Last Updated: May 20, 2026
GammaFlip.io is operated by QUANTUMGARDEN - UNIPESSOAL LDA, a private limited company incorporated in Portugal (the "Company", "we", "us"). For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Portuguese Data Protection Law (Lei n.º 58/2019), the Company is the data controller for the personal data described in this Policy.
We have not appointed a Data Protection Officer because we are not required to do so under Art. 37 GDPR. The contact above is the single point of contact for all privacy-related enquiries.
This Policy applies to personal data we process about visitors to gammaflip.io and to registered users of the GammaFlip service. It does not cover third-party websites we link to, nor data processed by independent controllers such as our payment providers (see Section 8).
We deliberately collect as little personal data as possible. The full list:
| Category | Examples | Source |
|---|---|---|
| Account identifier | Email address; display name (optional) | You, at sign-up |
| Authentication metadata | Hashed session tokens, sign-in timestamps, account creation timestamp | Generated by us |
| Anti-fraud device hash | SHA-256 hash of a browser visitor identifier combined with a server-side secret (pepper). The original identifier is not stored. | Computed at sign-up / sign-in |
| Subscription state | Current tier (free / trial / premium), subscription status, period end date, identifiers issued by our payment provider | Synced from Paddle or, for legacy subscriptions, Lemon Squeezy |
| Technical logs | IP address, user-agent string, request paths, error traces | Automatically, when you use the service |
| Support correspondence | Emails you send us and our replies | You, when you contact support |
| Aggregated analytics | Page-view counts, country (city-level location is not captured), referrer, screen size. No cookies, no cross-site identifiers, no user-level profiles. | Plausible Community Edition, self-hosted on our infrastructure |
We do not collect: payment card data (handled directly by our payment provider — we never see it), government IDs, location more precise than country, biometric data, or special categories of personal data under Art. 9 GDPR.
Each processing purpose has a specific lawful basis under Art. 6 GDPR:
| Purpose | Lawful basis (Art. 6 GDPR) |
|---|---|
| Creating and operating your account; delivering the subscription service you signed up for; processing payments via our payment provider | Art. 6(1)(b) — performance of a contract with you |
| Preventing abuse of free trial offers via device-fingerprint hashing; securing the service against fraud and account takeover | Art. 6(1)(f) — our legitimate interest in operating a financially sustainable service and protecting paying customers from cost-shifted abuse. We have conducted a balancing test and concluded the impact on you is minimal (irreversible hash, 90-day retention, no profiling, no sharing). |
| Aggregated, cookieless website analytics | Art. 6(1)(f) — our legitimate interest in understanding traffic in aggregate. No individual user can be identified from these metrics. |
| Responding to support requests | Art. 6(1)(b) (if related to your contract) or Art. 6(1)(f) (general enquiries) |
| Complying with tax, accounting and other legal obligations | Art. 6(1)(c) — compliance with a legal obligation |
| Sending optional product update emails (if you opt in) | Art. 6(1)(a) — consent (you can withdraw at any time) |
To prevent users from claiming the free trial repeatedly through different email addresses, at sign-up and sign-in we compute a SHA-256 hash of:
We store only the resulting 64-character hash. The hash is irreversible: even with full access to our database, the original identifier cannot be recovered without the pepper. The hash is:
Our anti-fraud system may automatically block a sign-up attempt if the computed device hash matches an existing account that has previously consumed a free trial. This is a narrow automated decision used solely to prevent trial abuse.
You have the right to:
We share personal data only with the following categories of recipients, each under a written agreement that requires GDPR-equivalent protection:
| Recipient | Role | What they receive | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Sub-processor (hosting, database, logs) | All account and technical data | EU (Ireland, region eu-west-1) |
| Paddle.com Market Ltd | Independent controller as Merchant of Record; processes all new subscriptions | Your email, billing address, payment method (which we never see) | United Kingdom (with EU representative) |
| Lemon Squeezy LLC | Independent controller for a small number of legacy subscriptions created before our migration to Paddle. No new subscriptions are sent to Lemon Squeezy. These accounts will be transitioned to Paddle and the relationship will be terminated thereafter. | Your email, billing data (for legacy subscribers only) | United States (transfers covered by Standard Contractual Clauses) |
| Plausible Analytics | None — we run Plausible Community Edition on our own EU infrastructure. No data is sent to Plausible Insights OÜ. | — | Self-hosted (EU) |
We do not sell personal data, do not share it with advertising networks, and do not use it for cross-context behavioural advertising.
Your personal data is stored within the European Union (AWS Ireland). Where data is transferred outside the EEA — currently, only to Lemon Squeezy LLC (USA) for the legacy subscription cohort — the transfer is protected by the European Commission's Standard Contractual Clauses. We do not rely on adequacy decisions for transfers to the United States.
We use only strictly necessary cookies required to keep you signed in (session cookies) and to remember your interface preferences. Under Art. 5(3) of the ePrivacy Directive (transposed into Portuguese law by Lei n.º 41/2004), strictly necessary cookies do not require prior consent, which is why you do not see a cookie banner.
We do not use advertising cookies, third-party tracking pixels, cross-site identifiers, Google Analytics, or any other tracker that would require consent. Our analytics are provided by a self-hosted instance of Plausible Community Edition, which is cookieless by design and does not assign visitor identifiers.
If you are in the EU / EEA, the GDPR gives you the following rights regarding your personal data:
To exercise any of these rights, email support@gammaflip.io. We will respond within one month (extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR). There is no charge unless your request is manifestly unfounded or excessive.
If you believe we have processed your personal data unlawfully, you have the right to complain to a supervisory authority. The competent authority for us is:
You may also lodge a complaint with the supervisory authority of the EU country where you live or work.
We protect personal data using industry-standard measures: TLS encryption in transit; encryption at rest in our AWS database; access controls and least-privilege IAM roles; secret rotation; logging and monitoring of administrative actions. No system is 100% secure, but we work to reduce risk to a reasonable minimum and will notify affected users and the CNPD within 72 hours of any personal data breach that is likely to result in a risk to your rights and freedoms, as required by Art. 33–34 GDPR.
The GammaFlip service is not directed at children under 18 and we do not knowingly collect personal data from anyone under that age. If you become aware that a minor has provided us with personal data, please contact us and we will delete it.
We may update this Policy from time to time to reflect changes in our processing or legal requirements. When we make material changes, we will post the updated version on this page and notify registered users by email before the changes take effect. The "Last Updated" date at the top reflects the date of the most recent revision.
For any privacy-related question or to exercise your rights, contact us at support@gammaflip.io.