Privacy Policy

Your Privacy is Our Priority

Last updated:

Effective Date: January 1, 2025

Our Privacy Commitment

At Flip A Coin Free, we are committed to protecting your privacy and ensuring transparency about our data practices. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your personal data.

We believe in privacy by design. Unlike many online services, we've built our platform to minimize data collection from the ground up. Our core principle is simple: we don't track or store your individual coin flip results.

Key Privacy Highlights:

  • ✓ Individual coin flips are NEVER tracked or stored on our servers
  • ✓ No registration or personal information required to use the service
  • ✓ Minimal cookies - only for essential functionality and anonymous analytics
  • ✓ Full GDPR, CCPA, and international privacy law compliance
  • ✓ Open source randomness algorithms - verifiable fairness

Information We Collect

We believe in radical transparency. Here's exactly what we collect, what we don't collect, and why:

1. Individual Coin Flip Results (NOT COLLECTED)

Privacy Guarantee: We Do NOT Track Your Flips

Your individual coin flip results are processed entirely in your browser using client-side JavaScript. They are NEVER transmitted to our servers, logged, or stored in any database. This is a fundamental design principle we will never compromise.

Your flip history (visible in the statistics panel) is stored exclusively in your browser's localStorage. This data never leaves your device. You can clear it at any time by clicking "Clear History" or clearing your browser data.

2. Aggregate Statistics (Anonymous)

We collect only anonymous, aggregate data that cannot identify individual users:

  • Global flip counter: Total number of flips performed across all users (displayed on homepage)
  • Page views: Number of visits to different pages (for site optimization)
  • Session duration: Average time spent on site (to improve user experience)
  • Device category: Desktop vs mobile usage (for responsive design)
  • Browser type: Browser compatibility data (for bug fixes and optimization)
  • Geographic region: Country-level data only (for localization planning)

This data is fully anonymized and aggregated. We use privacy-focused analytics that do not create user profiles or track individuals across sessions.

3. API Usage Data (For Developers)

If you use our API (optional, for developers), we collect:

  • API key: Unique identifier for authentication and rate limiting
  • Request count: Number of API calls made (for usage monitoring)
  • Request timestamps: Date and time of API calls (for abuse prevention)
  • IP address: Temporarily logged for security and DDoS protection (deleted after 30 days)
  • HTTP headers: User-agent and referer for debugging (not stored long-term)

Important: API flip results are returned to you via the API response but are NOT stored on our servers. We only track that an API call was made, not the outcome of the flip.

4. Embed Widget Analytics

When you embed our coin flip widget on your website, we collect:

  • Embedding domain: The website URL where the widget is embedded
  • Widget usage count: Number of flips performed through the embedded widget
  • Installation date: When the widget was first embedded
  • Widget version: Which version of the embed code is being used

This data helps us improve the widget and provide better support to website owners. Individual flip results from embedded widgets are NOT tracked.

5. Contact Form Submissions (Voluntary)

If you contact us through our contact form, we collect only the information you voluntarily provide:

  • Email address (to respond to your inquiry)
  • Name (optional)
  • Message content

This information is used solely to respond to your inquiry and is deleted after the conversation is concluded (typically 90 days).

6. Information We Do NOT Collect

To be absolutely clear, we do NOT collect:

  • ❌ Individual coin flip outcomes or patterns
  • ❌ Names, addresses, or demographic information
  • ❌ Email addresses (unless you contact us voluntarily)
  • ❌ Payment or financial information (our service is 100% free)
  • ❌ Social media profiles or login credentials
  • ❌ Precise geolocation data (only country-level for analytics)
  • ❌ Biometric data
  • ❌ Health or medical information
  • ❌ Political or religious beliefs
  • ❌ Data from children knowingly (we don't collect personal data from anyone)

How We Use Your Data

We use the limited data we collect only for the following purposes:

Service Operation & Improvement

  • Display global statistics: Show total flips on the homepage to demonstrate our platform's popularity
  • Optimize performance: Identify slow pages and improve loading times
  • Fix bugs: Use browser and device data to troubleshoot issues
  • Improve UX: Understand how users navigate the site to enhance usability

Security & Fraud Prevention

  • Rate limiting: Prevent API abuse and DDoS attacks
  • Security monitoring: Detect and block malicious traffic
  • Spam prevention: Block automated bots and scrapers

Communication

  • Respond to inquiries: Answer questions submitted through our contact form
  • Service updates: Notify API users of breaking changes (only if you opt in)

Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to legal requests and prevent illegal activity
  • Enforce our Terms of Service

What We Do NOT Do With Your Data

  • ❌ We do NOT sell your data to third parties (we don't collect data to sell)
  • ❌ We do NOT share data with advertisers
  • ❌ We do NOT use data for targeted advertising
  • ❌ We do NOT create user profiles or track you across websites
  • ❌ We do NOT use data for AI training or machine learning

Cookies and Tracking Technologies

We use minimal cookies and respect your privacy preferences. Here's exactly what cookies we use and why:

Essential Cookies (Required)

These cookies are necessary for the website to function properly:

Cookie Name | Purpose | Duration
theme_preference | Stores your dark/light mode choice | 1 year
coin_flip_history | Stores your local flip history (localStorage) | Permanent (until cleared)
sound_enabled | Remembers sound on/off preference | 1 year

Analytics Cookies (Optional)

We use privacy-focused analytics to understand site usage. You can opt out at any time:

Cookie Name | Purpose | Duration
_ga | Anonymous analytics (page views, sessions) | 2 years
analytics_consent | Stores your cookie consent choice | 1 year

Opt Out: You can disable analytics cookies by clicking "Cookie Settings" in the footer or using your browser's privacy settings.

Cookies We Do NOT Use

  • ❌ Advertising cookies
  • ❌ Social media tracking pixels
  • ❌ Third-party behavioral tracking cookies
  • ❌ Cross-site tracking cookies

Managing Cookies

You can control cookies through:

  • Our cookie consent banner (appears on first visit) - click "Cookie Settings" to customize
  • Your browser settings - most browsers allow you to block or delete cookies
  • Browser extensions - privacy tools like Privacy Badger or uBlock Origin can block tracking
  • Do Not Track (DNT) - we honor DNT browser signals and disable analytics if DNT is enabled

Third-Party Services

We use a minimal number of third-party services to operate our platform. Here's what they are and how they handle data:

1. Vercel (Hosting Provider)

Our website is hosted on Vercel's infrastructure. Vercel may collect standard server logs:

  • IP addresses (for security and performance monitoring)
  • Request URLs and timestamps
  • HTTP status codes

Vercel's Privacy Policy: vercel.com/legal/privacy-policy

2. Random.org (Optional Enhanced Randomness)

If you explicitly enable Random.org integration for atmospheric noise-based randomness, flip requests are sent to Random.org's API:

  • Only the number of random bits needed is requested
  • Your IP address may be logged by Random.org
  • No flip results or personal data are sent

This feature is OFF by default. You must manually enable it in settings.

Random.org Privacy Policy: random.org/privacy

3. Upstash Redis (API Rate Limiting)

We use Upstash to store API rate limit counters. Only the following data is stored:

  • API key (hashed)
  • Request count per time window
  • Last request timestamp

This data is automatically deleted after 24 hours.

Upstash Privacy Policy: upstash.com/privacy

4. Supabase (Database - Aggregate Data Only)

We use Supabase to store:

  • Global flip counter (total flips across all users)
  • Embed widget usage statistics (domain and count only)
  • API keys and usage metadata (no flip results)

No personally identifiable information or individual flip results are stored in the database.

Supabase Privacy Policy: supabase.com/privacy

Data Sharing With Third Parties

We do NOT sell, rent, or share your data with third parties for marketing purposes. We only share data with service providers as necessary to operate the platform, and only under strict data processing agreements.

Data Storage and Retention

Local Storage (Your Device)

Your flip history is stored exclusively in your browser's localStorage:

  • Location: Your device only (never transmitted to our servers)
  • Retention: Permanent until you clear it
  • Control: You can delete it anytime by clicking "Clear History" or clearing browser data

Server Storage (Aggregate Data)

Data stored on our servers is retained as follows:

Data Type | Retention Period | Reason
Global flip counter | Permanent (aggregate only) | Public statistics display
Analytics data | 26 months (Google Analytics default) | Site optimization trends
API usage logs | 90 days | Debugging and security monitoring
IP addresses (API security) | 30 days | Abuse prevention
Contact form submissions | 90 days after resolution | Support continuity
Embed widget stats | Until widget removed | Usage analytics for website owners

Data Backup

Our database is backed up daily for disaster recovery. Backups are retained for 30 days and then permanently deleted. Backups contain only the aggregate data mentioned above—no individual flip results.

Data Deletion

You can request deletion of any data we hold about you:

  • Local flip history: Click "Clear History" or clear browser storage
  • API data: Contact us to delete your API key and usage data
  • Contact form data: Request deletion via email (processed within 7 days)

Your Privacy Rights

You have comprehensive rights regarding your data. We respect these rights regardless of your location:

Right to Access

You can request a copy of any data we hold about you. Since we collect minimal data, this is typically:

  • API usage statistics (if you use the API)
  • Contact form submissions (if you've contacted us)

To request access, email privacy@flipacoinfree.com with the subject "Data Access Request."

Right to Deletion (Right to be Forgotten)

You can request deletion of your data at any time:

  • We will delete your data within 30 days of your request
  • Some data may be retained if required by law (e.g., for legal compliance)
  • Aggregate statistics cannot be deleted (they don't identify individuals)

Right to Rectification

If we hold incorrect information about you, you can request correction. Contact us at privacy@flipacoinfree.com.

Right to Data Portability

You can export your data in machine-readable formats:

  • Flip history: Export as CSV directly from the tool
  • API usage data: Request JSON export via email

Right to Object

You can object to:

  • Analytics tracking - Opt out via cookie settings or browser Do Not Track signal
  • Marketing communications - We don't send marketing emails by default

Right to Restrict Processing

You can request that we limit how we process your data while disputes are resolved.

Right to Withdraw Consent

Where we rely on consent (e.g., analytics cookies), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority if you believe we've violated your privacy rights.

How to Exercise Your Rights

To exercise any of these rights:

  1. Email privacy@flipacoinfree.com with your request
  2. Provide sufficient information to identify your data (e.g., API key, email used)
  3. We will respond within 30 days (or 45 days for complex requests)
  4. There is no charge for exercising your rights

GDPR Compliance (European Users)

We are fully compliant with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), UK, and Switzerland.

Legal Basis for Processing

We process data under the following legal bases:

  • Legitimate Interest: Operating and improving our service, security monitoring, fraud prevention
  • Consent: Analytics cookies, optional newsletter (if implemented)
  • Contractual Necessity: API service provision (for API users)
  • Legal Obligation: Compliance with laws, responding to legal requests

Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at dpo@flipacoinfree.com.

Data Transfers

Your data may be processed in the United States (where our servers are located). We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) with service providers
  • Encryption in transit and at rest
  • Regular security audits

GDPR Rights Summary

As an EU/EEA user, you have the right to:

  • ✓ Access your personal data
  • ✓ Rectify inaccurate data
  • ✓ Erase your data ("right to be forgotten")
  • ✓ Restrict processing
  • ✓ Data portability
  • ✓ Object to processing
  • ✓ Withdraw consent
  • ✓ Lodge a complaint with your supervisory authority

EU Representative

If required, we will appoint an EU representative as our GDPR point of contact in the EU.

CCPA Compliance (California Users)

We comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents.

California Privacy Rights

If you are a California resident, you have the right to:

  • Know: What personal information we collect, use, disclose, and sell
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Non-Discrimination: Equal service regardless of privacy choices
  • Correct: Request correction of inaccurate information
  • Limit: Limit use of sensitive personal information (we don't collect sensitive data)

Categories of Personal Information Collected

In the past 12 months, we have collected:

  • Identifiers: API keys (developer-generated), IP addresses (temporary)
  • Internet Activity: Page views, session data, browser information
  • Geolocation: Country-level only (not precise location)

Do Not Sell My Personal Information

We do NOT sell personal information to third parties. We never have and never will.

Shine the Light Law

California's "Shine the Light" law allows California residents to request information about disclosure of personal information to third parties for direct marketing. Since we don't share data for marketing, this doesn't apply, but you can still request confirmation at privacy@flipacoinfree.com.

Exercising CCPA Rights

To exercise your California privacy rights:

  1. Email privacy@flipacoinfree.com with subject "CCPA Request"
  2. We will verify your identity to prevent fraud
  3. We will respond within 45 days (or notify you of extension)
  4. You can designate an authorized agent to make requests on your behalf

Children's Privacy (COPPA Compliance)

Flip A Coin Free is safe for all ages, including children under 13.

COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA). Our service is designed to be safe for children:

  • ✓ We do NOT knowingly collect personal information from children under 13 (or 16 in EU)
  • ✓ No registration or account creation required
  • ✓ No email collection from users of any age
  • ✓ No behavioral advertising or tracking
  • ✓ No social media integrations that could leak data
  • ✓ No chat features or user-generated content

Educational Use

Many teachers use Flip A Coin Free in classrooms. Our platform is designed to be FERPA-compliant for educational settings:

  • No student data is collected
  • Classroom Pack feature works entirely client-side
  • Teachers can use the tool without student accounts or logins

Parental Rights

Parents have the right to:

  • Review any information collected about their child (none in our case)
  • Request deletion of any such information
  • Refuse further collection or use of their child's information

If you believe we have inadvertently collected information from a child, contact us immediately at privacy@flipacoinfree.com.

Security Measures

We implement industry-standard security practices to protect the limited data we collect:

Technical Security

  • HTTPS Encryption: All connections use TLS 1.3 encryption
  • API Security: Rate limiting, authentication, and request validation
  • Secure Headers: Content Security Policy (CSP), HSTS, X-Frame-Options
  • Database Security: Row-level security, encrypted connections
  • Input Validation: All user inputs are sanitized and validated
  • DDoS Protection: Cloudflare protection against attacks

Operational Security

  • Access Control: Principle of least privilege for team members
  • Security Audits: Regular code reviews and vulnerability scans
  • Incident Response: Documented procedures for security breaches
  • Dependency Updates: Automated security patches for libraries

Data Security

  • Encryption at Rest: Database encryption for stored data
  • Encryption in Transit: All data transfers use HTTPS
  • Minimal Storage: We don't store data we don't need
  • Secure Deletion: Data is securely wiped when deleted

Security Breach Notification

In the unlikely event of a data breach affecting personal information, we will:

  • Notify affected users within 72 hours
  • Report to relevant authorities as required by law
  • Provide details about what data was affected
  • Offer guidance on protective measures

Limitations

While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our protections.

International Data Transfers

Flip A Coin Free is operated from the United States. If you access our service from outside the U.S., your data may be transferred to, stored, and processed in the United States.

Adequacy and Safeguards

For data transfers from the EU/EEA and UK, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contracts with service providers
  • Privacy Shield (where applicable): Although the framework has been invalidated, we maintain equivalent protections
  • Data Minimization: We transfer only the minimum data necessary
  • Encryption: All international transfers use encryption

Your Rights Remain Protected

Regardless of where data is processed, you retain all privacy rights described in this policy, including GDPR rights for EU users and CCPA rights for California residents.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

How We Notify You

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Display a prominent notice on our homepage for 30 days
  • Email API users if changes affect API data handling (if you've provided an email)
  • Maintain a change log at the bottom of this page (coming soon)

Your Acceptance

Continued use of Flip A Coin Free after policy changes constitutes acceptance of the updated policy. If you disagree with changes, you may discontinue use of the service.

Material Changes

For significant changes (e.g., new data collection practices, third-party sharing), we may require explicit consent before the changes take effect.

Version History

Previous versions of this policy are available upon request.

Contact Information

We're here to answer your privacy questions and address any concerns. You can reach us through:

Privacy-Specific Inquiries

Email: privacy@flipacoinfree.com

Data Protection Officer: dpo@flipacoinfree.com

Response Time: Within 30 days (48 hours for urgent security issues)

General Contact

Postal Address

Flip A Coin Free
Privacy Department
[Your Street Address]
[City, State, ZIP]
United States

European Users

For GDPR inquiries, you can also contact your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

California Users

For CCPA inquiries, you can also contact the California Attorney General's Office at oag.ca.gov/contact.

Privacy Policy Summary

TL;DR - Here's what you need to know:

  • ✅ We DON'T track or store your individual coin flips
  • ✅ We DON'T collect personal information unless you contact us
  • ✅ We DON'T sell your data to anyone
  • ✅ We DON'T use advertising cookies or behavioral tracking
  • ✅ We ARE fully GDPR, CCPA, and COPPA compliant
  • ✅ You CAN request your data, delete it, or opt out of analytics
  • ✅ Our service IS safe for children and educational use
  • ✅ Your flip history STAYS on your device (not our servers)

Questions? Email privacy@flipacoinfree.com