Privacy Policy

1. Who We Are

Phylasso ("we", "us", "our") is an preparedness application available on iOS, Android, and the web. Our service helps households track supplies, generate plans, and receive real-time alerts.

For questions about this policy or your personal data, contact us at: hello@creativeflight.co.uk

2. Data We Collect

Account Data

• Email address
• Password (stored as a one-way hash — we cannot read it)
• Subscription plan (Free or Pro)
• Account creation date

Household Profile

• Household size and member details (ages, dietary needs, medical considerations) — entered voluntarily
• Location (city, region, country, and approximate latitude/longitude) — used to deliver relevant threat alerts
• Alert profile preferences (e.g. flooding, severe weather, earthquake)
• Notification preferences

Inventory Data

• Supply item names, quantities, expiry dates, categories, and notes

Contacts

• Contact names, phone numbers, and relationships — entered voluntarily and used only to enable the SOS feature

Usage and Technical Data

• Device push notification tokens (FCM) — used to deliver alerts to your device
• API request logs — for service reliability monitoring (no personal content)

Payment Data

Payments are processed by Stripe, Inc. We do not store your card number, CVV, or full payment details. Stripe provides us with a transaction reference and your subscription status. See Stripe's Privacy Policy for details of how they handle your payment data.

3. How We Use Your Data

• To provide the service — account management, inventory tracking, plan generation, and SOS functionality
• To deliver alerts — your location is used to query third-party alert APIs (EA Flood, NOAA, FEMA, USGS, and others) and send relevant push notifications
• To generate AI content — your household profile and inventory data are sent to Anthropic's Claude API to generate personalised plans and tips. No data is used to train AI models.
• To process payments — subscription billing via Stripe
• To improve the service — aggregated, anonymised usage metrics
• To communicate with you — service notifications, subscription receipts, and support responses

4. Legal Basis for Processing (UK & EU Users)

Under UK GDPR and EU GDPR, we process your personal data on the following legal bases:

• Contract — processing necessary to provide the service you have signed up for
• Legitimate interests — service reliability monitoring, fraud prevention, and improving the app
• Consent — push notifications (you may withdraw consent at any time in your device settings)
• Legal obligation — where required by applicable law

5. Third-Party Services

We share data with the following third parties only to the extent necessary to deliver the service:

Stripe (Payments)

Subscription billing. Stripe processes payment card data on our behalf. Stripe Privacy Policy

Anthropic (AI Features)

Your household profile and inventory data are sent to Anthropic's Claude API to generate plans, AI tips, and seasonal reminders. Anthropic does not use this data to train models. Anthropic Privacy Policy

Google (Infrastructure)

Our backend runs on Google Cloud operated by Google LLC. Google Privacy Policy

Google Firebase Cloud Messaging (Push Notifications)

Device push tokens are processed via Google Firebase to deliver threat alert notifications to your device.

Data APIs

Your approximate location (latitude/longitude) is sent to the following public APIs to retrieve relevant alerts. These are read-only queries — no personal data is transmitted beyond coordinates:

• UK Environment Agency Flood Monitoring API
• NOAA National Weather Service (USA)
• FEMA Disaster Declarations API (USA)
• USGS Earthquake Hazards Program (USA)
• NASA FIRMS Fire Information (USA/Global)
• AirNow Air Quality API (USA)
• GDACS Global Disaster Alert (Global)
• SEPA Flood Alerts (Scotland)
• Natural Resources Wales Flood Warnings (Wales)
• UK Met Office Weather API
• NOAA Space Weather Prediction Center (Global)

Barcode Lookup

When you scan a product barcode, the barcode number is sent to Open Food Facts, Open Products Facts, and/or UPC Item DB to retrieve product information. No account or personal data is transmitted.

6. Data Retention

• Account and profile data — retained while your account is active and for 30 days after deletion
• Inventory and contacts — deleted immediately upon account deletion
• Push tokens — deleted on logout or account deletion
• AI usage logs — retained for 180 days, then automatically purged
• API request logs — retained for 90 days, then automatically purged
• Payment records — retained as required by financial regulations (typically 7 years)

7. Data Security

All data in transit is encrypted using TLS. Passwords are hashed. Our backend infrastructure runs within Google Cloud's security environment. We do not store payment card data.

While we take reasonable precautions, no method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at hello@creativeflight.co.uk.

8. Your Rights

UK & EU Users (GDPR)

You have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your account and personal data
• Portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests
• Restrict processing — request that we limit how we use your data
• Withdraw consent — withdraw push notification consent at any time via device settings

To exercise any of these rights, contact hello@creativeflight.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

California Users (CCPA / CPRA)

California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact hello@creativeflight.co.uk.

9. Account & Data Deletion

You can delete your Phylasso account and all associated personal data at any time. Deletion is permanent and cannot be undone.

How to delete your account in the app

• If you have an active Pro subscription, cancel it first via your Stripe billing portal (accessible from Profile → Manage Subscription) to avoid further charges
• Open the Phylasso app and go to Profile
• Scroll to the bottom and tap Delete Account
• Confirm the deletion — your account and all personal data will be permanently removed

What gets deleted

• Your account, email address, and password
• Household profile and member details
• All inventory items, emergency plans, and contacts
• Push notification tokens and AI usage logs

Payment transaction records are retained as required by financial regulations (see Section 6 — Data Retention).

Need help?

If you are unable to delete your account within the app, email us at hello@creativeflight.co.uk and we will delete your account and data within 30 days.

10. Cookies

Our marketing website (phylasso.com) does not use tracking or advertising cookies. The Phylasso app uses local storage and IndexedDB on your device to store your data offline — this data does not leave your device except as described in this policy.

11. Children's Privacy

Phylasso is not directed at children under 13 (or under 16 in the UK/EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you via the app or email. Continued use of Phylasso after changes take effect constitutes acceptance of the updated policy. The "Last updated" date at the top of this page will always reflect the most recent version.

13. Contact Us

For any privacy-related questions, requests, or complaints: