Privacy Policy
Version: 1.0 | Effective Date: February 1, 2026 | Last Updated: February 1, 2026
Welcome to Smuppy. This Privacy Policy explains how Smuppy Inc. ("Smuppy," "we," "our," or "us") collects, uses, stores, shares, and protects your personal information when you use our platform.
We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including:
- GDPR (European Union)
- CCPA/CPRA (California, USA)
- PIPEDA and Quebec Law 25 (Canada)
- UK Data Protection Act 2018 (United Kingdom)
- LGPD (Brazil)
- Privacy Act 1988 (Australia)
By using Smuppy, you consent to the data practices described in this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
Account Information:
- Name, username, email address
- Password (encrypted)
- Date of birth
- Phone number (optional)
- Profile photo and bio
Profile Information:
- Gender (optional)
- Location (optional)
- Interests and preferences
- Professional credentials (for Professional Accounts)
Content You Create:
- Posts, photos, videos, and Peaks
- Comments and messages
- Reviews and ratings
Payment Information:
- Processed securely by Stripe
- We do not store full credit card numbers
1.2 Information Collected Automatically
Device Information:
- Device type, model, and operating system
- Unique device identifiers
- IP address
- Browser type and version
Usage Information:
- Features used and actions taken
- Time spent on the Platform
- Content viewed and interactions
- Search queries
Location Information:
- Precise location (GPS) when you enable location services
- Approximate location based on IP address
- Locations you tag in posts
1.3 Information from Third Parties
- Social Login: If you sign in with Google or Apple, we receive basic profile information
- Payment Providers: Transaction status and payment confirmation from Stripe
- Identity Verification: Verification results from Stripe Identity (for Professional Accounts)
2. Legal Basis for Processing (GDPR)
For users in the European Union and other applicable jurisdictions, we process your data based on the following legal bases:
| Data Type |
Legal Basis |
GDPR Article |
| Account creation and management |
Performance of contract |
Art. 6(1)(b) |
| Processing payments |
Performance of contract |
Art. 6(1)(b) |
| Location services |
Consent |
Art. 6(1)(a) |
| Biometric authentication |
Consent |
Art. 6(1)(a), Art. 9(2)(a) |
| Marketing communications |
Consent |
Art. 6(1)(a) |
| Personalized recommendations |
Legitimate interest |
Art. 6(1)(f) |
| Analytics and improvement |
Legitimate interest |
Art. 6(1)(f) |
| Fraud prevention and security |
Legitimate interest |
Art. 6(1)(f) |
| Legal compliance |
Legal obligation |
Art. 6(1)(c) |
| Tax and financial records |
Legal obligation |
Art. 6(1)(c) |
3. How We Use Your Information
3.1 Provide and Improve Services
- Create and manage your account
- Enable social features (posting, following, messaging)
- Provide location-based features (Xplorer map)
- Process payments and subscriptions
- Provide customer support
- Improve and develop new features
3.2 Personalization
- Recommend content, users, and professionals
- Customize your feed based on interests
- Suggest relevant events and activities
3.3 Communication
- Send service-related notifications
- Respond to your inquiries
- Send marketing communications (with your consent)
- Notify you of policy changes
3.4 Safety and Security
- Detect and prevent fraud
- Enforce our Terms of Service
- Protect users from harmful content
- Comply with legal obligations
4. How We Share Your Information
4.1 With Other Users
- Your profile information is visible to other users
- Your posts, Peaks, and content are visible based on your privacy settings
- Your follower/following lists may be visible to others
4.2 With Service Providers
We share information with trusted third-party service providers:
| Provider |
Purpose |
Location |
Data Shared |
| Supabase |
Database & Authentication |
United States (AWS) |
Account data, content |
| Amazon Web Services (AWS) |
Cloud hosting |
United States |
All platform data |
| Stripe |
Payment processing |
United States |
Payment information |
| Stripe Identity |
Identity verification |
United States |
ID documents, selfie |
| Agora |
Live streaming |
United States |
Video/audio streams |
| Google Maps |
Location services |
United States |
Location data |
All service providers are contractually bound to protect your data and use it only for specified purposes.
4.3 For Legal Reasons
We may disclose information:
- To comply with legal obligations
- In response to lawful requests by authorities
- To protect Smuppy's rights and safety
- To protect users or the public
4.4 Business Transfers
If Smuppy is involved in a merger, acquisition, or sale, your information may be transferred as part of that transaction. We will notify you of any such change.
5. We Do Not Sell Your Personal Data
Smuppy Inc. does not sell your personal information.
We do not exchange your data for monetary compensation. We may share anonymized, aggregated data with partners for analytics purposes, but this data cannot identify you personally.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your residence, including the United States and Canada.
6.1 Safeguards
For transfers from the European Economic Area (EEA), UK, or other regions with data transfer restrictions, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Data Processing Agreements (DPAs) with all service providers
- Transfer Impact Assessments (TIAs) to evaluate the legal framework of destination countries
- Encryption of data in transit and at rest
6.2 Transfer Destinations
- United States: AWS, Stripe, Agora, Google (protected by SCCs)
- Canada: Smuppy Inc. headquarters (adequacy decision for commercial organizations under PIPEDA)
7. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type |
Retention Period |
| Account data |
Until account deletion + 90 days |
| Profile information |
Until account deletion |
| Posts and content |
Until deleted by user or account deletion |
| Messages |
Until deleted by user or account deletion |
| Peaks (Stories) |
24 hours (automatic deletion) |
| Payment records |
7 years (legal requirement) |
| Usage logs |
12 months |
| Support communications |
3 years |
| Location history |
12 months |
7.1 After Account Deletion
When you delete your account:
- Your data is deleted within 30 days
- Backup copies are deleted within 90 days
- Some data may be retained if required by law
8. Your Privacy Rights
Depending on your location, you have certain rights regarding your personal data:
8.1 All Users
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Request deletion of your data
- Portability: Receive your data in a portable format
- Withdraw Consent: Withdraw consent at any time
8.2 European Union (GDPR)
- Right to access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "Right to be Forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right not to be subject to automated decision-making (Art. 22)
8.3 California (CCPA/CPRA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale/sharing (Note: We do not sell your data)
- Right to non-discrimination
- Right to correct inaccurate information
- Right to limit use of sensitive personal information
8.4 Canada (PIPEDA / Quebec Law 25)
- Right to access personal information
- Right to correction
- Right to withdraw consent
- Right to file a complaint with the Privacy Commissioner
8.5 Brazil (LGPD)
- Right to confirmation and access
- Right to correction
- Right to anonymization, blocking, or deletion
- Right to data portability
- Right to information about sharing
- Right to revoke consent
8.6 How to Exercise Your Rights
To exercise any of these rights, contact us at:
We will respond to your request within 30 days (or sooner if required by law).
9. California Privacy Rights (CCPA Notice)
9.1 Categories of Personal Information Collected
| Category |
Examples |
Collected |
| Identifiers |
Name, email, username, IP address |
Yes |
| Customer Records |
Phone number, payment information |
Yes |
| Protected Classifications |
Age, gender (optional) |
Yes |
| Commercial Information |
Purchase history, subscriptions |
Yes |
| Internet Activity |
Browsing history, interactions |
Yes |
| Geolocation |
Precise location (with consent) |
Yes |
| Sensory Data |
Photos, videos, audio |
Yes |
| Professional Information |
Business details (Professional Accounts) |
Yes |
| Inferences |
Preferences, interests |
Yes |
9.2 Your California Rights
- Right to Know: Request disclosure of data collected
- Right to Delete: Request deletion of your data
- Right to Opt-Out: We do not sell or share your data for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
9.3 How to Submit a Request
- Email: dpo@smuppy.com
- Include "California Privacy Request" in the subject line
10. Biometric Data
10.1 Face ID / Touch ID
If you enable biometric authentication:
- Biometric data is processed locally on your device
- Smuppy does not store or transmit biometric templates
- This data is managed by your device's operating system (Apple iOS or Android)
10.2 Identity Verification (Stripe Identity)
For Professional Accounts using identity verification:
- A selfie and ID document may be required
- This data is processed by Stripe Identity
- Smuppy receives only verification results (verified/not verified)
- Original documents are handled by Stripe per their privacy policy
11. Children's Privacy
Smuppy is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.
If we discover that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@smuppy.com.
12. Security
We implement industry-standard security measures to protect your data:
- Encryption: TLS/SSL for data in transit, AES-256 for data at rest
- Access Controls: Limited employee access on a need-to-know basis
- Monitoring: Continuous security monitoring and logging
- Audits: Regular security assessments
12.1 Security Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify affected users within 72 hours (as required by GDPR)
- Notify relevant supervisory authorities as required by law
- Take immediate steps to secure the data and prevent further breaches
12.2 No Guarantee
While we strive to protect your data, no system is 100% secure. We cannot guarantee absolute security against all threats.
13. Cookies and Tracking Technologies
13.1 What We Use
- Essential Cookies: Required for the Platform to function
- Analytics Cookies: Help us understand how users interact with Smuppy
- Preference Cookies: Remember your settings and preferences
13.2 Your Choices
You can manage cookie preferences through:
- Your browser settings
- Your device settings
- Our cookie consent banner (where applicable)
For more information, see our Cookie Policy.
14. Automated Decision-Making
14.1 How We Use Automation
Smuppy uses algorithms to:
- Personalize your feed and recommendations
- Detect potentially harmful content
- Prevent fraud and spam
14.2 Your Rights
You have the right to:
- Request human review of automated decisions that significantly affect you
- Object to profiling for direct marketing
- Adjust your preferences in Settings
15. Third-Party Links
Smuppy may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will:
- Notify you via email or in-app notification
- Post the updated policy on this page
- Update the "Last Updated" date
Your continued use of Smuppy after changes take effect constitutes acceptance of the updated policy.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
17.1 Supervisory Authorities
If you are in the European Union and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
If you are in Canada, you may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.
18. Governing Law
This Privacy Policy is governed by the laws of the Province of Ontario, Canada, without regard to conflict of law principles.
For users in the European Union, this policy also complies with GDPR requirements, and you retain all rights provided under EU law.
© 2026 Smuppy Inc. All rights reserved.