Privacy Policy
Effective date: July 16, 2026 · Version 1.1
1. Introduction and scope
This Privacy Policy describes how Florin ("Florin", "we", "us") collects, uses, stores, discloses, and protects information in connection with the Florin website, application, reports, monitoring features, and related services (collectively, the "Service"). It applies to account holders, visitors who view shared reports, and anyone who contacts us. By using the Service you acknowledge this Policy. If you do not agree with it, please do not use the Service.
The short version, in plain language: we read your ad reporting data with read-only permission to find revenue leaks; we store the conclusions (findings, reports, alerts, verification results) but not your raw revenue data; we never sell personal data; and you can revoke our access at any moment from your Google account.
2. Information we collect
2.1 Account information. When you sign in with Google we receive your name, email address, and profile picture from Google, which we use to create and identify your account and to communicate with you about the Service.
2.2 OAuth credentials. We store the OAuth access and refresh tokens issued by Google that allow the Service to read your AdMob reporting data on your behalf, including for daily monitoring where you have enabled it. Tokens are used exclusively to call Google APIs under the read-only scopes you granted: admob.readonly, and — only if you separately connect Google Analytics — analytics.readonly, used to read aggregated engagement metrics (active users, session duration, retention cohorts) so reports can weigh revenue against user experience. We cannot modify your ad or analytics configuration with these scopes. You can revoke access at any time via your Google account permissions; revocation immediately invalidates our credentials.
2.3 Reporting data (processed, not retained).When an audit or monitoring pass runs, aggregated reporting rows (for example, revenue, impressions, requests and rates by date, country, format, platform, app, ad unit, ad source, or app version) are retrieved from the applicable API, analyzed in memory, and then discarded. We retain only derived outputs: findings, evidence summaries (small aggregated excerpts such as "US · Rewarded eCPM $4.12"), impact estimates, narrative text, account vitals, alerts, and fix-verification deltas (together, "Derived Results").
2.4 Files you provide. If you supply report exports (for example, Google Ad Manager CSV files), we process them in the same manner: the file is parsed, Derived Results are stored, and the file itself remains where you placed it under your control.
2.5 Contact and support data. If you contact us through the Service or by email, we retain the correspondence, including your name, email address, and message content, to respond and to keep a record of support history.
2.6 Technical and usage data. We collect limited technical information necessary to operate and secure the Service, such as timestamps of audits and sign-ins, report identifiers, and error logs. We do not run third-party advertising or cross-site tracking on the Service.
3. How we use information
We use the information described above to:
- provide the Service: run audits, generate reports, operate daily monitoring, verify fixes;
- maintain and secure accounts, authenticate requests, and prevent abuse;
- respond to inquiries and provide support;
- improve detection quality — including, only with your explicit opt-in consent, contributing anonymized aggregates to benchmark statistics (Section 6);
- comply with legal obligations and enforce our Terms of Use.
We do not use your information for advertising, and we do not sell or rent personal data to anyone.
4. Google API Services — Limited Use disclosure
Florin's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:
- we only use Google user data to provide and improve the user-facing auditing and monitoring features you request;
- we do not transfer Google user data to third parties except as necessary to provide those features, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or asset sale with equivalent data protections;
- we do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising;
- we do not permit humans to read Google user data unless we have your affirmative agreement, it is necessary for security (such as investigating abuse), it is required to comply with applicable law, or the data has been aggregated and anonymized for internal operations.
5. Third-party service providers (subprocessors)
We rely on a small number of providers to operate the Service:
- Google LLC — identity (Sign in with Google), the AdMob API, and — where you connect it — the Google Analytics Data API, each as authorized by you;
- Anthropic PBC — the Claude API generates the narrative section of reports from already-computed, aggregated figures produced by our analysis engine; we do not send Google user identifiers to Anthropic;
- hosting and infrastructure providers engaged to run the Service, bound by confidentiality and data-protection obligations.
6. Benchmarks and aggregated statistics
The Service compares your metrics against industry benchmarks. We may build aggregated, anonymized benchmark statistics (for example, median rewarded eCPM for tier-1 countries) from audited accounts only where the account holder has given explicit opt-in consent. Aggregates are constructed so that they do not identify you, your apps, your ad units, or your revenue, and cannot reasonably be re-identified. You may withdraw consent at any time with effect for future aggregation.
7. Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we process personal data on the following bases: performance of a contract (providing the Service you request); consent (optional benchmark aggregation; marketing communications, if any); and legitimate interests (securing the Service, preventing abuse, and improving detection quality in ways that do not override your rights).
8. Data retention
Derived Results are retained for as long as your account is active so that report links keep working and monitoring baselines remain meaningful. OAuth tokens are retained until you revoke access, delete your account, or they are invalidated. Support correspondence is retained as long as reasonably necessary for support history. Upon verified deletion requests we delete or irreversibly anonymize personal data within 30 days, except where retention is required by law.
9. Security
We apply technical and organizational measures appropriate to the risk, including least-privilege access scopes (read-only by design), encrypted transport (TLS) for all API traffic, access controls on stored credentials, and separation between raw reporting data (processed transiently) and stored Derived Results. No method of storage or transmission is completely secure; we cannot guarantee absolute security, and we will notify affected users of a personal-data breach where required by law.
10. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, restrict, object to processing of, or delete your personal data, and the right to lodge a complaint with a supervisory authority. You can exercise these rights by contacting us (Section 13). Two self-service controls always apply: revoking Google access stops all data collection immediately, and requesting account deletion removes your stored Derived Results and credentials.
11. International transfers
We may process data in countries other than your own. Where required, transfers are protected by appropriate safeguards such as standard contractual clauses or equivalent mechanisms.
12. Children
The Service is a business tool intended for adults and is not directed to children under 16. We do not knowingly collect personal data from children; if you believe a child has provided us data, contact us and we will delete it.
13. Contact
Privacy questions, rights requests, and deletion requests: [email protected] or the contact form.
14. Changes to this Policy
We may update this Policy from time to time. The effective date above reflects the latest revision; material changes will be communicated to signed-in users before they take effect. Continued use of the Service after the effective date constitutes acknowledgment of the updated Policy.