Privacy Policy - Smoshy (GDPR Compliant)

Effective Date: January 1, 2025

Last Updated: January 1, 2025

Smoshy ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our mobile application and services (the "Service").

By using Smoshy, you agree to this Privacy Policy. If you don't agree, please don't use the Service.

1. Information We Collect

We collect the following types of information:

1.1 Information You Provide Directly

Account Information:

  • Email address
  • Username
  • Password (encrypted)
  • Date of birth (to verify you are 18+)
  • Profile photo (optional)
  • Bio information (optional)

User Content:

  • Videos you upload
  • Challenge information (title, description, category, start date)
  • Comments and likes
  • Messages to support

Payment Information:

  • Processed by Google Play or Apple App Store
  • We do NOT store credit card numbers or payment details
  • We only receive confirmation of payment status

1.2 Information Collected Automatically

Device Information:

  • Device type, model, and operating system
  • Unique device identifiers
  • IP address
  • Mobile network information
  • App version

Usage Information:

  • Videos you watch and interact with
  • Search queries
  • Features you use and how you use them
  • Time spent on the app
  • Crash reports and performance data

Location Information:

  • Approximate location based on IP address (city/country level)
  • We do NOT collect precise GPS location

Camera and Microphone:

  • We access your camera and microphone ONLY when you are recording videos
  • We do not access these outside of video recording
  • We do not record audio or video without your explicit action

1.3 Information from Third Parties

Analytics Providers:

  • Amplitude provides usage analytics
  • They may collect device and usage information

Service Providers:

  • Supabase (database, authentication)
  • Cloudflare (video storage and processing)
  • Bunny CDN (video delivery)
  • Firebase (push notifications)

These services have their own privacy policies. We recommend reviewing them.

2. How We Use Your Information

We use your information for the following purposes:

2.1 Provide and Improve the Service

Legal Basis: Necessary for contract performance

  • Create and manage your account
  • Process and store your videos
  • Enable you to follow other users and view their content
  • Display your videos to other users
  • Process subscriptions and payments
  • Provide customer support
  • Send service-related notifications (account updates, technical issues)

2.2 Personalization and Recommendations

Legal Basis: Legitimate interest

  • Recommend challenges and users you might be interested in
  • Customize your explore feed
  • Show you content relevant to your interests
  • Improve video quality based on your device

2.3 Analytics and Improvements

Legal Basis: Legitimate interest (you can opt out)

  • Analyze how users interact with the Service
  • Identify bugs, errors, and performance issues
  • Understand user preferences and behavior
  • Improve features and develop new features
  • Generate aggregated, anonymized statistics

2.4 Safety and Security

Legal Basis: Legitimate interest

  • Detect and prevent fraud, spam, and abuse
  • Enforce our Terms of Service
  • Moderate content for prohibited material
  • Verify user age (18+ requirement)
  • Protect against security threats

2.5 Legal Compliance

Legal Basis: Legal obligation

  • Comply with laws and regulations
  • Respond to legal requests (subpoenas, court orders)
  • Protect our rights and property
  • Investigate and prevent illegal activity

2.6 Marketing and Communications

Legal Basis: Consent (you can opt out anytime)

  • Send you newsletters and product updates (if you opt in)
  • Notify you about new features
  • Send promotional offers

You can unsubscribe from marketing emails using the link in each email or in your account settings.

2.7 Advertising (Free Tier)

Legal Basis: Legitimate interest

  • Display advertisements to free users
  • Measure ad performance
  • Provide aggregated analytics to advertisers (no personal identification)

Paid subscribers do not see advertisements.

2.8 Future AI Training (Potential)

Legal Basis: Consent (will require explicit opt-in)

Currently, we do NOT use your videos to train AI models. In the future, we may:

  • Use anonymized video data to improve content recommendations
  • Train AI for content moderation
  • Develop new features like automatic progress tracking

If we implement this, we will:

  • Notify you via email and in-app notification
  • Request explicit consent
  • Allow you to opt out
  • Use only videos from users who have opted in

3. How We Share Your Information

We share your information in the following circumstances:

3.1 Public Information

ALL videos and challenges on Smoshy are PUBLIC by default. This means:

  • Anyone (including non-users) can view your videos
  • Your username, profile photo, and bio are visible to all users
  • Your challenge progress and statistics are publicly visible
  • Your videos may appear in search results and explore feeds
  • Other users can comment on and like your videos

What is NOT public:

  • Your email address
  • Your date of birth
  • Your payment information
  • Your IP address and device information
  • Your private messages to support

3.2 Service Providers

We share information with trusted third-party service providers who help us operate the Service:

Supabase (Database & Authentication):

  • Account information, videos, user data
  • Located in: US/EU (depending on region)
  • GDPR-compliant with Data Processing Agreement

Cloudflare (Video Storage & Processing):

  • Videos you upload
  • Video metadata (duration, size, format)
  • Located in: Global CDN
  • GDPR-compliant with Data Processing Agreement

Bunny CDN (Video Delivery):

  • Videos for streaming to users
  • IP addresses for delivery optimization
  • Located in: Global CDN
  • GDPR-compliant with Data Processing Agreement

Firebase (Push Notifications):

  • Device tokens for notifications
  • Notification preferences
  • Located in: US
  • GDPR-compliant

Amplitude (Analytics):

  • Usage data, device information
  • Anonymized behavior analytics
  • Located in: US
  • GDPR-compliant with Data Processing Agreement

Google Play / Apple App Store (Payments):

  • Payment processing only
  • We do not receive your payment card details
  • Located in: US

All service providers are contractually obligated to protect your data and use it only for the services they provide to us.

3.3 Legal Requirements

We may disclose your information if required by law:

  • In response to subpoenas, court orders, or legal process
  • To comply with applicable laws and regulations
  • To protect our rights, property, or safety
  • To protect users' rights, property, or safety
  • To investigate fraud, security issues, or Terms violations

3.4 Business Transfers

If Smoshy is acquired, merged, or sold:

  • Your information may be transferred to the new owner
  • We will notify you via email 30 days before transfer
  • The new owner must continue to protect your data per this Privacy Policy
  • You may delete your account before the transfer if you prefer

3.5 With Your Consent

We may share information with third parties when you explicitly consent, such as:

  • Sharing your videos on other platforms (if we add this feature)
  • Partnering with brands for challenges (with your opt-in)

3.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you:

  • Statistics about app usage ("100,000 videos uploaded this month")
  • Analytics for business purposes
  • Research and trend analysis

4. Your Privacy Rights

You have the following rights regarding your personal information:

4.1 Access Your Data

Right to Access:

You can request a copy of all personal data we hold about you.

How to exercise:

  • Email privacy@smoshy.app with your username and data access request
  • We will provide your data in JSON format within 30 days

What you'll receive:

  • Account information
  • All videos you've uploaded
  • Comments and likes
  • Challenge data
  • Usage history

4.2 Correct Your Data

Right to Rectification:

You can correct inaccurate or incomplete information.

How to exercise:

  • Update your profile directly in Settings
  • For other corrections, email privacy@smoshy.app

4.3 Delete Your Data

Right to Deletion ("Right to be Forgotten"):

You can request deletion of your personal data.

How to exercise:

  • Email support@smoshy.app with your username and deletion request
  • Confirm deletion (this is permanent after 30 days)

What happens:

  • Account deactivated immediately
  • Videos removed from public view immediately
  • 30-day grace period to recover account
  • After 30 days, all data permanently deleted
  • Some data may be retained for legal compliance (90 days max)

Exceptions:

  • Data required by law may be retained longer
  • Anonymized data used in aggregated statistics may be retained

4.4 Download Your Data

Right to Data Portability:

You can download your data in a machine-readable format.

How to exercise:

  • Email privacy@smoshy.app with your username and data download request
  • Receive a JSON file with all your data within 30 days

4.5 Object to Processing

Right to Object:

You can object to certain types of data processing.

How to exercise:

  • For analytics: Email privacy@smoshy.app to opt out
  • For marketing emails: Click "Unsubscribe" in any email or email privacy@smoshy.app
  • Essential processing (account, videos) cannot be disabled without deleting your account

4.6 Restrict Processing

Right to Restriction:

You can request we limit how we use your data.

How to exercise:

4.7 Opt-Out of Marketing

Right to Opt-Out:

You can stop receiving marketing communications.

How to exercise:

Note: You will still receive essential service emails (password resets, payment confirmations, Terms updates). (password resets, payment confirmations, Terms updates).

4.8 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of sale of personal information (we do NOT sell personal information)
  • Non-Discrimination: We will not discriminate against you for exercising your rights

How to exercise CCPA rights:

Email privacy@smoshy.app or call [PHONE NUMBER]

4.9 EU/UK Privacy Rights (GDPR)

If you are in the EU or UK, you have additional rights:

  • Right to lodge a complaint with your local data protection authority
  • Right to appoint a representative for data requests
  • Right to withdraw consent at any time (for consent-based processing)

EU Data Protection Authorities:

https://edpb.europa.eu/about-edpb/board/members_en

5. Data Security

We take data security seriously and implement industry-standard measures:

5.1 Security Measures

Encryption:

  • Data in transit: HTTPS/TLS encryption for all communications
  • Data at rest: AES-256 encryption for stored videos and data
  • Passwords: Bcrypt hashing (never stored in plain text)

Access Controls:

  • Limited employee access to personal data
  • Two-factor authentication for internal systems
  • Regular security audits and penetration testing

Infrastructure Security:

  • Secure cloud hosting (Supabase, Cloudflare)
  • DDoS protection
  • Regular security updates and patches
  • Automated backup systems

5.2 Data Breach Notification

In the event of a data breach:

  • We will investigate and contain the breach immediately
  • We will notify affected users within 72 hours via email
  • We will notify relevant data protection authorities as required by law
  • We will provide information about what data was affected and steps to protect yourself

5.3 Your Responsibility

You are responsible for:

  • Keeping your password secure
  • Not sharing your account credentials
  • Using a strong, unique password
  • Logging out on shared devices
  • Notifying us immediately of unauthorized access

We are NOT responsible for:

  • Security breaches caused by your failure to protect your credentials
  • Content you voluntarily make public
  • Third-party website security (if you click external links)

6. Data Retention

We retain your data as follows:

Account Information:

  • Retained while your account is active
  • Deleted 30 days after account deletion (with grace period)

Videos:

  • Retained permanently until you delete them or your account
  • Deleted immediately from public view when you delete
  • Permanently deleted 30 days after account deletion

Comments and Likes:

  • Retained while your account is active
  • Deleted 30 days after account deletion

Usage Data:

  • Retained for 24 months for analytics
  • Then anonymized and aggregated (cannot identify you)

Payment Records:

  • Retained for 7 years for tax and accounting compliance (as required by law)
  • Only transaction records, not payment card details

Legal Holds:

  • Data subject to legal holds, investigations, or disputes may be retained longer

Backups:

  • Deleted data may persist in backups for up to 90 days
  • Backups are encrypted and not accessible for normal operations

7. International Data Transfers

Smoshy operates globally. Your data may be transferred to and processed in countries other than your own.

7.1 Where Your Data is Processed

Primary Locations:

  • United States (Supabase, Firebase, Amplitude)
  • European Union (Cloudflare EU data centers for EU users)
  • Global CDN (Bunny CDN, Cloudflare)

7.2 Legal Safeguards for International Transfers

For EU/UK users:

We comply with GDPR requirements for international data transfers:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all US-based service providers
  • Adequacy Decisions: We transfer data to countries with EU adequacy decisions where possible
  • Data Processing Agreements: All service providers sign DPAs with GDPR-compliant terms

For other users:

We use appropriate safeguards to protect your data regardless of where it's processed.

8. Children's Privacy

Smoshy is NOT intended for users under 18 years old.

  • We do not knowingly collect information from anyone under 18
  • You must be 18+ to create an account
  • If we discover a user is under 18, we will immediately delete their account and data
  • Parents: If you believe your child has created an account, contact us at privacy@smoshy.app and we will delete it

9. Cookies and Tracking Technologies

Mobile App:

The Smoshy mobile app does NOT use cookies. We use local storage for:

  • Session authentication (keeping you logged in)
  • App preferences and settings
  • Cached videos for offline viewing

Website (smoshy.app):

Our website uses cookies:

Essential Cookies (Always On):

  • Authentication and security
  • Remember your preferences
  • These cannot be disabled

Analytics Cookies (Can Opt-Out):

  • Amplitude analytics
  • Usage statistics
  • Performance monitoring

How to Manage Cookies:

  • Browser settings: Block or delete cookies
  • Cookie banner: Reject non-essential cookies
  • Settings → Privacy → Cookie Preferences

10. Third-Party Links

The Service may contain links to third-party websites, services, or content:

  • We are NOT responsible for third-party privacy practices
  • Third-party sites have their own privacy policies
  • We recommend reviewing their policies before providing information
  • We do not control or endorse third-party content

Examples:

  • Links in user bios or video descriptions
  • Links to social media platforms
  • Links to challenge resources or guides

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

When we make changes:

  • We will update the "Last Updated" date at the top
  • For material changes, we will notify you via:
    • Email to your registered email address
    • In-app notification
    • Prominent notice on the app
  • You will have 30 days to review changes before they take effect
  • Continued use after changes means you accept the new Privacy Policy
  • If you don't agree, you may delete your account

Material changes include:

  • New ways we use your data
  • Sharing data with new third parties
  • Changes to your privacy rights
  • Changes to data retention periods

12. Contact Us

Questions about this Privacy Policy or your data?

Email: privacy@smoshy.app

Support: support@smoshy.app

Response Time:

  • General inquiries: Within 7 days
  • Data access/deletion requests: Within 30 days
  • Data breach notifications: Within 72 hours

13. Legal Basis for Processing (GDPR)

For EU/UK users, here's the legal basis for each type of processing:

| Data Type | Purpose | Legal Basis | | --- | --- | --- | | Account info | Provide Service | Contract | | Videos | Host and display | Contract | | Device info | Security, fraud prevention | Legitimate Interest | | Usage data | Analytics, improvements | Legitimate Interest (can opt-out) | | Email for marketing | Promotional emails | Consent (opt-in required) | | Payment records | Legal compliance | Legal Obligation | | IP address | Security, location | Legitimate Interest |

By using Smoshy, you acknowledge that you have read and understood this Privacy Policy.

Last Updated: January 1, 2025