Flashd
EN DE

Privacy Policy

Last updated: March 2026

Introduction

Flashd is a bouldering session tracker that helps you log climbs, track progress, and connect with other climbers. This policy explains what data we collect, how we use it, and your rights regarding your information.

Information We Collect

Account Data

When you create an account, we store your email address, display name, and authentication method (email, Google, or Apple). If you sign up with email, your password is stored as a bcrypt hash — we never store plain-text passwords.

Climbing Data

We store the sessions and routes you log, including grades, attempt counts, duration, whether a route was topped or flashed, and computed statistics such as points and session totals.

Location Data

When you search for a climbing gym, the app sends your current GPS coordinates to our server, which queries the Google Places API to find nearby gyms. The gym name, address, and coordinates are saved with your sessions so you can see where you climbed. Your raw GPS position is not stored with your account.

Social Data

If you use the social features, we store friend connections (who you sent requests to, who accepted). Friends can see your public session data and climbing statistics.

Profile Picture

If you upload a profile picture, it is stored on AWS S3 in the EU West 1 (Ireland) region. When you upload a new picture, the previous one is deleted.

Advertising Data

The app displays interstitial ads powered by Google AdMob. AdMob may collect your device's advertising identifier (Ad ID on Android, IDFA on iOS) and device information to serve and measure ads. Subscribers who purchase Flashd Pro do not see ads, and AdMob is not loaded for subscribers.

Analytics & Attribution

We use AppsFlyer, a mobile attribution and analytics platform, to understand how users discover the app and to measure the effectiveness of marketing campaigns. AppsFlyer may collect device identifiers (Advertising ID on Android, IDFA on iOS), install attribution data (e.g. which ad or link led to the install), app events (such as installs and opens), IP address (for geographic attribution), and basic device information. You can opt out of AppsFlyer tracking by limiting ad tracking in your device settings.

Subscription & Purchase Data

If you subscribe to Flashd Pro, your purchase is processed through Google Play (Android) or the Apple App Store (iOS). We use iaptic to validate purchase receipts. Your Flashd user ID is linked to your purchase for validation purposes. We store your subscription status in our database but do not store payment details — those are handled entirely by Google or Apple.

Contact Form

If you contact us through the app, your name, email, and message are sent to us via email. We do not store contact form submissions in our database.

Information We Do Not Collect

  • No cookies — we use browser localStorage only for authentication tokens and app preferences
  • No IP address logging in our database
  • No crash reporting services
  • No access to your microphone, camera, or contacts

How We Use Your Information

We use your data to provide the core functionality of the app: authenticating your account, displaying your climbing sessions and statistics, finding nearby gyms, enabling social features, managing subscriptions, and responding to support inquiries. We display ads to support the free tier of the app. We do not sell or share your personal data with third parties for their own marketing purposes.

Data Storage and Security

Your data is stored in a MongoDB database and transmitted over HTTPS. Passwords are hashed with bcrypt. Authentication uses short-lived JWT access tokens (15 minutes) and refresh tokens (30 days), both stored in your browser's localStorage. Profile pictures are stored on AWS S3 in the EU West 1 region.

Third-Party Services

  • Google OAuth / Apple Sign-In — used for authentication only; we receive your email and name
  • Google Places API — used server-side to find climbing gyms near you; your coordinates are sent to Google's servers for this search
  • AWS S3 — stores profile pictures in the EU West 1 (Ireland) region
  • Google AdMob — serves interstitial ads to free-tier users; may collect device advertising identifiers and device information (see Google's Privacy Policy)
  • Google Play / Apple App Store — processes subscription payments; payment data is handled entirely by Google or Apple
  • iaptic — validates purchase receipts to confirm subscription status; receives your purchase token and Flashd user ID
  • AppsFlyer — mobile attribution and analytics; collects device identifiers, install source, and app events to measure marketing campaigns (see AppsFlyer's Privacy Policy)

Data Retention and Deletion

You can delete your account at any time from the app settings. Account deletion permanently removes all of your data: your profile, authentication tokens, climbing sessions and routes, saved locations, friend connections, and profile picture.

Empty sessions (with no routes logged) are automatically deleted after 24 hours. Idle sessions are automatically closed after 24 hours. Refresh tokens expire after 30 days and access tokens after 15 minutes.

Children's Privacy

Flashd is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. Continued use of the app after changes constitutes acceptance of the revised policy.

Contact

If you have questions about this privacy policy or your data, please reach out through our contact page.