Privacy Policy

Applicability

This policy applies to all personal data collected through web, mobile, and integrated APIs. It governs collection, use, disclosure, and protection measures. Using the service means you accept these practices. Updates may be made without direct notice, so please review periodically.

Data Minimization

Only data strictly necessary for service delivery—usernames, session tokens, and usage logs—is collected. No sensitive categories such as health or financial data are ever requested. Optional features require explicit consent for additional data. All collection points are accompanied by clear explanations.

Processing Purposes

Data is processed to authenticate users, prevent abuse, and maintain system health. Aggregate, de-identified information supports performance monitoring and improvements. Personal data is not used for marketing absent separate consent. Future processing expansions will be publicly declared and require opt-in.

Consent Mechanisms

Non-essential data collection mechanisms—surveys, advanced analytics—are disabled by default. Clear opt-in prompts request user consent before activation. You can withdraw consent at any time via your account settings. Withdrawal does not affect processing completed before revocation.

Security Controls

Transport Layer Security (TLS) encrypts all data in transit. Data at rest is secured using AES-256 or equivalent algorithms. Access is governed by strict role-based permissions and multi-factor authentication. System logs record access attempts and are reviewed regularly.

User Rights

You have the right to access, correct, and delete personal data held about you. Requests are honored within 30 days, subject to applicable laws. Data essential for compliance or dispute resolution may be retained but anonymized when possible. You may also request a portable copy of your data.

Retention Schedule

Active user data is kept for up to 24 months following the last interaction. Backup archives are purged within 90 days after the active retention period. Anonymized datasets may be retained indefinitely for analytical purposes. Comprehensive retention details are provided on request.

Notification of Breach

In the event of a confirmed data breach, affected individuals will be notified within 72 hours. Notifications will outline the breach’s nature, affected data types, and steps for mitigation. Relevant regulators will be informed per legal requirements. A full incident review will guide control enhancements.

Anonymization

Before any analytical use, direct identifiers are removed or replaced with irreversible pseudonyms. Aggregated reports contain no personal identifiers. This approach ensures that individuals cannot be re-identified. Anonymized data may be used for research and performance tuning.

Third-Party Transfers

Data is shared only with essential processors like hosting and payment providers. Each processor is bound by data protection agreements. No data is transferred to advertisers or data brokers. All transfers are logged and auditable.

Policy Updates

This policy is reviewed and updated annually or when legal or operational changes occur. Material updates are announced via in-service notifications and email at least 14 days prior. Continued use after the effective date implies acceptance. Archived versions remain accessible for transparency.