Privacy Policy

Flash.co
Last Updated: August 20, 2025

Introduction

Flashmonk Private Limited, a private limited company with its registered office at Fifth Floor, North Tower, Vaishnavi Tech Park, Sy. No. 16/1 and 17/2, Bellandur Gate, Sarjapur Main Road, Ambalipura, South Wing, Vaishnavi Tech Park, Bengaluru -- 560103, India (CIN: U72900KA2022PTC157982), operates the website www.flash.co, web app page https://webapp.flash.co/, the mobile application 'Flash.co' and AI-powered shopping assistant,Flash AI (collectively, the "Platform"). The Company, referred to as "Flash," "We," "Us," or "Our," is committed to protecting the privacy of users, referred to as "You" or "Your," and the information You share while using the Platform, including our AI-powered shopping assistant, Flash AI.

PRIVACY POLICY

This Privacy Policy outlines how We collect, use, store, process, disclose, and protect Your personal data when You interact with the Platform via WhatsApp, web, or mobile app, including through text queries, product images, or links (including those prefixed with Flash.co). This Privacy Policy is an electronic record under applicable information technology and privacy laws, including but not limited to the Information Technology Act, 2000 (India), General Data Protection Regulation - GDPR (EU), California Consumer Privacy Act - CCPA (US), Personal Information Protection and Electronic Documents Act - PIPEDA (Canada), Privacy Act 1988 (Australia), Lei Geral de Proteção de Dados - LGPD (Brazil), UK Data Protection Act 2018, and other applicable privacy laws in jurisdictions where our services are offered, generated by a computer system without requiring physical, electronic, or digital signatures.

By visiting the Platform, creating an account, or using Flash AI, and clicking the "I Accept" button during signup, You accept and agree to be bound by this Privacy Policy, which is incorporated into Our Terms of Use ("Terms") and must be read in conjunction with them. This Privacy Policy does not apply to information provided to or collected by third-party sites accessed through the Platform.

Collection of Information

We collect information to provide and improve the Services offered through the Platform, such as deep product research, price and product comparisons, purchase recommendations, and post-purchase support (e.g., cancellations, returns, and warranty claims), in accordance with applicable data protection principles including data minimization and purpose limitation.

Information You Provide

When You register or create an account on the Platform, You may voluntarily provide:

Personal Information: Mobile number, email address (including Flash.co ID or third-party email), name, gender, date of birth, address, photograph (e.g., selfie), identity and address proof (e.g., Aadhaar, passport, driver's license, national ID cards, social security numbers where applicable), and payment details (e.g., bank account, UPI ID, IFSC code, credit/debit card information, PayPal, digital wallets) for processing transactions in accordance with applicable financial regulations.

Flash AI Inputs: Text queries (natural language), images of products, or links (including Flash.co-prefixed links) shared via WhatsApp, web, or mobile app for product research, comparisons, or post-purchase support.

User Communications: Feedback, reviews, or queries submitted via contact forms, customer support, or public posts on the Platform.

The above information is collectively referred to as ("Personal Information"). All information is provided willingly, and the Company is not liable for its authenticity, accuracy, or legality, except as required by applicable law. Certain features may be restricted if You choose not to provide required information, and We will inform You of such restrictions in accordance with transparency requirements under applicable privacy laws.

Automatically Collected Information

We collect non-personal information that does not directly identify You, including:

Device and Usage Data: IP address, browser type, operating system, device identifiers, web requests, pages visited, cookie data, and usage analytics to analyze Platform performance and user trends, in accordance with applicable laws including ePrivacy Directive (EU) and similar regulations.

Location Data: With Your explicit consent where required by applicable law, We may collect location data to provide personalized services (e.g., local product availability, regional pricing, shipping options). You can disable location tracking through device settings, but this may limit some functionalities. For users in the EU, location data is processed under Article 6(1)(a) GDPR (consent) or Article 6(1)(b) GDPR (contract performance).

Email and SMS Data: With Your consent where required by applicable law, We access Your linked email accounts (Flash.co ID or third-party email) and SMS inbox to extract e-commerce transaction details (e.g., order value, delivery status, tracking information). We use automated processes to read only transaction-related emails and SMS, not personal communications, in compliance with applicable telecommunications privacy laws.

Cookies and Tracking

We use cookies and similar technologies to enhance Your experience, such as:

  • Storing session data to prevent loss of progress during network issues
  • Analyzing user behavior to improve the Platform
  • Enabling seamless login with Your registered email ID
  • Providing personalized content and advertisements (with consent where required)

You may decline cookies via browser settings, but this may limit access to certain features. Session cookies are deleted at the end of Your session, while persistent cookies remain for a defined period. For users in the EU and UK, We comply with ePrivacy Directive requirements and obtain appropriate consent for non-essential cookies. For users in California, We honor Do Not Track signals where technically feasible.

Cookie Categories:

  • Strictly Necessary: Essential for Platform functionality (no consent required)
  • Performance: Analytics and usage monitoring (consent required in EU/UK)
  • Functional: Enhanced features and preferences (consent required in EU/UK)
  • Marketing: Advertising and promotional content (consent required in most jurisdictions)

Use of Information

We use Your information to provide Flash AI services, including product research via reviews from marketplaces, blogs, and videos globally, price and product comparisons across international e-commerce platforms, purchase recommendations, and post-purchase support in accordance with consumer protection laws in various jurisdictions. We facilitate account creation and login using Flash.co ID on the Platform or third-party e-commerce sites, provide order tracking across multiple regions, and analyze Your shopping patterns to offer spending insights and personalized recommendations.

Your information helps resolve disputes, troubleshoot issues, ensure Platform security through fraud detection and prevention, communicate updates or service-related notices, and respond to Your queries in multiple languages where applicable. We comply with legal obligations under applicable laws including anti-money laundering regulations, tax reporting requirements, consumer protection laws, and other regulatory frameworks in the jurisdictions where we operate.

Flash AI processes Your inputs (text, images, links) using AI algorithms, including third-party providers like OpenAI, Google Gemini, Anthropic, and other AI services, to generate responses in compliance with applicable AI governance frameworks and data protection laws. We log interactions in anonymized form for one month to troubleshoot, prevent abuse, improve AI performance, and ensure service quality, but We do not use Your data to train AI models without explicit consent, in accordance with emerging AI regulations and ethical guidelines.

With Your consent where required, We share Your information with selected third parties only as required to provide our Services and in compliance with applicable privacy regulation.

Legal Basis for Processing (applicable in GDPR jurisdictions):

  • Consent (Article 6(1)(a)): Marketing communications, optional features, AI model training
  • Contract Performance (Article 6(1)(b)): Account management, service delivery, payment processing
  • Legitimate Interests (Article 6(1)(f)): Platform security, fraud prevention, service improvement
  • Legal Obligation (Article 6(1)(c)): Compliance with applicable laws and regulations

We may process Your information without consent in specific cases, such as complying with applicable laws (including court orders, regulatory investigations, tax obligations), responding to legal requests from authorities, protecting safety during emergencies, or fulfilling obligations under public health measures, in accordance with applicable legal frameworks.

Sharing of Information

Access to Your personal information is restricted to authorized employees on a need-to-know basis and subject to confidentiality obligations. With Your consent where required by applicable law, We may disclose Your information to third-party vendors, such as:

  • Payment Processors: For transaction processing (e.g., Stripe, PayPal, regional payment gateways)
  • AI Providers: For generating responses (OpenAI, Google, Anthropic, etc.)
  • Cloud Services: For data storage and processing (AWS, Google Cloud, Microsoft Azure)
  • Analytics Providers: For usage analysis and service improvement
  • Customer Support: For query resolution and assistance
  • Logistics Partners: For order tracking and delivery information

All such vendors are bound by data processing agreements and confidentiality obligations to provide Services in accordance with applicable data protection laws.

We do not share Your personal information with third parties for their marketing purposes without explicit consent, except as permitted by applicable privacy laws. We may disclose Your information to:

  • Comply with laws, regulations, court orders, or government requests
  • Protect Our rights, property, or users' safety
  • Respond to emergencies or public health requirements
  • Prevent fraud, security threats, or illegal activities
  • Fulfill obligations under applicable legal frameworks

In case of mergers, acquisitions, or restructuring, Your information may be transferred to another entity under strict confidentiality and with appropriate legal safeguards, and We will notify You as required by applicable laws.

International Data Transfers: When We transfer Your data outside Your country of residence, We implement appropriate safeguards such as:

  • EU: Standard Contractual Clauses, Adequacy Decisions, or other approved transfer mechanisms under GDPR
  • UK: International Data Transfer Agreement (IDTA) or other approved mechanisms
  • Other jurisdictions: Equivalent protections as required by applicable laws

AI-Specific Privacy Practices

Flash AI uses AI algorithms, including third-party providers like OpenAI, Google Gemini, Anthropic, and other AI services, to process your inputs (text, images, links) for product research, comparisons, recommendations, and post-purchase support in compliance with applicable AI governance frameworks including EU AI Act, proposed US AI regulations, and other emerging AI legal frameworks.

We log interactions in anonymized form for one month to improve services, with access restricted to authorized personnel and subject to appropriate security measures. We do not use Your data to train AI models without explicit consent, and You can opt-out from such use by writing to support@flash.tech

Flash AI provides automated responses generated by Artificial Intelligence (AI) models based on algorithmic processing of user inputs, including text, images, or links. While we strive for accuracy and implement quality assurance measures, these AI-generated responses may contain inaccuracies, errors, biases, or incomplete information due to the inherent limitations of current AI technology. We do not guarantee, warrant, or assume responsibility for the accuracy, completeness, reliability, or suitability of the information generated by Flash AI, in accordance with applicable AI transparency and explainability requirements.

Users are strongly advised not to share sensitive personal information or confidential data within their queries, as privacy and security of shared information cannot be fully guaranteed in automated interactions. We expressly disclaim any liability arising from any reliance on AI-generated information provided by Flash AI, except where liability cannot be excluded under applicable mandatory consumer protection laws.

Users are advised to independently verify all critical information and seek professional advice, as necessary, before acting upon any content provided by Flash AI. By using Flash AI, you expressly acknowledge and agree that we shall not be held liable for any monetary losses, fraudulent activities, damages, harm, or any other consequences resulting directly or indirectly from your use or misuse of AI-generated content or recommendations, except as required by applicable mandatory liability laws.

You can opt out of data sharing for non-essential purposes, request access to or correction of Your data, or delete Your AI interaction logs by emailing support@flash.tech. These rights are provided in accordance with applicable data subject rights under GDPR, CCPA, PIPEDA, and other applicable privacy laws.

We do not share Your data with third-party AI providers for their own use without permission. Data sent to providers is limited to what is necessary for processing, securely transmitted using encryption and other security measures, and deleted after processing (e.g., within 30 days for OpenAI's API, in accordance with each provider's data retention policies). We comply with applicable data protection laws including GDPR, CCPA, PIPEDA, LGPD, and other regional privacy regulations, ensuring lawful processing, data minimization, and user rights. Cross-border data transfers are subject to stringent protections including Standard Contractual Clauses, adequacy decisions, and other approved transfer mechanisms.

If a third-party AI provider experiences a data breach, We will notify affected users per applicable laws including GDPR breach notification requirements (within 72 hours to authorities and without undue delay to affected individuals), CCPA breach notification requirements, and other applicable breach notification laws.

Security Precautions and Measures

We implement reasonable security measures in accordance with applicable data protection laws including Section 43A of the Information Technology Act, 2000 (India), GDPR Article 32 (EU), CCPA security requirements (California), and other applicable security frameworks. These measures include:

  • Encryption: Data encryption in transit and at rest using industry-standard protocols
  • Access Controls: Role-based access controls and multi-factor authentication
  • Secure Servers: Infrastructure security including firewalls, intrusion detection, and monitoring
  • Regular Audits: Security assessments and vulnerability testing
  • Employee Training: Data protection and security awareness programs
  • Incident Response: Procedures for detecting, responding to, and reporting security incidents

Our use of Gmail data via Google APIs complies with Google API Services User Data Policy and limited use requirements. However, no system is entirely secure, and You must safeguard Your account credentials. We will notify You of any data breaches in accordance with applicable breach notification laws.

Data Breach Response: In the event of a personal data breach, We will:

  • Assess the breach and take immediate containment measures
  • Notify relevant supervisory authorities within required timeframes (e.g., 72 hours under GDPR)
  • Notify affected individuals without undue delay where required by law
  • Provide clear information about the breach and recommended protective measures
  • Cooperate with authorities and take corrective actions as required

Third-Party Sites

The Platform may link to third-party sites that collect Your information, but We are not responsible for their privacy practices or content. These may include e-commerce platforms, payment processors, social media sites, analytics providers, and other service providers operating under different privacy laws and jurisdictions. Review their privacy policies before sharing information, and note that different data protection standards may apply.

Flash AI aggregates data from public sources globally but does not verify their accuracy, authenticity, or compliance with applicable intellectual property or privacy laws. Users should independently verify information from third-party sources.

Manage Access to Your Gmail Account

You can manage access to Your Gmail account and review permissions granted to Us by visiting the security section of Your Google account at myaccount.google.com/security. For more information on safe data sharing, refer to Google's privacy resources. You can revoke access at any time, though this may limit certain features of our service.

This access is governed by Google's API Services User Data Policy and our compliance with limited use requirements, ensuring that Gmail data is used only for the specific purposes disclosed in this Privacy Policy.

Public Posts

Feedback, reviews, or testimonials You share on publicly viewable portions of the Platform will be visible to other users globally and must comply with the Terms and applicable laws including defamation, intellectual property, and content regulations in various jurisdictions. We reserve the right to remove non-compliant posts in accordance with applicable laws and due process requirements, and use, reproduce, or share Your posts for any purpose in accordance with applicable intellectual property and privacy laws.

Deleted posts may remain in archived pages, search engine caches, or be copied by other users. We cannot guarantee complete removal of public posts from all locations, including third-party archives or user copies.

Your Rights and Choices

Data Subject Rights (applicable globally with variations by jurisdiction):

Right to Access: You may request information about what personal data We process, how We use it, and with whom We share it. We will provide this information in a commonly used electronic format.

Right to Rectification/Correction: You can correct or update Your personal information online through Your account settings or by contacting support@flash.tech.

Right to Erasure/Deletion: You may request deletion of Your data by emailing support@flash.tech, and We will delete it within legally required timeframes (e.g., 7 days where technically feasible), except where retention is legally required under applicable laws including tax, financial, consumer protection, or other regulatory requirements.

Right to Restrict Processing: You may request restriction of processing in certain circumstances, such as when You contest the accuracy of data or object to processing.

Right to Data Portability: Where technically feasible, You may request Your data in a structured, commonly used, machine-readable format for transfer to another service provider.

Right to Object: You may object to processing based on legitimate interests, including for direct marketing purposes. We will honor such requests unless we have compelling legitimate grounds.

Right to Withdraw Consent: Where processing is based on consent, You may withdraw it at any time by emailing support@flash.tech, though this may limit Service access, and We may delete or de-identify Your information.

Right to Nominate: You may nominate an individual to exercise Your rights in case of death or incapacity, as prescribed by applicable laws.

Use of a Consent Manager: You can manage Your consent through registered consent managers where available under applicable laws such as the DPDP Act, 2023 (India) and similar frameworks in other jurisdictions.

California Residents (CCPA/CPRA Rights):

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (We do not sell personal information)
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information

EU/UK Residents (GDPR/UK GDPR Rights):

  • All rights listed above under GDPR Articles 15-22
  • Right to lodge a complaint with supervisory authorities
  • Right to effective judicial remedy

Other Jurisdictions: We extend similar rights to users in other jurisdictions in accordance with applicable local privacy laws.

How to Exercise Your Rights: Contact us at support@flash.tech with your request. We will verify your identity and respond within legally required timeframes (e.g., 30 days under GDPR, 45 days under CCPA). There is no fee for most requests, though We may charge a reasonable fee for excessive or repetitive requests where permitted by law.

Changes To Our Privacy Policy

We reserve the right to update this Privacy Policy by posting changes on the Platform. Material changes will be notified through prominent notices on the Platform or via email, with advance notice where required by applicable laws (e.g., 30 days notice under some jurisdictions). Check the "Last Updated" date above for recent changes.

Your continued use and access of the Platform after the effective date of changes shall signify Your acceptance of the amended Privacy Policy and Your consent to be legally bound by the same, except where additional consent is required by applicable law.

For material changes affecting Your rights, We may require renewed consent or provide opt-out mechanisms in accordance with applicable privacy laws.

Data Retention and Deletion

We shall retain Your Information for such duration as may be required for the purposes specified herein or for such other periods as may be required under applicable laws including:

  • Account Data: While Your account is active and for a reasonable period thereafter
  • Transaction Records: As required by applicable financial, tax, and consumer protection laws (typically 7-10 years)
  • Marketing Data: Until You withdraw consent or as required by applicable laws
  • Legal Obligations: As required by court orders, regulatory requirements, or applicable laws
  • AI Interaction Logs: In anonymized form for up to one month for service improvement

We may continue to retain Your Personal Information in anonymized or pseudonymized form for analytical and research purposes, statistical analysis, and service improvement, in compliance with applicable data protection principles.

You acknowledge that if We determine that any information You have provided or shared violates the terms of this Privacy Policy or applicable laws, We have the right, subject to applicable due process requirements, to delete or destroy such Personal Information.

Upon account deletion or data retention period expiry, We will securely delete or anonymize Your personal information unless retention is required by applicable laws. Some information may remain in backup systems for a limited period for technical reasons.

International Compliance and Supervisory Authorities

Supervisory Authorities: You have the right to lodge complaints with relevant data protection authorities:

European Union: Contact your local Data Protection Authority or the Irish Data Protection Commission (our lead supervisory authority in the EU)

United Kingdom: Information Commissioner's Office (ICO)

United States:

  • Federal Trade Commission (FTC) for general privacy matters
  • State Attorneys General for state-specific privacy laws
  • Consumer Financial Protection Bureau (CFPB) for financial data

Canada: Privacy Commissioner of Canada or provincial privacy commissioners

Australia: Office of the Australian Information Commissioner (OAIC)

Other Jurisdictions: Relevant local privacy or data protection authorities

Cross-Border Data Transfers: We implement appropriate safeguards for international data transfers including:

  • EU Standard Contractual Clauses for transfers outside the EEA
  • UK International Data Transfer Agreement (IDTA) for transfers from the UK
  • Adequacy decisions where available
  • Other approved transfer mechanisms under applicable laws

Children's Privacy

Flash AI is intended for users who are at least 18 years of age. We do not knowingly collect personal data from users under 18 without verifiable parental or guardian consent.

If You are under 18, You must have verifiable parental or guardian consent to use the Platform. Parents/guardians can contact support@flash.tech to review, update, or delete their child's information, set up parental controls, or report concerns. Contact support@flash.tech immediately to report underage data collection, and We will promptly investigate and delete such information in accordance with applicable laws.

Grievance Officer and Contact Information

Global Grievance Officer: Sugath Surendran
Email: sugath@flash.tech
Address: Flashmonk Private Limited, Fifth Floor, North Tower, Vaishnavi Tech Park, Bengaluru - 560103, India

Questions and Contact Information

For questions about this Privacy Policy, Your data, or Our privacy practices, contact us at:

Email: support@flash.tech
Privacy Email: hello@flash.tech
Address: Flashmonk Private Limited, Fifth Floor, North Tower, Vaishnavi Tech Park, Bengaluru - 560103, India

We will respond to Your inquiries within reasonable timeframes as required by applicable laws (typically within 30-45 days depending on jurisdiction and nature of request).

Last Updated: August 20, 2025

This Privacy Policy is available in multiple languages for users in different jurisdictions. In case of conflicts between translations, the English version shall prevail except where local law requires otherwise.