Privacy Policy
This Privacy Policy describes how SocialGryd Limited collects, uses, stores, discloses, and protects personal data when you use the SocialGryd website (socialgryd.com), the marketplace portal (marketplace.socialgryd.com), the partner portal, the mobile applications, community features, messaging, events, meetups, stories, professional profiles, the Creator Hub, brand-matching features, partner tools, AI-powered features, the Club Card, administrator tools, and all related services (the "Platform").
It applies to all users, partners, ambassadors, brands, event hosts, creators, website visitors, and anyone else whose personal data we process in connection with the Platform.
Read this Policy together with our Terms and Conditions, Cookie Policy, AI and Automated Decision-Making Notice, Sub-processors List, Community Guidelines, Child Safety Standards, and, where applicable, our Partner Data Processing Agreement, Brand Data Processing Agreement, Marketplace Terms, and Creator Hub Terms.
1. Who We Are and How to Contact Us
1a. Data Controller
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the UK Data Protection Act 2018, the Brazilian Lei Geral de Proteção de Dados (Law No. 13.709/2018, "LGPD"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and all other applicable data protection laws, the data controller (or "business" under US state laws, or "controller" under LGPD) is:
SocialGryd Limited
Narva mnt 5, Kesklinna linnaosa, Tallinn, Harju maakond 10117, Estonia
Company email: hello@socialgryd.com
1b. Data Protection Officer (DPO)
Our Data Protection Officer can be reached at dpo@socialgryd.com. You may contact the DPO on any question about how we handle your personal data, including rights requests, breach concerns, and policy interpretation.
1c. EU Establishment and UK Representative
SocialGryd Limited is established in the European Union (Estonia) and is subject to direct GDPR supervision by the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). Because we are established in the EU, no EU Article 27 representative is required for EU data subjects.
For users in the United Kingdom, UK GDPR Article 27 requires us to appoint a UK representative because we are established outside the UK and offer services to data subjects in the UK. We are in the process of appointing a UK Article 27 representative; this appointment will be made and published on this page, and the representative's details will replace this paragraph, before the Platform is actively launched to UK users. In the interim, UK data subjects may send any enquiry or rights request to our Data Protection Officer at dpo@socialgryd.com and we will action it under the UK GDPR within the statutory timeframes, without prejudice to the ICO's competence under section 115 and Schedule 13 of the UK Data Protection Act 2018.
1d. Dedicated Contact Channels
- Privacy / data subject rights: privacy@socialgryd.com
- Data Protection Officer: dpo@socialgryd.com
- Safety, abuse, and CSAE reports: report@socialgryd.com
- Legal notices, IP, and law enforcement: legal@socialgryd.com
- Security disclosures and vulnerabilities: security@socialgryd.com
- General support: support@socialgryd.com
2. Quick Reference Summary
| Topic | Summary |
|---|---|
| Controller | SocialGryd Limited, Estonia |
| DPO | dpo@socialgryd.com |
| Minimum age | 16 (higher in some jurisdictions; see Section 22) |
| Do we sell personal data? | No. |
| Do we share data for cross-context behavioural advertising? | No. |
| Do we use your content to train AI models? | No. We prohibit sub-processors from using your data to train their foundation models. |
| Automated decisions with legal effect? | No. See Section 7 for algorithmic ranking and AI categorisation disclosures. |
| International transfers? | Yes, primarily to the US, under SCCs, the UK IDTA, and adequacy decisions (see Section 19). |
| Standard retention | Backup copies up to 90 days after deletion; fraud-prevention/deletion-feedback records up to 24 months (see Section 20). |
| How to exercise your rights | Email privacy@socialgryd.com or use the in-app deletion tool. |
| Supervisory authority | Estonian Data Protection Inspectorate (www.aki.ee) and/or your local DPA. |
3. Categories of Personal Data We Collect
The categories of personal data we collect depend on how you use the Platform and which features you enable. The list below is comprehensive and intended to satisfy GDPR Articles 13 and 14, UK GDPR, LGPD Article 9, and US state transparency requirements.
3a. Account and Authentication Data
- Full name, username (handle), email address, phone number (if provided)
- Date of birth (collected to verify minimum-age eligibility; only age and jurisdiction-relevance retained after verification)
- Authentication method (email/password, email magic-link, Google Sign-In, Sign in with Apple)
- Authentication tokens, session identifiers, and device bindings
- Password hash (where password authentication is used)
- Account creation date, last sign-in timestamp, and sign-in history for security monitoring
- Account status (active, suspended, deleted, pending verification)
3b. Profile Data
- Profile photo, banner photo, bio/about section
- City, region, or country (if provided), occupation, website URL
- Social media handles (Instagram, X/Twitter, Threads, YouTube, TikTok, Facebook, LinkedIn, Twitch, Pinterest, Snapchat)
- Content interest categories you select
- Language and locale preferences
- Membership tier, membership status, and plan details
- Marketing consent preferences and communication channel preferences
3c. Professional (Work) Profile Data
- Job title, professional summary, work email and phone
- Skills and mastery levels; languages and proficiency levels
- Work experience (company, position, dates, descriptions)
- Education (school, degree, graduation year, descriptions)
- Certifications and attached professional documents
- Open-to-work status, position preferences, and availability indicators
3d. Community Content
- Posts (text, images, videos, polls), comments, likes, reactions, shares, reshares
- Stories (photos, videos, audio captured via microphone during video story creation). Stories are automatically hidden from the Platform approximately 24 hours after creation. On Android, story uploads may continue as a foreground service after you leave the app to ensure full upload.
- Story views, replies, and ephemeral reactions
- Direct messages, group chats, event chats: text, media, reactions, reply threads, edits, forwards, pins, read receipts, typing indicators
- Reviews, ratings, partner interactions, partner questions and answers
- Event listings you create, RSVPs, event chats, event feedback, and event-related communications
- Deep-link content you generate (share-to-app links for profiles, posts, events, partner pages)
3e. Networking, Signals, and Meetup Data
- Network Signal details (intent type such as coffee, coworking, meetup, etc.; mode; visibility; radius; meeting place; expiry)
- Signal participant data and confirmed/declined connections
- Location data associated with signals (see Section 3k)
- Signal acceptance and response history
3f. Engagement, Ranking, and Inferred Data
- Gryd Score: a composite engagement metric computed from your posts, likes, comments, shares, connections, and activity. Used to rank content and surface profiles.
- Profile visibility boost: if an administrator applies a ranking boost to your profile, we store the boost multiplier (typically between 1.5x and 5x), expiry date, reason, and which administrator applied it. See Section 8.
- Algorithmic feed signals: post impression counts, dwell time, watch time on videos, scroll behaviour, tap/click events, recency weights, and similarity signals.
- AI-assigned content categories: labels such as "tech", "travel", "business", assigned to each post by our AI sub-processor and stored with the post (see Section 7).
- Connection, follow, and block graphs.
- Inferred interests derived from your activity, which may be used to rank feed content, suggest signals, surface events, and recommend profiles.
- Video view counts, story view counts, reshare counts, and other engagement metrics.
- Notification and communication preferences (note: certain safety, proximity-signal, and service notifications cannot be disabled; see Section 15).
3g. Membership, Subscription, and Payment Data
- Subscription plan, billing status, renewal dates, cancellation timestamps
- Transaction references, receipt identifiers, app-store original transaction IDs
- Partial payment metadata (we do not receive full card numbers; card data is processed by Stripe, Apple App Store, or Google Play directly)
- Club Card identifiers, perk eligibility status, membership issue date
- Billing country for tax and compliance purposes
- Refund, chargeback, and dispute records
3h. QR, Redemption, and Perk Data
- QR scan records: member display name, partner location, perk redeemed, timestamp
- Scan history and redemption status (e.g., day-pass used, discount redeemed)
- Anti-fraud signals including unusual scan frequency, device mismatch, and geographic anomalies
- Member-partner visit patterns used to populate partner analytics dashboards
3i. Device and Technical Data
- IP address, approximate location derived from IP, and network operator
- Device type, device model, operating system, OS version, app version, and build number
- Browser type and version (for website visitors)
- Firebase Cloud Messaging (FCM) push notification tokens (stored server-side and rotated on sign-in/sign-out)
- Firebase App Check attestation tokens for client integrity validation
- Firebase Installation IDs for analytics and service continuity
- Crash reports and performance diagnostics (stack traces, device state at crash time)
- Google Advertising ID (Android) or Apple IDFV/IDFA (iOS) where permitted and disclosed in the OS-level tracking prompt. We use the Advertising ID only for measurement and crash attribution, never for third-party ad personalisation.
- Shorebird installation identifier and patch-delivery telemetry (see Section 3n).
3j. Local Device Storage
The app stores limited data locally on your device to improve performance and reduce network requests, including:
- Cached profile data loaded at app startup
- Membership status and plan details
- Tutorial and onboarding completion flags
- Profile statistics (post and connection counts)
- Invite history (which device contacts you have invited)
- Cached feed content (recent posts, automatically expiring after 1 hour)
- Selected city, coordinates, and map defaults
- User preferences (search radius, messaging settings, read receipts, theme, language)
- Story upload queue (pending uploads for background processing)
- Image cache (capped at 100 MB)
- Session tokens and refresh tokens provided by Firebase Auth
This data is stored in your device's local storage (SharedPreferences, Keychain/Keystore, or application cache) and is protected by your operating system's encryption where available. Clearing app data or uninstalling the app will remove it.
3k. Location Data
- Approximate device location (from GPS, Wi-Fi, cellular network, or IP-based geolocation) when you enable location features
- On some devices, Wi-Fi network name (SSID) and router identifier (BSSID) used by the operating system to improve location accuracy
- Precise coordinates when you actively use location-dependent features (Signals, Spaces discovery, map views, event RSVPs to location-based events)
- Geohash spatial index (low-precision geographic grid cells, approximately 111 km at 1-character precision, used to query nearby content without exposing precise coordinates to other users)
- City/region you provide in your profile
- Venue-level location at the moment of a QR scan or partner check-in
- If you grant "Always" location permission on iOS, background location may be collected intermittently for proximity Signal notifications. This is optional.
Precise geolocation is treated as sensitive personal information under California law and as a special category or elevated-risk category under several other jurisdictions. You can disable or restrict location access at any time in your device settings.
3l. Contacts and Calendar Data
Contacts: If you grant contacts permission, the Platform accesses your device contacts (names and phone numbers) locally on your device to help you find and invite people. Contact data is processed locally and is not uploaded to or stored on SocialGryd servers. A record of which contacts you have invited (hashed phone numbers) is stored locally on your device only.
Calendar: If you grant calendar permission, the Platform may add event details to your device calendar when you RSVP. Calendar writes are performed locally via the OS calendar API and are not transmitted to SocialGryd servers. The Platform may also generate URLs to add events to third-party calendar services (e.g., Google Calendar) at your request. These URLs are generated client-side and we do not call Google Calendar APIs server-side on your behalf.
3m. Safety, Moderation, and Support Data
- Reports you submit or that are submitted about you (report type, target, reason, content, timestamp)
- Moderation actions, appeals, statements of reasons, and audit trails
- Correspondence with our Trust and Safety, Support, or Legal teams
- Evidence preserved under legal hold for investigations, regulatory requests, or anticipated litigation
- Account deletion feedback (optional free-text reason you may provide at deletion)
- Trusted Flagger and Out-of-Court Dispute Settlement body correspondence (DSA Articles 21-22)
3n. Software Update and Shorebird Telemetry
We deliver certain Dart code updates to the mobile app over the air using Shorebird Code Push. When a Shorebird patch is checked or applied, our Shorebird sub-processor receives your installation ID, app version, patch version, operating system, and approximate country. No profile, content, or identifying account information is transmitted to Shorebird. Patch telemetry is retained by Shorebird in accordance with its sub-processor contract.
3o. Administrator and Partner Data
- Business details, legal entity name, trade name, venue information, operational contacts
- Event information, capacity, pricing, cancellation policy, and analytics
- Account permissions, role assignments, and dashboard access logs
- Audit logs of administrative actions (content moderation, user suspensions, boosts applied, refund actions)
3p. Creator Hub and OAuth Data
If you connect external social platforms via the Creator Hub (YouTube, TikTok, Instagram, Facebook, X, LinkedIn, Twitch, Snapchat, Pinterest, Threads, or any other platform we support), we receive:
- The OAuth access and refresh tokens issued by the external platform, stored encrypted at rest
- The scopes you approved at consent (we never request more than you approve)
- Public profile metrics (e.g., follower count, video views, engagement rate) on an ongoing basis
- Private data (e.g., direct messages) only if you have enabled the dedicated "Read DMs" toggle, which is default-off; you may revoke it at any time and we purge cached DMs on revocation
You may disconnect any linked platform at any time from the Creator Hub settings. Revoking our access in the external platform's own settings is also honoured. We monitor token validity and clean up data tied to revoked connections.
3q. Marketplace and Brand Data
If you use the brand marketplace (as a brand buyer or a creator participant), we collect:
- Brand entity name, business contact, billing information, domain for verification, and authorised-user email addresses
- Campaign briefs, requirements, budgets, and matching criteria
- Messages exchanged between brands and creators through the marketplace messaging feature
- Creator "opted-in" status for brand visibility (a creator's profile is only visible in brand search when that creator has enabled Marketplace visibility)
- Agreements, approvals, content submissions, and performance metrics
See our Marketplace Terms and Section 9 of this Policy for the full data-flow explanation.
3r. Website Visitor Data
Visitors to socialgryd.com who do not hold an account are subject to more limited data collection: IP address, browser user agent, referrer URL, pages visited, and, with consent, non-essential analytics cookies. See our Cookie Policy.
3s. What We Do Not Collect
We do not knowingly collect:
- Biometric identifiers (facial geometry, fingerprints, voiceprints, retina scans) from photos, videos, or stories
- Full payment card numbers (processed by Stripe, Apple, and Google directly; we store only last-four and brand where provided by the processor)
- Government-issued identifier numbers (passport, national ID, driving licence) unless you voluntarily provide them in support of a specific compliance, tax, or age-verification matter
- Precise health, religious, political, trade union, sexual orientation, or genetic data. If you voluntarily include such information in free-text fields, you do so at your own initiative and are responsible for the choice to publish it.
4. Sources of Personal Data
We collect personal data from the following sources:
- Directly from you: when you register, complete your profile, post content, send messages, RSVP to events, connect external platforms, redeem perks, or contact support.
- Automatically from your device: device, network, location, crash, and usage telemetry generated by your interactions with the Platform.
- Third-party authentication providers: Google and Apple provide name and email when you use social sign-in. Magic-link sign-in (brand marketplace) transmits only the email address you provide.
- External platforms via Creator Hub OAuth: YouTube, TikTok, Instagram, Facebook, X, LinkedIn, Twitch, Snapchat, Pinterest, Threads. See Section 10.
- App stores and payment providers: Apple App Store, Google Play, and Stripe provide subscription and transaction data.
- Email and webhook providers: Resend and Svix return delivery events (opens, bounces, clicks, webhook receipts).
- Third-party event sources: Ticketmaster Discovery API and Eventbrite (API plus public HTML scraping where terms permit) provide event listings.
- Map, places, and geocoding providers: Google Maps Platform (Places, Geocoding, Maps SDK).
- Other users and partners: when they message you, report you, tag you, include you in chats or events, or provide information relevant to a shared interaction.
- Brands and advertisers: when they register for the Marketplace, verify their domain, or engage with creators.
- Trusted Flaggers, regulators, law enforcement, and courts in the course of compliance and enforcement.
- Inferred from your activity: engagement scores, interest categories, and content affinities derived by automated systems.
5. Purposes of Processing and Legal Bases
The table below sets out each purpose for which we process personal data, the categories of data involved, and our legal basis under GDPR Article 6 (and GDPR Article 9 where applicable).
| Purpose | Data categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and administer your account; authenticate sign-in; enforce minimum age | Account, authentication, DOB | Performance of contract (6(1)(b)); legal obligation (6(1)(c)) for age and sanctions compliance |
| Display your profile, content, messages, events, and RSVPs; deliver Platform features | Profile, work profile, community content, networking data | Performance of contract (6(1)(b)) |
| Operate the algorithmic feed, Gryd Score, and ranking; apply administrator boosts; AI content categorisation | Engagement, inferred, AI category, engagement signals | Legitimate interests (6(1)(f)): interest in running a functional feed and providing a relevant, safe product; balanced against your rights. You may object (see Section 24). |
| Send service and safety notifications; operate non-disableable safety/proximity alerts | FCM tokens, notification preferences | Performance of contract (6(1)(b)); legitimate interests (6(1)(f)) for safety and service integrity |
| Send marketing and promotional communications | Email, consent preferences | Consent (6(1)(a)); in some EU jurisdictions, soft opt-in legitimate interest for similar products under PECR Regulation 22(3) where applicable |
| Process payments, subscriptions, tax, and refunds | Payment metadata, billing country | Performance of contract (6(1)(b)); legal obligation (6(1)(c)) |
| Verify Club Card, process QR redemptions, operate partner analytics, prevent double-redemption and fraud | QR, redemption, membership | Performance of contract (6(1)(b)); legitimate interests (6(1)(f)) |
| Moderate content, review reports, preserve evidence, enforce Terms, comply with DSA and child-safety law | Safety, moderation, reports | Legitimate interests (6(1)(f)); legal obligation (6(1)(c)) |
| Operate security, detect abuse, prevent fraud, protect the Platform and other users | Device, IP, session, App Check | Legitimate interests (6(1)(f)); legal obligation (6(1)(c)) |
| Analyse usage, measure performance, improve the product | Usage analytics, crash, device | Legitimate interests (6(1)(f)); consent where required by local cookie law |
| Operate the Marketplace, match creators and brands, facilitate campaign communications | Creator profile (opted-in only), brand data, messages, agreements | Performance of contract (6(1)(b)); consent (6(1)(a)) for creator marketplace visibility |
| Operate Creator Hub OAuth, fetch public metrics, surface cross-platform analytics | OAuth tokens, public metrics | Consent (6(1)(a)); performance of contract (6(1)(b)) |
| Import third-party event data for Platform discovery | Event metadata from Ticketmaster/Eventbrite | Legitimate interests (6(1)(f)): not personal data of our users; any user-level personal data is only obtained when a user separately RSVPs |
| Respond to legal requests, regulatory enquiries, court orders, law enforcement, and NCMEC reporting | Account, content, device, report data as specified in request | Legal obligation (6(1)(c)); legitimate interests (6(1)(f)); public interest (6(1)(e)) where applicable |
| Corporate transactions (mergers, acquisitions, reorganisations) | Any category, subject to confidentiality safeguards | Legitimate interests (6(1)(f)) |
Where we rely on legitimate interests, we document a balancing test. You may request a summary of any balancing test at dpo@socialgryd.com.
6. Sensitive and Special Category Data
We generally do not process special categories of personal data as defined in GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation).
Exceptions may arise where:
- You voluntarily include such information in a free-text profile field, post, story, message, or review. In that case, you are manifestly making that data public and the processing is permitted by Article 9(2)(e) to the extent you have done so.
- A safety report or evidence preservation incidentally includes such information. In that case, we rely on Article 9(2)(f) (establishment, exercise, or defence of legal claims) and/or Article 9(2)(g) (reasons of substantial public interest for safety).
Precise geolocation is treated as sensitive personal information under California law (Cal. Civ. Code 1798.140(ae)) and similar state laws. You may limit our use of precise geolocation by disabling location permissions in your device settings.
7. Algorithmic Ranking, AI, and Automated Processing
7a. AI-Powered Content Categorisation (Anthropic)
When you create or update a post, the Platform automatically sends (a) the text content of your post truncated to approximately 1,000 characters and (b) a machine-generated description of any attached media to Anthropic PBC, operating the Claude family of models (currently Claude Haiku 4.5), to assign one or more content category labels (such as "tech", "travel", "business", "lifestyle").
- Your name, username, profile photo, email, and account identifiers are not transmitted to Anthropic.
- We require Anthropic by contract not to use our customer data to train its foundation models (under Anthropic's Commercial Terms and the Anthropic Zero Data Retention policy applicable to our account, where enabled).
- Anthropic may retain processed data for limited periods for abuse monitoring and service provision in accordance with its own data-processing terms. We publish the current Anthropic DPA and data-residency terms in our Sub-processors List.
- The categorisation influences where your post may appear in the algorithmic feed (posts whose AI category matches a viewer's selected interest categories may appear more prominently).
The AI categorisation does not produce legal or similarly significant effects on you. You can request manual re-categorisation or object to AI-assisted ranking of your content by contacting privacy@socialgryd.com.
7b. Algorithmic Feed and Ranking Parameters (DSA Article 27)
SocialGryd uses automated systems to rank content in certain feed views ("For You" / default feed and similar surfaces). The main parameters of our ranking system, in order of approximate significance, are:
- Your selected interests: posts whose AI-assigned categories match your selected content interests are ranked higher.
- Your connections and follows: posts from people you follow or are connected with are ranked higher.
- Post engagement rate: early likes, comments, shares, dwell time, and watch completion influence ranking, normalised by reach so that smaller accounts are not structurally disadvantaged.
- Recency: newer posts are weighted higher, with category-specific decay.
- Gryd Score of the author: a higher overall engagement score slightly increases reach.
- Administrator-applied visibility boost: where an administrator has applied a boost multiplier to a profile (see Section 8), content from that profile is weighted higher. Where boosted content would otherwise not be organically ranked, it is labelled to make the boost visible to viewers.
- Geographic proximity: for Spaces, Signals, and local events, proximity to your current or profile city.
- Safety signals: posts from accounts under moderation review, posts containing suspected policy-violating content, and posts reported by multiple users may be de-ranked or hidden.
You can view content in chronological order (no ranking beyond reverse-chronological order) by using the "My Gryd" feed tab. You can change your selected interest categories, followed accounts, and location at any time in your settings.
7c. Gryd Score
The Gryd Score is calculated automatically from your Platform activity (posts, likes, comments, shares, connections, time on Platform). It is an indicative engagement metric displayed on your profile and used as a ranking signal. It is not used for decisions that produce legal or similarly significant effects on you (no credit, employment, insurance, immigration, or public benefit implications).
7d. Safety and Moderation Classifiers
We may apply automated classifiers (first-party rules, pattern matching, and, in future, AWS Rekognition, AWS Comprehend, or similar services) to posts, messages, stories, and reviews to surface suspected violations for human review. The final decision to remove content, issue a warning, or suspend an account is taken by a human moderator (or, in clear-cut technical cases such as known-hash CSAM, by automated systems under human oversight and with an appeal route). See our Terms Section 18 for the full Statement of Reasons and appeal process.
7e. No Solely-Automated Decisions With Legal Effect
Under GDPR Article 22 and equivalent provisions of the UK GDPR, LGPD, and state privacy laws, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. SocialGryd does not take such decisions. Visibility, ranking, and categorisation do not produce legal effects. If you believe an automated decision has significantly affected you, contact dpo@socialgryd.com and we will provide meaningful human review and an explanation.
7f. AI Training Opt-Out and Future AI Features
We do not use your personal data, content, or messages to train any AI or machine-learning model ourselves, and we require our AI sub-processors by contract not to use our customer data to train their foundation models. If we introduce any new AI feature that processes your personal data, we will update this Policy and our AI and Automated Decision-Making Notice, and, where the change is material, notify you in advance.
8. Administrator Actions and Profile Boost
SocialGryd administrators (members of our internal Trust and Safety, Growth, and Operations teams acting on behalf of the company) may take the following actions that may affect your data and your experience:
- Apply a profile visibility boost: a multiplier (typically 1.5x to 5x) applied to your content ranking for a defined period. Boosts may be applied to creators, partners, event hosts, ambassadors, or newly onboarded users to accelerate discovery. Where a boost would cause content to appear in a user's feed that would not have appeared organically, the Platform labels the content so that the boost is visible.
- De-rank or hide content suspected of violating our Community Guidelines, Acceptable Use Policy, or applicable law.
- Apply verified badges, trusted flagger status, or official-account labels.
- Suspend, restrict, or terminate accounts in accordance with our Terms.
- Issue refunds, extend memberships, or waive fees in response to support tickets and disputes.
All administrator actions are recorded in an internal audit log including timestamp, administrator identity, action type, target, reason, and any parameters (e.g., boost multiplier). These audit logs are retained for up to 36 months.
9. Marketplace Data Flow
The SocialGryd Marketplace connects brands with creators for paid partnerships and campaigns. The data flows are:
- Brand onboarding: a brand registers via magic-link authentication, verifies a business email and (for higher tiers) a web domain, and provides entity name, billing information, and campaign budget.
- Creator opt-in (required): a creator is visible to brands in Marketplace search only if the creator has enabled the Marketplace visibility toggle. Until then, a creator's profile, metrics, and contact details are not available to brands via the Marketplace.
- Brand search and match: opted-in creators appear in brand search based on public profile data, Gryd Score, AI-assigned content categories, follower counts, engagement rate, and city/region. Brands cannot see a creator's precise location, email address, or phone number at this stage.
- Campaign invitations and messaging: brands may invite creators to campaigns. Messages between brands and creators are stored in our systems and used for dispute resolution. The creator sees the brand's name, verified domain, campaign brief, and budget. The creator may decline or accept.
- Agreement and delivery: if a creator accepts, campaign agreements, content submissions, approvals, and performance metrics are shared between the parties through the Marketplace. Tax and payment data is handled by Stripe.
- Post-campaign: performance data (reach, engagement) may be retained by both parties for up to 24 months for tax and audit purposes, or longer where required by law.
Brands processing creator personal data through the Marketplace are separate controllers (or, for contractually limited campaign purposes, joint controllers with SocialGryd). Our Brand Data Processing Agreement defines each party's role, security obligations, and breach response.
Creators may withdraw Marketplace visibility at any time. Withdrawal removes new brand visibility; ongoing campaigns remain governed by the relevant campaign agreement until completed or terminated.
10. Creator Hub and External Platform Connections
The Creator Hub lets you link external social platforms so SocialGryd can display cross-platform metrics (and, if you enable it, read DMs on your behalf for unified-inbox features). The table below summarises the scopes we request.
| Platform | Default scopes | Optional scopes |
|---|---|---|
| YouTube | Read public channel metrics and video statistics | Read comments (optional) |
| TikTok | Read public profile and video statistics | Read direct messages (default-off) |
| Instagram (via Meta Graph) | Read Business Account metrics and media | Read Instagram DMs (default-off; requires Business Account) |
| Facebook (Page) | Read Page metrics and posts | Read Page messages (default-off) |
| X (Twitter) | Read public profile and post metrics | Read DMs (default-off; requires X API access tier) |
| LinkedIn | Read basic profile and post statistics | n/a |
| Twitch | Read channel information and stream analytics | Read chat logs (optional) |
| Snapchat, Pinterest, Threads | Read public profile and post metrics | n/a |
OAuth tokens are stored encrypted at rest. Tokens are refreshed automatically where the platform supports refresh, and are invalidated if you disconnect a platform. Revoking our app's permission in the external platform's own settings is honoured. We poll token validity and clean up associated data.
Your use of each external platform is subject to that platform's own terms and privacy policy. SocialGryd is not responsible for the privacy practices of external platforms.
11. Events and Third-Party Content Imports
To populate event discovery, SocialGryd imports public event metadata from the Ticketmaster Discovery API and from Eventbrite (via Eventbrite API where available and via HTML scraping of public event pages where Eventbrite's terms permit). Imported data includes event title, description, venue, date, image, organiser name, and a link back to the source. It does not include attendee lists or personal data of third parties.
When you RSVP to an imported event within SocialGryd, we record your RSVP in our own systems. We do not transmit your RSVP to the third-party source unless you click through and complete an RSVP on that source's website.
If you are an event organiser and wish to have your event removed from our imports, email privacy@socialgryd.com.
12. Messages, Stories, Reviews, Comments, and Reports: Visibility Rules
- Direct and group chats: visible to conversation participants. Read receipts (if you have them enabled) are visible to other participants who have read receipts enabled. You can disable read receipts in settings; disabling also hides other users' read receipts from you.
- Messages may be forwarded, edited, reacted to, or pinned by participants. Forwarded messages indicate the original sender's display name.
- Stories: visible to the audience you select (public, connections, or a custom audience) and hidden from the Platform approximately 24 hours after creation. Story-view metadata is visible to the creator during the story's lifetime. Residual story media may persist in backups for up to 90 days after the story is hidden.
- Public posts, reviews, and comments: visible to other users and, where posts are public, to non-authenticated website visitors and indexed by search engines. Consider what you post carefully.
- Other users may copy, screenshot, record, or reshare content once they have access to it. SocialGryd cannot control what recipients do with content once they can see it.
- Reports: when you report someone, limited content (type, reason, reporter account, target account) is shared with our Trust and Safety team and, where relevant, with the reported user under our DSA Statement-of-Reasons process. We do not disclose the reporter's identity to the reported user unless compelled by law.
- Reshares and quote-reshares: default to connections-only visibility for the share, even if the original was public. See our Terms Section 6 for the full sharing contract.
13. QR Scans, Club Card Data, and Partner Analytics
When a member uses a Club Card or QR-based perk, we record the redemption and share operational data with the applicable partner location. This can include member display name, membership status, perk redeemed, timestamp, scan history at that partner, unique and repeat visit patterns, and aggregate partner analytics (foot traffic, engagement signals). Standard partner flows do not provide a member's precise device location or email address unless the member separately shares them or a separate lawful booking/event workflow requires it.
Partners processing member personal data are independent controllers (or, for certain limited purposes, joint controllers). Our Partner Data Processing Agreement sets out each party's responsibilities.
14. Cookies, SDKs, Local Storage, and Tracking Technologies
Full details are in our Cookie Policy. In summary:
- Strictly necessary: Firebase Auth session cookies, App Check attestation, CSRF tokens, and cookie-preference storage. No consent required.
- Analytics (non-essential): Firebase Analytics event telemetry. On the website, analytics are consent-gated via the cookie banner and only set in the EU/EEA/UK after opt-in. In the mobile app, Firebase Analytics is currently enabled by default outside debug builds while we roll out an in-app consent gate; we will move EU/EEA/UK mobile analytics to opt-in via the in-app gate before public launch in those regions, and you can disable analytics today in the in-app "Data and Privacy" settings or by adjusting OS-level tracking permissions. Amplitude is in our roadmap but not yet receiving personal data in production; when enabled, it will be consent-gated through the same mechanism.
- Performance: Firebase Performance Monitoring and Crashlytics (consent-gated in jurisdictions that require it).
- Google Fonts are fetched at runtime by your browser from fonts.googleapis.com and fonts.gstatic.com, transmitting your IP address and user-agent to Google.
- Advertising identifiers (Google Advertising ID, Apple IDFV/IDFA) are accessed only where permitted by your OS-level tracking choice and used for measurement/crash attribution, not third-party ad personalisation.
15. Analytics Providers
SocialGryd uses multiple analytics providers:
- Firebase Analytics (Google): in-app usage events, screen views, feature interactions, retention cohorts.
- Amplitude (planned, not yet receiving personal data in production): intended for product analytics, funnels, A/B test measurement, and cohort analysis. When enabled, Amplitude will receive event names, event properties, user ID (pseudonymous), and device metadata. We have signed Amplitude's DPA and will apply SCCs for transfers to the US. Amplitude does not cross-identify users across our tenant and other tenants. We will update this Policy and the Sub-processors List before routing production personal data to Amplitude.
- Firebase Crashlytics: stack traces, device state at crash time, non-identifying crash identifiers.
- Firebase Performance Monitoring: app-start time, network request latency, screen render time.
Analytics collection is reduced or disabled in debug builds. You can limit analytics by adjusting OS-level tracking settings and by using the in-app "Data and Privacy" controls (where available).
16. Email, Webhooks, and Service Communications
We deliver service, transactional, and promotional emails via Resend. Webhook delivery for integrations, billing events, and sub-processor callbacks is handled via Svix. For each email or webhook we may record:
- Delivery status (delivered, bounced, blocked, deferred)
- Open timestamps and click-through events (via tracking pixels and redirect links)
- Aggregate campaign metrics
- Bounce reasons and deliverability feedback
- Webhook payloads and retry history (for service-to-service events)
Email tracking data is retained for up to 12 months. You can prevent open tracking by disabling image loading in your email client. You can unsubscribe from marketing communications using the unsubscribe link in any marketing email, in your in-app settings, or by emailing privacy@socialgryd.com. You cannot unsubscribe from service and safety emails while your account is active.
17. Push Notifications, FCM Tokens, and Non-Disableable Notifications
Push notifications are delivered via Firebase Cloud Messaging (FCM) on Android and Apple Push Notification service (APNs) on iOS. We store your current FCM/APNs token on our servers, rotate it on sign-in/sign-out, and delete it on account deletion.
Most notifications are user-controllable in settings. However, certain safety, proximity-signal, and service notifications cannot be disabled while your account is active:
- Imminent safety alerts and account-integrity warnings
- Proximity Signal acknowledgements once you have opted in to receiving Signal responses
- Critical account events (suspensions, verification requirements, billing failures)
If you wish not to receive any notifications at all, you can uninstall the app or revoke notification permission at the operating-system level.
18. Sub-Processors
We use third-party sub-processors to operate the Platform. Each sub-processor is bound by a data-processing agreement that includes confidentiality, security, breach notification, and, where relevant, SCCs / UK IDTA for international transfers.
A current, detailed list is maintained at socialgryd.com/subprocessors. Major sub-processor categories are:
- Cloud infrastructure: Google Cloud Platform / Firebase (Auth, Firestore, Cloud Storage, Cloud Functions, Cloud Messaging, Analytics, Crashlytics, Performance Monitoring, App Check, Remote Config, Hosting).
- AI services: Anthropic (Claude model family, for post categorisation and future features).
- Analytics: Amplitude (planned, not yet routing personal data in production).
- Email delivery: Resend.
- Webhook infrastructure: Svix.
- Over-the-air code delivery: Shorebird.
- Payments: Stripe, Apple App Store, Google Play.
- Maps and places: Google Maps Platform (Places, Geocoding, Maps SDK).
- Event data: Ticketmaster (Discovery API), Eventbrite.
- Creator-linked platforms (you authorise via OAuth): YouTube, TikTok, Instagram/Meta, Facebook, X, LinkedIn, Twitch, Snapchat, Pinterest, Threads.
- Office and productivity (internal only): Google Workspace, Linear, Slack, Notion, GitHub. These process business contact data and internal operational data only; they do not receive Platform content except where tickets or investigations require.
Planned and roadmap services: we are evaluating AWS Personalize (recommendations), AWS Rekognition (image/video moderation), AWS Comprehend (text moderation), AWS Neptune (graph-based recommendations), and AWS SageMaker (internal ML training on anonymised data). Before we route any personal data to a new sub-processor in production, we will (a) update this Policy and our Sub-processors List, (b) notify users where the change is material, and (c) where required by law, seek consent or offer an objection route.
We publish at least 14 days' advance notice of material sub-processor changes on the Sub-processors page for users who subscribe to the change feed.
19. International Data Transfers
SocialGryd is established in Estonia (EU). Many of our sub-processors are established in the United States and other third countries. Your personal data may therefore be transferred, stored, or processed outside your country of residence, including outside the EEA and the UK.
Where we transfer personal data outside the EEA or UK, we rely on one or more of the following safeguards:
- European Commission adequacy decisions (e.g., EU-US Data Privacy Framework for certified US recipients)
- EU Standard Contractual Clauses (2021/914) with supplementary measures where needed following Schrems II
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
- Explicit consent for one-off, non-repetitive transfers under GDPR Article 49 where appropriate
You may request a copy of the safeguards in place for specific transfers by emailing dpo@socialgryd.com.
We are evaluating migrating some services to AWS regions in Europe, Singapore, and the US; if we do so, we will update this Policy and the Sub-processors List before routing personal data to the new region.
20. Data Retention
We retain personal data only as long as reasonably necessary for the purposes in Section 5, subject to legal, accounting, fraud-prevention, and dispute-resolution needs.
| Category | Retention period |
|---|---|
| Account and profile data | Life of account, then up to 90 days in backups |
| Deletion-feedback and fraud-prevention markers (post-deletion) | Up to 24 months |
| Stories (live) | ~24 hours then hidden; purged from live systems periodically |
| Story data in backups | Up to 90 days after hide |
| Story view/reply metadata | Up to 90 days after expiry |
| Posts, reviews, comments, event content | Until deleted or no longer needed; backups up to 90 days |
| Messages and chat content | Life of account; backups up to 90 days |
| Engagement data (Gryd Score, impressions, views) | Life of account; deleted at account deletion. De-identified aggregates may be retained indefinitely for platform analytics |
| AI categorisation labels on posts | Life of post |
| AI usage metrics (request counts, tokens, costs; not content) | Up to 24 months |
| QR scan logs, redemption records, fraud markers | Up to 36 months |
| Crash reports, performance logs | Up to 12 months |
| Email delivery and tracking data | Up to 12 months |
| Support tickets and moderation files | Up to 24 months after matter is closed |
| Administrator action audit logs | Up to 36 months |
| DSA transparency and statements of reasons | At least 5 years (per Regulation 2022/2065) |
| Law-enforcement preservation requests | As required by the relevant order or applicable law |
| Payment, tax, and accounting records | As required by applicable law (typically 7-10 years) |
| OAuth refresh tokens (Creator Hub) | Until you disconnect the platform or revoke access |
Where we de-identify data (removing all direct and reasonably available indirect identifiers), we may retain it indefinitely for analytics and product improvement. Re-identification is prohibited by internal policy and sub-processor contracts.
21. Security
We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration, or disclosure. No system is completely secure and we cannot guarantee absolute security. Measures include:
- Encryption in transit (TLS 1.2+ / HTTPS) for all Platform traffic
- Encryption at rest for databases and object storage (GCP/Firebase default AES-256)
- Encryption of OAuth refresh tokens, API keys, and similar secrets at the application layer
- Firebase App Check attestation for client integrity and anti-abuse
- Firestore Security Rules restricting each read/write to the authorised user (e.g., chat messages accessible only to conversation participants)
- Role-based access control for administrative tools, with separation of duties and least privilege
- Multi-factor authentication for administrative and developer accounts
- Logging and monitoring of administrative actions, with audit trails retained per Section 20
- Vulnerability management, dependency scanning, and periodic penetration testing
- Secure software-development practices, code review, and CI/CD controls
- Incident response procedures and a documented data-breach response plan
- Contractual security obligations on sub-processors, including SOC 2 / ISO 27001 evidence where available
You are responsible for keeping your credentials confidential and for the security of the devices you use to access the Platform. Report suspected vulnerabilities to security@socialgryd.com under our coordinated disclosure policy; we do not pursue researchers acting in good faith within that policy.
22. Children's Privacy and Age Requirement
The default minimum age for SocialGryd is 16. Where local law sets a higher age for independent digital consent, that higher age applies:
- Brazil and India: 18 (or 16 with verifiable parental or legal-guardian consent).
- Indonesia: 17.
- South Korea: 14, with parental consent required for users under 18.
- All other jurisdictions: 16.
We do not knowingly collect personal data from anyone below the applicable minimum age. We verify age at registration via the date of birth you supply and apply server-side checks. If we have reasonable grounds to believe a user is under the applicable age, we suspend the account and request verification; accounts that cannot be verified are deleted, and associated content is removed.
We apply the UK Information Commissioner's Age Appropriate Design Code ("Children's Code") principles for UK users: settings default to high privacy, we do not use "nudge techniques" to get children to weaken their privacy, and we do not profile children for advertising.
For our child-safety (CSAE) standards, see Child Safety Standards.
If you believe a minor has created an account on the Platform, email privacy@socialgryd.com and we will investigate promptly.
23. Your Rights Under GDPR and UK GDPR
If you are in the EEA, the UK, or otherwise benefit from GDPR/UK GDPR protection, you have the following rights, subject to conditions and exceptions in the law:
- Right of access (Article 15): request a copy of the personal data we hold about you, together with information about how and why we process it.
- Right to rectification (Article 16): request correction of inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Article 17): request deletion of your personal data. See Section 26 for the account-deletion flow.
- Right to restriction (Article 18): request that we restrict processing while disputes are resolved.
- Right to data portability (Article 20): receive a copy of the data you provided in a structured, commonly used, machine-readable format (we provide JSON or CSV, depending on the data type), and have it transmitted to another controller where technically feasible. We action portability requests within 30 days (extendable by up to 60 days in complex cases, with notice).
- Right to object (Article 21): object to processing based on legitimate interests, including our algorithmic ranking, Gryd Score usage, profiling, and direct marketing. Objection to direct marketing is always honoured. For other objections, we will stop processing unless we demonstrate compelling legitimate grounds that override your rights.
- Right to withdraw consent: where processing is based on consent (marketing, optional cookies, Creator Hub scopes, background location, "Read DMs" toggle), you may withdraw at any time without affecting the lawfulness of prior processing.
- Rights in relation to automated decision-making (Article 22): see Section 7e. We do not take solely-automated decisions with legal or similarly significant effects.
- Right not to be subject to discrimination for exercising your rights.
To exercise any of these rights, email privacy@socialgryd.com or dpo@socialgryd.com. We respond within one month, extendable by up to two further months in complex cases (with notice). We will verify your identity before actioning any request.
You also have the right to lodge a complaint with your supervisory authority, including:
- Estonian Data Protection Inspectorate (www.aki.ee): our lead supervisory authority
- UK Information Commissioner's Office (ico.org.uk) for UK users
- The competent data-protection authority in your EU member state of residence, work, or alleged infringement
23a. UK Representative (UK GDPR Article 27)
SocialGryd Limited is established in Estonia. Because we offer goods and services to, and monitor the behaviour of, individuals in the United Kingdom, we have appointed a representative in the UK in accordance with Article 27 of the UK GDPR. UK data subjects and the UK Information Commissioner's Office may contact our UK Representative directly in respect of all matters relating to the processing of personal data of UK residents:
Julian Nevin
61 Bridge Street
Kington HR5 3DJ
United Kingdom
Tel: +44 1544 599385
Email: dpr@socialgryd.com
Contacting the UK Representative is in addition to, and not in substitution for, your right to contact our Data Protection Officer at dpo@socialgryd.com or the Estonian Data Protection Inspectorate (our lead supervisory authority). Appointment of a representative does not transfer accountability for compliance with the UK GDPR. SocialGryd Limited remains the controller responsible for the processing.
24. Your Rights Under California Law (CCPA/CPRA)
24a. Your Rights as a California Consumer
- Right to know: categories and specific pieces of personal information we have collected, sources, purposes, and categories of third parties with whom we share it (over the prior 12 months or longer at your request).
- Right to delete: request deletion, subject to statutory exceptions (legal obligations, fraud prevention, free speech, internal uses aligned with your expectations, completion of transactions).
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing": SocialGryd does not sell personal information as defined by the CCPA/CPRA and does not share personal information for cross-context behavioural advertising. All sub-processor transfers are under service-provider or contractor contracts that prohibit sale and prohibit any use other than the contracted purpose.
- Right to limit use of sensitive personal information (including precise geolocation): you may disable location permissions in device settings. Our use of sensitive PI is limited to the purposes listed under "business purposes" in the CCPA and does not extend to inferring characteristics beyond those purposes.
- Right to non-discrimination for exercising your rights.
- Right to appeal a denial of a rights request: email privacy@socialgryd.com with subject "CCPA Appeal"; we respond within 60 days.
24b. How to Submit a Request
Submit requests by emailing privacy@socialgryd.com or using the in-app account-deletion tool. We verify your identity by confirming control of your registered email. Authorised agents may submit on your behalf with written authorisation and proof of identity.
We honour Global Privacy Control (GPC) and similar universal opt-out signals as valid opt-out requests where applicable state law requires.
24c. Categories of Personal Information Collected (CCPA Disclosure)
| CCPA Category | Collected | Sold | Shared for Ads |
|---|---|---|---|
| Identifiers (name, email, username, phone, device ID) | Yes | No | No |
| Commercial information (membership, subscriptions) | Yes | No | No |
| Internet/electronic activity (usage, analytics, interactions) | Yes | No | No |
| Geolocation data (approximate and precise) | Yes | No | No |
| Professional/employment information (work profile, skills) | Yes | No | No |
| Education information (school, degree, graduation year) | Yes | No | No |
| Inferences (content categories, Gryd Score, engagement) | Yes | No | No |
| Sensitive PI (precise geolocation; account credentials) | Yes | No | No |
| Audio / visual information (photos, videos, stories) | Yes | No | No |
| Biometric information | No | No | No |
| Protected classifications (race, religion, health, etc.) | No | No | No |
SocialGryd does not derive biometric identifiers (facial geometry, voiceprint, fingerprints) from user-uploaded media.
25. Your Rights Under Other US State Laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Delaware (DPDPA), Iowa (ICDPA), Nebraska (NDPA), New Hampshire (NHPA), New Jersey (NJDPL), Minnesota (MCDPA), Maryland (MODPA), Tennessee (TIPA), Montana (MCDPA), Indiana (INCDPA), Rhode Island, Oregon (OCPA), or any other US state that adopts comprehensive privacy legislation, you have rights substantially similar to those described in Section 24, including rights to know, access, correct, delete, and opt out of targeted advertising, sale, and profiling with legal or similarly significant effects.
We do not engage in "targeted advertising" as that term is defined under these laws; we do not "sell" personal data; and we do not conduct profiling that produces legal or similarly significant effects. You may still submit a request at any time via privacy@socialgryd.com and we will action it under the highest-protection state standard.
26. Your Rights Under Brazilian Law (LGPD)
If you are in Brazil, the LGPD gives you rights including: confirmation of processing; access; correction of incomplete, inaccurate or out-of-date data; anonymisation, blocking or deletion of unnecessary or excessive data; portability; deletion of data processed with your consent; information about public and private entities with which we shared your data; information about the possibility and consequences of refusing consent; and revocation of consent. Our Data Protection Officer is the point of contact for LGPD requests.
The minimum age in Brazil is 18 (or 16 with verifiable parental/legal-guardian consent). Brazilian users may contact the Autoridade Nacional de Protecao de Dados (ANPD) at gov.br/anpd.
27. Your Rights in Other Jurisdictions
We aim to apply the highest practical standard globally. The subsections below describe jurisdiction-specific rights, contact points, and mandatory disclosures for users outside the EEA, UK, Brazil, and the US states covered in Sections 23–26. Where a subsection is silent on a particular right, the general rights framework in Section 23 applies as a baseline by policy (not by legal obligation) so long as the processing happens under our control. To exercise any right, contact privacy@socialgryd.com or dpo@socialgryd.com; we respond within the timeframe required by your applicable law.
27a. Canada (PIPEDA and Provincial Laws)
If you are in Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Alberta, British Columbia, and Québec private-sector privacy laws (including Québec's Law 25, in force progressively since 2022), and provincial health-information laws apply to the extent relevant. You have rights to: access your personal information; correct inaccuracies; withdraw consent (where processing was consent-based); and file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or with your provincial commissioner (e.g., Commission d'accès à l'information du Québec for Québec residents at cai.gouv.qc.ca).
Québec (Law 25) specifics. We identify our Privacy Officer as our DPO (dpo@socialgryd.com). We conduct a privacy-impact assessment before any new cross-border transfer of Québec residents' personal information. We offer a de-indexing ("right to be forgotten") route for Québec residents on request. We notify the CAI and affected individuals of confidentiality incidents posing a risk of serious injury without delay. Where Québec consumer-law principles require a French-language text of this Policy and the Terms, we will make one available on request pending publication of a full French translation. Any provision of this Policy that would be less protective than Law 25 for a Québec resident is superseded for that resident to the extent of the conflict.
27b. Australia (Privacy Act 1988 and APPs)
If you are in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") apply. You have rights to access your personal information (APP 12), seek correction (APP 13), and complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We will notify you and the OAIC of an eligible data breach under the Notifiable Data Breaches scheme (Part IIIC) without undue delay once aware. Cross-border disclosures (APP 8) are made under our sub-processor contracts and subject to our reasonable-steps requirement. Marketing is handled under the Spam Act 2003 and Do Not Call Register Act 2006; unsubscribe in any marketing email or by contacting privacy@socialgryd.com. Content and online-safety matters are subject to the Online Safety Act 2021 and the eSafety Commissioner's Basic Online Safety Expectations; authorised takedown orders from the eSafety Commissioner should be sent to legal@socialgryd.com.
27c. New Zealand (Privacy Act 2020)
If you are in New Zealand, the Privacy Act 2020 and the Information Privacy Principles apply. You have access and correction rights, and you may complain to the Office of the Privacy Commissioner (privacy.org.nz). We will notify the OPC and affected individuals of a notifiable privacy breach. Cross-border disclosures are made only where the overseas recipient is subject to comparable safeguards.
27d. Switzerland (Revised FADP)
If you are in Switzerland, the revised Federal Act on Data Protection (in force 1 September 2023) and its implementing ordinance apply. You have rights of access, rectification, deletion, and objection. We rely on the EU Standard Contractual Clauses, adequacy recognition by the Federal Council, or explicit consent for transfers outside Switzerland. You may complain to the Federal Data Protection and Information Commissioner ("FDPIC") at edoeb.admin.ch. Where this Policy refers to GDPR rights, Swiss users may exercise the equivalent rights under the FADP via the same channels.
27e. Japan (APPI)
If you are in Japan, the Act on the Protection of Personal Information ("APPI", as amended 2022) applies. You have rights to: receive disclosure of retained personal data; request correction, addition, or deletion of inaccurate data; and request a suspension of use or a suspension of transfer to third parties under Article 30. Cross-border transfers are made under the APPI's supplementary information requirements. You may complain to the Personal Information Protection Commission ("PPC") at ppc.go.jp. We notify the PPC and affected individuals of a data leakage incident as required by Article 26.
27f. South Korea (PIPA)
If you are in South Korea, the Personal Information Protection Act ("PIPA", as amended) applies. You have rights of access, correction, deletion, and suspension of processing. You may withdraw consent at any time. Cross-border transfers are disclosed, and we require your separate consent where PIPA requires. You may complain to the Personal Information Protection Commission (PIPC) at pipc.go.kr. The minimum age for independent consent in Korea is 14 (see Section 22); for users aged 14–17 we collect verifiable consent of a legal guardian. If our user base in Korea grows past the local-representative threshold, we will appoint a local representative under PIPA Article 31-2 and publish the appointment.
27g. India (DPDP Act 2023)
If you are in India, the Digital Personal Data Protection Act 2023 ("DPDP Act") applies as it is brought into force. You have rights to: a summary of your personal data processed; correction, completion, updating, and erasure; grievance redressal; and nomination of another individual to exercise your rights in the event of death or incapacity. The minimum age for independent consent in India is 18; for users under 18, verifiable parental or legal-guardian consent is required. You may contact our DPO (dpo@socialgryd.com) as the grievance officer for DPDP purposes. If designated as a Significant Data Fiduciary, we will comply with additional obligations (audit, DPIA, and India-resident DPO). We currently operate below the SDF threshold and will monitor.
27h. Singapore (PDPA)
If you are in Singapore, the Personal Data Protection Act 2012 ("PDPA") applies. You have rights of access and correction, and you may withdraw consent. We have designated a Data Protection Officer (dpo@socialgryd.com) for PDPA purposes. The Do Not Call ("DNC") provisions apply to marketing messages to Singapore numbers; we honour DNC register requests and maintain our own unsubscribe lists. You may complain to the Personal Data Protection Commission at pdpc.gov.sg. We notify the PDPC and affected individuals of a notifiable data breach.
27i. Indonesia, Thailand, Malaysia, Philippines, Vietnam (Southeast Asia)
If you are in Indonesia (Personal Data Protection Law 2022), Thailand (PDPA 2019), Malaysia (PDPA 2010, as amended 2024), the Philippines (Data Privacy Act 2012), or Vietnam (Decree 13/2023/ND-CP on Personal Data Protection), you have rights of access, rectification, erasure, and objection analogous to those in Section 23, exercised via privacy@socialgryd.com. The minimum age in Indonesia is 17 (see Section 22). Cross-border transfer rules differ by jurisdiction; we rely on contractual safeguards (SCCs or equivalent) and, where required, consent. You may complain to the competent local authority (e.g., the Philippines National Privacy Commission at privacy.gov.ph; Thailand's PDPC; Malaysia's Department of Personal Data Protection).
27j. United Arab Emirates (Federal PDPL, ADGM, DIFC)
If you are in the UAE, the Federal Personal Data Protection Law (Decree-Law No. 45 of 2021) applies generally, with separate data-protection regimes in the ADGM and DIFC financial free zones. You have rights of access, correction, deletion, objection, and withdrawal of consent. Exercise requests via privacy@socialgryd.com. Complaints may be made to the UAE Data Office (federal), the DIFC Commissioner of Data Protection (dp.difc.ae), or the ADGM Office of Data Protection (adgm.com) depending on where you are located.
27k. Saudi Arabia (PDPL)
If you are in Saudi Arabia, the Personal Data Protection Law (Royal Decree M/19 of 2021, in force since 14 September 2023) applies. You have rights of access, correction, and deletion. Cross-border transfers are made under SDAIA-approved mechanisms. Complaints may be made to the Saudi Data and Artificial Intelligence Authority ("SDAIA") at sdaia.gov.sa.
27l. Turkey (KVKK)
If you are in Türkiye, Law No. 6698 on the Protection of Personal Data ("KVKK") applies. You have rights of access, correction, deletion, objection, and compensation for damages. Complaints may be made to the Personal Data Protection Authority ("KVKK / KVKK Kurumu") at kvkk.gov.tr. Cross-border transfers are made under KVKK's transfer rules (including the 2024 amendments introducing standard contracts and binding corporate rules).
27m. South Africa (POPIA)
If you are in South Africa, the Protection of Personal Information Act 2013 ("POPIA") applies. You have rights of access, correction, deletion, and objection, and you may complain to the Information Regulator at inforegulator.org.za. We notify the Information Regulator and affected data subjects of a security compromise as soon as reasonably possible under Section 22 POPIA.
27n. Mexico (LFPDPPP)
If you are in Mexico, the Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP") applies. You may exercise ARCO rights (Access, Rectification, Cancellation, Opposition) via privacy@socialgryd.com. Complaints may be made to the competent Mexican data-protection authority as designated by reform of the former INAI's functions.
27o. Other Latin America (Argentina, Chile, Colombia, Peru, Uruguay)
If you are in Argentina (Law 25.326 and its upcoming successor), Chile (Law 19.628 as being reformed into Law 21.719), Colombia (Law 1581/2012), Peru (Law 29733), or Uruguay (Law 18.331), you have rights of access, rectification, deletion, and opposition. Contact privacy@socialgryd.com. Local supervisory authorities include the AAIP (Argentina), the National Data Protection Agency (Chile, once established under Law 21.719), the Superintendencia de Industria y Comercio (Colombia), the ANPD (Peru), and the URCDP (Uruguay).
27p. Israel (Protection of Privacy Law)
If you are in Israel, the Protection of Privacy Law 5741-1981 and its regulations apply. You have rights of access and correction. Complaints may be made to the Privacy Protection Authority at gov.il/en/departments/the_privacy_protection_authority.
27q. Africa (Kenya, Nigeria, Egypt, and others)
If you are in Kenya (Data Protection Act 2019), Nigeria (Data Protection Act 2023), Egypt (Personal Data Protection Law 2020), Ghana (Data Protection Act 2012), or another African jurisdiction with applicable data-protection legislation, you may exercise rights analogous to those set out in Section 23. Contact privacy@socialgryd.com. We will identify the relevant supervisory authority on request and cooperate with it.
27r. Other Jurisdictions (Catch-All)
If your country is not named above, you may still exercise the core privacy rights set out in Section 23 as a matter of our global policy, subject to verification and statutory exceptions. Contact privacy@socialgryd.com or dpo@socialgryd.com. Where your local law is silent or provides fewer rights, we apply the global-policy baseline; where your local law provides additional rights, those apply and prevail over this Policy to the extent of any conflict.
27s. Mandatory Language and Translation
This Policy is published in English. Where your local law requires a translation into an official language of your jurisdiction for consumer contracts (for example, French in Québec; the national language in jurisdictions that so require), we will provide a reasonable translation on written request pending full publication. The English-language version prevails for interpretation except where prevailing local law requires the local-language version to prevail.
28. Account Deletion
You can request deletion of your account from in-app settings or by emailing privacy@socialgryd.com. When you delete your account:
- We delete your profile, work profile, and subcollections (connections, blocks, notifications).
- We delete your posts, comments, likes, reactions, stories, and uploaded media files from live systems.
- We delete your direct-message conversations and their contents. If you participated in a group chat, your membership is removed; the group chat is preserved for remaining participants but your identifiers are replaced with "Former member".
- We remove your connection and follow graph entries.
- We delete your notification settings, engagement scores, and analytics associations.
- We delete authentication credentials and invalidate all sessions.
- We send a deletion confirmation email to your registered address.
Residual copies persist in encrypted backups for up to 90 days, then are purged. Limited data may be retained beyond deletion where required for legal compliance (tax records), fraud prevention (deletion-feedback markers and bans), dispute resolution, or safety investigations (see the Retention Table in Section 20). Content that has been shared, forwarded, screenshotted, cached, scraped, or reshared by other users or external systems before deletion cannot be recalled by SocialGryd.
29. Deceased Users
If a user passes away, a verified family member, legal representative, or estate executor may contact privacy@socialgryd.com to request deletion of the deceased user's account, or a copy of their personal data to the extent permitted by applicable law. Because accounts may contain private communications with third parties, we may provide only the data the deceased user could have exported themselves, and may require:
- A certified copy of the death certificate
- Proof of your identity (government-issued ID)
- Proof of your legal authority to act on behalf of the estate (grant of probate, letters of administration, will, or similar instrument)
- A written request specifying what action you want us to take
We may decline requests for private messages of the deceased user where disclosure would violate the privacy rights of other conversation participants, unless compelled by court order.
30. Data Breach Notification
In the event of a personal data breach:
- We will notify the Estonian Data Protection Inspectorate (or another lead supervisory authority as applicable) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of affected individuals, in accordance with GDPR Article 33.
- Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify affected users without undue delay, through available channels (email, in-app notice, or website notice), in accordance with GDPR Article 34.
- We maintain an internal register of all personal-data breaches as required by GDPR Article 33(5).
- Where our sub-processor suffers a breach affecting your data, we require the sub-processor to notify us without undue delay (typically within 24-48 hours) under our DPA, and we pass the notification up to you and regulators as needed.
Notifications will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.
31. Corporate Transactions and Change of Control
If SocialGryd Limited is acquired, merged, sold, reorganised, enters insolvency proceedings, or transfers substantially all of its assets, personal data may be transferred as part of the transaction, subject to equivalent protection commitments. We will notify affected users before any such transfer takes effect and offer a 30-day window in which to delete their account before the transfer.
32. Do Not Track and Global Privacy Control
The Do Not Track (DNT) browser signal has not been standardised and is not currently honoured by our Platform. We do honour the Global Privacy Control (GPC) signal where required by applicable US state law. Cookie choices set through our cookie banner are honoured on the device and browser where they were set.
33. Changes to This Policy
We may update this Privacy Policy from time to time to reflect product changes, legal developments, or new sub-processors. When we make changes:
- Material changes (new categories of data, new purposes, new sub-processor categories, significant changes to rights or retention, new international transfer mechanisms): we will notify you through the app, website, email, or other reasonable channel at least 30 days before the changes take effect, except where earlier effect is required for legal or security reasons.
- Non-material changes (clarifications, formatting, typographical corrections): the updated Policy takes effect when we publish it with a new "Last Updated" date.
Continued use of the Platform after the effective date of a change means you accept the updated Policy. Previous versions are available on request from privacy@socialgryd.com.
34. How to Contact Us
- Privacy / data subject rights: privacy@socialgryd.com
- Data Protection Officer: dpo@socialgryd.com
- UK Representative (UK GDPR Article 27): dpr@socialgryd.com (postal address at Section 23a above)
- Safety, abuse, and CSAE reports: report@socialgryd.com
- Legal, IP, and law enforcement: legal@socialgryd.com
- Security: security@socialgryd.com
- General support: support@socialgryd.com
SocialGryd Limited, Narva mnt 5, Kesklinna linnaosa, Tallinn, Harju maakond 10117, Estonia.