Privacy Policy
Last updated: February 28, 2026
1. General information
This Privacy Policy sets out the rules for processing and protecting personal data of users of the Flash application and the website available at flash.appfly.pl (hereinafter: Service).
This Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: GDPR) and the Polish Act of 10 May 2018 on the protection of personal data.
Personal data collected through the Service and the Flash application are processed only to the extent necessary for the specified purposes and on the basis of the applicable legal provisions.
2. Data controller
The controller of personal data is:
Flying Pixel Sebastian Urbaniak
ul. Serbska 15/119, 61-696 Poznań
NIP: 7811875368
REGON: 362220474
Email: kontakt@appfly.pl
3. Purposes and legal bases for processing
Personal data are processed on the following legal bases under Article 6(1) GDPR:
- Art. 6(1)(b) GDPR - processing is necessary for the performance of a contract, i.e. the provision of the Flash service (including activation of Flash Pro subscriptions, user account management, and payment processing);
- Art. 6(1)(a) GDPR - processing based on the user's voluntary consent (e.g. sending marketing communications, future analytics tools);
- Art. 6(1)(f) GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller, such as ensuring service security, preventing abuse, and analyzing and improving application performance;
- Art. 6(1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. maintaining accounting and tax documentation).
4. Categories of data collected
Depending on how you use the Flash application, we process the following categories of data:
Email address
Collected upon registration for a Flash Pro subscription. Used for account management, sending confirmations, and service-related communications.
Payment data
Processed exclusively by the payment operator Stripe, Inc. The controller does not store credit card numbers or banking details.
Audio recording (voice)
Processed in real time solely for the purpose of speech-to-text transcription. In cloud transcription mode (Flash Pro), audio data is sent to OpenAI for speech recognition — audio is not stored by the provider. Audio recordings are not stored either on the user's device or on the controller's servers. In offline Whisper mode, transcription is performed 100% locally on the user's device — no audio data leaves the computer.
Transcription text
In the Pro version, transcription text is sent to external AI providers (OpenAI, Google Gemini, Groq) for punctuation, grammar, and style correction. The text is processed in real time and is not permanently stored on our servers. In offline Whisper mode, the text does not leave the device.
Technical device data
macOS version, Flash application version, processor type. Collected for error diagnostics and ensuring compatibility.
Anonymous analytics data
Aggregated usage statistics (recording duration ranges, word count ranges) collected via TelemetryDeck. The data does not allow user identification and does not contain dictation content.
5. Data retention period
- Account data (email) - for the duration of the subscription and for the period necessary to pursue claims arising from the contract (up to 6 years from the end of the contract, in accordance with the general limitation period under the Polish Civil Code).
- Audio recordings - not stored. Processed only in working memory in real time.
- Transcription text - processed in real time, not permanently stored on the controller's servers.
- Accounting and tax data - stored for 5 years from the end of the calendar year in which the tax payment was due, in accordance with Art. 86 Section 1 of the Polish Tax Ordinance.
- Technical device data - stored for the period necessary for diagnostic purposes, no longer than 12 months.
6. Data recipients and international transfers
Personal data may be disclosed to the following data processors with whom the Controller has entered into appropriate data processing agreements:
| Entity | Location | Purpose | Transfer mechanism |
|---|---|---|---|
| Stripe, Inc. | USA | Payment processing | EU-US Data Privacy Framework |
| Vercel, Inc. | USA | Website hosting | EU-US Data Privacy Framework |
| Resend, Inc. | USA | Transactional emails | Standard Contractual Clauses (SCC) |
| CloudFlare, Inc. | USA | CDN, DDoS protection | EU-US Data Privacy Framework |
| TelemetryDeck GmbH | Germany (EU) | Anonymous usage statistics | EU processing - no transfer |
| OpenAI / Google / Groq | USA | Cloud voice transcription (OpenAI), AI text correction (Flash Pro) | EU-US DPF / Standard Contractual Clauses |
| Google LLC (reCAPTCHA) | USA | Anti-spam form protection (reCAPTCHA v3) | EU-US Data Privacy Framework |
Transfers of data to third countries (USA) are carried out on the basis of mechanisms provided for in Article 46 GDPR, including adequacy decisions (EU-US Data Privacy Framework) or Standard Contractual Clauses approved by the European Commission.
7. User rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) - you have the right to obtain confirmation as to whether your data are being processed and to receive a copy thereof.
- Right to rectification (Art. 16 GDPR) - you have the right to request the correction of inaccurate data or the completion of incomplete data.
- Right to erasure (Art. 17 GDPR) - you have the right to request the deletion of your data ("right to be forgotten") when they are no longer necessary for the purposes for which they were collected.
- Right to restrict processing (Art. 18 GDPR) - you have the right to request the restriction of data processing in certain situations.
- Right to data portability (Art. 20 GDPR) - you have the right to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) - you have the right to object to the processing of data based on the controller's legitimate interest.
- Right to withdraw consent (Art. 7(3) GDPR) - if processing is based on consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint - you have the right to lodge a complaint with the supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.
To exercise any of the above rights, please contact us at kontakt@appfly.pl. The Controller may verify your identity before fulfilling your request.
8. Cookies and tracking technologies
The Flash website does not currently use cookies for analytics or marketing purposes. Cookies may only be set by the hosting infrastructure (Vercel, CloudFlare) for technical purposes necessary for the proper functioning of the website.
The Flash macOS application does not use cookies. The application uses TelemetryDeck - a European analytics tool based in Germany that collects only anonymous, aggregated usage data (no dictation content, no user identification).
The website uses Google reCAPTCHA v3 to protect forms against automated submissions (bots). reCAPTCHA analyzes user behavior on the page and may set cookies. Data processed by reCAPTCHA is subject to the Google Privacy Policy and Terms of Service.
In the future, we may implement additional analytics tools - in such case, we will update this Privacy Policy and implement a consent mechanism (consent banner) in accordance with Art. 173 of the Polish Telecommunications Act of 16 July 2004 and the GDPR guidelines on consent for data processing.
9. Changes to the Privacy Policy
The Controller reserves the right to update this Privacy Policy to adapt it to legal, technological, or organizational changes. The revised Policy will be published on this page with a new effective date. Continued use of the Service or the Flash application after the publication of changes constitutes acceptance thereof. In the event of significant changes to data processing, Flash Pro users will be notified by email.
10. Privacy contact
For matters related to the protection of personal data, please contact us at: kontakt@appfly.pl. We respond to inquiries within 30 days of receipt, in accordance with GDPR requirements.