Privacy Policy

Version 1.2 · Last updated: March 2026 · Contact: privacy@flash-ask.com

This Privacy Policy describes how flash-ask ("we", "us", or "our") collects, uses, stores, and shares personal data when you use the flash-ask Chrome extension and the flash-ask.com website.


1. Who We Are

Contact for privacy matters: privacy@flash-ask.com


2. Data We Collect

2.1 Data you provide directly

Data | Purpose
Email address | Account identification and transactional emails
Google display name | Displaying your name in the extension popup
Google profile picture | Displaying your avatar in the extension popup

2.2 Data collected automatically

Data | Purpose
Google account ID | Linking your Google sign-in to your flash-ask account
PayPal order/transaction ID | Confirming payment and activating your subscription
Monthly query count | Enforcing the subscription usage limit
Query type (multiple_choice or open) | Aggregated usage analytics — no query content is stored
Approximate IP address | Rate limiting and fraud prevention via server logs
Timestamp of each query | Enforcing monthly limits and detecting abuse
Device session identifier | Enforcing the single active session policy
Temporary authentication code (auth_code) | Single-use code valid for 5 minutes used during the Google sign-in flow. Automatically deleted upon use or expiration.

2.3 Data we do NOT collect

  • The content of your text queries or screen captures — routed to Groq's API for processing and not stored on our servers.
  • The URL or title of the page where you use the extension.
  • Your browsing history.
  • Credit card numbers, bank details, or billing address — handled exclusively by PayPal.
  • Device identifiers or hardware fingerprints.

3. How We Use Your Data

We use the data listed above exclusively for the following purposes:

  • Account management: creating and maintaining your account via Google OAuth.
  • Service delivery: validating your session and processing queries through the Groq AI API.
  • Session management: enforcing the single active device policy.
  • Usage limit enforcement: tracking your monthly query count.
  • Transactional communications: sending a welcome email after payment confirmation.
  • Fraud and abuse prevention: IP-based rate limiting.
  • Legal compliance: retaining payment records as required by applicable law.

We do not use your data for advertising, profiling, or any purpose other than those stated above.


4. Third-Party Services and Data Sharing

Provider | Data shared | Purpose
Groq | Query text and screen captures (not linked to your identity) | AI response generation
Google | OAuth authentication flow | Sign-in authentication
PayPal | Payment processing | Subscription payment
Resend | Your email address | Sending welcome emails
Railway | Hosting infrastructure | Server and database hosting

We do not sell, rent, or trade your personal data to any third party for commercial purposes.


5. Query Text, Screen Captures and the Groq API

When you submit a query through the extension, that content is transmitted to Groq's API via our servers for processing. This transmission:

  • Is encrypted in transit using HTTPS/TLS.
  • Does not include your email address, account ID, or any personally identifiable information.
  • Passes through our servers solely to route the request to Groq — it is not stored at any point.
  • Is subject to Groq's own data processing terms.

We recommend that you do not submit sensitive personal data or confidential business information through the extension.


6. Data Retention

Data type | Retention period
Email address and Google profile | For the duration of your account, plus 90 days after deletion request
Session tokens | Until expiration (30 days) or logout
Monthly query count | 13 months from creation
Query logs (type and timestamp, no content) | 6 months from creation
Server access logs (IP, timestamp) | 30 days, then automatically deleted
PayPal transaction ID | As required by financial record-keeping obligations (generally 5–7 years)

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your account and associated data.
  • Restriction: request that we restrict processing in certain circumstances.
  • Portability: request your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, email privacy@flash-ask.com with the subject "Privacy Request". We will respond within 30 days.

If you are located in the European Union, you also have the right to lodge a complaint with your local data protection authority.


8. Data Security

  • All data transmitted is encrypted using HTTPS/TLS.
  • Session tokens are generated using cryptographically secure random bytes.
  • Database access is restricted to the application server and requires authentication.
  • Google OAuth tokens are never stored — only the resulting session token, Google ID, and email.
  • We do not log or store query content or screen captures at any point.
  • Only one active session is allowed per account.

In the event of a data breach, we will notify affected users by email within 72 hours of becoming aware, to the extent required by applicable law.


9. Cookies and Local Storage

The flash-ask Chrome extension does not use cookies. Your session token is stored in chrome.storage.local solely to maintain your authenticated session. This token expires after 30 days and is not used for tracking or advertising.

The flash-ask.com website may use a session token stored in your browser's local storage to maintain your dashboard session, subject to the same conditions above.


10. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, contact privacy@flash-ask.com and we will delete it promptly.


11. International Data Transfers

Your data may be processed on servers located outside your country of residence, including in the United States, where our infrastructure providers (Railway, Groq, Resend) operate. By using the Service, you acknowledge that your data may be transferred to and processed in countries that may have different data protection standards than your own.


12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version at flash-ask.com/privacy with a revised "Last updated" date. For material changes, we will notify registered users by email at least 7 days before the changes take effect.


13. Contact

Privacy: privacy@flash-ask.com
Support: support@flash-ask.com
Website: flash-ask.com