Privacy Policy

1. Scope and Who We Are

floref is provided by M.Y.O.C.. This Privacy Policy applies to floref.com, app.floref.com, related account and billing pages, and support interactions connected to the Service.

This policy is meant to help users in Australia, the United States, the European Economic Area, and the United Kingdom understand our data practices. Some rights and obligations vary by jurisdiction.

2. Information We Collect

The information we collect depends on how you use floref, whether you create an account, whether you sync content to the cloud, and whether you contact us.

• account and profile information, such as your email address, display name, sign-in method, and basic account identifiers
• content and sync data, such as canvases, images, notes, uploads, cloud file metadata, encryption metadata, and related settings
• billing and transaction information, such as plan, subscription status, invoices, customer identifiers, and payment-related metadata from Stripe; we do not receive your full payment card number from Stripe
• device, browser, and usage information, such as IP address, approximate location derived from IP, browser or device details, timestamps, app events, and crash or diagnostic data
• browser storage and local persistence data, such as localStorage, sessionStorage, IndexedDB, and similar local identifiers used to keep the app working offline
• communications and support information, such as messages you send us and any information you include in support, deletion, billing, or security requests
• security information, such as login events, session activity, and anti-abuse challenge data from Cloudflare Turnstile

3. How We Collect Information

We collect information directly from you when you create an account, sign in, upload content, configure cloud sync or encryption settings, buy a subscription, respond to emails, or contact support.

We collect information automatically when you use the Service, including through browser storage, authentication sessions, analytics events, error reports, and server or security logs.

We also receive information from third parties that help us operate floref, such as Stripe for subscription status, Supabase for authentication, Google if you use Google sign-in, Cloudflare for anti-abuse checks, and our infrastructure or monitoring providers.

4. How We Use Information

We use personal information to provide and maintain the Service, including local-first syncing, authentication, billing, account management, support, and abuse prevention.

We also use information to troubleshoot issues, monitor performance, improve features, understand broad product usage, comply with legal obligations, enforce our terms, and communicate with you.

• to create and manage accounts, including email and password sign-in, magic links, password resets, and optional Google sign-in
• to store, encrypt, sync, and deliver cloud content and related metadata
• to process subscriptions, invoices, payment issues, and plan changes
• to send transactional emails such as sign-in, verification, password reset, billing, service, and security notices
• to send marketing emails or product updates where permitted by law and subject to your opt-out choices
• to detect fraud, spam, abuse, suspicious logins, and service misuse
• to analyze product usage and reliability so we can improve the Service

5. Legal Bases for EEA and UK Users

If EEA or UK data protection law applies to a particular processing activity, we generally rely on one or more of the following legal bases: contract performance, legitimate interests, consent, and legal obligation.

For example, we usually process account, sync, billing, and support data because it is necessary to provide the Service you request. We may rely on legitimate interests for security, service reliability, internal analytics, and defending legal claims. We rely on consent where required for optional analytics, certain marketing communications, or similar processing that depends on consent under applicable law.

6. How We Share Information

We do not sell your personal information for money. We share personal information only as needed to operate floref, comply with law, protect rights and security, or complete transactions you request.

Our current service providers and processors include the following categories and named providers:

• Supabase for authentication, account sessions, and related account infrastructure
• Stripe for subscriptions, checkout, invoices, and payment administration
• Backblaze B2 for cloud object storage and file delivery related to synced content
• Cloudflare, including Turnstile, for network and security services and anti-bot checks
• Sentry for diagnostics, crash reporting, and operational monitoring
• our analytics provider, currently loaded from bunseki.fengsight.workers.dev in an Umami-style setup, for optional product analytics in production
• Google if you choose Google sign-in
• authorities, advisors, insurers, or counterparties where reasonably necessary for legal compliance, dispute resolution, or protecting the Service

7. International Transfers

Because we and our providers operate online infrastructure, personal information may be stored in, processed in, or accessed from Australia, the United States, and the European Union, and possibly other countries where our providers maintain systems or personnel.

Where applicable law requires it, we take reasonable steps to ensure overseas recipients handle personal information with appropriate protections. For EEA and UK users, that can include contractual safeguards or another lawful transfer mechanism where required.

8. Data Retention, Account Deletion, and Local-Only Data

We keep personal information for as long as reasonably necessary to provide the Service, run the business, resolve disputes, enforce agreements, meet legal obligations, and protect the integrity and security of floref.

Account records, cloud content, and subscription records are generally kept while your account is active and for a limited period afterward where reasonably needed for operational, legal, tax, backup, fraud-prevention, or dispute purposes.

You can request account deletion and deletion of cloud data by emailing support@floref.com. We may need to verify your identity before acting on a request.

If data exists only in your browser or on your device, you control that local data. We cannot remotely clear every browser cache, local database, or device copy that remains under your control or outside our systems. Browser or device cleanup may also remove local-only data on its own.

9. Your Rights and Choices

Depending on where you live, you may have rights to request access to personal information, ask us to correct inaccurate information, request deletion, object to or restrict certain processing, obtain a portable copy of certain data, withdraw consent, or opt out of marketing communications. You can make these requests by emailing support@floref.com.

We aim to respond within 30 days where reasonably practicable and will respond within the period required by applicable law. We may ask for information needed to verify your identity and understand the scope of your request.

You can unsubscribe from marketing emails using the unsubscribe link in the message or by contacting us. Transactional and service emails are still sent where needed to operate your account or meet our obligations.

• Australia: you may request access to and correction of personal information, and you may complain to us or to the Office of the Australian Information Commissioner if you believe your privacy rights were breached
• EEA and UK: you may have additional rights under data protection law, including rights to object, restrict processing, data portability, and to complain to your local supervisory authority
• United States: depending on your state, you may have rights to know, access, correct, delete, or obtain a copy of certain personal information, subject to exceptions

10. Cookies, Browser Storage, and Optional Analytics

floref relies heavily on browser storage because it is an offline-first app. We use cookies and similar technologies for authentication, security, subscription flows, settings, sync, and local persistence.

Our Cookie Policy explains these technologies in more detail. Where applicable law requires consent for non-essential analytics or similar technologies, we aim to ask for consent before enabling them. In the app, users can choose whether to allow optional analytics and can later change that preference in settings.

11. Security and Encryption

We use technical and organizational measures intended to protect personal information, including access controls, encrypted transport, monitoring, and cloud-storage protections. However, no system is perfectly secure and we cannot guarantee absolute security.

floref also supports client-managed encryption options. If you choose a client-managed PIN or passphrase, we may be unable to decrypt or recover cloud content protected by that secret if you lose it. That design increases privacy, but it can also make recovery impossible.

12. Children's Privacy

floref is a general-audience productivity tool and is not directed to children under 13. We do not knowingly collect personal information from children under 13.

If you believe a child under 13 has provided personal information to us, contact us and we will take reasonable steps to investigate and delete the information where appropriate.

13. Changes to This Policy

We may update this Privacy Policy from time to time as the Service, our providers, or legal requirements change. When we do, we will post the updated version with a new "Last updated" date and may provide additional notice where reasonably appropriate.

14. Contact Us and Complaints

For privacy questions, rights requests, account deletion requests, or cloud-data deletion requests, email support@floref.com.

If you have a privacy complaint, please contact us first so we can investigate. If you are not satisfied with our response, you may have the right to complain to the OAIC or another competent supervisory authority in your jurisdiction.