Privacy Policy

• "Personal Information" — Information that identifies or may identify a specific individual, as defined under applicable privacy law.
• "Processing" — Any operation performed on Personal Information, including collection, recording, storage, use, disclosure, restriction, erasure, or destruction.
• "Merchant" or "Customer" — Any individual or entity that registers for and uses Flamey's Platform, including by installing our integrations on their online store (Shopify, WooCommerce, or any other website).
• "Shopper" — A visitor of a Merchant's online store who interacts with the Viewer (for example, by opening a 3D or AR preview of a product).
• "Data Controller" — The entity that determines the purposes and means of Processing Personal Information.
• "Data Processor" — The entity that Processes Personal Information on behalf of the Data Controller and according to its instructions.
• "Sub-processor" — A third party engaged by Flamey to perform specific Processing activities on its behalf.
• "Services" — The Website, the Platform, the Viewer, the embed script and plugins, APIs, software, technical support, and any other related services offered by Flamey.

It is important to distinguish between our different roles:

1. Flamey as Data Controller: We act as a Data Controller for Personal Information we collect directly from our Merchants and Website visitors (e.g., account details, billing information, Platform usage data). In these cases, we determine the purposes and means of Processing.
2. Flamey as Data Processor: When the Viewer is embedded on a Merchant's store and Shoppers interact with it, the Merchant is the Data Controller of any Shopper data, and Flamey acts as a Data Processor, Processing limited technical and usage data solely to provide the Services. This Policy does not govern the privacy practices of our Merchants.

1. Information provided by Merchants: Full name, company name, email address, authentication details (e.g., via Google sign-in or email magic links), store domain names, billing details (processed and stored by our payment provider, Paddle — Flamey does not store full payment card details), product catalog data (titles, sizes, finishes, product images), support inquiries, and any other information you choose to provide.
2. Technical and usage data (Merchants and Website visitors): IP address, browser type, operating system, interface language, approximate location (derived from IP address), pages viewed, feature usage, and similar diagnostic data.
3. Viewer usage events (as Processor for Merchants): When a Shopper opens the Viewer, we collect minimal, event-level usage data on the Merchant's behalf — such as viewer loads, AR session opens, and QR code scans, together with the connected store's domain. These events are used to provide Merchants with aggregate analytics about their own stores.
4. What we do NOT collect from Shoppers: The AR experience runs on the Shopper's own device using the device's native AR capabilities (Apple Quick Look / Google Scene Viewer). Camera imagery is processed entirely on the device and is never transmitted to, received by, or stored on Flamey's servers. We do not require Shoppers to create accounts, and we do not use the Viewer to build advertising profiles of Shoppers.

• Consent: Where Processing is based on your explicit, freely given, and informed consent (e.g., marketing newsletters).
• Contractual necessity: Processing necessary to provide the Services under our Terms of Service (e.g., account creation, billing, providing the Viewer).
• Legitimate interest: Improving and securing the Services, preventing fraud and abuse, business analytics, and enforcing our terms — balanced against your rights and freedoms.
• Legal obligation: Processing required to comply with legal or regulatory requirements.

1. As Data Controller: To provide, operate, maintain, secure, and improve the Services; manage Merchant accounts, billing, and collection; communicate with Merchants regarding service, support, and updates; send marketing materials (subject to consent or legitimate interest and the right to object); monitor use of the Services for security and compliance; and comply with legal requirements.
2. As Data Processor: Solely to render 3D/AR previews of the Merchant's products to Shoppers, to record aggregate usage events on the Merchant's behalf, and to provide analytics and plan-usage reporting to the Merchant. Flamey will never sell Shopper event data or use it for its own advertising purposes.

• With Sub-processors: We use carefully selected third-party providers to operate the Services, including cloud hosting and deployment (Vercel), database hosting (Neon), content delivery and object storage (Cloudflare), payment processing (Paddle), transactional email (Resend), and authentication (Google, where you choose Google sign-in). These providers Process information only as needed to provide their services to us and under contractual confidentiality and security obligations.
• With third-party integrations: If you connect your Flamey account to external platforms (e.g., Shopify or WooCommerce), relevant information is exchanged between the platforms at your direction and subject to those platforms' terms.
• For legal reasons: Where required by law, court order, or to protect our legal rights, the safety of users, or to investigate fraud or abuse.
• Corporate transactions: In the event of a merger, acquisition, or sale of assets, Personal Information may be transferred subject to continued protection under this Policy or a substantially similar one.
• Aggregated information: We may share statistical, aggregated, or anonymized information that does not identify any individual.

Depending on applicable law, you may have the right to access, rectify, erase, restrict, or port your Personal Information; to object to Processing based on legitimate interest or for direct marketing; to withdraw consent at any time (without affecting prior lawful Processing); and to lodge a complaint with your local supervisory authority. To exercise these rights, contact us at privacy@flamey.com. We will respond within the time limits required by law after verifying your identity.

When you interact with the Viewer on a Merchant's store, the Merchant is the Data Controller. Requests to exercise your rights regarding data held by that Merchant should be directed to the Merchant. Flamey assists its Merchants in fulfilling their obligations as Data Controllers in accordance with our agreements.

The Services are supported by global infrastructure, and Personal Information may be processed on servers located in various countries (including the United States and countries within the EEA). Where Personal Information is transferred across borders, we rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses (SCCs) as required by applicable law.

We implement technical and organizational security measures consistent with industry standards, including encryption in transit and at rest, access controls and the principle of least privilege, isolation between customer-facing and merchant-facing systems, and secure development practices. No system is 100% immune; we recommend using strong, unique passwords and protecting access to your sign-in email account.

In the event of a data breach involving Personal Information under our control, we will investigate, mitigate, and notify the relevant supervisory authorities and affected parties without undue delay, in accordance with our legal and contractual obligations.

We retain Personal Information only as long as reasonably necessary for the purposes described in this Policy or as required by law. Criteria include the duration of your active account, legal and tax retention obligations, and the need to resolve disputes. Usage events are retained in identifiable form only as long as needed to provide analytics and billing, after which they may be aggregated or deleted. Information no longer needed is securely deleted or anonymized.

Our Website and Platform use a minimal set of cookies: strictly necessary cookies for authentication and security, and functional cookies for remembering preferences. The Viewer itself does not set advertising or cross-site tracking cookies on Merchants' stores. Where non-essential cookies are used, we will request your consent in accordance with applicable law. You can manage cookies through your browser settings.

The Platform is intended for business users and is not directed to children under the age of 18. We do not knowingly collect Personal Information from children. If you believe such information has been provided to us, please contact us and we will delete it.

We may update this Policy from time to time to reflect changes in the Services, our data practices, or legal requirements. We will post the updated version here with a new Effective Date, and for material changes we will provide more prominent notice. Continued use of the Services after changes take effect constitutes acceptance of the updated Policy.

For questions, comments, or requests regarding this Policy or our data practices, contact us at privacy@flamey.com.