and reduce unnecessary network requests. It is cleared when you sign out or delete the App.

17. Third-Party Links

The App does not currently contain links to third-party websites. If this changes, third-party sites will have their own privacy policies and I am not responsible for their content or privacy practices.

18. Changes to This Privacy Policy

I may update this Privacy Policy from time to time. I will notify you of material changes by updating the "Last updated" date at the top of this document and, where appropriate, by in-app notification at least 14 days before the changes take effect. Your continued use of the App after the changes take effect constitutes your acceptance of the updated policy. Where I materially expand the scope of processing that is based on your consent, I will seek fresh consent before processing your data for the new purpose.

19. Complaints

If you have a concern or complaint about how I have handled your personal information, please contact me first at hello@getfluxy.app. I will investigate and respond within 30 days (or within one calendar month for GDPR requests).

If you are not satisfied with my response, you may lodge a complaint with the relevant authority for your jurisdiction:

Australia

Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

European Economic Area

You may lodge a complaint with the supervisory authority in your EU/EEA member state of habitual residence, place of work, or place of the alleged infringement. A directory of all EEA data protection authorities is maintained by the European Data Protection Board at edpb.europa.eu.

United Kingdom

UK Information Commissioner's Office (ICO):

Switzerland

Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch

20. Contact Us

For any privacy-related questions, requests, or complaints, please contact:

Charlie Sabin
Email: hello@getfluxy.app


This Privacy Policy is governed by and construed in accordance with the laws of the State of Victoria, Australia.