theSHFT ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application ("Application" or "App"). This Policy applies globally to all users regardless of location.

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

• Username: A unique identifier you choose during account creation. This is the only personally identifiable information we require.
• Recovery Phrase: An encrypted backup phrase for account recovery. This is stored ONLY on your device and is NEVER transmitted to our servers.
• PIN: Your access code for the Application. This is stored ONLY on your device using encrypted local storage and is NEVER transmitted to our servers.
• Contact List: Usernames of people you add as contacts within the Application.
• User Reports: Information you voluntarily provide when reporting abuse or contacting support.

1.2 Information Collected Automatically

• Device Identifier: An anonymous, non-personally identifiable device ID used to ensure account uniqueness and prevent fraud.
• App Usage Analytics: Anonymous, aggregated statistics about feature usage to improve the Application (can be disabled in Settings).
• Crash Reports: Technical diagnostic data when the Application crashes, including device type, OS version, and crash stack traces (no personal data).
• Performance Data: Anonymous metrics about Application performance and stability.
• Push Notification Token: If you enable notifications, we receive a device token from Apple Push Notification Service (APNs) to deliver notifications.

1.3 Information We Do NOT Collect

Due to our privacy-focused design and end-to-end encryption, we explicitly DO NOT collect:

• Message content (all messages are end-to-end encrypted)
• Photos, images, or media you send
• Voice messages or audio recordings
• Your real name, legal name, or identity
• Phone number or email address
• Physical address or location data
• Contacts from your device's address book
• Browsing history or search history
• Photos, files, or other content from your device
• Biometric data (Face ID/Touch ID data stays on your device)
• Financial information (payments processed by Apple)
• Social Security numbers or government IDs
• Health or medical information
• Racial or ethnic origin, political opinions, religious beliefs
• Sexual orientation or gender identity
• Trade union membership
• Genetic or biometric data for identification

2. HOW WE USE YOUR INFORMATION

We use the limited information we collect for the following purposes:

• Provide Services: To operate, maintain, and provide the features of the Application
• User Discovery: To enable you to find and message other users by username
• Account Management: To manage your account and verify account uniqueness
• Subscriptions: To process and manage subscription purchases through Apple
• Notifications: To send push notifications if you enable them
• Improvement: To analyze usage patterns and improve Application performance
• Bug Fixes: To identify and fix technical issues and crashes
• Security: To prevent fraud, abuse, and unauthorized access
• Legal Compliance: To comply with applicable laws and legal processes
• Support: To respond to your inquiries and provide customer support

3. END-TO-END ENCRYPTION

theSHFT uses end-to-end encryption for all messages. This is a fundamental architectural decision that affects your privacy:

• Message Privacy: Only you and your intended recipient can read messages. Messages are encrypted on your device before transmission.
• No Server Access: We cannot access, read, decrypt, or store the content of your messages. We do not have the encryption keys.
• No Content Moderation: Due to encryption, we cannot moderate or review message content.
• Legal Requests: We cannot comply with requests for message content because we do not have access to it. We can only provide the limited metadata we collect.
• Automatic Deletion: Messages are automatically deleted based on your timer settings (ranging from 5 seconds to 24 hours).
• Transit Storage: Messages may be temporarily stored in encrypted form on our servers only for the purpose of delivery. Undelivered messages are automatically deleted after 30 days.

4. DATA STORAGE AND SECURITY

4.1 Local Device Storage

The following data is stored ONLY on your device using encrypted local storage:

• Your PIN (never transmitted)
• Your recovery phrase (never transmitted)
• Application settings and preferences
• Decrypted message content (until timer expiration)
• Biometric authentication data (managed by your device OS)

4.2 Cloud Storage

The following limited data is stored on our servers (Firebase/Google Cloud):

• Your username (for account identification and discovery)
• Anonymous device identifier (for account uniqueness)
• Contact list (usernames only)
• Push notification token (if notifications enabled)
• Subscription status (synced from Apple)
• Account creation timestamp

4.3 Security Measures

We implement industry-standard security measures including:

• End-to-end encryption for all messages
• Encrypted data transmission (TLS/HTTPS)
• Secure cloud infrastructure (Google Cloud/Firebase)
• Regular security assessments
• Access controls and authentication

However, no security system is 100% secure. We cannot guarantee absolute security. You use the Application at your own risk.

5. DATA SHARING AND DISCLOSURE

We do NOT sell, trade, rent, or otherwise share your personal information with third parties for their marketing purposes. We may share information only in these limited circumstances:

5.1 Service Providers

We use the following third-party service providers who may have access to limited data:

• Firebase (Google): Cloud infrastructure, authentication, database, analytics
• Apple Inc.: In-app purchases, push notifications, App Store distribution
• RevenueCat: Subscription management and payment processing

These providers are bound by their own privacy policies and data processing agreements.

5.2 Legal Requirements

We may disclose information if required by law, subpoena, court order, or government request. However, due to our encryption design:

• We CAN provide: username, device ID, account creation date, subscription status, contact list (usernames)
• We CANNOT provide: message content, media, photos, voice messages (these are end-to-end encrypted and we do not have access)

5.3 Safety and Protection

We may disclose information to protect the safety of any person, to address fraud or security issues, or to protect our rights and property.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will provide notice before your information becomes subject to a different privacy policy.

5.5 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

6. DATA RETENTION

We retain different types of data for different periods:

• Messages: Deleted based on your timer setting (5 seconds to 24 hours)
• Undelivered Messages: Deleted after 30 days
• Account Data: Retained until you delete your account
• Analytics Data: Aggregated, anonymized data retained for up to 26 months
• Crash Reports: Retained for 90 days
• Support Requests: Retained for up to 3 years for legal compliance
• Legal Hold: Data may be retained longer if required for legal proceedings

7. YOUR PRIVACY RIGHTS

You have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct your username
• Deletion: Delete your account and all associated data
• Portability: Request your data in a portable format
• Opt-Out: Disable analytics in Application Settings
• Withdraw Consent: Withdraw consent for optional data processing
• Restrict Processing: Request restriction of certain processing activities
• Object: Object to certain types of processing

To exercise these rights, contact us at support@theshft.app. We will respond within 30 days (or as required by applicable law).

8. ACCOUNT DELETION

You can delete your account at any time through Settings → Delete Account. Upon deletion:

• Your username is immediately released and may be claimed by others
• All local data on your device is permanently erased
• Your account record is deleted from our servers
• Your contact relationships are removed
• This action is PERMANENT and CANNOT be undone

Note: Messages you previously sent may still appear on recipients' devices until their timers expire. We cannot delete messages from other users' devices.

9. CHILDREN'S PRIVACY

9.1. Age Restriction: theSHFT is not intended for children under seventeen (17) years of age. We do not knowingly collect personal information from children under 17.

9.2. Parental Notice: If you are a parent or guardian and believe your child under 17 has provided personal information to us, please contact us immediately at support@theshft.app.

9.3. Deletion: If we discover that we have collected personal information from a child under 17, we will take immediate steps to delete that information.

9.4. COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA) by not knowingly collecting information from children under 13.

10. INTERNATIONAL DATA TRANSFERS

10.1. Server Location: Our servers are primarily located in the United States.

10.2. Cross-Border Transfers: If you access the Application from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

10.3. Legal Basis: For transfers from the European Economic Area (EEA), UK, or Switzerland, we rely on: (a) Standard Contractual Clauses approved by the European Commission; (b) adequacy decisions; (c) your explicit consent where applicable.

10.4. Different Laws: Data protection laws in the United States and other countries may differ from those in your jurisdiction. By using the Application, you consent to such transfers.

11. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

11.1 Right to Know

You have the right to request disclosure of:

• Categories of personal information collected
• Specific pieces of personal information collected
• Categories of sources from which information is collected
• Purpose for collecting or selling personal information
• Categories of third parties with whom information is shared

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

11.3 Right to Opt-Out

You have the right to opt-out of the "sale" or "sharing" of personal information. WE DO NOT SELL YOUR PERSONAL INFORMATION.

11.4 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

11.5 Right to Correct

You have the right to request correction of inaccurate personal information.

11.6 Right to Limit Use of Sensitive Information

We do not collect sensitive personal information as defined under CPRA.

11.7 Contact for California Requests

To exercise your California privacy rights, contact us at support@theshft.app with subject line "California Privacy Request."

11.8 "Do Not Sell My Personal Information"

We do not sell personal information. We do not have a "Do Not Sell" link because we do not sell data.

12. EUROPEAN PRIVACY RIGHTS (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and similar laws:

12.1 Legal Basis for Processing

We process your personal data based on:

• Contract Performance: Processing necessary to provide the Application services you requested
• Legitimate Interests: Processing necessary for our legitimate business interests (e.g., security, fraud prevention, improvement)
• Consent: Where you have given explicit consent (e.g., analytics, notifications)
• Legal Obligation: Processing necessary to comply with legal requirements

12.2 Your GDPR Rights

You have the following rights under GDPR:

• Right of Access (Art. 15): Obtain confirmation of processing and access to your data
• Right to Rectification (Art. 16): Correct inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing (Art. 18): Limit how we use your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time for consent-based processing
• Right to Lodge a Complaint (Art. 77): File a complaint with a supervisory authority

12.3 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at: support@theshft.app

12.4 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

13. OTHER INTERNATIONAL PRIVACY LAWS

13.1 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including rights to access, correction, deletion, portability, and information about data sharing.

13.2 Canada (PIPEDA)

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including rights to access and correct your personal information.

13.3 Australia (Privacy Act)

If you are located in Australia, you have rights under the Privacy Act 1988, including the Australian Privacy Principles (APPs).

13.4 Other Jurisdictions

We strive to comply with applicable privacy laws in all jurisdictions where we operate. If you have questions about your specific rights, contact us at support@theshft.app.

14. DO NOT TRACK

14.1. Browser Signal: The Application does not respond to "Do Not Track" browser signals because we do not track users across third-party websites.

14.2. No Cross-Site Tracking: We do not track your activities across websites or applications owned by other companies.

15. APP TRACKING TRANSPARENCY (iOS)

15.1. No Cross-App Tracking: theSHFT does not track you across apps or websites owned by other companies.

15.2. No IDFA: We do not use or collect the Identifier for Advertisers (IDFA).

15.3. No Ad Networks: We do not participate in advertising networks or display third-party advertisements.

15.4. ATT Framework: We comply with Apple's App Tracking Transparency framework by not engaging in tracking activities that require user permission.

16. PUSH NOTIFICATIONS

16.1. Optional Feature: Push notifications are optional. You can enable or disable them in your device settings.

16.2. Apple APNs: We use Apple Push Notification Service (APNs) to deliver notifications to iOS devices.

16.3. Encrypted Content: Notification content is encrypted during transmission.

16.4. Token Storage: We store your push notification token to deliver notifications. This token is deleted if you disable notifications or delete your account.

17. COOKIES AND SIMILAR TECHNOLOGIES

17.1. No Cookies: As a mobile application, theSHFT does not use browser cookies.

17.2. Local Storage: We use encrypted local storage on your device to store settings and preferences.

17.3. Third-Party SDKs: Third-party SDKs we use (Firebase, RevenueCat) may use their own data collection technologies. See their privacy policies for details.

18. THIRD-PARTY LINKS AND SERVICES

18.1. External Links: The Application may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties.

18.2. Review Policies: We encourage you to review the privacy policies of any third-party services you access.

19. CHANGES TO THIS PRIVACY POLICY

19.1. Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

19.2. Notice: We will notify you of material changes by posting the updated policy in the Application and updating the "Last Updated" date. For significant changes, we may also provide additional notice (e.g., in-app notification).

19.3. Continued Use: Your continued use of the Application after changes are posted constitutes your acceptance of the updated Privacy Policy.

19.4. Review: We encourage you to periodically review this Privacy Policy to stay informed about our data practices.

20. DATA CONTROLLER INFORMATION

For the purposes of applicable data protection laws:

Data Controller: theSHFT

Contact Email: support@theshft.app

Data Protection Officer: support@theshft.app

21. APPLE APP STORE DISCLOSURES

22.1. Distribution: This Application is distributed through the Apple App Store. Apple's Privacy Policy applies to information collected by Apple.

22.2. Data Controller: We are the data controller for information collected through the Application. Apple is not the data controller for Application data.

22.3. Privacy Nutrition Labels: We provide accurate information to Apple for display in App Store privacy nutrition labels.