What we collect, where it lives, and what you can do about it.
Summary
Who we are
Who this policy applies to
Data we collect
- Account data. Name, email, phone (optional), birthday (optional), gender (optional). Used to identify you and personalize rewards.
- Transaction data. Orders, points earned and redeemed, membership subscription status, gift-card balances, refunds. Retained for tax and dispute history as required by your clinic.
- Payment metadata. Card brand, last 4 digits, and expiry — but never the full card number, which is held only by your clinic's selected payment processor. We may store Stripe customer IDs, Payroc / Worldnet token references, and saved-payment-method metadata on your behalf so you can pay with a stored card at the clinic.
- Personalization data. If you complete the in-app quiz, your treatment goals, Fitzpatrick score, sun-response, and skin type. Used only to personalize recommendations inside the app.
- Device data. For the mobile app: push-notification token (Expo Push Token), platform (iOS/Android), and a last-seen-at timestamp. For all surfaces: app version, IP address (truncated for rate limiting), user agent.
- Crash and performance data. Stack traces, breadcrumb logs, and (only when an error occurs) anonymized session replays via Sentry. Replays mask all text input + media by default — see third parties.
- Communication preferences. Which notification channels (email, SMS, push) you've opted into per event type. SMS opt-in is logged with timestamp and IP address per TCPA.
- What we do not collect. Protected Health Information (PHI) such as diagnoses, lab results, or clinical notes is not stored on our platform by design. Treatment interests stated in the app are marketing preferences, not medical records. If your clinic additionally uses our platform to store clinical notes, your clinic becomes the controller of that data and Flowmedix becomes a HIPAA business associate under a signed BAA — see your clinic's separate notice of privacy practices.
How we use it (legal basis under GDPR)
- Service delivery — render the app, process points and rewards, route payments. Legal basis: contract.
- Account security — authenticate sign-ins, rate-limit abuse, log audit events for sensitive actions. Legal basis: legitimate interest.
- Communication — transactional email + SMS + push notifications you've opted into. Legal basis: consent.
- Product improvement — aggregate, anonymized usage analytics. We do not link analytics to identifying information. Legal basis: legitimate interest.
- Legal and tax compliance — retention of transaction records under your clinic's tax obligations. Legal basis: legal obligation.
- What we do not do — sell your data, share it with advertisers, run cross-app tracking, build look-alike audiences, or use it to train AI models outside of features your clinic has explicitly enabled.
Third-party processors
We use the following sub-processors. Each has signed a Data Processing Addendum (or equivalent) covering GDPR Article 28. Where required, we maintain HIPAA Business Associate Agreements (BAAs).
- Supabase (database, authentication) — stores account, transaction, and personalization data. Region: us-east-1. See supabase.com/privacy.
- Stripe (payments, Stripe Connect, Stripe Terminal) — processes card transactions for your clinic. Full card numbers never reach our servers; we only see brand + last 4. See stripe.com/privacy.
- Payroc / Worldnet TPS (alternative payments processor) — used only by clinics that have explicitly connected Payroc instead of Stripe. Same scope as Stripe: full card numbers never reach our servers. See payroc.com/privacy-policy.
- Resend (transactional email) — sends sign-in magic links, receipts, and reward notifications. See resend.com/legal/privacy-policy.
- Twilio (SMS) — sends appointment + reward SMS notifications when you opt in. See twilio.com/legal/privacy.
- Expo Push Service (push delivery) — routes push notifications to Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM). We send Expo a device push token and the message body — never PHI. See expo.dev/privacy.
- Apple Push Notification Service (APNs) — required to deliver push notifications to iOS devices. Apple's privacy policy applies: see apple.com/legal/privacy.
- Firebase Cloud Messaging (FCM, Google) — required to deliver push notifications to Android devices. See firebase.google.com/support/privacy.
- Sentry (error and performance monitoring) — receives stack traces and anonymized session replays. We configure Sentry to mask all text input and block media playback in replays. See sentry.io/privacy.
- Vercel (web hosting + edge network) — serves the app shell + API routes. Vercel processes request logs. See vercel.com/legal/privacy-policy.
- Anthropic (via Vercel AI Gateway) — used only when you interact with the in-app Sage AI assistant. We send the message context (catalog, your first name, your treatment goals if you've completed the quiz) and your message; Anthropic does not retain it or train on it under our zero-retention agreement. See anthropic.com/legal/privacy.
International transfers
How long we keep it
- Account data — kept while you have an active account. On erasure (see your rights below), identifying fields are set to null within minutes; anonymized rows remain for the retention periods listed below.
- Transaction records — retained for 7 years to comply with U.S. tax record-keeping requirements. After anonymization (no name/email/phone link), only the financial values, dates, and clinic association remain.
- Push notification tokens — purged after 90 days without an app launch, or immediately on account erasure.
- Audit log entries — retained for 2 years for compliance and forensic purposes.
- Notification log content — message body and address fields are stripped on account erasure; the channel, status, and event type remain for clinic analytics.
- Backups — encrypted snapshots are retained on a rolling 30-day window. Erasure requests are honored on production; backup copies expire automatically.
- Crash and performance data — Sentry retains for 90 days by default.
Your rights
Under GDPR (EU/UK) and CCPA/CPRA (California), and as a general matter for all our users, you have the following rights:
- Access and portability (GDPR Art. 15 + 20, CCPA) — download a JSON snapshot of everything we hold about you via Profile → Privacy & Data → Export your data in the iOS app, Android app, or members.medspaloyaltyflow.com. No email request required; the export runs immediately.
- Erasure / "right to be forgotten" (GDPR Art. 17, CCPA) — permanently anonymize your account via Profile → Privacy & Data → Delete your account. Identifying fields are nulled, push tokens deleted, notification history scrubbed, and the auth account removed within minutes. Anonymized transaction records are preserved as described in retention above.
- Rectification (GDPR Art. 16) — correct inaccurate data via Profile → Account details.
- Restriction of processing (GDPR Art. 18) — email privacy@flowmedix.com.
- Objection (GDPR Art. 21) — email privacy@flowmedix.com.
- Withdraw consent — for SMS reply STOP, for email click any unsubscribe link, for push toggle notifications off in your device settings or in Profile → Notifications.
- Non-discrimination — exercising any right above will not result in lost features or punitive treatment.
- Right to lodge a complaint — EU/UK residents may contact their local data protection authority. California residents may contact the California Privacy Protection Agency.
We respond to email requests within 30 days as required by GDPR / CCPA. In practice the in-app self-service flows run immediately.
California residents (CCPA / CPRA)
We do not sell or share your personal information for cross-context behavioral advertising as defined under California law. In the past 12 months we have not sold or shared personal information for targeted advertising.
Categories of personal information collected (per Cal. Civ. Code § 1798.140): identifiers, customer records, commercial information, internet activity (limited to the app), geolocation (approximate, via IP — not GPS), inferences drawn from preferences in the AI personalization quiz.
To exercise your "Right to Know" or "Right to Delete," use the same Profile → Privacy & Data flows above, or email privacy@flowmedix.com. Verifiable consumer requests require us to confirm your identity by matching the email on file before fulfilling them.
Security
We protect data with industry-standard controls including:
- TLS 1.2+ in transit for every request to our servers.
- Encryption at rest for Supabase Postgres data and storage buckets.
- Row-Level Security on every database table so a compromised user account cannot read another patient's or clinic's data.
- Hash-based authentication (Supabase Auth) with email OTP — no passwords ever stored.
- HMAC-signed, single-use impersonation tokens for clinic support sessions, with full audit logging.
- Rate limiting on sign-in, OTP verification, AI requests, and money-moving endpoints.
- Daily encrypted backups, 30-day point-in-time recovery.
No system is impenetrable. We will notify affected users + the appropriate regulators within the timelines required by GDPR (72 hours) and applicable state law if a breach occurs.
Children's privacy
Mobile app specifics
- App Tracking Transparency (iOS). The Loyalty Flow iOS app does not track you across other companies' apps or websites. We do not show an ATT permission prompt and we do not access the IDFA. Crash and session analytics use the per-vendor identifier (IDFV), which is explicitly exempt from ATT.
- Permissions requested. Camera (to scan the check-in QR code at your clinic — never recorded), Notifications (for reward + appointment alerts when you opt in), Photo Library (only when you choose to save your membership card image).
- Push notifications. Disabled by default. Enabled only when you allow them. Token revocation: turn off in iOS/Android settings or in Profile → Notifications.
- Deep links. The app handles loyaltyflow:// URLs to process magic-link sign-ins. We do not transmit deep-link content to third parties.
- Apple Privacy Manifest. Our iOS build includes a PrivacyInfo.xcprivacy manifest declaring Required Reason API usage (UserDefaults, file timestamps, disk space, system boot time) per Apple's developer requirements.
SMS notifications
AI features (Sage)
HIPAA
Changes to this policy
Contact
Flowmedix, LLC · Delaware, USA