Privacy Policy

Effective date: May 14, 2026 · Last updated: May 14, 2026

This Privacy Policy explains how Xcelerate International, Inc. (“Xcelerate,” “we,” “us,” or “our”) collects, uses, shares, and protects information about you when you use the FFLOW PAY mobile application (the “App”), the website at fflowpay.com (the “Site”), and related services (collectively, the “Services”). It applies to all users of the Services.

By creating an account or using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Information We Collect

Information you provide to us

  • Account information — username, email address, first name, last name, and password when you register or sign in.
  • Profile information — optional profile fields you choose to add, such as profile picture or display preferences.
  • Transaction information — merchant selections, purchase amounts entered in the App, gift card purchases, FFLOW Pay balance activity, and conversion or withdrawal requests you initiate.
  • Payment information — when you make a card purchase through the App, payment card details are collected directly by our payment processor (Stripe, Inc.) and never stored on our servers. We receive only a token and transaction metadata (last four digits, card brand, amount, status).
  • Wallet addresses — if you initiate an external cryptocurrency withdrawal, the destination wallet address you provide.
  • Support communications — the contents of any message you send to us through support channels.

Information we collect automatically

  • Authentication tokens — after sign-in, we issue a session token that is stored encrypted on your device using the operating system’s secure storage (Keychain on iOS, Keystore on Android) so you stay signed in.
  • Device and diagnostic data — device model, operating system version, App version, language, time zone, and crash and performance logs. This is used to fix bugs and improve reliability.
  • Usage information — screens viewed, actions taken in the App, approximate timestamps, and outcomes of operations such as logins or purchases. We do not use third-party advertising or cross-app tracking SDKs.

Information we do not collect

  • We do not collect your precise geolocation.
  • We do not access your contacts, photos, microphone, or camera unless you explicitly grant permission for a specific feature.
  • We do not use third-party advertising identifiers or cross-app tracking. We do not display third-party advertisements.
  • We do not sell your personal information.

2. How We Use Your Information

We use the information we collect to:

  • create and maintain your account and authenticate your sessions;
  • process the transactions you initiate (purchases, conversions, withdrawals, gift card requests);
  • display your balances, transaction history, and the merchants and offers available to you;
  • provide customer support and respond to your inquiries;
  • detect, prevent, and respond to fraud, abuse, and security incidents;
  • comply with legal obligations including anti-money-laundering, tax, and consumer protection laws;
  • improve the Services through diagnostic and aggregated usage analysis; and
  • send transactional communications (e.g., password reset, receipts, service notices).

3. How We Share Your Information

We share your information only as described below. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

  • Service providers who process information on our behalf and under contract, including:
    • Stripe, Inc. — card payment processing.
    • Railway Corp. — cloud hosting of our backend API and website.
    • Expo, Inc. — mobile app build infrastructure, over-the-air update delivery, and crash reporting.
    • Apple Inc. and Google LLC — app store distribution and platform services (e.g., push notifications when enabled).
  • Merchants and gift card providers — when you complete a purchase, we transmit the minimum information necessary to fulfill that purchase (such as the order amount and a transaction reference). We do not share your email, password, or full transaction history with merchants.
  • Legal and safety — we may disclose information if we believe in good faith that disclosure is required by law, legal process, or governmental request, or is necessary to protect our rights, the rights of users, or public safety.
  • Business transfers — in the event of a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.
  • With your consent — for any other disclosure, with your explicit consent.

4. Data Retention

We retain your account information for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. Transaction records are retained for at least seven (7) years to meet financial recordkeeping requirements. Diagnostic and crash data are retained for up to ninety (90) days.

You may request deletion of your account at any time (see Section 7). Some information may be retained in backups for a limited period, or where required by law.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information. Network traffic between the App and our servers is encrypted in transit using TLS. Authentication tokens are stored encrypted on your device using OS-level secure storage. Passwords are hashed using industry-standard algorithms and are never stored in plain text.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@fflowpay.com.

6. International Data Transfers

Our servers are operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where we or our service providers operate. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.

7. Your Rights and Choices

Depending on where you live, you may have the following rights with respect to your personal information:

  • Access — request a copy of the information we hold about you.
  • Correction — request that we correct inaccurate or incomplete information.
  • Deletion — request that we delete your account and associated personal information, subject to legal retention requirements.
  • Portability — request an export of your information in a portable format.
  • Objection / Restriction — object to or restrict certain processing of your information.
  • Withdraw consent — withdraw consent at any time where we rely on consent to process your information.
  • Complaint — lodge a complaint with a supervisory authority.

To exercise any of these rights, email us at privacy@fflowpay.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling your request.

You can also delete your account directly from within the App at Profile → Settings → Delete Account, or by writing to us.

8. Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us information, please contact us at privacy@fflowpay.com.

9. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information, and the right to limit use of sensitive personal information.

We do not sell or share your personal information for cross-context behavioral advertising. To exercise your rights, email us at privacy@fflowpay.com. We will not discriminate against you for exercising these rights.

10. Your European Privacy Rights (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the rights listed in Section 7 apply to you. The legal bases on which we rely to process your information are: (a) performance of a contract with you (to provide the Services), (b) compliance with legal obligations(such as anti-money-laundering and financial record-keeping rules), (c) legitimate interests (such as detecting fraud, securing the Services, and improving the App), and (d) your consent where we ask for it (for example, before sending push notifications).

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised. If we make material changes, we will notify you through the App or by other reasonable means before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the revised policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your information, please contact:

Xcelerate International, Inc.
Privacy Office
Email: privacy@fflowpay.com
Website: https://fflowpay.com

© 2026 Xcelerate International, Inc. All rights reserved.