Privacy Policy
Last updated: 2026-05-28
{{LEGAL_ENTITY_NAME}} (“we”) operates Sweet Social. This policy explains what personal data we collect, why, and the rights you have under the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar laws.
1. Data controller
{{LEGAL_ENTITY_NAME}}, {{LEGAL_ENTITY_ADDRESS}}. Contact: {{LEGAL_CONTACT_EMAIL}}.
2. What we collect
- Account data: email, display name, password hash, date of birth (used only for age verification, not displayed).
- Content you post: posts, likes, profile bio.
- Payment data: processed by Stripe. We store only the Stripe customer/subscription IDs and the country reported by Stripe — we never see card numbers.
- Technical data: IP address, browser type, and timestamps in server logs (kept up to 30 days for security).
- Consent records: a log of when you accepted these terms and your cookie choices.
3. Why we use it (legal bases under GDPR)
- To provide the service (Art. 6(1)(b) — contract).
- To keep accounts secure and prevent abuse (Art. 6(1)(f) — legitimate interests).
- To process payments (Art. 6(1)(b) — contract).
- To comply with the law, including tax, DMCA, and CSAM reporting obligations (Art. 6(1)(c)).
- Optional analytics / marketing emails only with your consent (Art. 6(1)(a)).
4. Who we share with
We use a small number of vetted processors. We do not sell personal data.
- Supabase — database & authentication hosting (data processor).
- Stripe — payment processing and tax (data processor & sub-controller).
- Cloudflare — content delivery and DDoS protection.
- Google — only if you sign in with Google.
- Law enforcement when legally required.
5. International transfers
Our processors may store data in the United States and other jurisdictions. Where required, transfers from the EEA/UK rely on the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.
6. How long we keep data
- Account & content: until you delete your account, then up to 30 days in backups.
- Server logs: 30 days.
- Billing records: 7 years (tax law).
- Moderation/abuse reports: 12 months after resolution.
7. Your rights
You can — at any time, free of charge — request:
- Access to a copy of your data.
- Correction of inaccurate data.
- Deletion (“right to be forgotten”).
- Portability in a machine-readable format (JSON).
- Restriction or objection to certain processing.
- Withdrawal of consent at any time.
You can export or delete your account directly from your feed settings, or email {{LEGAL_CONTACT_EMAIL}}. We respond within 30 days.
8. California residents (CCPA/CPRA)
You have the right to know what we collect, to delete it, to correct it, to opt out of any “sale” or “sharing” (we do neither), and to non-discrimination for exercising your rights. To submit a request, email {{LEGAL_CONTACT_EMAIL}}. We verify identity via the email on file.
9. Children
Sweet Social is not directed to children under 13. We do not knowingly collect data from children under that age. If you believe a child has provided us data, email {{LEGAL_CONTACT_EMAIL}} and we will delete it.
10. Security
We use encryption in transit (TLS), encryption at rest, hashed passwords, row-level security in the database, and least-privilege access. No system is perfect — we will notify you and regulators of any breach as required by law (within 72 hours under GDPR).
11. Changes
We will post any update here and, for material changes, notify you in the app or by email at least 14 days beforehand.
12. Complaints
You have the right to lodge a complaint with your local data protection authority. EU users can find theirs at edpb.europa.eu. UK users: the ICO at ico.org.uk.
