Privacy Policy

1. Who We Are

FlexToast is operated by Socialflex LLC (North Carolina, USA) (\"we\", \"us\", \"our\"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use FlexToast.

If you are looking for the contract terms that govern your use of the Service, please see our Terms and Conditions.

2. What We Collect

2.1 Information You Provide

• Intake data: goals, basics, training constraints, equipment, and related responses
• Photos: images you upload for plan personalization
• Email address: if you provide one at checkout or when contacting support
• Support communications: messages you send us (and our replies)

2.2 Information Collected Automatically

Like most websites, we may collect limited technical data such as device type, browser type, IP address, approximate location (derived from IP), timestamps, and usage logs to maintain security, prevent fraud, and improve reliability.

2.3 Payment Information

We use Stripe, Inc. to process payments. When you make a purchase, your payment card details (card number, expiration date, CVV, billing address) are entered directly into Stripe's secure payment form and transmitted to Stripe using TLS encryption. We do not receive, see, or store your full payment card number or CVV at any point.

We receive limited transaction data from Stripe, such as: a masked card number (last 4 digits), card brand, transaction ID, purchase amount, currency, and status. We may also receive the billing email address you provide at checkout if you choose to provide one.

Stripe Radar: As part of its fraud prevention and security services, Stripe may automatically collect certain device and behavioral signals from your browser during checkout, including IP address, browser type, device identifiers, and interaction patterns (such as typing cadence and mouse movements). This data is processed by Stripe under its own privacy policy.

For information about how Stripe collects and uses data, please review: Stripe Privacy Policy.

2.4 Advertising and Conversion Measurement

We use TikTok, Google, and Meta (Facebook/Instagram) APIs and tags to measure the effectiveness of our advertising and to attribute conversions (e.g. when a visit leads to a purchase). This may involve sharing limited data such as conversion events (e.g. checkout started, purchase completed), device and browser information, IP address, and advertising identifiers (such as click IDs). These providers process this data under their own privacy policies. We do not sell your personal information; we use these tools only to understand how our ads perform and to improve our marketing.

For more information, see: TikTok Privacy Policy, Google Privacy Policy, and Meta Privacy Policy.

3. How We Use Information

• Provide the Service: generate and deliver your plan and related outputs
• Support: respond to requests and troubleshoot issues
• Security and fraud prevention: detect abuse, prevent unauthorized access, handle disputes
• Product improvement: improve reliability and user experience (typically using aggregated or de-identified data where feasible)
• Legal compliance: comply with applicable laws and enforce our Terms

3.1 Email Communications

If you provide an email address (for example at checkout), we may send you emails related to the Service, such as plan delivery messages, important service notices, and support communications. Stripe may also send payment receipts or billing-related communications directly to you as part of their payment processing services.

If we send optional reminder emails (for example, to help you complete checkout or as a periodic check-in), you can opt out at any time by emailing team@flextoast.com with your request. We do not send marketing newsletters as a primary business model.

4. AI Processing and Photos

To generate your plan, we transmit certain inputs (including any photos you choose to upload and your intake data) from your device to our servers and on to third-party AI provider(s) for automated processing. This is done by software; we do not use this process to identify you as a person or verify your identity, and we do not have humans manually reviewing or browsing your photos in the ordinary course of providing the Service.

On our side, photo data is handled in encrypted transit and short-lived processing buffers only as needed to call the AI and deliver your plan. We do not persist original photo files in our primary databases or long-term storage. We generally retain only the derived analysis outputs and plan data needed to provide the Service. Third-party AI provider(s) may temporarily retain inputs/outputs for a limited period for abuse and security monitoring, then delete them.

Do not upload photos or information you consider highly sensitive or that you do not have the right to share.

5. How We Share Information

We may share personal information with:

• Stripe, Inc.: We share necessary transaction data (such as purchase amount, currency, and email if provided) with Stripe to facilitate payment processing. Stripe acts as our payment processor and is a data processor acting on our behalf for this purpose. Stripe is independently responsible for data it collects directly (such as card details and Radar signals) under its own privacy policy.
• Advertising and measurement partners (TikTok, Google, Meta): We share limited data with these platforms (e.g. conversion events and related identifiers) to measure ad effectiveness and attribute conversions. Their processing is governed by their respective privacy policies (see Section 2.4 and the links there).
• Service providers: AI processing, hosting, databases, email delivery, and analytics providers who help us operate the Service
• Legal and safety: if required by law, to respond to legal process, or to protect rights, safety, and security

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising as a business model.

6. International Transfers

We are based in the United States. We may process and store information in the United States and other countries where we or our service providers (including Stripe and our AI providers) operate. Data protection laws may differ from those in your jurisdiction.

If you are located in the European Economic Area (EEA) or United Kingdom, please note that your personal data may be transferred to the United States. Where required, we rely on appropriate legal transfer mechanisms, such as Standard Contractual Clauses or applicable adequacy decisions. Stripe complies with international data transfer requirements under the EU-US Data Privacy Framework and uses Standard Contractual Clauses where applicable. For more details, see Stripe's GDPR resources.

7. Data Retention

We retain personal information only as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention periods include:

• Plan and intake data: retained for the duration of your active plan access and a reasonable period thereafter for dispute resolution and support
• Transaction records (payment metadata): retained for up to 7–10 years as required by applicable accounting, tax, and financial regulations
• Support communications: retained for a reasonable period for support quality and compliance
• Photos: original photo data is handled transiently for processing and not kept as standalone image files; we retain only derived analysis/plan data needed for the Service. See Section 4 above.

Stripe retains payment transaction records independently under its own data retention policies and legal obligations.

8. Security

We use reasonable administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Your Rights and Choices

Depending on where you live, you may have rights to access, correct, delete, or object to certain processing of your personal information. To make a request, contact us at team@flextoast.com.

If you are in the EEA/UK, you may also have the right to lodge a complaint with your local data protection authority.

10. Children

FlexToast is not intended for individuals under 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last Updated” date at the top indicates when it was most recently revised.

12. Contact

If you have questions about this Privacy Policy or our data practices, contact us at team@flextoast.com.