Privacy Policy

Last updated: March 5, 2026

1. Introduction

Flippie Dashboards ("we", "us", "our") operates a suite of products including the Flippie personal finance application and Power BI templates. We are committed to protecting your privacy and handling your data transparently. This policy explains what data we collect, why, and how we protect it.

2. Data Controller

Flippie Dashboards is the data controller responsible for your personal data. If you have questions about how we process your data, contact us at: hello@flippiedashboards.com.

3. Data We Collect

Account data

  • Email address (for authentication and billing)
  • Full name (if provided during profile setup)
  • Hashed password (we never store plaintext passwords)
  • MFA enrollment data (TOTP secrets, hashed backup codes)
  • OAuth profile information (e.g. name and email from Google sign-in)

Financial data you provide

  • Transactions (amounts, dates, descriptions, categories)
  • Budget configurations
  • Net worth snapshots (asset and liability balances)
  • Account names and categories

Community data

  • Username (publicly visible to other users)
  • Avatar image (if uploaded)
  • Posts and replies in community forums (publicly visible)

Billing data

  • Stripe customer ID and subscription status
  • Chosen plan and billing interval
  • Trial eligibility status

We do not store your credit card number, bank account details, or other payment credentials. All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified.

Automatically collected data

  • IP address and user agent (for security audit logs and rate limiting)
  • Session metadata (login times, authentication assurance level)

4. Legal Basis for Processing (GDPR)

We process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) — processing your financial data is necessary to provide the Service you signed up for, and processing billing data is necessary to manage your subscription.
  • Legitimate interest (Art. 6(1)(f) GDPR) — security measures such as audit logging, rate limiting, and fraud detection protect both you and the Service. Trial abuse prevention (tracking which emails have used a free trial) also falls under this basis.
  • Consent (Art. 6(1)(a) GDPR) — where applicable, such as optional communications. You may withdraw consent at any time.

5. How We Use Your Data

  • Provide the service — display dashboards, charts, budgets, and transaction history.
  • Authentication & security — verify identity, enforce MFA, detect suspicious activity, and rate-limit abuse.
  • Billing — manage subscriptions, process payments via Stripe, and determine trial eligibility.
  • Community — display your username and content in public forums.
  • Audit logging — maintain an immutable record of security-relevant events for incident response.

We do not sell, rent, or share your data with third parties for advertising or marketing purposes.

6. Administrative Access

Authorized personnel at Flippie Dashboards may access user data through our database administration tools for the following purposes only:

  • Providing technical support when requested by you.
  • Investigating security incidents or suspected abuse.
  • Maintaining and improving the Service (e.g. debugging, performance monitoring).
  • Complying with legal obligations.

Administrative access is restricted, logged, and subject to the same data protection obligations described in this policy.

7. Data Storage & Security

  • All data is stored in Supabase (PostgreSQL) with Row Level Security (RLS), which ensures that you can access only your own data through the application.
  • Passwords are hashed using bcrypt via Supabase Auth.
  • MFA backup codes are hashed with SHA-256 and a domain-specific salt before storage.
  • All connections use TLS/HTTPS encryption in transit.
  • Content Security Policy, HSTS, and other security headers are enforced.
  • Audit logs are protected with immutability policies (no update or delete).

8. Data Retention

  • Account data — retained for as long as your account is active. If you delete your account, we will delete your personal and financial data within 30 days.
  • Trial eligibility records — we retain a record of email addresses that have used a free trial to prevent abuse. This record persists after account deletion.
  • Audit logs — anonymized audit logs may be retained for up to 90 days for security purposes.

9. Your Rights

Under the GDPR and applicable Dutch law, you have the right to:

  • Access — request a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and data (note: trial eligibility records are retained to prevent abuse).
  • Portability — export your data in a machine-readable format.
  • Restriction — request restricted processing of your data.
  • Objection — object to specific processing activities.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@flippiedashboards.com. We will respond within 30 days as required by the GDPR.

10. Cookies & Local Storage

We use the following cookies and local storage:

  • Authentication session cookies — essential for keeping you logged in (set by Supabase Auth).
  • MFA trusted device cookie — an optional, signed cookie that remembers your device for 30 days so you can skip MFA verification. You can revoke this from your account settings.
  • Local storage — used for UI preferences (currency, onboarding progress). No tracking data is stored.

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

11. Third-Party Services

We use the following third-party services to operate the Service. We have ensured appropriate data processing agreements are in place where required:

  • Supabase — authentication and database hosting.
  • Stripe — payment processing and subscription management. Stripe receives your email address and payment details directly. See Stripe's Privacy Policy.
  • Upstash — distributed rate limiting (only IP hashes are sent, no personal data).
  • Vercel — application hosting and CDN.
  • Zoho Mail — transactional email delivery (confirmation emails, password resets).

12. International Data Transfers

Some of our third-party service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

13. Children's Privacy

Flippie is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

14. Supervisory Authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.

15. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates when the policy was last revised.

16. Contact

For privacy-related questions or requests, contact us at: hello@flippiedashboards.com.