Privacy Policy

1

Introduction

FlatFund ("we", "our", "the app") is an apartment management platform that helps residents and administrators manage maintenance billing, water billing, expenses, and community communication. This Privacy Policy explains what data we collect, why we collect it, how we store it, and your rights over it.

By using FlatFund, you agree to the practices described in this policy.

2

Information We Collect

2.1 Account & Identity

Full name
Email address
Phone number
Flat number, floor, and apartment ID
Role within the apartment (Admin, Owner, or Tenant)

2.2 Authentication

One-time passwords (OTPs) — stored as hashed values, auto-expire in 5 minutes
JWT access tokens — short-lived, stored in device secure storage (Android Keystore / iOS Keychain), never shared with third parties
Refresh tokens — stored in device secure storage to maintain your session

We do not store passwords. Login is entirely OTP-based via your registered email.

2.3 Billing & Financial Records

Monthly maintenance payment status (paid / unpaid, amount, due date)
Water meter readings and calculated bill amounts
Apartment-level expense records (e.g. security salary, generator diesel)
UPI payment details configured by the apartment admin (display only — no payment processing happens in-app)

2.4 Notifications

Firebase Cloud Messaging (FCM) tokens — used to deliver push notifications to your device
Notification preferences — your opt-in/opt-out settings per notification type

2.5 Media & Uploads

Profile photo (optional) — uploaded by you via camera or gallery, stored on our own file server (flatfund-storage.nulltheory.in)
Water meter reading photos — uploaded by admin
Expense receipt photos — uploaded by admin

No uploaded files are sent to any third-party image service.

2.6 Community Directory

Resident names, phone numbers, and profile photo URLs are cached locally on your device to enable the community directory feature. This is personal data of your fellow residents and is used solely within the app.

2.7 Device & Usage

Device integrity tokens — verified via Google Play Integrity API to confirm the app is genuine and unmodified. The token is verified server-side and not stored.
Anonymous app usage events via Firebase Analytics (see Section 4) — no personally identifiable information is included
Crash reports via Firebase Crashlytics — includes stack traces, device model, OS version, and app version. No personal data is attached.
IP address and basic request metadata — retained temporarily in server logs for security and debugging

2.8 On-Device Storage

The app stores the following data locally on your device:

Encrypted (Android Keystore / iOS Keychain):

JWT access token and refresh token

App preferences (shared preferences):

User ID, role, flat details, apartment details, email, phone number, login state, theme preference, FCM token

Offline cache (SQLite):

Billing summaries, payment history, maintenance and water records, expense records, security contact, community directory (floor/flat structure, resident names, phone numbers, profile photo URLs)
All cached data originates from our own backend and is cleared on logout

3

How We Use Your Information

Purpose	Data Used
Authenticate you securely	Email, OTP hash, JWT, refresh token
Show you your billing history	Maintenance & water records
Send payment due reminders	FCM token, billing data
Notify you of community updates	FCM token, name, flat details
Allow admin to manage residents	Name, email, flat, role
Deliver invitation emails	Email, flat number, invitation code
Display community directory	Name, phone number, profile photo
Improve app quality	Anonymous analytics events, crash reports
Account deletion processing	Email, apartment ID

We do not sell, rent, or share your personal data with advertisers or third parties for marketing purposes.

4

Analytics Events

FlatFund uses Firebase Analytics to track anonymous in-app events. No user identity (setUserId) is set — all events are device-level and contain no personally identifiable information.

Events tracked include: login, logout, tab navigation, admin billing actions (dues generation, water reading updates, expense logging), resident directory interactions, and notification screen views.

5

Third-Party Services

FlatFund uses the following third-party services to operate:

Service	Purpose	Data Shared
Resend	Transactional emails (OTP, invitations, welcome)	Email address, apartment name
Firebase FCM	Push notifications	FCM device token
Firebase Analytics	Anonymous usage analytics	Anonymous event names, device metadata
Firebase Crashlytics	Crash and error reporting	Stack traces, device model, OS version, app version
Google Play Integrity API	App authenticity verification	Device integrity token (verified server-side, not stored)
AWS S3-compatible storage	Profile photos, meter images, receipts	Uploaded files
Statuspage.io	Service uptime monitoring	Anonymised response time metrics
Google Play In-App Updates	Automatic app updates	No personal data collected

Each of these services operates under their own privacy policies.

6

Device Permissions

Permission	Platform	Purpose
`POST_NOTIFICATIONS`	Android 13+	Push notifications via FCM
`CAMERA`	Android & iOS	Profile photo capture
`READ_EXTERNAL_STORAGE`	Android ≤ 12	Photo picker (gallery fallback)
`ACCESS_NETWORK_STATE`	Android	Check connectivity before API calls

7

Data Retention

Data Type	Retention Period
OTP records	Auto-deleted after expiry (5–30 minutes)
Refresh tokens	Until logout or session expiry
Billing records (maintenance, water, expenses)	Retained for the lifetime of the apartment account
FCM tokens	Until you log out or uninstall the app
Uploaded media	Until deleted by you or the admin
Account deletion requests	Processed within 30 days; request record retained for audit
On-device cache (SQLite)	Cleared on logout
Server logs	Up to 30 days

8

Account Deletion

You have the right to request deletion of your account and associated personal data.

How to request

Use the "Delete My Account" option within the app, or
Submit a request via the data deletion form at the link provided in your app store listing

What happens

Your request is logged with a 30-day processing window (as required by Google Play)
After 30 days, your user record, FCM tokens, notification preferences, OTP records, and refresh tokens are permanently deleted
Billing history records associated with your flat may be retained for apartment administrative purposes

9

Data Security

All data is transmitted over HTTPS (TLS)
OTPs are stored as one-way hashes (SHA-256) — we cannot recover the original code
JWT tokens are stored in device secure storage (Android Keystore / iOS Keychain) and signed server-side
Biometric authentication (if enabled) uses Android BiometricPrompt / iOS LocalAuthentication — biometric data never leaves your device OS; the app only receives a pass/fail result
Database access is restricted to the application server only
File storage is access-controlled and not publicly listable

10

Children's Privacy

FlatFund is designed for use by apartment residents and administrators. We do not knowingly collect data from children under 13. If you believe a child has submitted personal information, contact us at team.nulltheory@gmail.com.

11

Your Rights

You have the right to:

Access the personal data we hold about you
Correct inaccurate information (via profile settings or by contacting us)
Delete your account and personal data (see Section 8)
Object to processing — contact us and we will review your request

To exercise any of these rights, email us at team.nulltheory@gmail.com

12

Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via in-app notification or email. Continued use of the app after changes constitutes acceptance.