Privacy Policy – Annex 2: US States Privacy Notice
Scope
This notice supplements our Privacy Policy and provides the disclosures required by United States state privacy laws – primarily the California Consumer Privacy Act (CCPA), as amended by the CPRA, and the comparable laws of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, and Minnesota.
It applies to residents of those states. Other state laws may apply when they come into force; we may update this notice when they do.
For US residents, the controllers of your personal information are Flipper Devices, Inc. (Delaware) and Flipper FZCO (UAE), each for the activities described in our Controllers Page (Annex 1).
Categories of personal information we collect
In the 12 months before the date of this notice, we have collected the following CCPA categories. “Yes” means we have collected it; “ – ” means we have not.
| CCPA category (Cal. Civ. Code §1798.140(v)) | Collected? | Examples |
| A. Identifiers | Yes | name, email, postal address, phone, IP address, account identifier, device identifier |
| B. Cal. Civ. Code §1798.80(e) records | Yes | name, address, phone, payment-card token (no full card number stored) |
| C. Protected classifications | – | not collected (age confirmation only) |
| D. Commercial information | Yes | products purchased, order history, returns |
| E. Biometric information | – | not collected |
| F. Internet or network activity | Yes | browsing on our website, interaction with ads, app usage |
| G. Geolocation | Yes – approximate only | derived from IP; we do not collect precise GPS |
| H. Audio, electronic, visual, thermal, olfactory, similar | Limited | content of your messages to us when you contact support; images and media you choose to upload through the BUSY app for display on your device; activity indicators from your computer’s microphone and camera used by the BUSY desktop app to set your status (no audio or video content is captured or transmitted); no microphone, camera, or sensor recordings from the BUSY Bar device |
| I. Professional / employment | Limited | only if you apply for a job with us |
| J. Education | – | not collected |
| K. Inferences | Limited | aggregated usage patterns to operate and improve the service |
| L. Sensitive personal information | Yes – limited (see below) | account log-in credentials |
Sensitive personal information
We collect the following sensitive personal information under CCPA §1798.140(ae): account log-in credentials (email + password, or the equivalent identifier for social sign-in or passkey).
We use this information only to authenticate you and to secure your account – purposes permitted by §1798.121(a) and §7027(m) of the CCPA regulations without your further consent. If we ever use it for other purposes, we will offer you the right to limit such use.
We do not currently collect precise geolocation, government identifiers, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, or health information.
Sources, purposes, recipients
Sources – directly from you; automatically from your device or browser when you use our service; from third parties acting on your direction (social sign-in providers, calendar integrations); from service providers acting on our behalf (payment processor, fulfilment, fraud-prevention).
Business and commercial purposes (CCPA §1798.140(e)) – operating the service; processing your orders, payments, and warranty; security, fraud, and abuse prevention; analytics and product improvement; communications you request; marketing to which you have consented; complying with law.
Categories of recipients – our service providers; advertising and analytics partners (with your consent); third parties at your direction; recipients required by law; counterparties in a corporate transaction; other Flipper group entities (see Privacy Policy, Section 5).
Sale and sharing of personal information
Sale (for money): No. We do not sell personal information for monetary consideration.
Sharing for cross-context behavioural advertising: Yes. When you consent, we use advertising technologies on our website that send identifiers and browsing events to advertising platforms so that we can show you more relevant ads. Under California law these activities qualify as “sharing” of personal information, even though we receive no money for them.
| Category shared | Recipients | Purpose |
| Identifiers (online identifiers, cookie IDs) and Internet activity (browsing, ad interaction) | Advertising and measurement partners listed in our Cookie Policy | Cross-context behavioural advertising and ad measurement |
We do not knowingly sell or share personal information of consumers under 16.
You can opt out of this sharing at any time:
- through the “Do Not Sell or Share My Personal Information” link in our website footer and on this page;
- by enabling the Global Privacy Control (GPC) signal in your browser – we treat a GPC signal as a valid opt-out request;
- through our consent banner, by refusing or withdrawing consent for advertising cookies.
How long we keep your information
We keep personal information for the periods set out in Section 7 of our Privacy Policy, or, where no fixed period applies, for as long as we need it for the purposes set out above and then we delete or de-identify it.
Your rights
If you are a resident of a covered US state, you have the right to:
- Know what personal information we have collected about you, the sources, the purposes, and the categories of recipients;
- Access a copy of the personal information we have collected. Where technically feasible, we will provide specific pieces of personal information in a portable, readily usable format;
- Correct inaccurate personal information;
- Delete personal information we hold about you, subject to exceptions allowed by law (including to complete transactions, detect security incidents, comply with legal obligations, and establish, exercise or defend legal claims);
- Opt out of sale or sharing of your personal information and of targeted/cross-context behavioural advertising;
- Limit use of sensitive personal information beyond purposes permitted by law;
- Non-discrimination – we will not deny our service, charge a different price, or provide a different level of quality because you exercised a right.
Colorado, Connecticut, Virginia, Delaware, Indiana, Iowa, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Tennessee, and Texas additionally give you the right to appeal an unfavourable response from us. Oregon, Delaware, and Minnesota give you the right to know the specific third parties to whom we have disclosed personal information; Texas gives you the right to know the categories of such third parties.
How to exercise your rights
- Email: privacy@flipper.net
Because our business operates exclusively online, we provide an email address in lieu of a toll-free number – our service is online-only, and California regulations (Cal. Code Regs. tit. 11 §7020(d)) allow online-only businesses to provide an email address instead.
Verification. Before we act on a request to know, access, correct, or delete, we verify your identity in a manner proportionate to the sensitivity of the data – typically by matching information you provide against records associated with your account. We do not ask for more information than we need.
Authorized Agent. You can use an authorized agent to submit a request on your behalf. The agent must provide either (i) written, signed permission from you or (ii) a valid Power of Attorney under California Probate Code §§4000–4465. We may also ask you to verify your identity directly with us or to confirm the agent’s authority. We may deny requests from agents that do not meet these requirements.
Response time. For California requests, we acknowledge within 10 business days. We respond to verifiable requests within 45 days (extendable by another 45 days where reasonably necessary, with notice to you). We may decline requests that are manifestly unfounded, excessive, or where an exemption applies, and we explain why.
Appeals. If your state grants you a right to appeal a denial, you can do so by emailing privacy@flipper.net. We respond within the deadline set by your state’s law (typically 45–60 days; up to 90 days in Iowa).
“Shine the Light” (California Civil Code §1798.83)
California residents may request, once per year, a list of the categories of personal information disclosed to third parties for the third parties’ own direct marketing purposes in the preceding calendar year. We do not share personal information for third-party direct marketing purposes, so the list is empty.
Do Not Sell or Share My Personal Information
You can opt out of sharing for cross-context behavioural advertising:
- using this link: “Do Not Sell or Share My Personal Information”;
- by enabling Global Privacy Control in your browser – we treat a GPC signal as a valid opt-out request;
- through our consent banner.
State-specific additions
- California: Sensitive personal information disclosure and the right to limit are set out above.
- Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Utah: rights and procedures are as set out above. We rely on consent for processing that requires consent under your state’s law.
- Children under 16 – see Privacy Policy, Section 9. We do not sell or share personal information of consumers we know to be under 16 without the affirmative authorisation required by law.
Contact
- Email: privacy@flipper.net
- Mail: see entity addresses on our Controllers Page (Annex 1).