Privacy Policy

Last updated: March 30, 2026

Effective Date: March 30, 2026

Preamble

We, Niklas Amslgruber, Münchner Str. 35, 82069 Schäftlarn, Germany (hereinafter “we” or “us”) are the provider of the app “AI Flashcard & Quiz App - Flashio” (hereinafter “Flashio”), which you can download to your device. Flashio is an AI-powered flashcard and quiz app that helps you study more efficiently using the Leitner algorithm.

The protection of your privacy when using Flashio is very important to us. Therefore, we would like to inform you with the following information about which personal data we process when you use Flashio and how we handle this data. In addition, we will inform you about the legal basis for processing your data and, insofar as processing is necessary to safeguard our legitimate interests, also about our legitimate interests. You can access this privacy policy at any time in the app Settings (Gear Icon -> Privacy Policy).

Controller

We are the controller within the meaning of the General Data Protection Regulation (“GDPR”). Contact details can be found in the imprint of our website. You can contact us via email at support {at} flashio {dot} app or via the postal address from the imprint.

Information on the Processing of Your Data

Certain information is already processed automatically as soon as you make use of Flashio. We have set out below which personal data is specifically processed:

Data that is processed when downloading Flashio

When downloading Flashio, certain required information is transmitted to the Apple App Store; in particular, your username, your e-mail address, the customer number of your account, the time of the download, payment information and the individual device identification number (so-called IMEI) may be processed. This data is processed exclusively by the Apple App Store and is beyond our control.

Data Processed While Using Flashio

When using Flashio you can create flashcard decks, quizzes, study sets, and upload study materials such as notes, screenshots, and images. All content you upload or create within the app — including images, screenshots, text-based notes, and any other study materials — is transmitted to and stored on our servers operated by Supabase Inc. (see processor table below). This storage is necessary to provide the core functionality of Flashio, including synchronization across your devices and the generation of flashcards and quizzes. In particular, your entries may also contain personal data, which we then process, in particular store. The legal basis for the above data processing is the fulfillment of the contract between you as the data subject and us pursuant to Art. 6 para. 1 lit. b GDPR for the use of Flashio.

Data Processed as a Part of the Flashio Newsletter

When registering for the Flashio Newsletter, we use your e-mail address to subscribe you to our newsletter. We process in particular the data that you entered when subscribing to the newsletter in Flashio, i.e. your email address. We process this data on your behalf in accordance with your instructions using the processors named in section 3 of the data protection declaration. We process the aforementioned data in order to be able to offer you the Flashio Newsletter functionally and contractually. The legal basis for the aforementioned data processing is the fulfillment of the contract between you as the data subject and us pursuant to Art. 6 para. 1 lit. b GDPR for the use of the Flashio Newsletter.

Data Processed in the Context of the use of Flashio AI

To generate flashcards and quizzes from your study materials, the content you upload or create — including text-based notes, images, and screenshots — is transmitted from our servers to OpenAI LP (see processor table below) for processing. OpenAI processes this data solely to generate flashcard and quiz content on your behalf. The generated content is then returned to our servers and stored in your account. We process this data on your behalf in accordance with your instructions. We have no influence on the type of personal data you enter and the categories of data subjects. You should therefore avoid uploading study materials that contain sensitive personal data (e.g. health data, financial information) unless you consent to their processing by OpenAI. We process the aforementioned data in order to be able to offer you Flashio AI in a functional and contractual manner. The legal basis for the above data processing is the fulfillment of the contract between you as the data subject and us pursuant to Art. 6 para. 1 lit. b GDPR for the use of Flashio. Further details can be found in the data processing agreement concluded between you and us before using Flashio AI (DPA).

Data Processed for Advertising Attribution and Marketing Measurement in the App

To understand how users discover Flashio and to measure the effectiveness of our advertising campaigns, we use the Meta SDK within the app. In this context, Meta may receive information about certain events that occur in the app, in particular completed registration, initiated checkout and completed purchases, together with device and app information required for attribution and measurement. The advertising identifier of your Apple device (IDFA) is only made available to Meta if you have granted permission via Apple’s App Tracking Transparency prompt. If you do not grant permission, we disable advertiser ID collection for the Meta SDK. We use this processing exclusively to measure and optimize our marketing activities and to attribute app installs and conversions to advertising campaigns. The legal basis for the above data processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You may withdraw your consent at any time with effect for the future by changing the tracking settings for Flashio in the settings of your iOS device.

Data That Is Collected When Visiting Our Website

Each time you access our website, the Internet browser used on your terminal device (computer, laptop, tablet, smartphone, etc.) automatically transmits information to the server of our website. This information is temporarily stored in a log file. The following data is collected without any action on your part and stored until it is automatically deleted: the IP address of the requesting computer, as well as device ID or individual device identifier and device type; the name of the retrieved file and the amount of data transferred, as well as the date and time of retrieval; the notification of successful retrieval; the requesting domain; the description of the type of Internet browser used and, if applicable, the operating system of your terminal device as well as the name of your access provider; your browser history data and your standard weblog information; your location data, including the location data of your terminal device. Please note that you can control or deactivate the use of location services in the settings menu of many terminal devices.

The legal basis for the above processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest in collecting the data is based on the following purposes: ensuring a smooth connection setup and convenient use of the website, evaluation of system security and stability, internal statistical purposes as well as advertising and marketing for our offers. Your IP address is only analyzed in the event of attacks on our network infrastructure and for statistical purposes.

Data That Is Processed When Contacting Us via Our Website

When contacting us (e.g. by contact form, email, telephone or via social media), the personal data requested by us or provided by you will be processed in order to handle the contact request. We delete the inquiries, including the personal data associated with them, if they are no longer required. We review the necessity every two years; the statutory archiving obligations apply. The legal basis for the above data processing is a) the fulfillment of the contract between you as the data subject and us pursuant to Art. 6 para. 1 lit. b GDPR for the use of Flashio or b) our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the processing of inquiries or other contacts. Our interests outweigh your rights and interests in the protection of your personal data.

Disclosure and Transfer of Data

In addition to the cases explicitly mentioned in this privacy policy, your personal data will only be passed on without your express prior consent if this is permitted or required by law. In these cases, any disclosure of personal data is justified by the fact that a) the processing is necessary to fulfill a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with national legal requirements, or b) we have a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in disclosing this data to third parties (e.g. courts) if there are indications of abusive behavior or to enforce our terms of use, whereby in such a case your rights and interests in the protection of your personal data do not prevail.

We rely on external companies and external service providers to provide the services set out in Flashio in accordance with the contract. Where these providers act as processors on our behalf, they are strictly bound by our instructions and contractually obligated accordingly.

| Recipient / Service Provider | Purpose of Processing | Level of Data Protection |
| --- | --- | --- |
| Supabase Inc. | Storage of user-uploaded study materials (images, screenshots, notes, flashcard decks, quiz data), forwarding of user content to OpenAI for AI-based flashcard and quiz generation, and storage of newsletter email data | No adequate level of data protection, as processing outside the EU/EEA, guarantee of data protection compliance by concluding standard contractual clauses |
| iCloud, Apple Inc. | Synchronization of data entered by users of Flashio between different terminal devices | No adequate level of data protection, as processing outside the EU/EEA, guarantee of data protection compliance by concluding standard contractual clauses |
| OpenAI LP | Generation of flashcards and quizzes from user-uploaded study materials (images, screenshots, notes) via the Flashio AI feature | No adequate level of data protection, as processing outside the EU/EEA, guarantee of data protection compliance by concluding standard contractual clauses |
| RevenueCat Inc. | Processing of in-app purchases and subscription management | No adequate level of data protection, as processing outside the EU/EEA, guarantee of data protection compliance by concluding standard contractual clauses |
| Sentry Software LLC | Error tracking and performance monitoring | No adequate level of data protection, as processing outside the EU/EEA, guarantee of data protection compliance by concluding standard contractual clauses |
| PostHog Inc. | Anonymous Analytics and usage tracking | No adequate level of data protection, as processing outside the EU/EEA, guarantee of data protection compliance by concluding standard contractual clauses |
| Meta Platforms Ireland Limited / Meta Platforms, Inc. | Advertising attribution and marketing measurement using the Meta SDK, including completed registration, initiated checkout and purchase events; collection of the advertising identifier (IDFA) only if you have granted tracking permission on iOS | Processing may involve transfers outside the EU/EEA; data protection is ensured by standard contractual clauses or other appropriate safeguards |

The above service providers and recipients have been carefully selected by us. Where they act as processors on our behalf, they are regularly reviewed and are contractually obliged to process personal data exclusively in accordance with our instructions. Insofar as we also process (or have processed) data in countries outside the EU / EEA in accordance with the above list, we use the standard contractual clauses of the EU Commission or other suitable guarantees in accordance with Section 46 GDPR when structuring the contractual relationships with processors in order to ensure the protection of your personal rights in the context of these data transfers as well.

Duration of Data Retention

We delete or anonymize your personal data as soon as it is no longer required for the purposes for which we collected or used it. Unless otherwise stated, we store your personal data for the duration of the usage or contractual relationship via the app plus a period of 30 days, during which we keep backup copies after deletion, unless this data is required for criminal prosecution or to secure, assert or enforce legal claims.

Your Rights as Data Subject

When processing your personal data, the GDPR grants you certain rights as a data subject.

Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed. If this is the case, you have a right of access to this personal data and to the information listed in detail in Art. 15 GDPR.

Right to rectification (Art. 16 GDPR): You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed.

Right to deletion (Art. 17 GDPR): You have the right to demand that personal data concerning you be deleted immediately if one of the reasons listed in Art. 17 GDPR applies.

Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection to the processing, for the duration of the examination by the controller.

Right to data portability (Art. 20 GDPR): In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transmission of this data to a third party.

Right to withdraw consent (Art. 7 GDPR): If the processing of data is based on your consent, you are entitled to withdraw your consent to the processing of your personal data at any time in accordance with Art. 7 para. 3 GDPR. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Right to object (Art. 21 GDPR): If data is collected on the basis of Art. 6 para. 1 lit. f GDPR (data processing to protect legitimate interests) or on the basis of Art. 6 para. 1 lit. e GDPR (data processing to protect the public interest or in the exercise of official authority), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Unless otherwise described above, please contact the office named in the legal notice to assert your rights as a data subject.

Right to Appeal to a Supervisory Authority (Art. 77 GDPR)

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

Data security

We take technical and organizational measures to protect your data from unauthorized access as comprehensively as possible. We use an encryption process on our websites. Your data is transmitted from your computer to our server and vice versa via the Internet using TLS encryption.