Privacy Policy

Effective date: February 24, 2026
Fivly — operated by LimitWaste Sp. z o.o. · fivly.app · See also: Terms of Service

      This Privacy Policy explains how LimitWaste Sp. z o.o. ("we," "us," "our") collects, uses, stores, and protects your information when you use the Fivly mobile application. We are committed to protecting your privacy and being transparent about our data practices.
    

1. Data Controller

The data controller responsible for your personal data is:

LimitWaste Sp. z o.o.
ul. Wspólna 19, 25-003 Kielce, Poland
NIP: 5272905462 · REGON: 384349430 · KRS: 0000803658
Email: hello@fivly.app
Website: fivly.app

As a Poland-based company operating within the European Union, we process personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Polish data protection laws.

2. Information We Collect

2.1 Account Data

When you use the App, we automatically create an anonymous account and collect the following:

User ID (UUID): A unique, randomly generated identifier for your account
Subscription tier: Your current plan (free or premium)
Preferred language: Your selected language (English or Polish)
Notification time preferences: Your preferred time for daily brief notifications
Timezone: Automatically detected from your device
Onboarding status: Whether you have completed the onboarding flow

2.2 Authentication Data

If you choose to link your account, we receive limited data from the authentication provider:

Sign in with Apple: Apple-provided unique identifier, and optionally your name and email (you can choose to hide your email)
Sign in with Google: Google account identifier, name, and email address
Sign in with Email: Your email address

Account linking is entirely optional. The App is fully usable with an anonymous account.

2.3 User Interests

We store your selected news categories (such as world, business, technology, AI, and markets) to personalize your content experience.

2.4 Usage and Reading History

To provide features like streaks and personalized recommendations, we collect:

Brief completion records (which briefs you completed)
Number of stories read per brief
Whether you used audio playback
Reading time in seconds
Completion timestamps
Streak data (consecutive days of usage)

2.5 Subscription Data

For users with premium subscriptions, we receive from RevenueCat:

Product identifier of the purchased plan
Subscription expiration date

We do not receive or store your payment card details, billing address, or other financial information. All payment processing is handled by the Apple App Store or Google Play Store.

2.6 Push Notification Data

Device tokens: Firebase Cloud Messaging (FCM) tokens for delivering push notifications
Platform: Whether you use iOS or Android
Enabled status: Whether notifications are enabled
Notification log: Records of notifications sent to your device

2.7 Analytics Data

We use Amplitude for analytics. The following user properties are tracked:

Whether your account is anonymous
Account creation date
Subscription tier

Events tracked include interactions with app lifecycle, onboarding, brief reading, audio playback, paywall, archive, settings, and navigation. Events include contextual properties (e.g., story count, brief date, category selected) but do not include content of stories you read.

2.8 Local Storage

The App stores limited data locally on your device:

Language preferences (using shared preferences)
Home screen widget data (using App Groups on iOS)

This data remains on your device and is not transmitted to our servers unless noted otherwise.

3. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Legal Basis (GDPR)
Provide and operate the Service (deliver briefs, audio, personalization)	Performance of contract (Art. 6(1)(b))
Manage your account and authentication	Performance of contract (Art. 6(1)(b))
Process and manage subscriptions	Performance of contract (Art. 6(1)(b))
Send push notifications for daily briefs	Consent (Art. 6(1)(a))
Analyze usage to improve the Service	Legitimate interest (Art. 6(1)(f))
Track reading history and streaks	Performance of contract (Art. 6(1)(b))
Ensure security and prevent abuse	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Legal obligation (Art. 6(1)(c))

4. Third-Party Services

We use the following third-party services to operate the App. Each processes data as described below:

Service	Purpose	Data Shared
Supabase	Backend infrastructure, database, authentication, and file storage	All user data described in Section 2
RevenueCat	Subscription management and entitlement tracking	User UUID, purchase data from App Store / Google Play
Amplitude	User behavior analytics	User UUID, event data with properties (see Section 2.7)
Firebase / FCM	Push notification delivery	Device token, notification content
Google Fonts	Font loading for the App	Standard HTTP request data (IP address, user agent)

4.1 Backend-Only Services (No User Data Shared)

The following services are used exclusively on our backend for content generation. No user data is transmitted to these services:

Perplexity AI — News search and research
Anthropic Claude — Story summarization
Deepgram — Text-to-speech audio generation

5. Data Storage and Security

5.1 Where We Store Your Data

Your data is primarily stored and processed using Supabase infrastructure. Data may be transferred to and processed in countries outside the European Economic Area (EEA) where our third-party service providers operate. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

5.2 Security Measures

We implement industry-standard security measures to protect your data:

Row Level Security (RLS): Enforced on all user data tables, ensuring users can only access and modify their own data
Access controls: Backend-only tables are inaccessible to client applications
Encryption: Data is encrypted in transit using TLS/SSL
Authentication: Secure authentication through Supabase Auth with support for industry-standard providers (Apple, Google)

While we take reasonable precautions to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

Account data: Retained for the lifetime of your account
Reading history: Retained for the lifetime of your account to support features like streaks and archive access
Analytics data: Retained according to Amplitude's data retention policies
Push notification tokens: Retained while notifications are enabled; deleted when disabled or when the token becomes invalid
Notification logs: Retained for operational purposes for up to 90 days

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes).

7. Your Rights (GDPR)

As a user, particularly if you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

Right of access: You can request a copy of the personal data we hold about you.
Right to rectification: You can request correction of inaccurate or incomplete data.
Right to erasure: You can request deletion of your personal data ("right to be forgotten").
Right to restriction: You can request that we limit the processing of your data.
Right to data portability: You can request your data in a structured, commonly used, and machine-readable format.
Right to object: You can object to processing based on legitimate interests, including analytics.
Right to withdraw consent: Where processing is based on consent (e.g., push notifications), you can withdraw consent at any time.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).

To exercise any of these rights, please contact us at hello@fivly.app. We will respond to your request within 30 days.

8. Children's Privacy

The App is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at hello@fivly.app and we will take steps to delete such data promptly.

9. Cookies and Tracking Technologies

The Fivly mobile app does not use browser cookies. However, we use the following technologies:

Amplitude SDK: Uses device identifiers for analytics tracking
Firebase/FCM: Uses device tokens for push notification delivery
Local storage: The App uses shared preferences and App Groups to store settings locally on your device

If you access our website at fivly.app, standard web technologies including Google Fonts may process basic HTTP request data such as your IP address.

10. AI-Generated Content

Fivly uses artificial intelligence to generate news summaries and audio narrations. This processing occurs entirely on our backend servers:

News sources are searched and retrieved using Perplexity AI
Summaries are generated using Anthropic Claude
Audio narrations are synthesized using Deepgram

No user personal data is sent to these AI services. Only news content is processed. The resulting AI-generated content is stored on our servers and delivered to you through the App.

11. International Data Transfers

Some of our third-party service providers are located outside the EEA, including in the United States. When your data is transferred outside the EEA, we ensure compliance with GDPR through appropriate safeguards such as:

Standard Contractual Clauses (SCCs) approved by the European Commission
The EU-U.S. Data Privacy Framework, where applicable
Other legally recognized transfer mechanisms

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Posting the updated policy within the App
Updating the "Effective date" at the top of this policy
Sending a notification through the App for significant changes

We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes take effect constitutes acceptance of the updated policy.

13. California Privacy Rights (CCPA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including:

The right to know what personal information we collect, use, and disclose
The right to request deletion of your personal information
The right to opt-out of the sale of your personal information
The right to non-discrimination for exercising your privacy rights

We do not sell your personal information. To exercise your California privacy rights, please contact us at hello@fivly.app.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@fivly.app
Website: fivly.app

For GDPR-related inquiries, we aim to respond within 30 days of receiving your request.