Privacy Policy

When you create an account, we collect:

• Email address
• Password (stored in encrypted form)
• Display name or username
• Profile information (optional)
• Role preferences within relationships (Dominant/Submissive)
• Timezone and language preferences

We automatically collect certain information when you use the Service:

• Features accessed and actions taken within the app
• Date and time of access
• Time spent on various features
• Error logs and performance data
• Interaction patterns with other users (within your relationships)

We may collect information about your device, including:

• Device type and model
• Operating system and version
• Unique device identifiers
• Mobile network information
• IP address
• Browser type (for web access)

Content you create or share within the Service:

• Chat messages and communications
• Tasks, habits, punishments, and rewards you create
• Notes, journals, and contracts
• Photos and media you upload
• Voice recordings and other attachments

If you enable location features, we may collect your device's location data. This is only collected with your explicit consent and is used for features like location tracking and geofencing within your relationships. You can disable location sharing at any time in your device settings.

If you use our financial features (such as the Findom module), we may collect bank account information through our third-party payment processor, Teller. We do not store your full banking credentials on our servers. Please refer to Teller's privacy policy for information about how they handle your financial data.

Information you create within a relationship (tasks, messages, photos, etc.) is shared with your relationship partner(s) as part of the core functionality of the Service. You control what information you share within each relationship.

We work with trusted third-party service providers who assist us in operating the Service:

• Supabase: Our primary database and authentication provider. Supabase stores your account data, user-generated content, and handles secure authentication. They maintain SOC 2 Type II compliance. Learn more at supabase.com/privacy
• Teller: Our banking integration partner for financial features. Teller securely handles bank account connections and transaction data. Learn more at teller.io/privacy
• Cloud Infrastructure: We use industry-standard cloud providers to host our services with appropriate security certifications

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, etc.)
• Government requests that comply with applicable law
• Protection of our rights, privacy, safety, or property
• Emergency situations involving potential threats to safety

If Subrosa is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.

You have the right to request a copy of the personal information we hold about you. You can access most of your data directly through the app settings, or contact us for a complete data export.

You can update your account information at any time through the app. If you need to correct other information, please contact us.

You can request deletion of your account and associated data at any time. Upon deletion:

• Your account will be deactivated immediately
• Your personal data will be deleted within 30 days
• Some data may be retained for legal or legitimate business purposes
• Anonymized/aggregated data may be retained for analytics

You have the right to receive your data in a structured, commonly used, and machine-readable format. Contact us to request a data export.

Where we process your data based on consent, you may withdraw that consent at any time. This includes opting out of optional features like location tracking or push notifications.

You can manage your notification preferences in the app settings. You can opt out of non-essential communications while still receiving important account-related messages.

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested
• Legitimate Interests: Processing for our legitimate business interests (e.g., security, fraud prevention, service improvement)
• Consent: Processing based on your explicit consent (e.g., location tracking, marketing communications)
• Legal Obligation: Processing required to comply with applicable laws

In addition to the rights listed in Section 5, GDPR provides you with:

• Right to Restriction: Request that we limit the processing of your data
• Right to Object: Object to processing based on legitimate interests
• Right to Lodge a Complaint: File a complaint with your local data protection authority

Your data may be transferred to and processed in countries outside the EEA. When we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

For GDPR-related inquiries, you may contact our Data Protection Officer at privacy@subrosaapp.com

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

You have the right to request deletion of your personal information, subject to certain exceptions permitted by law.

We will not discriminate against you for exercising your CCPA rights. We will not deny you goods or services, charge you different prices, or provide a different level of quality based on your privacy choices.

We do not sell your personal information. Subrosa has never sold user data and has no intention of doing so. We do not share your data with third parties for their direct marketing purposes.

You may designate an authorized agent to make requests on your behalf. We will require verification of both your identity and the agent's authorization.

To exercise your CCPA rights, contact us at privacy@subrosaapp.com or use the in-app privacy settings. We will respond to verified requests within 45 days.

• Essential Cookies: Required for basic functionality (authentication, security)
• Functional Cookies: Remember your preferences and personalization
• Analytics Cookies: Help us understand usage patterns (privacy-focused analytics only)

You can manage cookie preferences through our cookie consent banner or your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

• Active Accounts: Data is retained while your account is active
• Deleted Accounts: Personal data is deleted within 30 days of account deletion
• Backups: Backup data is purged within 90 days of deletion request
• Legal Records: Some data may be retained longer if required by law (e.g., financial records, legal disputes)
• Anonymized Data: Aggregated, anonymized data may be retained indefinitely for analytics and service improvement

Chat messages and in-app communications are retained while your account and relationship are active. You may delete individual messages. When a relationship is ended, both parties retain access to their own data but shared content visibility may be affected.