Last updated: April 18, 2026
VMFlow is a vending machine management platform developed by Nodestark. This policy describes what personal data the VMFlow Android app and web dashboard collect, why, and how it is handled.
| Data type | Purpose | Collected by |
|---|---|---|
| Email address | Account creation, login, password reset | Android app & web dashboard |
| Password | Authentication — transmitted securely, never stored in plain text | Android app & web dashboard |
| Authentication token | Maintains the user session after login | Android app (stored locally on device) |
| OpenAI API key (optional) | Used to generate AI insights for vending machines; stored per account | Web dashboard |
We do not collect location data, contacts, device identifiers, advertising IDs, browsing history, or any financial information.
All data is transmitted over HTTPS (encrypted in transit) to our backend,
which runs on Supabase (self-hosted at supabase.vmflow.xyz).
Supabase acts as a data processor under our control — your data is not shared with
Supabase's cloud services or any third party.
The authentication session token is stored locally on your Android device using
Android SharedPreferences. It is never transmitted to any party other than
our own Supabase backend for session validation.
We do not sell, rent, or share your personal data with third parties, advertisers, or analytics providers. Data is used exclusively to operate the VMFlow platform.
Account data is retained for as long as your account is active. You may request deletion at any time (see section 6). Upon deletion, your email, authentication records, and any stored API keys are permanently removed from our servers.
You have the right to request access to, correction of, or deletion of your personal data at any time. To submit a deletion request, contact:
Email: leonardobsi@gmail.com
Subject: VMFlow — Data Deletion Request
We will process your request within 30 days and confirm once completed.
All communication between the app and our servers uses TLS encryption. Passwords are hashed server-side by Supabase Auth and are never accessible in plain text by us.
VMFlow is intended for business operators and is not directed at children under the age of 13. We do not knowingly collect data from children.
VMFlow is open-source software. The full source code, including the Android app and backend, is publicly available for inspection at github.com/nodestark/mdb-esp32-cashless . You can verify exactly what data is collected and how it is handled by reviewing the code directly.
We may update this policy as the app evolves. The "Last updated" date at the top of this page will reflect any changes. Continued use of the app after changes constitutes acceptance.
For any questions about this privacy policy: leonardobsi@gmail.com