Privacy Policy

Effective Date: [DATE]

Last Updated: [DATE]

Version: 2.2.0


Quick Summary

This Privacy Policy explains how we collect, use, share, and protect your personal information. By using our Platform, you agree to this Policy. We are committed to transparency about our data practices and giving you control over your information.


Part 1: Core Policy

1. Introduction & Scope

1.1 Plain-Language Summary

We believe you should understand how your data is used in clear, simple terms. Here's a quick overview before we get into the details:

What We Do | Why It Matters to You
We collect information you give us | When you create an account, post content, or message others, we store that information to provide our services.
We collect some information automatically | When you use our Platform, we gather technical data (like your device type and how you interact with features) to keep things running smoothly and improve your experience.
We use your information to provide and improve services | Your data helps us show you relevant content, keep you safe, and make our Platform better.
We share information in limited circumstances | We share data with service providers who help us operate, when legally required, and according to your privacy settings. We don't sell your personal information for money.
You have control over your information | You can access, update, download, and delete your data. You can also control many privacy settings.
We protect your information | We use industry-standard security measures to safeguard your data.

This summary is for convenience only. Please read the full Privacy Policy below for complete details about our data practices.

1.2 What This Policy Covers

Scope of This Policy:

This Privacy Policy ("Policy") describes how Boba, LLC ("Company," "we," "us," or "our") collects, uses, shares, and protects your personal information when you:

  • Visit our website(s) at https://boba.town
  • Use our mobile applications
  • Use our Platform and services
  • Interact with us through email, customer support, or social media
  • Participate in surveys, promotions, or events we sponsor

This Policy applies to:

  • All users of our Platform, whether registered or not
  • Visitors to our websites
  • Individuals who interact with us offline or through other channels

This Policy does not apply to:

  • Third-party websites, applications, or services linked from our Platform (these have their own privacy policies)
  • Information collected by other users of our Platform (their use of your information is governed by their own practices and applicable law)
  • Job applicants (see our separate Applicant Privacy Notice at [URL])
  • Employees and contractors (see our internal privacy policies)

Related Documents:

This Policy should be read together with:

  • Our Terms of Service, which govern your use of the Platform
  • Cookie Policy at https://boba.town/cookies, which provides detailed information about our use of cookies
  • Any feature-specific privacy notices provided when you use certain features

1.3 Data Controller

Who Is Responsible for Your Data:

For purposes of applicable data protection laws, the data controller responsible for your personal information is:

Boba, LLC
1312 17th Street, Unit #2635
Denver, CO 80202
United States

Registration Information:

  • Company Registration Number: 20238352765
  • [If applicable: ICO Registration Number (UK): [NUMBER]]
  • [If applicable: EU Representative: See Section 1.5]

What "Data Controller" Means:

As the data controller, we determine the purposes and means of processing your personal information. We are responsible for ensuring your data is handled in compliance with applicable privacy laws.

When We Act as a Data Processor:

In some circumstances, we may process personal information on behalf of other parties (for example, when providing business services). In those cases, the other party is the data controller and their privacy policy applies to that processing.

1.4 Contact Information for Privacy Inquiries

General Privacy Questions:

If you have questions about this Policy or our privacy practices, please contact us:

By Email: privacy@boba.town

By Mail:
Privacy Team
Boba, LLC
1312 17th Street, Unit #2635
Denver, CO 80202
United States

By Online Form: https://boba.town/privacy-request

What to Include:

When contacting us about privacy matters, please include:

  • Your full name and username (if applicable)
  • Your email address associated with your account
  • A detailed description of your question or request
  • Any relevant documentation or context

Response Time:

We aim to respond to privacy inquiries within 10 business days. Complex requests may take longer, and we will keep you informed of our progress.

1.5 Data Protection Officer

Our Data Protection Officer:

We have appointed a Data Protection Officer (DPO) to oversee our privacy practices and serve as a point of contact for data protection matters.

DPO Contact Information:

Name: Data Protection Officer

Email: dpo@boba.town

Mail:
Data Protection Officer
Boba, LLC
1312 17th Street, Unit #2635
Denver, CO 80202
United States

When to Contact the DPO:

Contact our DPO if you:

  • Have concerns about how we handle your personal information
  • Want to exercise your data protection rights (access, deletion, etc.)
  • Believe we are not complying with data protection laws
  • Have questions about our data protection practices
  • Are a supervisory authority or regulator with inquiries

DPO Independence:

Our DPO operates independently and reports directly to our highest level of management. The DPO is not penalized for performing their duties and has access to resources needed to carry out their responsibilities.

1.6 EU/EEA Representative

For Users in the European Union and European Economic Area:

Although we are established outside the EU/EEA, we have appointed a representative in the EU in accordance with Article 27 of the GDPR.

EU Representative Contact Information:

Name: [EU REPRESENTATIVE NAME]
Company: [EU REPRESENTATIVE COMPANY, if applicable]
Address: [EU REPRESENTATIVE ADDRESS] [CITY, POSTAL CODE] [EU COUNTRY]

Email: [EU REPRESENTATIVE EMAIL]

Role of the EU Representative:

Our EU representative can:

  • Receive inquiries from data subjects in the EU/EEA regarding our data processing
  • Receive communications from supervisory authorities
  • Facilitate communication between you and us regarding privacy matters

The EU representative acts on our behalf but does not replace our obligations or your right to contact us directly.

1.7 UK Representative

For Users in the United Kingdom:

We have appointed a representative in the UK in accordance with Article 27 of the UK GDPR.

UK Representative Contact Information:

Name: [UK REPRESENTATIVE NAME]
Company: [UK REPRESENTATIVE COMPANY, if applicable]
Address: [UK REPRESENTATIVE ADDRESS] [CITY, POSTAL CODE] United Kingdom

Email: [UK REPRESENTATIVE EMAIL]

1.8 How This Policy May Change

Updates to This Policy:

We may update this Privacy Policy from time to time to reflect changes in:

  • Our data practices
  • Legal or regulatory requirements
  • Our business operations
  • Technology or security practices
  • Feedback from users

How We Notify You:

  • Material Changes: For significant changes that affect how we use or share your personal information, we will provide prominent notice (such as email notification or a banner on our Platform) before the changes take effect.
  • Minor Changes: For clarifications or minor updates that do not materially affect your rights, we will update the "Last Updated" date at the top of this Policy.

Your Continued Use:

Your continued use of the Platform after we post changes constitutes your acceptance of the updated Policy. If you do not agree with any changes, you should stop using the Platform and may request deletion of your account.

Accessing Previous Versions:

Previous versions of this Privacy Policy are available at https://boba.town/legal/archive or by contacting us. We maintain an archive of policies with their effective date ranges.

1.9 Children's Privacy

Age Restrictions:

Our Platform is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction, such as 16 in some EU countries). We do not knowingly collect personal information from children under this age.

Parental Consent:

In some jurisdictions, users between 13 and 16 (or the age of majority) may need parental or guardian consent to use certain features. Where required, we implement appropriate consent mechanisms.

If We Discover Child Data:

If we learn that we have collected personal information from a child without appropriate consent:

  • We will delete the information as quickly as possible
  • We will take steps to prevent future collection
  • We may suspend or terminate the associated account

Parental Rights:

Parents or guardians who believe we may have collected information from their child can contact us at privacy@boba.town to:

  • Review any information we may have collected
  • Request deletion of the information
  • Prevent further collection

Reporting Concerns:

If you become aware of a child using our Platform inappropriately, please report it to security@boba.town.

1.10 California Minors

Under 18 in California:

If you are a California resident under 18 years old and a registered user of our Platform, you may request removal of content or information you have publicly posted. To make such a request:

  • Contact us at privacy@boba.town
  • Include "California Minor Content Removal Request" in the subject line
  • Describe the content you want removed

Limitations:

Please note that removal:

  • May not ensure complete or comprehensive removal of the content
  • Does not apply to content posted by others
  • May not be possible where required by law or for legitimate business purposes

1.11 Accessibility

Accessible Formats:

We are committed to making our privacy information accessible to all users. If you need this Privacy Policy in an alternative format, please contact us at support@boba.town.

Available Formats:

  • Large print
  • Screen reader-compatible versions
  • Plain language summaries
  • Translations (see below)

1.12 Translations

Language:

This Privacy Policy is written in English. We may provide translations for convenience, but the English version is the official, legally binding version.

In Case of Conflict:

If there is any conflict between the English version and a translated version, the English version controls.

Requesting Translations:

If you need assistance understanding this Policy due to language barriers, please contact us at privacy@boba.town.


2. Information We Collect

We collect information in several ways: directly from you, automatically when you use our Platform, and from third parties. This section explains what information we collect and how we collect it.

2.1 Information You Provide

Account Registration Data:

When you create an account, we collect:

Data Type | Examples | Purpose
Identity Information | Name, username, date of birth | To create and identify your account
Contact Information | Email address, phone number | To communicate with you and secure your account
Authentication Data | Password (stored in hashed form), security questions | To protect your account
Demographic Information | Gender, country/region (if provided) | To personalize your experience and comply with local laws

Profile Information:

When you set up and customize your profile, we collect:

  • Profile photo and cover images
  • Bio and description
  • Location (city, region, or country you choose to display)
  • Links to your website or other social media accounts
  • Interests, preferences, and other information you choose to share
  • Profile settings and preferences

Content You Create and Upload:

When you use our Platform to create and share content, we collect:

  • Posts, comments, messages, and other text content
  • Photos, videos, audio recordings, and other media files
  • Metadata associated with your content (such as when and where it was created)
  • Reactions, likes, and other interactions with content
  • Lists, collections, and saved items
  • Draft content and content you start but don't publish

Communications:

When you communicate with us or other users, we collect:

  • Messages you send through our Platform (direct messages, group chats)
  • Emails and correspondence you send to our support team
  • Feedback, suggestions, and bug reports
  • Responses to surveys and questionnaires
  • Recordings of calls if you contact us by phone (with notice)
  • Chat logs from customer support interactions

Payment Information:

When you make purchases or receive payments, we collect:

  • Billing name and address
  • Payment method details (credit card, debit card, bank account, or other payment method)
  • Transaction history and purchase records
  • Tax identification information (for creators receiving payments)
  • Payout preferences and banking information (for creators and sellers)

Note: Full payment card numbers are processed by our payment processors and are not stored on our servers. We receive only partial card information (such as the last four digits) for identification purposes.

Verification Documents:

When you verify your identity or account, we may collect:

  • Government-issued identification documents (driver's license, passport, national ID)
  • Proof of address documents
  • Selfies or photos for identity verification
  • Business registration documents (for business accounts)
  • Tax forms and documentation

Verification documents are handled with enhanced security measures and retained only as long as necessary.

Survey and Research Participation:

When you participate in surveys or research, we collect:

  • Survey responses
  • Feedback and opinions
  • Usage patterns (if participating in user research)
  • Demographic information for research purposes

Participation is voluntary, and we will inform you how your responses will be used.

Event and Promotion Participation:

When you enter contests, promotions, or attend events, we collect:

  • Entry information
  • Eligibility verification data
  • Photos or recordings from events (with notice)
  • Winner information for prize fulfillment

2.2 Information Collected Automatically

Device Information:

When you access our Platform, we automatically collect information about your device:

Data Type | Examples
Device Identifiers | Device ID, advertising ID, hardware identifiers
Device Characteristics | Device type, model, manufacturer, operating system and version
Browser Information | Browser type and version, browser settings, plugins
Network Information | IP address, mobile carrier, connection type (Wi-Fi, cellular)
Screen Information | Screen size, resolution, orientation

Log Data and Usage Information:

We collect information about how you use our Platform:

  • Access Logs: Date and time of access, pages viewed, features used, actions taken
  • Interaction Data: Clicks, taps, scrolls, time spent on pages or features
  • Search Queries: Terms you search for on our Platform
  • Content Interactions: Content you view, like, share, comment on, or save
  • Feature Usage: Which features you use and how often
  • Error Logs: Crashes, errors, and performance issues you encounter
  • Referral Data: How you arrived at our Platform (links, search engines, other apps)

Location Data:

We may collect location information:

  • Approximate Location: Derived from your IP address, typically accurate to city or region level
  • Precise Location: If you grant permission, we may collect GPS-based location data from your device (see the Location Sharing Addendum in our Terms of Service for detailed terms)
  • Location from Content: Location information embedded in photos or other content you upload (EXIF data)
  • Location You Provide: City or region you enter in your profile or posts

You can control location collection through your device settings and account preferences.

Cookies and Similar Technologies:

We use cookies, pixels, web beacons, local storage, and similar technologies to collect information:

  • Essential Cookies: Required for the Platform to function (authentication, security, preferences)
  • Analytics Cookies: Help us understand how users interact with our Platform
  • Advertising Cookies: Used to deliver and measure advertising (where applicable)
  • Social Media Cookies: Enable social sharing and integration features

For detailed information, see our Cookie Policy at https://boba.town/cookies and Section 9 of this Privacy Policy.

Inferences:

We may derive inferences about you based on information we collect:

  • Interests and preferences based on your activity
  • Demographic inferences (such as age range)
  • Content preferences and recommendations
  • Account risk assessments for security purposes

2.3 Information from Third Parties

Social Login Providers:

If you choose to register or log in using a third-party service (such as Google, Facebook, or Apple), we receive:

  • Basic profile information (name, email address, profile photo)
  • Unique identifier from the social login provider
  • Other information you authorize the provider to share

The information we receive depends on your settings with the third-party provider and their privacy policy.

Payment Processors:

Our payment processors may share information with us:

  • Transaction confirmations and status
  • Partial payment method information (last four digits)
  • Fraud and risk assessments
  • Chargeback and dispute information

Advertising and Analytics Partners:

We may receive information from advertising and analytics partners:

  • Information about your interactions with ads
  • Demographic and interest information for advertising purposes
  • Attribution data (how you found our Platform)
  • Aggregated analytics and insights

Public Sources:

We may collect information from publicly available sources:

  • Public social media profiles
  • Public records and databases
  • News articles and public statements
  • Information you make publicly available on our Platform

Other Users:

Other users may provide information about you:

  • When they tag or mention you in content
  • When they share your content
  • When they add you to groups or conversations
  • When they upload contact information that includes you (with their consent)
  • When they report content or accounts involving you

Business Partners:

If we partner with other companies, we may receive:

  • Information necessary to provide joint services
  • Verification or identity information
  • Purchase or transaction information from integrated services

2.4 Special Categories of Data

Sensitive Personal Information:

We generally do not require you to provide sensitive personal information (also known as "special category data" under GDPR). However, you may choose to share such information, for example:

  • Racial or ethnic origin (in profile or content)
  • Political opinions (in content you post)
  • Religious or philosophical beliefs (in content you post)
  • Health information (in content you post)
  • Sexual orientation (in profile or content)
  • Biometric data (we do not currently collect biometric data; see Section 2.2)

How We Handle Sensitive Data:

  • We process sensitive data you voluntarily share only for the purposes of providing our services
  • We obtain explicit consent where required by law
  • We apply additional safeguards to protect sensitive information
  • You can control what sensitive information you share through your privacy settings

Biometric Information:

We do not currently collect biometric data. If we introduce features that use biometric data in the future, we will update this Privacy Policy and obtain your explicit consent where required by law before collecting such data.

2.5 Information We Do Not Collect

We do not intentionally collect:

  • Government ID numbers (except for verification purposes where required)
  • Financial account passwords or PINs
  • Complete payment card numbers (these are handled by payment processors)
  • Medical records or detailed health information (unless you choose to share in content)
  • Genetic or biometric data
  • Information about children under 13 (or applicable age in your jurisdiction)

We do not:

  • Purchase personal information from data brokers for marketing purposes
  • Collect information through deceptive means
  • Access your device's contacts, photos, or files without your permission

2.6 Accuracy of Information

Your Responsibility:

You are responsible for ensuring the information you provide is accurate and up to date. Inaccurate information may affect your ability to use certain features or receive communications from us.

Updating Your Information:

You can update your information at any time through:

  • Your account settings
  • Contacting our support team
  • Submitting a data correction request

Our Efforts:

We take reasonable steps to ensure the information we hold is accurate and, where necessary, kept up to date. We may periodically ask you to verify or update your information.


3. How We Use Your Information

This section explains the purposes for which we use the information we collect. We only use your information for legitimate purposes and, where required by law, with an appropriate legal basis.

3.1 Providing and Operating Our Services

Core Service Delivery:

We use your information to provide, maintain, and operate our Platform:

  • Account Management: Creating and managing your account, authenticating your identity, and maintaining your profile
  • Content Delivery: Displaying your content to you and others according to your settings, processing and storing your uploads
  • Communication Features: Enabling messaging, comments, and other communication between users
  • Transaction Processing: Processing purchases, payments, and payouts for marketplace and monetization features
  • Customer Support: Responding to your inquiries, troubleshooting issues, and providing assistance
  • Feature Functionality: Enabling all Platform features to work as intended

Service Improvement:

We use your information to improve our services:

  • Product Development: Developing new features and improving existing ones based on how users interact with our Platform
  • Performance Optimization: Identifying and fixing bugs, errors, and performance issues
  • User Experience Research: Understanding how users navigate and use our Platform to make it more intuitive
  • Testing: Testing new features and changes before broader release
  • Feedback Analysis: Analyzing user feedback and suggestions to prioritize improvements

3.2 Personalization

Content Personalization:

We use your information to personalize your experience:

  • Recommendations: Suggesting content, creators, and accounts you might be interested in based on your activity and preferences
  • Feed Curation: Ordering and prioritizing content in your feeds based on relevance to you
  • Search Results: Personalizing search results based on your history and preferences
  • Discovery: Helping you discover new content and creators aligned with your interests

Feature Personalization:

  • Interface Customization: Remembering your preferences for how the Platform looks and behaves
  • Language and Region: Displaying content in your preferred language and showing region-relevant information
  • Accessibility: Adapting the Platform to your accessibility preferences

Personalization Controls:

You can control many aspects of personalization through your settings. See Section 5 (Your Rights and Choices) for more information.

3.3 Communications

Transactional Communications:

We use your contact information to send essential service communications:

  • Account Notifications: Password resets, security alerts, account verification, and important account updates
  • Transaction Confirmations: Order confirmations, payment receipts, and shipping updates
  • Service Updates: Changes to our Terms, Privacy Policy, or features that affect you
  • Support Responses: Replies to your customer support inquiries

You cannot opt out of transactional communications while maintaining an account, as they are essential to providing our services.

Marketing Communications:

With your consent or where permitted by law, we may send:

  • Promotional Emails: Information about new features, special offers, and Platform updates
  • Newsletters: Regular updates about content, creators, or topics you may be interested in
  • Event Invitations: Invitations to events, webinars, or promotions
  • Partner Offers: Offers from carefully selected partners (with your consent)

Communication Preferences:

You can manage your marketing communication preferences:

  • Through your account settings
  • By clicking "unsubscribe" in any marketing email
  • By contacting us at privacy@boba.town

Push Notifications:

If you enable push notifications, we may send:

  • Activity notifications (likes, comments, follows, messages)
  • Reminders and alerts you've set up
  • Breaking news or time-sensitive content (if enabled)
  • Promotional notifications (if enabled)

You can control push notifications through your device settings and account preferences.

3.4 Safety and Security

Platform Safety:

We use your information to keep our Platform safe:

  • Content Moderation: Reviewing content for violations of our Terms and Community Guidelines
  • Abuse Prevention: Detecting and preventing harassment, bullying, and other abusive behavior
  • Harmful Content Detection: Identifying and removing illegal, violent, or otherwise harmful content
  • Child Safety: Protecting minors from exploitation and inappropriate content

Account Security:

We use your information to protect your account:

  • Fraud Prevention: Detecting and preventing fraudulent accounts, transactions, and activities
  • Unauthorized Access: Identifying and blocking unauthorized access attempts
  • Suspicious Activity: Alerting you to unusual activity on your account
  • Identity Verification: Verifying your identity when you perform sensitive actions

Platform Integrity:

We use your information to maintain Platform integrity:

  • Spam Prevention: Detecting and blocking spam, fake accounts, and coordinated inauthentic behavior
  • Bot Detection: Identifying and restricting automated abuse
  • Manipulation Prevention: Preventing manipulation of engagement metrics, recommendations, and other Platform systems
  • Terms Enforcement: Enforcing our Terms of Service and taking action against violations

Security Measures:

  • Threat Detection: Monitoring for security threats and vulnerabilities
  • Incident Response: Investigating and responding to security incidents
  • System Protection: Protecting our systems, networks, and infrastructure

3.5 Research and Analytics

Platform Analytics:

We use your information to understand how our Platform is used:

  • Usage Statistics: Measuring overall Platform usage, feature adoption, and user engagement
  • Performance Metrics: Tracking Platform performance, load times, and reliability
  • Trend Analysis: Identifying trends in how users interact with our Platform
  • A/B Testing: Testing variations of features to determine which performs better

Aggregated Research:

We may use aggregated and anonymized information for research:

  • Industry Research: Contributing to understanding of social media, content creation, and online behavior
  • Academic Partnerships: Collaborating with researchers on studies (using anonymized data)
  • Trend Reports: Publishing insights about Platform trends and user behavior (in aggregate form)

Your Privacy in Research:

  • Research uses aggregated or anonymized data that cannot identify you individually
  • We do not share identifiable personal information for research without your consent
  • You can opt out of certain analytics through your settings

3.6 Legal Compliance

Legal Obligations:

We use your information to comply with legal requirements:

  • Law Enforcement Requests: Responding to valid legal process (subpoenas, court orders, warrants)
  • Regulatory Compliance: Meeting requirements of data protection, consumer protection, and other laws
  • Tax Obligations: Fulfilling tax reporting and withholding requirements
  • Record Keeping: Maintaining records as required by law

Legal Rights:

We use your information to establish, exercise, or defend legal claims:

  • Dispute Resolution: Resolving disputes with users or third parties
  • Litigation: Defending against or pursuing legal claims
  • Investigations: Investigating potential violations of law or our Terms
  • Enforcement: Enforcing our agreements and policies

3.7 Advertising

Advertising on Our Platform:

If we display advertising on our Platform, we may use your information for:

  • Ad Delivery: Showing you advertisements on our Platform
  • Ad Targeting: Selecting ads that may be relevant to your interests based on your activity and profile
  • Ad Measurement: Measuring the effectiveness of advertisements
  • Ad Fraud Prevention: Detecting and preventing fraudulent ad activity

Your Advertising Choices:

  • Interest-Based Advertising: You can opt out of interest-based advertising through your settings
  • Ad Preferences: You can indicate preferences about the types of ads you see
  • Industry Opt-Outs: You can use industry tools like the Digital Advertising Alliance's opt-out at [DAA URL]

What We Don't Do:

  • We do not sell your personal information for money to advertisers
  • We do not share your private messages with advertisers
  • We do not use sensitive information (health, religion, sexual orientation) for ad targeting without your explicit consent

3.8 Artificial Intelligence and Automated Processing

AI and Machine Learning:

We use artificial intelligence and machine learning to:

  • Content Recommendations: Suggest content, creators, and accounts you might like
  • Content Moderation: Detect potentially violating content for human review
  • Safety Features: Identify spam, fake accounts, and malicious activity
  • Search and Discovery: Improve search results and content discovery
  • Accessibility: Generate captions, alt text, and other accessibility features
  • Content Understanding: Analyze content to categorize and organize it

Automated Decision-Making:

Some decisions may be made automatically by our systems:

  • Content Filtering: Automatic removal of content that clearly violates our policies
  • Account Restrictions: Temporary restrictions on accounts exhibiting suspicious behavior
  • Spam Detection: Automatic blocking of spam and malicious content
  • Age Restriction: Automatic age-gating of mature content

Your Rights:

  • For significant automated decisions, you have the right to request human review
  • You can contest automated decisions through our appeals process
  • See Section 5 for more information about your rights regarding automated processing

3.9 Business Operations

Business Purposes:

We use your information for legitimate business operations:

  • Financial Management: Processing transactions, managing accounts payable/receivable, financial reporting
  • Business Planning: Analyzing business performance and planning future development
  • Vendor Management: Working with service providers who help us operate
  • Corporate Transactions: In connection with mergers, acquisitions, or sale of assets (see Section 4)

Legal Bases for Processing (GDPR):

For users in the EU/EEA/UK, our legal bases for processing include:

Purpose | Legal Basis
Providing services | Performance of contract
Account security | Legitimate interests
Marketing (with consent) | Consent
Marketing (existing customers) | Legitimate interests
Legal compliance | Legal obligation
Safety and security | Legitimate interests
Personalization | Legitimate interests or consent
Advertising | Consent or legitimate interests

You can request more information about our legal bases by contacting us.


4. How We Share Your Information

This section explains when and how we share your information with others. We are committed to being transparent about our sharing practices and ensuring your information is protected when shared.

4.1 Sharing With Other Users

Public Content:

When you create public content on our Platform, it may be visible to:

  • Other users of our Platform
  • Non-users who view public pages
  • Search engines (unless you opt out where available)
  • Third-party services that integrate with our Platform

Content You Share:

Your content sharing is controlled by your privacy settings:

  • Public Posts: Visible to anyone on or off the Platform
  • Followers Only: Visible only to your approved followers
  • Close Friends/Custom Lists: Visible only to users you've specifically selected
  • Direct Messages: Visible only to the conversation participants

Profile Information:

Depending on your settings, other users may see:

  • Your username and display name
  • Your profile photo and bio
  • Your public posts and activity
  • Your followers and following lists (if set to public)
  • Your approximate location (if enabled)

Interactions:

When you interact with others, they may see:

  • Comments, likes, and reactions you make on their content
  • Messages you send them
  • Collaborative content you create together
  • Your participation in groups, events, or communities

4.2 Sharing With Service Providers

What Are Service Providers?

Service providers are companies that help us operate, maintain, and improve our Platform. They act on our behalf and under our instructions.

Categories of Service Providers:

Category | Examples | What They Access
Cloud Infrastructure | Hosting, storage, content delivery | Content, account data
Payment Processing | Payment processors, fraud prevention | Transaction data, billing info
Analytics | Usage analytics, performance monitoring | Aggregated usage data
Customer Support | Help desk, ticketing systems | Support inquiries, account info
Communication | Email, SMS, push notification services | Contact information, message content
Security | Fraud detection, anti-abuse services | Activity patterns, security signals
Content Moderation | AI moderation, human review services | User content for review
Marketing | Email marketing, attribution | Contact info (with consent)

Protections for Service Provider Sharing:

All service providers must:

  • Sign data processing agreements with strict confidentiality requirements
  • Use your information only for the purposes we specify
  • Implement appropriate security measures
  • Delete or return data when our relationship ends
  • Undergo security assessments before engagement
  • Comply with applicable data protection laws

4.3 Sharing With Business Partners

Integration Partners:

If you connect third-party services to your account, we may share information with those services:

  • Social Logins: If you sign in using another service, we receive information from that service and may share limited information back
  • Connected Apps: Apps you authorize may access your information according to the permissions you grant
  • Cross-Posting: If you share content to other platforms, that content is shared with those platforms

Measurement Partners:

We work with partners to measure the reach and effectiveness of content:

  • Advertising Measurement: Partners who help us measure ad effectiveness
  • Content Analytics: Partners who provide content performance insights
  • Research Partners: Academic or commercial researchers (with appropriate safeguards)

Business Customers:

If you interact with business accounts on our Platform:

  • Businesses may receive information about your interactions with their content or ads
  • Transaction information is shared with merchants for purchases you make
  • Customer service interactions may be accessible to the business

4.4 Sharing for Legal Reasons

Legal Obligations:

We may share your information when required or permitted by law:

  • Court Orders: Responding to valid subpoenas, court orders, or warrants
  • Legal Process: Complying with legal process from law enforcement or government agencies
  • Regulatory Requirements: Meeting obligations to regulatory authorities
  • Tax Authorities: Providing information required for tax compliance

Our Process for Legal Requests:

When we receive legal requests, we:

  1. Carefully review each request for legal validity and proper scope
  2. Narrow overly broad requests when possible
  3. Notify you of requests when legally permitted, unless doing so would be counterproductive to the purpose of the request
  4. Object to requests we believe are improper
  5. Provide only the information legally required

Transparency Reporting:

We publish regular transparency reports detailing:

  • The number and types of legal requests we receive
  • How many requests we comply with
  • Requests by jurisdiction
  • Content removal and account restriction requests

4.5 Sharing to Protect Rights and Safety

Safety and Security:

We may share information when necessary to:

  • Prevent Harm: Protect the safety of any person from death or serious physical injury
  • Prevent Fraud: Detect, prevent, or investigate fraud or security issues
  • Protect Rights: Protect our rights, property, or the rights of others
  • Enforce Policies: Enforce our Terms of Service and Community Guidelines

Emergency Disclosures:

In genuine emergencies, we may share information:

  • With law enforcement to prevent imminent harm
  • With emergency services when there is risk to life
  • With appropriate parties to locate missing persons

Industry Cooperation:

We may share information with other platforms and industry groups to:

  • Prevent terrorism and child exploitation
  • Share threat intelligence about coordinated harmful activity
  • Participate in industry safety initiatives

4.6 Sharing in Business Transfers

Corporate Transactions:

Your information may be transferred in connection with business transactions:

  • Mergers and Acquisitions: If we merge with or are acquired by another company
  • Asset Sales: If we sell or transfer business assets
  • Restructuring: In corporate reorganizations or restructurings
  • Bankruptcy: In bankruptcy or insolvency proceedings

Protections in Business Transfers:

In any business transfer:

  • We will require the receiving party to honor this Privacy Policy or provide you notice of any changes
  • You will be notified of any change in ownership or control
  • Your choices will be preserved to the extent possible
  • You will have the opportunity to delete your account before a transfer

4.7 Sharing With Your Consent

Consent-Based Sharing:

We share information in other circumstances with your consent:

  • When you direct us to share with specific third parties
  • When you participate in promotions involving partners
  • When you use features that involve sharing with others
  • When you explicitly authorize sharing through your settings

Revoking Consent:

You can typically revoke consent for sharing by:

  • Changing your privacy settings
  • Disconnecting linked services
  • Contacting us with your request
  • Deleting your account

4.8 Aggregated and Anonymized Data

What Is Aggregated/Anonymized Data?

This is information that cannot reasonably be used to identify you:

  • Aggregated Data: Statistics about groups of users (e.g., "60% of users are between 18-34")
  • Anonymized Data: Individual-level data with identifying information removed
  • Pseudonymized Data: Data where identifying information is replaced with artificial identifiers

How We Use This Data:

We may share aggregated and anonymized data:

  • For industry research and reports
  • With partners for analytics and insights
  • In academic research
  • For public statistics about Platform usage

Safeguards:

  • We use industry-standard techniques for anonymization
  • We assess re-identification risks before sharing
  • We prohibit recipients from attempting to re-identify individuals
  • We regularly review our anonymization practices

4.9 International Data Transfers

Where We Transfer Data:

Your information may be transferred to and processed in:

  • Countries where we have operations
  • Countries where our service providers operate
  • Countries where our business partners are located

Transfer Safeguards:

For transfers outside your home country, we use appropriate safeguards:

Mechanism | Description
Standard Contractual Clauses | EU-approved contract terms for data transfers
Adequacy Decisions | Transfers to countries with adequate data protection
Binding Corporate Rules | Internal rules for intra-group transfers
Certification Frameworks | Frameworks like EU-US Data Privacy Framework
Consent | Your explicit consent for specific transfers

Your Rights:

You can:

  • Request information about international transfers of your data
  • Obtain copies of transfer safeguards
  • Object to certain transfers (subject to limitations)

4.10 Third-Party Content and Links

Third-Party Content:

Our Platform may contain content from third parties:

  • Embedded content (videos, maps, social media posts)
  • Advertisements from ad networks
  • User-generated content with third-party links

Third-Party Links:

When you click links to third-party sites:

  • Those sites have their own privacy policies
  • We are not responsible for their data practices
  • We encourage you to review their policies

Third-Party Integrations:

Third-party services you connect may:

  • Collect information directly from you
  • Receive information from us based on permissions you grant
  • Have their own terms and privacy policies

5. Your Privacy Controls & Rights

You have meaningful control over your information. This section explains the privacy controls available to you, your legal rights regarding your data, and how to exercise those rights.

5.1 Account Settings and Preferences

Privacy Settings:

You can control your privacy through settings in your account:

Setting Category | What You Can Control
Profile Visibility | Who can see your profile, bio, and public information
Content Visibility | Default audience for your posts and content
Discoverability | Whether you appear in search results and recommendations
Contact Permissions | Who can message you or send connection requests
Activity Status | Whether others can see when you're online
Read Receipts | Whether others can see when you've read messages
Location Sharing | Whether and when to share your location
Data for Personalization | Whether we use your data to personalize your experience

How to Access Settings:

  • Mobile App: Profile → Settings → Privacy
  • Web: Account icon → Settings → Privacy & Safety
  • API: Settings endpoints (for developers)

Setting Defaults:

  • New accounts start with privacy-protective default settings
  • We notify you of important setting options during onboarding
  • You can review and modify all settings at any time

5.2 Communication Preferences

Marketing Communications:

You control whether you receive marketing communications:

  • Email Marketing: Opt in or out of promotional emails
  • Push Notifications: Control which types of notifications you receive
  • SMS/Text: Opt in or out of text message communications
  • In-App Messages: Control promotional messages within the app

Transactional Communications:

Some communications are necessary for your account and cannot be fully disabled:

  • Security alerts (password changes, suspicious activity)
  • Account notifications (changes to terms, important updates)
  • Transaction confirmations (purchases, subscription changes)
  • Legal notices (required by law)

Managing Preferences:

  • Unsubscribe Links: Use the unsubscribe link in any marketing email
  • Settings: Manage all preferences in your account settings
  • Frequency: Adjust how often you receive certain communications
  • Channels: Choose your preferred communication channels

5.3 Access and Portability

Right to Access:

You have the right to:

  • Obtain confirmation of whether we process your personal data
  • Access a copy of the personal data we hold about you
  • Receive information about how we process your data
  • Know the categories of data we collect and sources

Data Portability:

You can request a copy of your data in a portable format:

  • Download Your Data: Request a complete copy of your account data
  • Format: Data is provided in commonly used, machine-readable formats (JSON, CSV)
  • Scope: Includes content you've created, account information, and activity data
  • Timeframe: We process requests within 30 days (or as required by law)

How to Request Your Data:

  1. Go to Settings → Privacy → Download Your Data
  2. Select the categories of data you want
  3. Verify your identity
  4. Receive a notification when your download is ready
  5. Download within the available timeframe (typically 14 days)

5.4 Correction and Rectification

Right to Correct:

You have the right to correct inaccurate personal data:

  • Profile Information: Edit directly in your account settings
  • Account Details: Update email, phone, or other account information
  • Content: Edit or delete your own posts and content
  • Metadata: Request correction of system-generated data that is inaccurate

How to Request Corrections:

  • Self-Service: Most information can be corrected directly in your settings
  • Support Request: For data you cannot edit yourself, contact our support team
  • Verification: We may need to verify your identity for certain corrections

Our Response:

  • We will correct confirmed inaccuracies promptly
  • If we disagree with the correction, we will explain why
  • You can add a statement to your record if we cannot agree

5.5 Deletion

Right to Delete:

You have the right to request deletion of your personal data:

  • Account Deletion: Permanently delete your entire account and associated data
  • Content Deletion: Delete specific content you've created
  • Selective Deletion: Request deletion of specific categories of data

Account Deletion Process:

  1. Go to Settings → Account → Delete Account
  2. Review what will be deleted and what may be retained
  3. Confirm your identity
  4. Enter a reason (optional)
  5. Confirm deletion
  6. Grace period: 30 days to change your mind before permanent deletion

What Happens When You Delete:

Data Type | What Happens
Your Content | Permanently deleted
Your Profile | Removed from the Platform
Your Messages | Deleted from your account; copies may remain in recipients' accounts
Activity Logs | Deleted after retention period
Backup Copies | Deleted within 90 days

Exceptions to Deletion:

We may retain certain data even after deletion requests:

  • Data required for legal compliance (tax records, legal holds)
  • Data necessary to resolve disputes
  • Data needed to prevent fraud or abuse
  • Aggregated or anonymized data that cannot identify you
  • Data in others' accounts (e.g., messages you sent them)

5.6 Restriction of Processing

Right to Restrict:

In certain circumstances, you can request that we restrict processing of your data:

  • Accuracy Contested: While we verify the accuracy of data you've challenged
  • Unlawful Processing: If you prefer restriction over deletion
  • No Longer Needed: If we no longer need the data but you need it for legal claims
  • Objection Pending: While we consider your objection to processing

Effect of Restriction:

When processing is restricted:

  • We will store but not actively process the data
  • We will not use the data for any purpose except storage
  • We will notify you before lifting the restriction

5.7 Objection to Processing

Right to Object:

You can object to certain types of processing:

  • Legitimate Interests: Object to processing based on our legitimate interests
  • Direct Marketing: Object to processing for direct marketing purposes
  • Profiling: Object to automated profiling that affects you
  • Research: Object to processing for research or statistics

How to Object:

  • Use the relevant settings in your account
  • Contact our privacy team with your objection
  • Explain the grounds for your objection

Our Response:

  • For direct marketing: We will stop immediately
  • For other objections: We will assess and respond within 30 days
  • We will stop processing unless we have compelling legitimate grounds

5.8 Withdrawal of Consent

Right to Withdraw Consent:

Where we process data based on your consent, you can withdraw that consent at any time:

  • Effect: Withdrawal does not affect the lawfulness of processing before withdrawal
  • Ease: Withdrawing consent should be as easy as giving it
  • Consequence-Free: We will not penalize you for withdrawing consent

How to Withdraw Consent:

Consent Type | How to Withdraw
Marketing emails | Unsubscribe link or settings
Cookies | Cookie settings or browser controls
Location sharing | Device or app settings
Connected apps | Disconnect in settings
Research participation | Contact support
Sensitive data processing | Contact privacy team

5.9 How to Exercise Your Rights

Methods for Submitting Requests:

What to Include:

  • Your name and account identifier (username or email)
  • The specific right you want to exercise
  • Details about your request
  • Preferred response method

Authorized Agents:

You can authorize someone to make requests on your behalf:

  • Provide written authorization
  • The agent must verify their identity
  • We may contact you directly to confirm

5.10 Verification Process

Why We Verify:

We verify your identity to protect your data from unauthorized access:

  • Prevent fraudulent requests
  • Ensure we respond to the correct person
  • Comply with legal requirements

Verification Methods:

Risk Level | Verification Required
Low (e.g., settings change) | Logged-in session
Medium (e.g., data download) | Password confirmation or email verification
High (e.g., account deletion) | Multi-factor verification

If We Cannot Verify:

  • We will explain what additional information we need
  • We may offer alternative verification methods
  • We will not process the request until verified

5.11 Response Timeframes

Standard Timeframes:

Region | Initial Response | Extension (if needed)
EU/EEA/UK (GDPR) | 30 days | +60 days with notice
California (CCPA/CPRA) | 45 days | +45 days with notice
Brazil (LGPD) | 15 days | As needed with notice
Other regions | 30 days | Varies by jurisdiction

What Affects Timing:

  • Complexity of the request
  • Number of requests from you
  • Need for verification
  • Technical challenges

5.12 Appeals and Complaints

Internal Appeals:

If you're not satisfied with our response:

  1. Contact our privacy team to appeal
  2. Provide details about your original request and concerns
  3. We will review and respond within 30 days
  4. Our Data Protection Officer may review complex appeals

External Complaints:

You have the right to lodge complaints with supervisory authorities:

Region | Authority
EU/EEA | Your local Data Protection Authority
UK | Information Commissioner's Office (ICO)
California | California Attorney General or California Privacy Protection Agency
Brazil | Autoridade Nacional de Proteção de Dados (ANPD)

Our Commitment:

  • We take all complaints seriously
  • We cooperate with supervisory authorities
  • We work to resolve issues promptly and fairly

5.13 Do Not Track and Global Privacy Controls

Do Not Track:

Some browsers send "Do Not Track" signals. Our response to these signals:

  • We currently [do/do not] respond to DNT signals
  • You can use our privacy settings for more granular control

Global Privacy Control (GPC):

We recognize Global Privacy Control signals where required by law:

  • When we detect a GPC signal, we treat it as an opt-out of sale/sharing
  • This applies to the browser or device sending the signal
  • You may need to enable GPC on each browser/device

Other Privacy Signals:

We also honor:

  • CCPA opt-out preference signals
  • Industry opt-out mechanisms
  • Platform-specific privacy controls

6. Data Retention

We retain your information only as long as necessary for the purposes described in this Privacy Policy. This section explains our retention practices and the factors we consider when determining how long to keep your data.

6.1 General Retention Principles

Our Approach to Retention:

We follow these principles when determining data retention:

  • Purpose Limitation: We keep data only as long as needed for the purpose it was collected
  • Minimization: We regularly review and delete data that is no longer necessary
  • Legal Compliance: We retain data as required by applicable laws and regulations
  • User Control: We honor your deletion requests subject to legal and legitimate business requirements

Factors Affecting Retention:

When determining retention periods, we consider:

  • The nature and sensitivity of the information
  • The purpose for which it was collected
  • Legal requirements and regulatory guidance
  • Legitimate business needs
  • Your preferences and requests
  • Industry standards and best practices

6.2 Account Data Retention

Active Accounts:

While your account is active, we retain:

Data Type | Retention Period
Account credentials | Duration of account
Profile information | Duration of account (updated as you change it)
Account settings | Duration of account
Verification information | Duration of account + legal requirements
Payment methods | Until you remove them or account closure

Inactive Accounts:

For accounts that become inactive:

  • We may send reminders before taking action on dormant accounts
  • Accounts inactive for an extended period may be subject to deletion
  • We provide notice before deleting inactive accounts
  • You can prevent deletion by logging in or responding to our notice

6.3 Content Retention

Your Content:

Content Type | Retention While Active | After Deletion
Posts and updates | Until you delete | Removed within 30 days
Photos and videos | Until you delete | Removed within 30 days
Comments | Until you delete | Removed within 30 days
Messages | Until you delete | See messaging retention below
Stories/ephemeral content | 24 hours (or set duration) | Immediately after expiration
Live streams | Per your settings | As configured

Messaging Retention:

Direct messages have special retention considerations:

  • Messages you delete are removed from your view
  • Recipients may retain copies in their accounts
  • We may retain message metadata for safety purposes
  • Disappearing messages are deleted according to your settings
  • Reported messages may be retained for review

Shared Content:

Content you share with others:

  • Remains with recipients even if you delete your copy
  • May be saved, screenshotted, or reshared by recipients
  • Downloaded copies are outside our control

6.4 Activity and Log Data Retention

Activity Logs:

Log Type | Typical Retention | Purpose
Login history | 12 months | Security, fraud prevention
IP addresses | 90 days | Security, abuse prevention
Device information | 12 months | Security, functionality
Feature usage | 24 months (aggregated) | Product improvement
Search history | 18 months | Personalization (if enabled)
Content interactions | 24 months | Recommendations

Server Logs:

Technical logs necessary for Platform operation:

  • Error logs: 90 days
  • Access logs: 30 days
  • Performance logs: 30 days
  • Security logs: 12 months or as required by law

6.5 Post-Deletion Retention

After You Delete Your Account:

When you delete your account, most data is removed immediately from active systems. However, some data may be retained:

Backup Retention:

  • Backup systems may contain your data for up to 90 days after deletion
  • Backups are used only for disaster recovery, not regular access
  • Data in backups is deleted during normal backup rotation

Legal and Safety Retention:

We may retain data after deletion for:

Reason | Retention Period | Examples
Legal holds | Duration of legal matter | Litigation, government investigation
Tax records | 7 years or as required | Transaction records, tax documents
Fraud prevention | Up to 10 years | Account abuse records, fraud indicators
Safety records | As required | Reports of harm, safety investigations
Legal claims | Statute of limitations period | Potential disputes

Anonymized Data:

  • Aggregated and anonymized data may be retained indefinitely
  • This data cannot be used to identify you
  • Used for research, analytics, and Platform improvement

6.6 Transaction and Financial Data Retention

Payment and Transaction Records:

Data Type | Retention Period | Reason
Transaction history | 7 years | Tax and accounting requirements
Payment method details | Until removed + 90 days | Dispute resolution
Invoices and receipts | 7 years | Legal and tax compliance
Refund records | 7 years | Accounting requirements
Creator earnings | 7 years | Tax reporting obligations

Subscription Records:

  • Active subscription data: Duration of subscription
  • Subscription history: 7 years for tax purposes
  • Cancellation records: 3 years

6.7 Communications Retention

Customer Support:

Communication Type | Retention Period
Support tickets | 3 years after resolution
Chat transcripts | 2 years
Email correspondence | 3 years
Phone call recordings (if applicable) | 1 year

Surveys and Feedback:

  • Survey responses: 3 years (anonymized after 1 year)
  • Feedback submissions: 2 years
  • Beta/test feedback: Duration of program + 1 year

6.8 Legal and Compliance Data Retention

Regulatory Requirements:

Different jurisdictions require different retention periods:

Jurisdiction | General Requirement
United States | Varies by state and data type; typically 3-7 years for financial data
European Union | As long as necessary; specific rules for certain data types
United Kingdom | Similar to EU; sector-specific requirements
Brazil | As long as necessary; specific rules in LGPD
California | Specific requirements under CCPA/CPRA

Legal Holds:

When we receive legal process or anticipate litigation:

  • We preserve relevant data regardless of normal retention schedules
  • Preservation continues until the legal matter is resolved
  • We do not delete data subject to legal hold even upon user request

6.9 Feature-Specific Retention

Location Data:

  • Precise location: Deleted after use for the specific feature
  • Location history (if enabled): Per your settings, up to 18 months
  • Approximate location: May be retained longer for analytics (city-level)

Biometric Data (if applicable):

  • Face/voice recognition templates: Until you disable the feature
  • Deleted within 30 days of feature deactivation
  • Not shared with third parties

Third-Party Integrations:

  • Connection records: Duration of connection + 90 days
  • Data shared with third parties: Subject to their retention policies
  • Tokens and credentials: Until you revoke access

6.10 Your Retention Controls

Managing Your Data:

You have controls to manage retention of your data:

  • Delete Content: Remove individual posts, photos, messages
  • Clear History: Clear search history, watch history, activity
  • Download First: Download your data before deletion
  • Account Deletion: Request full account deletion

Automatic Deletion:

Some data is automatically deleted:

  • Ephemeral content after its set duration
  • Expired stories after 24 hours
  • Temporary files after processing
  • Session data after logout (configurable)

Retention Preferences:

Where available, you can set preferences for:

  • How long to keep search history
  • Whether to save content preferences
  • Duration for location history
  • Message retention settings

7. Data Security

Protecting your information is a top priority. This section describes the security measures we implement to safeguard your data and what you can do to help protect your account.

7.1 Our Security Commitment

Security Principles:

We are committed to protecting your data through:

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Access only to what is necessary
  • Continuous Monitoring: Ongoing surveillance for threats
  • Regular Assessment: Frequent security testing and audits
  • Rapid Response: Quick action when issues are detected
  • Transparency: Open communication about security matters

Security Program:

Our security program includes:

  • Dedicated security team with industry expertise
  • Regular security training for all employees
  • Documented security policies and procedures
  • Executive oversight of security initiatives
  • Investment in security tools and infrastructure

7.2 Technical Security Measures

Encryption:

We use encryption to protect your data:

Data State | Encryption Method
Data in transit | TLS 1.2 or higher for all connections
Data at rest | AES-256 encryption for stored data
Passwords | Salted hashing using industry-standard algorithms
Payment data | PCI DSS compliant encryption
Backups | Encrypted with separate key management

Network Security:

Our network is protected by:

  • Firewalls and intrusion detection/prevention systems
  • DDoS (Distributed Denial of Service) mitigation
  • Network segmentation to isolate sensitive systems
  • Regular vulnerability scanning and penetration testing
  • Secure configuration management

Application Security:

Our applications are secured through:

  • Secure software development lifecycle (SDLC)
  • Code reviews and security testing
  • Regular security assessments and audits
  • Bug bounty program for responsible disclosure
  • Web application firewalls (WAF)
  • Protection against common vulnerabilities (OWASP Top 10)

7.3 Access Controls

Employee Access:

We control access to your data through:

Control | Description
Role-based access | Employees access only data needed for their role
Multi-factor authentication | Required for all employees accessing systems
Access logging | All access to user data is logged and monitored
Regular reviews | Periodic review and removal of unnecessary access
Background checks | Screening for employees with data access
Confidentiality agreements | Contractual obligations to protect data

System Access:

Technical access controls include:

  • Strong authentication requirements
  • Session management and timeout policies
  • Privileged access management
  • Just-in-time access provisioning
  • Automated access revocation upon role change

Third-Party Access:

When vendors need access to data:

  • Contractual security requirements
  • Security assessments before engagement
  • Limited access scope and duration
  • Monitoring of third-party activities
  • Regular review of third-party access

7.4 Physical Security

Data Center Security:

Our infrastructure is hosted in secure facilities with:

  • 24/7 security personnel and surveillance
  • Biometric and multi-factor access controls
  • Visitor logging and escort requirements
  • Environmental controls (fire suppression, climate control)
  • Redundant power and connectivity
  • Geographic distribution for resilience

Office Security:

Our corporate facilities are protected by:

  • Access control systems
  • Security personnel
  • Visitor management
  • Clean desk policies
  • Secure disposal of physical media

7.5 Incident Detection and Response

Monitoring and Detection:

We continuously monitor for security threats:

  • Security information and event management (SIEM)
  • Anomaly detection and behavioral analytics
  • Threat intelligence integration
  • Automated alerting for suspicious activity
  • 24/7 security operations coverage

Incident Response:

When security incidents occur, we:

  1. Identify: Detect and confirm the incident
  2. Contain: Limit the scope and impact
  3. Eradicate: Remove the threat
  4. Recover: Restore normal operations
  5. Learn: Analyze and improve our defenses

For details on how we notify you in the event of a data breach, see Section 7.6 (Data Breach Notification) below.

7.6 Data Breach Notification

What Constitutes a Data Breach:

A "data breach" or "security breach" means unauthorized access to, acquisition of, or disclosure of personal information that compromises the security, confidentiality, or integrity of that information. This includes situations where personal information is accessed by unauthorized persons, accidentally disclosed, lost, or stolen. Incidents that are contained before any personal information is accessed or acquired may not constitute a breach under applicable law.

Jurisdiction-Specific Notification Timelines:

When a breach triggers notification obligations, we comply with the applicable timelines:

| Jurisdiction | Notification to Authorities | Notification to Individuals |
| --- | --- | --- |
| EU/EEA (GDPR) | Within 72 hours of becoming aware | Without undue delay, where breach is likely to result in high risk to rights and freedoms |
| United Kingdom (UK GDPR) | Within 72 hours of becoming aware | Without undue delay, where high risk to individuals |
| California (CCPA/CPRA) | N/A (Attorney General if 500+ residents) | In the most expedient time possible and without unreasonable delay |
| Texas | Within 60 days of determination | Within 60 days of determination |
| New York | As soon as possible to AG | In the most expedient time possible |
| Other U.S. states | Per state-specific requirements (typically 30–60 days) | Per state-specific requirements |
| Brazil (LGPD) | Within reasonable time to ANPD | Within reasonable time, as directed by ANPD |
| Canada (PIPEDA) | As soon as feasible to OPC | As soon as feasible, where real risk of significant harm |
| Australia | Within 30 days to OAIC | As soon as practicable, where likely serious harm |
| South Korea (PIPA) | Within 72 hours to PIPC | Without delay |

If your jurisdiction is not listed above, we will comply with applicable local breach notification requirements.

How We Notify You:

If a breach affects your personal information, we will notify you through one or more of the following methods:

  • Email to the address associated with your account
  • In-app or on-platform notification
  • Push notification (if you have notifications enabled)
  • Prominent notice on our website
  • Postal mail, where required by law or where we lack electronic contact information

We will make reasonable efforts to reach you through the most direct and expedient means available.

Content of Our Notification:

Our breach notification will include:

  • A description of the incident and when it occurred (or our best estimate)
  • The types of personal information involved
  • What we have done and are doing in response
  • Steps you can take to protect yourself
  • Contact information for our privacy or security team for follow-up questions
  • Contact information for relevant regulatory authorities (where required by law)

Third-Party Processor Breaches:

When a breach occurs at a third-party service provider processing data on our behalf:

  • Our data processing agreements require providers to notify us without undue delay upon discovering a breach
  • We treat processor breaches with the same urgency and follow the same notification procedures as breaches in our own systems
  • We will identify the affected third party in our notification to you, unless doing so would compromise an ongoing investigation

Remediation and Support:

Depending on the nature and severity of the breach, we may offer affected users:

  • Free credit monitoring or identity protection services
  • Password reset requirements and enhanced account security measures
  • Dedicated support channels for breach-related inquiries
  • Guidance on steps to protect yourself from potential misuse of your information

Record-Keeping:

We maintain records of all data breaches, including those that did not trigger notification obligations. These records include the facts of the breach, its effects, and the remedial actions taken, in compliance with GDPR Article 33(5) and other applicable requirements.

7.7 Security Certifications and Compliance

Certifications:

We maintain industry-recognized security certifications:

| Certification | Description |
| --- | --- |
| SOC 2 Type II | Independent audit of security, availability, and confidentiality controls |
| ISO 27001 | International standard for information security management |
| PCI DSS | Payment Card Industry Data Security Standard for payment processing |

Compliance Programs:

We comply with applicable security requirements:

  • Industry-specific regulations
  • Contractual security obligations
  • Regional data protection requirements
  • Platform and app store security standards

Audits and Assessments:

Our security is regularly verified through:

  • Annual third-party security audits
  • Regular penetration testing
  • Vulnerability assessments
  • Compliance audits

7.8 Your Security Responsibilities

Account Security:

You play an important role in protecting your account:

Strong Passwords:

  • Use a unique password for your account
  • Make it long (12+ characters) and complex
  • Don't reuse passwords from other sites
  • Consider using a password manager

Additional Security Features:

  • Enable any additional security features we may offer
  • Keep backup codes or recovery options in a secure location

Session Security:

  • Log out when using shared devices
  • Review active sessions regularly
  • Remove sessions you don't recognize
  • Don't save passwords on public computers

7.9 Protecting Against Common Threats

Phishing:

Protect yourself from phishing attacks:

  • We will never ask for your password via email
  • Verify URLs before entering credentials
  • Be suspicious of urgent requests for account information
  • Report suspicious emails to us

Social Engineering:

Be aware of manipulation tactics:

  • Don't share verification codes with anyone
  • Be cautious of unsolicited contact claiming to be from us
  • Verify requests through official channels
  • Don't click links in suspicious messages

Malware:

Protect your devices:

  • Keep your operating system and apps updated
  • Use reputable antivirus/anti-malware software
  • Don't download software from untrusted sources
  • Be cautious with email attachments

7.10 Security Features We Provide

Account Protection:

Features to help secure your account:

| Feature | Description |
| --- | --- |
| Additional security features | Additional verification options we may offer beyond password |
| Login alerts | Notifications of new device logins |
| Session management | View and end active sessions |
| Password requirements | Enforcement of minimum password strength |
| Account recovery | Secure process for regaining access |

Activity Monitoring:

Tools to monitor your account:

  • Login history showing devices and locations
  • Security checkup to review your settings
  • Alerts for suspicious activity
  • Privacy checkup for your sharing settings

Recovery Options:

If you lose access to your account:

  • Email recovery
  • Phone number recovery
  • Trusted contacts (if configured)
  • Identity verification process

7.11 Reporting Security Issues

Bug Bounty Program:

We welcome responsible security research:

  • Report vulnerabilities through our bug bounty program
  • Rewards for qualifying discoveries
  • Safe harbor for good-faith researchers
  • Details at https://boba.town/security

Reporting Security Concerns:

If you notice something suspicious:

  • Compromised Account: Use our account recovery process
  • Phishing: Report to security@boba.town
  • Vulnerabilities: Submit through our bug bounty program
  • General Concerns: Contact our security team

What to Report:

  • Suspicious emails or messages claiming to be from us
  • Unauthorized access to your account
  • Security vulnerabilities in our Platform
  • Potential data breaches or exposures

7.12 Limitations

No Absolute Security:

While we implement robust security measures:

  • No system is completely immune to attack
  • We cannot guarantee absolute security
  • Security requires ongoing vigilance
  • New threats emerge constantly

Shared Responsibility:

Security is a partnership:

  • We protect our systems and your data
  • You protect your account credentials and devices
  • Together we create a more secure environment

8. International Data Transfers

Our Platform operates globally, which means your information may be transferred to and processed in countries other than your own. This section explains how we handle international transfers of your data and the protections we have in place.

8.1 Where Your Data Is Processed

Our Global Operations:

We operate in multiple countries and regions:

| Region | Operations |
| --- | --- |
| United States | Primary data centers, headquarters, core operations |
| European Union | Regional data centers, local operations, customer support |
| Asia-Pacific | Regional data centers, local operations |
| Other Regions | Local offices, customer support, content moderation |

Why We Transfer Data Internationally:

Your data may be transferred internationally for:

  • Service Delivery: Providing you with our global Platform
  • Infrastructure: Utilizing data centers and cloud services worldwide
  • Support: Offering customer support across time zones
  • Operations: Running our global business operations
  • Safety: Conducting content moderation and trust & safety operations
  • Legal: Responding to legal requests from various jurisdictions

8.2 Transfer Mechanisms

Legal Frameworks for Transfers:

We use appropriate legal mechanisms to transfer data internationally:

| Mechanism | Description | When Used |
| --- | --- | --- |
| Standard Contractual Clauses (SCCs) | EU-approved contract terms that require recipients to protect data | Transfers from EU/EEA to non-adequate countries |
| International Data Transfer Agreement (IDTA) | UK-approved contract terms for international transfers | Transfers from UK to non-adequate countries |
| Adequacy Decisions | Formal recognition that a country provides adequate protection | Transfers to countries the EU/UK has approved |
| EU-US Data Privacy Framework | Certification program for US companies | Transfers to certified US organizations |
| Binding Corporate Rules (BCRs) | Internal rules approved by data protection authorities | Intra-group transfers (if applicable) |
| Consent | Your explicit consent to a specific transfer | Specific situations where you've agreed |
| Contractual Necessity | Transfer necessary to perform our contract with you | Providing services you've requested |

Our Commitments:

Regardless of where your data is processed, we commit to:

  • Applying consistent privacy protections
  • Honoring this Privacy Policy
  • Complying with applicable laws
  • Implementing appropriate security measures

8.3 Adequacy Decisions

What Are Adequacy Decisions?

Adequacy decisions are formal determinations by the European Commission or UK government that a country provides an adequate level of data protection, allowing data to flow freely to that country.

Countries with EU Adequacy Decisions:

As of the last update to this policy, the EU has recognized the following countries/territories as providing adequate protection:

  • Andorra
  • Argentina
  • Canada (commercial organizations under PIPEDA)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea (South Korea)
  • Switzerland
  • United Kingdom
  • United States (for organizations certified under the EU-US Data Privacy Framework)
  • Uruguay

UK Adequacy Decisions:

The UK has made its own adequacy decisions, which may include additional countries.

Note: Adequacy decisions can change. We monitor regulatory developments and update our practices accordingly.

8.4 Standard Contractual Clauses

What Are SCCs?

Standard Contractual Clauses are model contract terms approved by the European Commission that provide appropriate safeguards for data transfers.

How We Use SCCs:

  • We incorporate SCCs into agreements with service providers and partners
  • We use the appropriate SCC modules based on our role (controller or processor)
  • We supplement SCCs with additional security measures where appropriate
  • We conduct transfer impact assessments as required

UK International Data Transfer Agreement:

For transfers from the UK, we use the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

Obtaining Copies:

You can request copies of the SCCs or other transfer mechanisms we use by contacting our privacy team.

8.5 EU-US and UK-US Data Privacy Framework

What Is the Data Privacy Framework?

The EU-US Data Privacy Framework (and UK Extension) is a mechanism that allows certified US organizations to receive personal data from the EU, UK, and Switzerland.

Our Participation:

Boba, LLC [is/is not] certified under the EU-US Data Privacy Framework. [If certified: Our certification can be verified at https://www.dataprivacyframework.gov/]

Framework Principles:

Certified organizations must adhere to principles including:

  • Notice about data practices
  • Choice regarding use and disclosure
  • Security safeguards
  • Data integrity and purpose limitation
  • Access rights for individuals
  • Recourse and enforcement mechanisms

8.6 Supplementary Measures

Additional Protections:

Beyond legal mechanisms, we implement supplementary measures:

Technical Measures:

  • Encryption of data in transit and at rest
  • Pseudonymization where appropriate
  • Access controls and authentication
  • Security monitoring and incident detection

Organizational Measures:

  • Privacy policies and procedures
  • Staff training on data protection
  • Confidentiality agreements
  • Regular audits and assessments

Contractual Measures:

  • Obligations on recipients to protect data
  • Rights to audit compliance
  • Requirements for breach notification
  • Restrictions on further transfers

8.7 Transfer Impact Assessments

What Are TIAs?

Transfer Impact Assessments evaluate whether the destination country provides adequate protection for transferred data, considering:

  • The laws of the destination country
  • Government access practices
  • Effectiveness of legal remedies
  • Contractual protections in place

Our Approach:

We conduct Transfer Impact Assessments when required:

  • Before initiating new transfer arrangements
  • When laws in destination countries change
  • Periodically for ongoing transfers
  • When regulatory guidance is updated

8.8 Government Access Requests

Our Approach:

When we receive government requests for user data:

  • We carefully review each request for legal validity
  • We challenge overbroad or improper requests
  • We notify users when permitted by law
  • We provide the minimum information legally required
  • We publish transparency reports on request volumes

Protections Against Unlawful Access:

We implement measures to protect against unlawful government access:

  • Strong encryption
  • Limited data collection
  • Access controls
  • Legal review of requests
  • Challenging improper requests

8.9 Your Rights Regarding International Transfers

Information Rights:

You have the right to:

  • Know where your data is transferred
  • Understand the safeguards in place
  • Receive copies of transfer mechanisms (such as SCCs)
  • Object to certain transfers

How to Exercise Your Rights:

Contact our privacy team to:

  • Request information about international transfers
  • Obtain copies of transfer safeguards
  • Ask questions about our transfer practices

8.10 Specific Regional Transfers

Transfers from the European Economic Area (EEA):

When we transfer data from the EEA:

  • We rely on adequacy decisions where available
  • We use SCCs for transfers to non-adequate countries
  • We conduct Transfer Impact Assessments as required
  • We implement supplementary measures where necessary

Transfers from the United Kingdom:

For transfers from the UK:

  • We follow UK GDPR requirements
  • We use the UK IDTA or UK Addendum to EU SCCs
  • We recognize UK adequacy decisions
  • We comply with ICO guidance

Transfers from Switzerland:

For transfers from Switzerland:

  • We comply with the Swiss Federal Act on Data Protection
  • We use appropriate transfer mechanisms
  • We recognize Swiss-specific requirements

8.11 Changes to Transfer Mechanisms

Monitoring Developments:

We actively monitor:

  • Regulatory changes affecting international transfers
  • Court decisions impacting transfer mechanisms
  • New adequacy decisions
  • Guidance from data protection authorities

Adapting Our Practices:

When transfer mechanisms change:

  • We assess the impact on our operations
  • We implement required changes promptly
  • We update our agreements with partners
  • We notify users of significant changes

9. Children's Privacy

Protecting children online is extremely important to us. This section explains our approach to children's privacy, age restrictions, and compliance with laws designed to protect minors.

9.1 Age Requirements

Minimum Age to Use Our Platform:

| Region | Minimum Age |
| --- | --- |
| United States | 13 years old |
| European Union/EEA | 16 years old (or lower if member state allows, minimum 13) |
| United Kingdom | 13 years old |
| South Korea | 14 years old |
| Brazil | 18 years old (or with parental consent) |
| Other regions | 13 years old (or age of digital consent in your country) |

Age Verification:

We rely on self-declaration of age during registration to verify that users meet our age requirements. We do not use programmatic age verification or technology-based age estimation. If we have reason to believe a user is underage based on content or activity, we will take appropriate action as described below.

What Happens If We Learn a User Is Underage:

If we discover that a user does not meet our minimum age requirements:

  • We will terminate the account
  • We will delete personal information collected from that user
  • We may retain limited information necessary for safety purposes
  • Parents/guardians may contact us regarding their child's information

9.2 Children Under 13 (COPPA Compliance)

Our Policy:

Our Platform is not directed at children under 13, and we do not knowingly collect personal information from children under 13 in the United States.

Children's Online Privacy Protection Act (COPPA):

In compliance with COPPA:

  • We do not knowingly collect personal information from children under 13
  • If we learn we have collected information from a child under 13, we will delete it promptly
  • Parents can contact us to review, delete, or stop collection of their child's information
  • We do not condition participation on disclosure of more information than reasonably necessary

If You Are a Parent or Guardian:

If you believe your child under 13 has provided us with personal information:

  1. Contact us immediately at privacy@boba.town
  2. Provide details to help us locate the account
  3. We will investigate and delete the information if confirmed
  4. We will notify you of the actions taken

9.3 Teen Privacy (Ages 13-17)

Enhanced Protections for Teens:

We provide additional protections for users between 13 and 17:

| Protection | Description |
| --- | --- |
| Default Privacy Settings | More restrictive default settings for teen accounts |
| Limited Advertising | Restrictions on targeted advertising to teens |
| Content Restrictions | Age-appropriate content controls |
| Direct Messaging | Limits on who can message teen users |
| Discoverability | Reduced visibility in search and recommendations by default |
| Time Management | Optional tools to manage time spent on Platform |

Features We Limit for Teens:

Certain features may be limited or unavailable for teen users:

  • Live streaming (may require additional verification)
  • Monetization features
  • Certain direct messaging capabilities
  • Some third-party integrations
  • Features involving financial transactions

Parental Involvement:

We encourage parental involvement in teens' online activities:

  • Family sharing and supervision tools (where available)
  • Resources for parents about Platform safety
  • Ability for parents to report concerns
  • Support for parent-teen conversations about online safety

9.4 Parental Consent

When Parental Consent Is Required:

In some jurisdictions, parental consent may be required:

| Jurisdiction | Consent Age | Requirement |
| --- | --- | --- |
| EU/EEA (varies by country) | 13-16 | Parental consent for users below digital age of consent |
| United Kingdom | 13 | Parental consent may be required for certain processing |
| South Korea | 14 | Parental consent for users under 14 |
| Brazil | 18 | Parental consent for users under 18 |
| United States | 13 | Parental consent for users under 13 (COPPA) |

How We Obtain Parental Consent:

When parental consent is required, we may:

  • Request parent/guardian email address
  • Send verification to parent/guardian
  • Use third-party verification services
  • Require signed consent forms for certain features
  • Implement other reasonable verification methods

Verifying Parental Consent:

We use reasonable methods to verify that consent is provided by a parent or guardian:

  • Email verification plus additional steps
  • Credit card verification (small charge, refunded)
  • Government ID verification
  • Video call verification
  • Signed consent forms

9.5 Information We Collect From Minors

Limited Collection:

For users we know to be minors, we limit our data collection:

| Data Type | Collection Approach |
| --- | --- |
| Account information | Minimum necessary for account creation |
| Content | User-generated content with enhanced protections |
| Location | Precise location disabled by default; requires explicit activation |
| Contacts | Not collected without explicit consent |
| Behavioral data | Limited collection for personalization |
| Advertising data | Restricted or prohibited for ad targeting |

What We Don't Collect From Minors:

We do not collect the following from known minor users:

  • Precise geolocation without explicit consent
  • Biometric data
  • Data for behavioral advertising (in most jurisdictions)
  • Sensitive personal information beyond what's necessary

9.6 How We Use Minors' Information

Purpose Limitations:

We use information from minor users only for:

  • Providing and maintaining the Platform
  • Safety and security
  • Age-appropriate content recommendations
  • Customer support
  • Legal compliance

Prohibited Uses:

We do not use minors' information for:

  • Behavioral or targeted advertising (where prohibited)
  • Sale to third parties
  • Profiling that produces legal or significant effects
  • Creating marketing profiles

9.7 Parent and Guardian Rights

Your Rights as a Parent/Guardian:

If you are a parent or legal guardian, you have the right to:

| Right | Description |
| --- | --- |
| Review | Review personal information collected from your child |
| Delete | Request deletion of your child's personal information |
| Consent | Provide or withdraw consent for data collection |
| Opt-out | Opt your child out of certain data practices |
| Access | Access your child's account (with appropriate verification) |
| Restrict | Request restrictions on how we use your child's data |

How to Exercise These Rights:

To exercise rights regarding your child's information:

  1. Contact us at privacy@boba.town
  2. Provide verification of your identity and relationship to the child
  3. Specify the action you are requesting
  4. We will respond within the timeframe required by applicable law

Verification Requirements:

To protect children, we verify parent/guardian identity through:

  • Government-issued ID
  • Notarized statement
  • Other reliable verification methods
  • Consistency with account information

9.8 Safety Features for Minors

Built-In Protections:

We implement safety features specifically for minor users:

Content Safety:

  • Age-appropriate content filtering
  • Sensitive content warnings
  • Restricted access to mature content
  • AI-powered content moderation

Interaction Safety:

  • Limits on who can contact minor users
  • Blocking and reporting tools
  • Comment filtering
  • Restricted live features

Account Safety:

  • Enhanced privacy defaults
  • Limited public visibility
  • Restricted discovery features
  • Protected profile information

9.9 Education and Resources

For Parents and Guardians:

We provide resources to help parents:

  • Safety Center with tips and guides
  • Information about Platform features and controls
  • Guidance on talking to children about online safety
  • Information about reporting concerns

For Educators:

Resources for schools and educators:

  • Digital citizenship materials
  • Classroom discussion guides
  • Information about educational use
  • Reporting mechanisms for schools

For Young Users:

Age-appropriate resources for young users:

  • Tips for staying safe online
  • Information about privacy settings
  • How to report problems
  • Resources for help and support

9.10 Reporting Concerns About Minors

How to Report:

If you have concerns about a minor's safety on our Platform:

| Concern Type | How to Report |
| --- | --- |
| Underage user | Report through in-app reporting or contact us |
| Harmful content involving minors | Use urgent reporting feature |
| Exploitation or abuse | Report immediately; we escalate to authorities |
| Bullying or harassment | Report through safety tools |
| Mental health concerns | Report with concern type; we provide resources |

Our Response:

When we receive reports involving minors:

  • We prioritize review of these reports
  • We take swift action to protect the minor
  • We report illegal content to appropriate authorities (e.g., NCMEC)
  • We preserve evidence as required by law
  • We may contact parents/guardians if appropriate

9.11 Legal Compliance

Laws We Comply With:

We comply with children's privacy laws worldwide:

| Law | Jurisdiction | Key Requirements |
| --- | --- | --- |
| COPPA | United States | Parental consent for under 13; notice; deletion rights |
| CAADCA | California | Age estimation; DPIAs for children; default high privacy; no profiling by default; no dark patterns |
| GDPR (children's provisions) | EU/EEA | Age of digital consent; parental consent; clear language |
| UK Age Appropriate Design Code | United Kingdom | Best interests of child; default privacy; data minimization |
| LGPD (children's provisions) | Brazil | Best interests of child; parental consent |
| PIPA | South Korea | Parental consent for under 14 |

Age Appropriate Design:

We comply with age-appropriate design codes in applicable jurisdictions, including the UK Age Appropriate Design Code (Children's Code) and the California Age-Appropriate Design Code Act (CAADCA). Our approach includes:

  • We design with the best interests of children as a primary consideration
  • We use high privacy settings by default for users under 18
  • We minimize data collection from children and teens
  • We provide prominent, clear, and age-appropriate privacy information
  • We do not use nudge techniques, dark patterns, or other design elements that encourage children to provide more data or choose privacy-diminishing options
  • We do not profile children or teens by default
  • We conduct Data Protection Impact Assessments (DPIAs) for features and services likely to be accessed by children
  • We provide age-appropriate explanations to young users about how their data is used
  • We implement age estimation measures as required by applicable law

For detailed implementation of the UK AADC, see Supplement 1, Section 1.10. For California CAADCA-specific provisions, see Supplement 2, Section 2.13.

9.12 Updates to Children's Privacy Practices

Changes to This Section:

When we make material changes to our children's privacy practices:

  • We provide notice to users and parents
  • We update this Privacy Policy
  • We may seek fresh consent where required
  • We give parents opportunity to review changes

Contact for Children's Privacy:

For questions specifically about children's privacy:


10. Cookies & Tracking Technologies

We use cookies and similar technologies to operate our Platform, remember your preferences, understand how you use our services, and improve your experience. This section explains what these technologies are, how we use them, and your choices.

10.1 What Are Cookies and Similar Technologies?

Cookies:

Cookies are small text files that websites place on your device when you visit. They help websites remember information about your visit, like your preferred language and other settings.

| Cookie Type | Description |
| --- | --- |
| Session cookies | Temporary cookies deleted when you close your browser |
| Persistent cookies | Remain on your device for a set period or until you delete them |
| First-party cookies | Set by the website you're visiting |
| Third-party cookies | Set by other parties (advertisers, analytics providers) |

Similar Technologies:

We also use other tracking technologies:

| Technology | Description |
| --- | --- |
| Pixels/Web beacons | Tiny images that track whether you've opened an email or visited a page |
| Local storage | Data stored in your browser that persists longer than cookies |
| Session storage | Data stored temporarily during a browser session |
| Device fingerprinting | Collecting device attributes to identify your device |
| SDKs | Software in our mobile apps that collects data |
| ETags | Identifiers used for caching that can also track users |

10.2 Types of Cookies We Use

Essential Cookies:

These cookies are necessary for the Platform to function:

| Purpose | Examples |
| --- | --- |
| Authentication | Keeping you logged in |
| Security | Detecting fraud and protecting your account |
| Load balancing | Distributing traffic across servers |
| Session management | Maintaining your session state |
| User preferences | Remembering your cookie consent choices |

You cannot opt out of essential cookies as they are required for basic Platform functionality.

Functional Cookies:

These cookies enable enhanced features:

| Purpose | Examples |
| --- | --- |
| Language preferences | Remembering your language selection |
| Region settings | Showing content relevant to your location |
| Accessibility | Remembering accessibility preferences |
| Personalization | Customizing your experience based on your choices |
| Video players | Remembering volume settings and playback position |

Analytics Cookies:

These cookies help us understand how users interact with our Platform:

| Purpose | Examples |
| --- | --- |
| Usage statistics | Pages visited, time spent, features used |
| Performance monitoring | Load times, errors, technical issues |
| A/B testing | Testing different versions of features |
| User journeys | Understanding how users navigate the Platform |
| Aggregate reporting | Generating anonymized usage reports |

Advertising Cookies:

These cookies are used for advertising purposes:

| Purpose | Examples |
| --- | --- |
| Ad targeting | Showing relevant ads based on interests |
| Ad measurement | Measuring ad effectiveness and conversions |
| Frequency capping | Limiting how often you see an ad |
| Cross-site tracking | Understanding behavior across websites |
| Attribution | Determining which ads led to actions |

10.3 First-Party vs. Third-Party Cookies

First-Party Cookies:

Cookies set by us (on our domain):

  • Used for core Platform functionality
  • Controlled by our Privacy Policy
  • Subject to our data practices

Third-Party Cookies:

Cookies set by other companies:

| Category | Examples | Purpose |
| --- | --- | --- |
| Analytics providers | Google Analytics, Mixpanel | Usage analytics |
| Advertising networks | Google Ads, Meta | Ad serving and measurement |
| Social media | Facebook, Twitter buttons | Social sharing features |
| Customer support | Zendesk, Intercom | Support chat functionality |
| Security | reCAPTCHA | Bot detection and security |

Third-Party Policies:

Third parties have their own privacy policies:

  • We encourage you to review their policies
  • We are not responsible for their data practices
  • You can often opt out through their services directly

10.4 How We Use Cookies

Platform Operation:

  • Authenticating users and maintaining sessions
  • Remembering your settings and preferences
  • Enabling core features and functionality
  • Providing security and preventing fraud

Performance and Analytics:

  • Understanding how you use our Platform
  • Identifying and fixing technical issues
  • Measuring feature adoption and engagement
  • Improving Platform performance

Personalization:

  • Customizing content recommendations
  • Remembering your preferences
  • Providing a tailored experience
  • Showing relevant information

Advertising (if applicable):

  • Delivering advertisements on our Platform
  • Measuring ad effectiveness
  • Limiting ad frequency
  • Understanding ad-driven conversions

10.5 Cookie Consent

How We Obtain Consent:

When you first visit our Platform (in jurisdictions where required):

  • We display a cookie banner or notice
  • We explain what cookies we use and why
  • We provide options to accept or customize
  • We record your consent choice

Consent Options:

Option Description
Accept All Accept all cookies including advertising
Reject All (non-essential) Accept only essential cookies
Customize Choose which categories to accept
Manage Later Adjust preferences in settings at any time

Regional Requirements:

Region Consent Requirement
EU/EEA (ePrivacy/GDPR) Prior consent for non-essential cookies
UK (PECR/UK GDPR) Prior consent for non-essential cookies
California (CCPA/CPRA) Opt-out right for sale/sharing via cookies
Brazil (LGPD) Consent or legitimate interest
Other regions Varies by jurisdiction

10.6 Managing Your Cookie Preferences

Through Our Platform:

You can manage cookies through our cookie settings:

  • Access cookie preferences at any time
  • Change your consent choices
  • View which cookies are active
  • Location: [Cookie Settings Link]

Through Your Browser:

Most browsers allow you to control cookies:

Browser How to Manage Cookies
Chrome Settings → Privacy and Security → Cookies
Firefox Settings → Privacy & Security → Cookies
Safari Preferences → Privacy → Cookies
Edge Settings → Cookies and Site Permissions
Mobile browsers Settings vary by browser and device

Browser Controls Include:

  • Blocking all cookies
  • Blocking third-party cookies only
  • Deleting existing cookies
  • Setting cookie preferences per site
  • Private/incognito browsing (limits persistent cookies)

Impact of Blocking Cookies:

If you block or delete cookies:

  • Some Platform features may not work properly
  • You may need to log in more frequently
  • Your preferences may not be remembered
  • You may see less relevant content and ads
  • Some essential functions may be unavailable

10.7 Specific Cookie Information

Our Cookie List:

Below is a representative list of cookies we use:

Cookie Name Type Duration Purpose
session_id Essential Session Maintains your login session
csrf_token Essential Session Prevents cross-site request forgery
preferences Functional 1 year Stores your settings
consent Essential 1 year Records your cookie consent
analytics_id Analytics 2 years Anonymous usage tracking
_ga Analytics 2 years Google Analytics identifier
ad_preferences Advertising 90 days Ad personalization settings

Note: This is not an exhaustive list. Cookie details may change. Visit our cookie settings for the current list.

10.8 Mobile App Tracking

In Our Mobile Apps:

Our mobile apps use similar technologies:

Technology Purpose
Device identifiers Analytics and advertising
SDKs Third-party services (analytics, crash reporting)
Local storage App preferences and cached data
Push tokens Sending push notifications

Mobile Privacy Controls:

You can control mobile tracking through:

  • App settings within our app
  • Device settings (iOS: Settings → Privacy; Android: Settings → Privacy)
  • Advertising ID controls (limit ad tracking)
  • App permissions (location, contacts, etc.)

Advertising Identifiers:

  • iOS: Identifier for Advertisers (IDFA)
  • Android: Google Advertising ID (GAID)
  • You can reset or limit these identifiers in device settings

10.9 Do Not Track and Similar Signals

Do Not Track (DNT):

Some browsers send a "Do Not Track" signal. Our response:

  • We currently [do/do not] respond to DNT signals
  • DNT is not widely adopted and lacks a standard definition
  • We recommend using our cookie settings for more control

Global Privacy Control (GPC):

We recognize GPC signals where required by law:

  • GPC signals are treated as opt-out of sale/sharing (CCPA/CPRA)
  • This applies to the browser or device sending the signal
  • Learn more at globalprivacycontrol.org

Other Privacy Signals:

We also recognize:

  • CCPA opt-out preference signals
  • Industry opt-out mechanisms (DAA, NAI)

10.10 Industry Opt-Out Tools

Advertising Industry Tools:

You can opt out of interest-based advertising through industry tools:

Organization Opt-Out Link Coverage
Digital Advertising Alliance (DAA) optout.aboutads.info US
Network Advertising Initiative (NAI) optout.networkadvertising.org US
European Digital Advertising Alliance (EDAA) youronlinechoices.eu EU
Digital Advertising Alliance of Canada (DAAC) youradchoices.ca Canada

What Opt-Out Does:

  • Stops personalized ads from participating companies
  • Does not stop all ads (you'll still see ads, just not targeted)
  • Requires opt-out on each browser/device
  • May need to be repeated if you clear cookies

Mobile Advertising Opt-Out:

  • iOS: Settings → Privacy → Tracking → disable "Allow Apps to Request to Track"
  • Android: Settings → Privacy → Ads → Opt out of Ads Personalization
  • App-specific settings in individual apps

10.11 Pixels and Email Tracking

Email Pixels:

Our marketing emails may contain pixels that track:

  • Whether you opened the email
  • When you opened it
  • Your general location (city level)
  • What device/email client you used

How to Prevent Email Tracking:

  • Disable automatic image loading in your email client
  • Use privacy-focused email clients
  • Unsubscribe from marketing emails

Website Pixels:

We may use pixels on our website and others' websites to:

  • Measure advertising effectiveness
  • Understand user journeys
  • Retarget visitors with ads
  • Track conversions

10.12 Local and Session Storage

What Is Local/Session Storage?

Browser storage mechanisms similar to cookies but with different characteristics:

Feature Cookies Local Storage Session Storage
Size limit ~4KB ~5-10MB ~5-10MB
Expiration Set by cookie Never (manual clear) End of session
Sent with requests Yes No No
Access Server and client Client only Client only

How We Use Storage:

  • Local storage: App state, cached content, offline functionality
  • Session storage: Temporary form data, navigation state

Clearing Storage:

You can clear local/session storage through browser settings:

  • Usually found in "Clear browsing data" options
  • Look for "Cookies and other site data"
  • May need to specifically select site data/storage

10.13 Cookie Policy Updates

Changes to This Section:

We may update our cookie practices:

  • We will update this section of the Privacy Policy
  • We may refresh our cookie consent if changes are material
  • The "last updated" date will reflect changes

Staying Informed:

  • Review this section periodically
  • Check our cookie settings for current cookie information
  • Contact us with questions about our cookie practices

11. Policy Updates

This Privacy Policy may change over time as we update our practices, respond to new regulations, or add new features. This section explains how we handle updates and how you'll be notified.

11.1 Our Right to Update

Why We Update:

We may update this Privacy Policy for various reasons:

  • Changes to our data practices or services
  • New features or products
  • Changes in applicable law or regulations
  • Regulatory guidance or enforcement actions
  • Industry best practice developments
  • Mergers, acquisitions, or corporate restructuring
  • User feedback and questions

Our Commitment:

When we update this policy:

  • Changes will be reflected in the posted Privacy Policy
  • We will update the "Last Updated" date
  • We will maintain an archive of previous versions
  • Material changes will be communicated more prominently

11.2 Material vs. Non-Material Changes

Material Changes:

Material changes are significant updates that affect your rights or how we handle your data:

Type of Change Examples
New data collection Collecting new categories of personal information
New purposes Using data for purposes not previously disclosed
New sharing Sharing data with new categories of third parties
Reduced rights Any reduction in your privacy rights
Security changes Significant changes to security practices
Retention changes Materially longer retention periods
Children's privacy Changes affecting children's data

Non-Material Changes:

Non-material changes are minor updates that don't significantly affect you:

  • Clarifications of existing practices
  • Grammatical or formatting corrections
  • Updated contact information
  • Reorganization without substantive change
  • Adding examples or explanations
  • Updates to reflect already-announced features

11.3 How We Notify You

For Material Changes:

We will notify you of material changes through one or more of:

Notification Method Description
Email notification Email to your registered email address
In-app notification Alert within the Platform
Website banner Prominent notice on our website
Push notification Mobile notification (if enabled)
Account notification Notice in your account settings
Blog post Announcement on our official blog

Notice Period:

For material changes, we typically provide:

  • At least 30 days' notice before changes take effect
  • Longer notice periods where required by law
  • Immediate effect only when required by law or for safety

For Non-Material Changes:

Non-material changes may be made without specific notice:

  • The updated policy will be posted
  • The "Last Updated" date will change
  • Changes will be reflected in the changelog

11.4 Your Choices When We Update

Reviewing Changes:

When notified of changes:

  • Review the updated Privacy Policy
  • Compare with the previous version (available in our archive)
  • Contact us with questions

Accepting or Rejecting Changes:

Your options when we make material changes:

Option How to Exercise
Accept Continue using the Platform after the effective date
Object Contact us to discuss concerns
Delete account Request account deletion before changes take effect
Exercise rights Use your privacy rights (access, delete, etc.)

Continued Use:

If you continue to use our Platform after material changes take effect:

  • This constitutes acceptance of the updated policy
  • Previous versions no longer apply to new data processing
  • Your existing rights are preserved

If You Disagree:

If you disagree with material changes:

  • You may delete your account before the effective date
  • We will process your deletion request under the prior policy
  • Contact us if you have concerns about specific changes

11.5 Version History and Changelog

Version Control:

We maintain versioned Privacy Policies:

  • Each version has a unique version number (e.g., 2.0.0)
  • Major changes increment the first number (1.0 → 2.0)
  • Minor changes increment the second number (2.0 → 2.1)
  • Patches increment the third number (2.1.0 → 2.1.1)

Changelog:

We maintain a changelog summarizing changes:

Date Version Summary of Changes
[Current Date] 2.0.0 Initial comprehensive policy
[Future] [Version] [Description of changes]

Accessing Previous Versions:

You can access previous versions of this policy:

  • Archive available at https://boba.town/legal/archive
  • Request previous versions from our privacy team
  • Significant historical versions maintained indefinitely

11.6 Effective Dates

When Changes Take Effect:

Change Type When Effective
Material changes Date specified in notice (typically 30+ days)
Non-material changes Immediately upon posting
Required by law As mandated by the applicable law
Emergency changes Immediately, with prompt notification

Transition Periods:

For some changes, we may provide transition periods:

  • Grace period to adjust settings
  • Time to exercise rights under prior policy
  • Phased implementation of new practices

11.7 Regional Considerations

Jurisdiction-Specific Updates:

Some updates may apply only to specific regions:

  • EU/EEA-specific updates for GDPR changes
  • California-specific updates for CCPA/CPRA changes
  • Updates for other jurisdiction-specific laws

Localized Notices:

In some jurisdictions, we may provide:

  • Translated notices of changes
  • Region-specific communication channels
  • Compliance with local notification requirements

11.8 Special Circumstances

Acquisitions and Mergers:

If we are acquired or merge with another company:

  • We will notify you before your data is transferred
  • The acquiring company must honor this policy or provide notice
  • You will have the opportunity to delete your data

Regulatory Requirements:

If changes are required by regulators:

  • We may need to make immediate changes
  • We will notify you as soon as practicable
  • We will explain the regulatory requirement

Emergency Updates:

In rare cases, we may need to make immediate updates:

  • Security vulnerabilities requiring urgent changes
  • Legal requirements with immediate effect
  • Protection of users from imminent harm

11.9 Questions About Updates

Getting Help:

If you have questions about policy updates:

  • Email: privacy@boba.town
  • Subject line: "Privacy Policy Update Question"
  • Include specific sections or changes you're asking about

Response Time:

We aim to respond to policy questions:

  • Within 5 business days for general questions
  • More quickly for time-sensitive questions about upcoming changes
  • Before the effective date when possible

11.10 Subscribing to Updates

Stay Informed:

You can stay informed about policy updates:

Method How to Subscribe
Email alerts Enable privacy update notifications in settings
Blog/RSS Follow our official blog
Social media Follow our official accounts
In-app Enable policy update notifications

Update Preferences:

Manage your notification preferences:

  • Settings → Privacy → Update Notifications
  • Choose which types of updates to receive
  • Opt out of non-required notifications

12. Contact & Complaints

Privacy Team:

For privacy-related questions or to exercise your rights:

Data Protection Officer:

For EU/EEA/UK users or DPO-specific inquiries:

  • Email: dpo@boba.town
  • Mail: Boba, LLC, Attn: Data Protection Officer, 1312 17th Street Unit #2635, Denver, CO 80202

EU Representative:

For users in the European Union:

  • Name: [EU Representative Name]
  • Email: [EU Representative Email]
  • Address: [EU Representative Address]

UK Representative:

For users in the United Kingdom:

  • Name: [UK Representative Name]
  • Email: [UK Representative Email]
  • Address: [UK Representative Address]

Part 2: Feature-Specific Policies

The following addendums provide additional privacy information for specific Platform features. Each addendum applies when you use the corresponding feature and supplements the core Privacy Policy above.


Addendum 1: Messaging, Comments & Direct Messages

This addendum covers privacy practices specific to our messaging features, including direct messages, group chats, and comments.

1.1 Message Content and Access

What We Collect:

Data Type Description Purpose
Message content Text, images, videos, files you send Delivering messages, storage
Message metadata Timestamps, sender, recipient, read status Service functionality
Attachments Files, images, voice messages Delivery and storage
Reactions Emoji reactions, replies Feature functionality
Drafts Unsent message drafts Convenience (optional)

Who Can Access Your Messages:

Party Access Level
Recipients Full content of messages sent to them
You Your sent and received messages
Our systems Encrypted storage; limited access for specific purposes
Our staff Only when required for safety, legal, or support purposes
Law enforcement Only with valid legal process

1.2 Encryption

End-to-End Encryption (E2EE):

[If applicable] Direct messages are protected by end-to-end encryption:

  • Messages are encrypted on your device before transmission
  • Only you and your recipients can read message content
  • We cannot read the content of E2EE messages
  • Encryption keys are stored only on user devices

Encryption Limitations:

E2EE does not protect:

  • Message metadata (who, when, but not content)
  • Messages if a recipient shares or screenshots them
  • Messages reported for abuse (content shared with report)
  • Backups stored on your device or cloud services

Transport Encryption:

All messages are protected in transit:

  • TLS encryption for all data transmission
  • Protection against interception during delivery

1.3 Message Retention

How Long We Keep Messages:

Scenario Retention Period
Active conversations Indefinitely until you delete
Deleted messages Removed from your view immediately; may persist in backups up to 90 days
Disappearing messages Deleted according to your timer settings
Reported messages Retained for review and potential legal requirements
Account deletion Deleted with account (backup retention applies)

Recipient Copies:

When you delete a message:

  • It's removed from your account
  • Recipients may still have their copy
  • We cannot force deletion from recipient accounts
  • Screenshots or copies outside our Platform are beyond our control

1.4 Message Scanning and Safety

Automated Scanning:

We may scan messages for safety purposes:

Purpose What We Scan How
Spam detection Patterns, links, sending behavior Automated systems
Malware protection Links and attachments Automated security scanning
CSAM detection Image hashes (not content viewing) Hash matching against known illegal content databases
Abuse prevention Reported content Human review after report

What We Don't Do:

  • We do not read your private messages for advertising purposes
  • We do not scan message content to target ads
  • We do not share message content with advertisers
  • Human review occurs only for reported content or legal requirements

1.5 Group Chat Privacy

Group Visibility:

Setting Who Can See
Group members Other members can see your messages and membership
Group admins May have additional visibility (member list, settings)
Non-members Cannot see group content (unless public group)

Group Data Sharing:

When you join a group:

  • Other members see your display name and profile picture
  • Your messages are visible to all current and future members
  • Members may be able to add you to other groups
  • Leaving a group removes future messages but not past ones

1.6 Message Notifications

Notification Content:

Push notifications may include:

  • Sender name
  • Message preview (configurable)
  • Notification appears on lock screen (device setting)

Privacy Controls:

You can control notifications:

  • Disable message previews in notifications
  • Mute specific conversations
  • Turn off notifications entirely
  • Control lock screen visibility (device settings)

1.7 Your Messaging Privacy Controls

Available Controls:

Control Location
Who can message you Settings → Privacy → Messaging
Read receipts Settings → Privacy → Read Receipts
Online status Settings → Privacy → Activity Status
Message requests Settings → Privacy → Message Requests
Blocked users Settings → Privacy → Blocked
Disappearing messages Conversation settings

Addendum 2: Photos & Videos

This addendum covers privacy practices for photos and videos you upload, share, or view on our Platform.

2.1 Photo and Video Data Collection

What We Collect:

Data Type Description Purpose
Media files Photos and videos you upload Storage, display, sharing
EXIF metadata Camera settings, date, location (if embedded) Features, organization
File metadata File name, size, format, upload time Service functionality
Editing history Filters, crops, edits applied Feature functionality
View data Who viewed, when, engagement Analytics, recommendations

EXIF and Metadata:

Photos may contain embedded metadata:

  • What's included: Date/time, camera model, GPS coordinates, camera settings
  • Our handling: We strip GPS coordinates from publicly shared photos by default
  • Your control: You can remove metadata before uploading using device tools

2.2 Facial Recognition and Tagging

We do not use facial recognition technology. Face detection (identifying that a face exists, not who it is) may be used for features like camera focus or content filtering.

2.3 Photo and Video Visibility

Audience Settings:

Setting Who Can See
Public Anyone on or off the Platform
Followers only Your approved followers
Close friends Selected close friends list
Private/Only me Only you
Direct share Specific recipients only

Visibility of Photo Data:

Data Element Public Photos Private Photos
Image content Visible Only to permitted viewers
Your username Visible Only to permitted viewers
Location (if shared) Visible Only to permitted viewers
EXIF data Stripped Stripped
Comments/likes Visible Only to permitted viewers

2.4 Photo Storage and Retention

Storage:

  • Photos stored on secure cloud infrastructure
  • Multiple copies for redundancy and global access
  • Encrypted at rest
  • Cached on CDN for performance

Retention:

Scenario Retention
Active photos Indefinitely until you delete
Deleted photos Removed within 30 days; backups within 90 days
Story photos 24 hours (or your setting), then deleted
Account deletion All photos deleted per our retention policy

2.5 Photo Sharing with Third Parties

When Photos May Be Shared:

Recipient Purpose What's Shared
Other users You share directly Photo content
Embedded on websites You enable embedding Photo with attribution
Third-party apps You authorize access Per app permissions
Service providers Processing, storage Encrypted data
Law enforcement Valid legal process As legally required

2.6 Copyright and Content ID

Content Identification:

We may use technology to identify copyrighted content:

  • Audio fingerprinting for music detection
  • Visual matching for copyrighted images
  • Hash matching for known prohibited content

How This Works:

  • Automated systems scan uploads
  • Matching content may be restricted or removed
  • You may receive a notice if content matches
  • Appeal process available for disputes

2.7 Your Photo & Video Controls

Available Controls:

Control Location
Who can see your photos/videos Settings → Privacy → Post Visibility
Who can download your media Settings → Privacy → Downloads
EXIF data stripping Settings → Privacy → Metadata
Facial recognition opt-out Settings → Privacy → Face Recognition
Photo/video location data Settings → Privacy → Location Tags
Delete uploaded media Your profile → Media → Delete
Download your media archive Settings → Your Data → Download

Addendum 3: Live Streaming

This addendum covers privacy practices for live streaming features.

3.1 Live Stream Data Collection

What We Collect:

Data Type Description Purpose
Stream content Video and audio of your stream Broadcasting, recording
Stream metadata Title, description, category, duration Discovery, analytics
Chat messages Live chat during stream Interaction, moderation
Viewer data Who watched, when, how long Analytics for streamers
Engagement data Likes, comments, shares, gifts Analytics, monetization

Real-Time Processing:

During live streams, we process data in real-time:

  • Video encoding and transcoding
  • Content moderation scanning
  • Chat filtering
  • Viewer count updates
  • Gift and donation processing

3.2 Stream Visibility and Recordings

Live Stream Visibility:

Setting Who Can Watch
Public Anyone on the Platform
Followers only Your followers
Subscribers only Paying subscribers
Private Invited viewers only

Stream Recordings:

Setting What Happens
Auto-save enabled Stream saved as video after broadcast
Auto-save disabled Stream not saved (ephemeral)
Clips enabled Viewers can create clips
Downloads enabled Viewers can download recordings

3.3 Viewer Data and Analytics

What Streamers See:

Streamers may receive analytics including:

Data Visibility
Total viewer count Real-time and historical
Viewer usernames Visible in chat if they participate
Anonymous viewers Count only, no identity
Watch time Aggregate statistics
Geographic data Country/region level only
Device types Aggregate percentages

What Streamers Don't See:

  • Individual viewer watch time (unless they interact)
  • Precise location of viewers
  • Viewer personal information
  • Viewer browsing history

3.4 Live Chat Privacy

Chat Data:

Aspect How It's Handled
Chat messages Visible to all stream viewers
Username display Your display name shown
Badges/roles Subscriber, moderator status visible
Emotes/gifts Visible to all
Whispers/DMs Private to recipient only

Chat Moderation:

Chat may be moderated:

  • Automated filters for prohibited content
  • Streamer and moderator actions
  • Keyword blocking
  • Slow mode and follower-only chat
  • Bans and timeouts

3.5 Monetization Data

If You Stream with Monetization:

Data Purpose Retention
Gift/donation amounts Payment processing 7 years (tax)
Subscriber information Subscription management Duration + 1 year
Payout information Paying you As legally required
Tax information Tax reporting 7+ years

If You Gift/Subscribe:

Data Who Sees Retention
Your username Streamer, viewers (if public gift) Duration of display
Gift amount Streamer, viewers (if public) Streamer analytics
Payment info Payment processor only Per processor policy
Transaction record You and us 7 years

3.6 Your Live Streaming Controls

Available Controls:

Control Location
Stream privacy Stream settings before going live
Chat settings Stream settings → Chat
Recording settings Settings → Content → Recordings
Viewer analytics Creator dashboard
Moderation tools Stream controls

Addendum 4: Location Sharing

This addendum covers privacy practices for location-based features.

4.1 Types of Location Data

Location Data We May Collect:

Type Accuracy How Collected
Precise location Within meters GPS, device location services
Approximate location City/region level IP address, Wi-Fi
Location from content Varies Geotags in photos, check-ins
Inferred location General area Activity patterns, connections

4.2 How We Use Location Data

Location Features:

Feature Location Type Used Purpose
Nearby content Approximate Show local content
Location tags Precise (opt-in) Tag posts with location
Check-ins Precise (opt-in) Share where you are
Local search Approximate Find nearby places/users
Maps features Precise (opt-in) Show your location on maps
Live location Precise (opt-in) Real-time location sharing

Background Location:

If you enable background location:

  • We may collect location when the app is not in use
  • Used for features like live location sharing
  • You can disable anytime in device settings
  • Battery usage may increase

4.3 Location Visibility

Who Sees Your Location:

Setting Who Can See
Precise location shared Selected contacts only
Location tags on posts Per post audience setting
Check-ins Per check-in privacy setting
Approximate location May be visible in profile (configurable)
Location off No location visible

4.4 Location Data Retention

How Long We Keep Location Data:

Data Type Retention
Real-time location Only during active sharing
Location history Per your settings; max 18 months
Location tags Until post/content deleted
Approximate location Session duration
Derived location data Aggregated, anonymized

4.5 Location and Third Parties

Third-Party Access:

Recipient What They Receive Why
Map providers Approximate location Display maps
Local businesses Aggregate foot traffic Analytics (anonymized)
Emergency services Precise location (if you call) Safety
Law enforcement As legally required Legal compliance

4.6 Your Location Controls

Available Controls:

Control How to Access
Disable all location Device settings → Location
Disable for our app Device settings → Apps → [App] → Location
Precise vs. approximate Device settings (iOS 14+, Android 12+)
Location history Settings → Privacy → Location History
Clear location history Settings → Privacy → Clear Location Data
Per-post location Edit before posting

Addendum 5: E-Commerce / Marketplace

This addendum covers privacy practices for buying and selling features.

5.1 Transaction Data Collection

What We Collect:

Data Type Purpose
Purchase history Order fulfillment, records
Payment information Processing transactions
Shipping addresses Delivery
Billing addresses Payment verification
Seller information Marketplace operation
Buyer-seller messages Transaction support
Reviews and ratings Trust and safety

5.2 Payment Data

Payment Processing:

Aspect How It's Handled
Credit card numbers Processed by payment processor; we don't store full numbers
Payment tokens We store tokens for repeat purchases
Billing address Stored for payment verification
Bank accounts (sellers) Stored securely for payouts
Tax information Collected as legally required

Payment Processor Sharing:

We share with payment processors:

  • Transaction amount
  • Your name and billing address
  • Payment method details
  • Device information for fraud prevention

5.3 Seller and Buyer Visibility

What Buyers See About Sellers:

Information Visibility
Seller username/store name Visible
Seller ratings and reviews Visible
Seller location (approximate) City/region for shipping estimates
Seller real name Only if required for certain categories

What Sellers See About Buyers:

Information Visibility
Buyer username Visible
Shipping address For order fulfillment only
Order details For fulfillment
Buyer real name If provided for shipping
Payment information Never shared with sellers

5.4 Transaction Retention

How Long We Keep Transaction Data:

Data Type Retention Period
Transaction records 7 years (legal/tax requirements)
Payment card data Per payment processor policies
Shipping addresses Until you delete or account closed
Buyer-seller messages 3 years after transaction
Reviews Indefinitely unless removed

5.5 Your Marketplace Controls

Your Controls:

Control Location
Saved payment methods Settings → Payments
Saved addresses Settings → Addresses
Purchase history visibility Settings β†’ Privacy
Review visibility Per-review settings

Addendum 6: Creator Monetization

This addendum covers privacy for creators who monetize their content.

6.1 Creator Data Collection

What We Collect From Creators:

Data Type Purpose
Identity verification Verify you are who you claim
Tax information (W-9, W-8, etc.) Tax reporting obligations
Bank/payout information Paying your earnings
Content analytics Provide performance insights
Revenue data Calculate and pay earnings
Audience demographics Aggregate insights (anonymized)

6.2 Identity and Tax Information

Verification Data:

Document Type Purpose Retention
Government ID Identity verification Until verified, then deleted or retained per law
Tax forms Tax compliance 7+ years as required
Business documents Business verification As legally required

How We Protect This Data:

  • Encrypted storage
  • Limited access (need-to-know basis)
  • Third-party verification services bound by confidentiality
  • Deleted when no longer legally required

6.3 Earnings and Payout Data

Financial Data:

Data Who Sees It
Your earnings You, our finance team
Payout details You, payment processors
Tax reporting You, tax authorities as required
Aggregate creator earnings May be reported in aggregate publicly

6.4 Audience Analytics for Creators

What Creators See About Their Audience:

Data Granularity
View counts Exact numbers
Demographics Age ranges, gender (percentages)
Geographic data Country/region level
Traffic sources How viewers found content
Engagement metrics Likes, comments, shares, watch time
Subscriber/follower info Aggregate counts and trends

What Creators Don't See:

  • Individual viewer identities (unless they interact publicly)
  • Precise viewer locations
  • Viewer personal information
  • Viewer activity on other content

6.5 Your Creator Controls

Your Controls:

Control Location
Analytics visibility Creator dashboard settings
Payout settings Monetization settings
Tax documents Account settings
Earnings privacy Whether to show subscriber counts, etc.

Addendum 7: Premium/Subscription Services

This addendum covers privacy for premium and subscription features.

7.1 Subscription Data Collection

What We Collect:

Data Type Purpose
Subscription status Provide premium features
Billing information Process payments
Feature usage Improve premium offerings
Subscription history Customer support, records

7.2 Premium Feature Data

Additional Data from Premium Features:

Premium features may involve additional data collection:

Feature Additional Data
Extended analytics More detailed usage data
Priority support Support interaction records
Advanced features Usage of advanced tools
Ad-free experience We still count views but don't target ads

7.3 Subscription Visibility

What Others See:

Setting Visibility Options
Premium badge Display or hide
Subscriber status Public, friends only, or private
Premium features Visible when you use them

7.4 Subscription Retention

Data Retention:

Data Retention
Active subscription data Duration of subscription
Billing records 7 years (legal requirements)
Cancelled subscription info 1 year for reactivation; then archived
Feature usage history 2 years

7.5 Your Subscription Controls

Available Controls:

Control Location
View subscription details Settings → Subscription → Plan Details
Cancel subscription Settings → Subscription → Cancel
Update payment method Settings → Subscription → Billing
Manage auto-renewal Settings → Subscription → Auto-Renew
Hide premium badge Settings → Privacy → Badge Visibility
Download billing history Settings → Subscription → Billing History
Request subscription data Settings → Your Data → Download

Addendum 8: API & Developer

This addendum covers privacy for developers using our APIs and developer tools.

8.1 Developer Data Collection

What We Collect From Developers:

Data Type Purpose
Developer account info Account management
App registration details API access, abuse prevention
API usage logs Rate limiting, abuse detection, billing
App credentials Authentication
Compliance information Ensuring policy compliance

8.2 User Data Accessed via API

When Your App Accesses User Data:

Requirement Description
User authorization Users must authorize your app
Scope limitations Request only necessary permissions
Data use restrictions Use data only for stated purposes
Security requirements Implement appropriate security
Privacy policy required Your app must have a privacy policy

8.3 API Data Retention

Data Retention for API Access:

Data Retention
API logs 90 days
Developer account info Duration of account
App registration Until app deleted
User authorizations Until user revokes

8.4 Developer Compliance Requirements

Your Obligations:

As a developer, you must:

  • Comply with our API Terms and Privacy Policy
  • Have your own privacy policy
  • Obtain appropriate user consents
  • Protect user data with reasonable security
  • Delete user data upon request or revocation
  • Not sell user data
  • Comply with applicable data protection laws

8.5 Your Developer Controls

Available Controls:

Control Location
View API access permissions Developer Portal → My Apps → Permissions
Revoke API keys Developer Portal → My Apps → Keys → Revoke
View data access logs Developer Portal → My Apps → Access Logs
Delete an application Developer Portal → My Apps → Delete
Update privacy policy URL Developer Portal → My Apps → Settings
Download developer data Developer Portal → Account → Export Data
Close developer account Developer Portal → Account → Close

Addendum 9: AI & Algorithmic Systems

This Addendum describes our data practices related to the Platform's AI Features, Automated Systems, and Recommendation Systems. It supplements the general information in Core Policy Section 3.8 (Artificial Intelligence and Automated Processing) with more detailed, feature-specific disclosures.

9.1 Data Collected by AI Features

When You Use AI Features:

Data Type Examples Why We Collect It
AI Inputs Prompts, instructions, text, images, or other materials you provide to AI Features To generate AI Outputs and provide the requested AI service
AI Outputs Text, images, suggestions, or other Content generated by AI Features in response to your inputs To deliver results and enable you to use, save, or share them
Interaction Data Which AI Features you use, how often, timestamps, feature settings, and preferences To operate, maintain, and improve AI Features
Feedback Data Ratings, thumbs up/down, error reports, and other feedback you voluntarily provide about AI Outputs To improve the quality and safety of AI Features
Safety and Abuse Data Logs of inputs or outputs flagged by safety systems for potential policy violations To enforce our Terms of Service and Community Guidelines and to prevent abuse

Data Collected by Automated Systems:

Data Type Examples Why We Collect It
Content Signals Text, image, and video analysis results used by content moderation systems To detect policy violations and protect user safety
Behavioral Signals Patterns of account activity analyzed by fraud and spam detection systems To protect the Platform and its Users from abuse
Recommendation Signals Your interactions (views, likes, shares, follows), stated preferences, and content engagement patterns To personalize your experience and surface relevant Content
Profiling Data Inferred interests, content preferences, and engagement patterns derived from your activity To personalize recommendations and advertising (where applicable)

9.2 How AI Features Use Your Data

Processing Purposes:

We process data in connection with AI Features for the following purposes:

  • Providing AI Services: Processing your AI Inputs to generate AI Outputs in real time
  • Safety and Compliance: Screening AI Inputs and Outputs to detect and prevent harmful, illegal, or policy-violating Content
  • Quality Improvement: Using aggregated, anonymized usage statistics and voluntary user feedback to improve AI Feature performance (this does not involve training on your Content; see Section 9.3)
  • Content Moderation: Using Automated Systems to detect Content that may violate our policies, for routing to human review
  • Personalization: Using Recommendation Systems to surface Content, accounts, and features relevant to your interests
  • Abuse Prevention: Detecting and preventing misuse of AI Features, including attempts to circumvent safety filters

Legal Bases (GDPR):

For Users in the EU/EEA/UK, our legal bases for AI-related processing include:

Processing Activity Legal Basis
Providing AI Features you request Performance of contract
Safety screening of AI inputs/outputs Legitimate interests (platform safety)
Content moderation Legitimate interests (safety and compliance)
Personalized recommendations Consent or legitimate interests
Abuse detection Legitimate interests (preventing fraud and abuse)
Aggregated analytics Legitimate interests (service improvement)

9.3 AI Training Data Practices

We do not use your Content to train AI models.

We want to be explicit about this:

  • Your User Content (posts, messages, photos, videos, and other materials you upload) is not used to train, fine-tune, or improve AI or machine learning models, ours or any third party's
  • Your AI Inputs and AI Outputs are not used to train generative AI models
  • Third-party AI providers that power our AI Features are contractually prohibited from using your data to train their models

What we do use:

  • Aggregated, anonymized usage data (such as overall feature usage volumes) to understand how AI Features are performing
  • Voluntary feedback you provide (such as quality ratings) to improve AI output quality; this is used to adjust parameters and filters, not to train foundation models
  • Safety logs to improve abuse detection systems, limited to patterns of misuse, not your substantive Content

9.4 Automated Decision-Making and Profiling

Decisions Made by Automated Systems:

Some decisions on the Platform are made by Automated Systems without individual human review at the point of decision. These include:

  • Content moderation: Automatic removal or restriction of Content that clearly violates our policies
  • Account actions: Temporary restrictions on accounts exhibiting patterns consistent with spam, fraud, or abuse
  • Content distribution: Decisions about how widely Content is distributed or recommended
  • Age-gating: Automatic restriction of Content detected as unsuitable for younger audiences
  • Spam and fraud blocking: Automatic blocking of messages, accounts, or transactions identified as spam or fraudulent

Profiling:

We build profiles of User interests and behavior to personalize your experience. These profiles are based on:

  • Your explicit preferences and settings
  • Your interactions with Content and features
  • Inferences drawn from your activity patterns

Profiling is used for content recommendations, personalized search results, and (where applicable) targeted advertising. It is not used to make decisions with legal or similarly significant effects on you.

Your Rights:

  • You may request information about the logic involved in automated decisions that significantly affect you
  • You may request human review of significant automated decisions (see our Community Guidelines)
  • You may object to profiling for direct marketing purposes at any time
  • In the EU/EEA/UK, you have additional rights regarding automated decision-making under GDPR Article 22; see Supplement 1

9.5 Third-Party AI Service Providers

We work with third-party AI service providers to power certain AI Features. These providers process data on our behalf under strict contractual obligations.

How Data Is Shared:

What Is Shared With Whom Why Protections
AI Inputs (to generate outputs) AI model providers To process your requests and generate AI Outputs Data processing agreements; no use for provider's own training; deletion after processing
Safety signals Trust and safety vendors To screen for harmful content Data processing agreements; limited to safety purposes
Aggregated usage metrics Analytics providers To monitor AI Feature performance Anonymized; no individual identification

Our Commitments:

  • All third-party AI providers are bound by data processing agreements that prohibit use of your data for their own purposes
  • We conduct due diligence on third-party providers' data practices before engaging them
  • We require third-party providers to implement appropriate technical and organizational security measures
  • Where providers are located outside your jurisdiction, the international transfer safeguards in Core Policy Section 8 apply

9.6 AI Data Retention

Data Type Retention Period Basis
AI Inputs and Outputs For the duration of your session or as long as you choose to save them to your account Service provision
Unsaved AI interactions A limited period after generation, as needed for service quality and debugging Service quality and debugging
AI interaction logs As long as reasonably necessary for the stated purpose Service improvement and abuse detection
Safety-flagged content As long as reasonably necessary, or longer if under active investigation Safety and legal compliance
Voluntary feedback Until you withdraw it or close your account Service improvement
Recommendation profiles For the duration of your account, deleted upon account closure Personalization
Content moderation logs As long as reasonably necessary for compliance and appeals Compliance and appeals

You can delete saved AI Outputs at any time through your account. Deletion of interaction logs follows the timeline above and cannot be accelerated except through account deletion (subject to legal retention obligations).

9.7 Your AI & Algorithmic Controls

Available Controls:

Control Location What It Does
AI Feature opt-out Settings → Privacy → AI Features Disables optional AI tools (note: some Automated Systems like content moderation and safety cannot be disabled)
Recommendation preferences Settings → Content → Recommendations Adjust what is recommended to you; option for chronological/non-personalized feed
Reset recommendations Settings → Content → Reset Clears your recommendation profile and starts fresh
Personalized ads opt-out Settings → Privacy → Advertising Opts out of ad targeting based on Profiling
AI interaction history Settings → Privacy → AI History View and delete your AI interaction history
Download your data Settings → Account → Download Data Export includes AI interaction data
Request human review Appeals Center Request human review of automated decisions affecting your account or Content
Feedback management Settings → Privacy → AI Feedback View and withdraw feedback you've provided on AI Outputs

Controls You Cannot Disable:

  • Automated content moderation (required for platform safety)
  • Spam and fraud detection (required to protect all users)
  • Safety screening of AI inputs/outputs (required to prevent harmful use)
  • Platform-applied AI-generated content labels (required for transparency)

Part 2 Version 1.0.0


Part 3: Regional Supplements

The following supplements provide additional information required by specific jurisdictions. These supplements apply to residents of the specified regions and supplement (but do not replace) the core Privacy Policy and Feature-Specific Addendums above.


Supplement 1: European Union / European Economic Area / United Kingdom

This supplement applies to individuals in the European Union, European Economic Area, and United Kingdom, and provides additional information required under the General Data Protection Regulation (GDPR) and UK GDPR.

1.1 Data Controller

Controller Information:

Item Details
Data Controller Boba, LLC
Registered Address 1312 17th Street Unit #2635, Denver, CO 80202
Registration Number 20238352765
Contact Email privacy@boba.town
Contact Address 1312 17th Street Unit #2635, Denver, CO 80202

Joint Controllers:

In some cases, we may act as joint controllers with other parties:

  • When you use integrated third-party services
  • For certain advertising partnerships
  • Details available upon request

1.2 Legal Bases for Processing

GDPR Article 6 Legal Bases:

We process your personal data based on one or more of the following legal bases:

Purpose Legal Basis Explanation
Providing our services Contract (Art. 6(1)(b)) Necessary to perform our contract with you
Account creation and management Contract Required to provide your account
Processing payments Contract Fulfilling purchase transactions
Customer support Contract / Legitimate interests Responding to your requests
Safety and security Legitimate interests (Art. 6(1)(f)) Protecting users and our Platform
Fraud prevention Legitimate interests Detecting and preventing fraud
Product improvement Legitimate interests Improving our services
Analytics Legitimate interests Understanding usage patterns
Personalization Consent (Art. 6(1)(a)) or Legitimate interests Customizing your experience
Marketing communications Consent Sending promotional messages
Advertising Consent Interest-based advertising
Cookies (non-essential) Consent As described in Section 10
Legal compliance Legal obligation (Art. 6(1)(c)) Complying with laws
Vital interests Vital interests (Art. 6(1)(d)) Emergency situations

Legitimate Interests:

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your rights. Our legitimate interests include:

  • Keeping our Platform safe and secure
  • Preventing fraud and abuse
  • Improving and developing our services
  • Understanding how our services are used
  • Marketing our services to existing customers
  • Enforcing our terms and policies

Withdrawing Consent:

Where processing is based on consent:

  • You can withdraw consent at any time
  • Withdrawal does not affect prior lawful processing
  • See Section 5 for how to withdraw consent

1.3 Special Category Data

Article 9 Special Categories:

We generally do not process special category data unless:

Category When Processed Legal Basis
Health data You choose to share in content Explicit consent
Biometric data Face recognition features (opt-in) Explicit consent
Religious/political views You choose to share Explicit consent or manifestly public
Sexual orientation You choose to share Explicit consent or manifestly public
Trade union membership You choose to share Explicit consent or manifestly public

Explicit Consent:

For special category data, we obtain explicit consent by:

  • Clear opt-in mechanisms
  • Specific explanation of what data is processed
  • Easy withdrawal of consent

1.4 Your GDPR Rights

Rights Under GDPR:

Right Description How to Exercise
Access (Art. 15) Obtain a copy of your data Settings → Privacy → Download Data
Rectification (Art. 16) Correct inaccurate data Edit profile or contact us
Erasure (Art. 17) Delete your data ("right to be forgotten") Settings → Delete Account
Restriction (Art. 18) Limit how we use your data Contact privacy team
Portability (Art. 20) Receive data in portable format Settings → Download Data
Object (Art. 21) Object to certain processing Settings or contact us
Automated decisions (Art. 22) Not be subject to solely automated decisions Contact us for human review
Withdraw consent Revoke previously given consent Settings or contact us
Complain Lodge complaint with supervisory authority See Supplement 1, Section 1.8

Responding to Requests:

  • We respond within 30 days
  • Extension of up to 60 additional days for complex requests (with notice)
  • We may verify your identity before processing
  • We provide information free of charge (reasonable fees for excessive requests)

1.5 Automated Decision-Making

Article 22 Automated Decisions:

We use automated decision-making in the following ways:

Process Type Impact Safeguards
Content moderation Automated with human review Content removal Appeals process
Spam detection Fully automated Account restrictions Human review on request
Fraud detection Automated with human review Transaction blocking Customer support review
Personalization Automated Content recommendations You can adjust preferences
Age estimation Automated with human review Feature access Appeals process

Your Rights:

For decisions with legal or significant effects:

  • Right to human intervention
  • Right to express your point of view
  • Right to contest the decision
  • Contact us to exercise these rights

1.6 Data Protection Officer

DPO Contact:

Item Details
Name [DPO Name or Title]
Email dpo@boba.town
Address Boba, LLC, Attn: Data Protection Officer, 1312 17th Street Unit #2635, Denver, CO 80202

When to Contact the DPO:

  • Questions about our data protection practices
  • Exercising your GDPR rights
  • Concerns about how we handle your data
  • Requests for information about processing

1.7 EU and UK Representatives

EU Representative (Article 27):

Item Details
Name [EU Representative Name/Company]
Address [EU Representative Address]
Email [EU Representative Email]
Country [EU Member State]

UK Representative:

Item Details
Name [UK Representative Name/Company]
Address [UK Representative Address]
Email [UK Representative Email]

1.8 Supervisory Authorities

Lead Supervisory Authority:

Our lead supervisory authority is:

  • [Name of Authority]
  • 1312 17th Street Unit #2635, Denver, CO 80202
  • [Website]

Your Right to Complain:

You have the right to lodge a complaint with:

  • Your local data protection authority
  • Our lead supervisory authority
  • Both simultaneously

EU Member State Authorities:

Country Authority Website
Austria Datenschutzbehörde dsb.gv.at
Belgium Autorité de protection des données dataprotectionauthority.be
France CNIL cnil.fr
Germany BfDI (federal) and state authorities bfdi.bund.de
Ireland Data Protection Commission dataprotection.ie
Italy Garante garanteprivacy.it
Netherlands Autoriteit Persoonsgegevens autoriteitpersoonsgegevens.nl
Spain AEPD aepd.es
[Other countries] [Authority] [Website]

UK Authority:

  • Information Commissioner's Office (ICO)
  • ico.org.uk
  • 0303 123 1113

1.9 International Transfers from EU/UK

Transfer Mechanisms:

When transferring data outside the EU/EEA/UK:

Mechanism Description
Standard Contractual Clauses EU-approved contract terms
UK IDTA UK-approved transfer terms
Adequacy decisions Transfer to approved countries
EU-US Data Privacy Framework For certified US organizations

Obtaining Transfer Documents:

You can request copies of transfer safeguards by contacting our privacy team.

1.10 UK Age Appropriate Design Code

Compliance with the Children's Code:

For users under 18, we implement the UK Age Appropriate Design Code:

Principle Our Implementation
Best interests Child's best interests are primary consideration
Data protection impact assessments Conducted for features affecting children
Age appropriate application Designing with children in mind
Transparency Clear, age-appropriate privacy information
Detrimental use of data Not using data in ways detrimental to children
Policies and community standards Enforcing terms that protect children
Default settings Privacy-protective defaults for children
Data minimization Limiting data collection from children
Data sharing Restricting sharing of children's data
Geolocation Location services off by default for children
Parental controls Tools for parents to manage children's accounts
Profiling Limiting profiling of children
Nudge techniques Not using techniques to encourage privacy-diminishing behavior
Connected toys/devices N/A or applicable measures
Online tools Tools to help children exercise their rights

Supplement 2: California (CCPA/CPRA)

This supplement applies to California residents and provides additional disclosures required under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

2.1 Categories of Personal Information

Information Collected in the Past 12 Months:

CCPA Category Examples Collected Source
A. Identifiers Name, email, username, IP address Yes You, automatic
B. Personal records Billing address, payment info Yes You
C. Protected characteristics Age, gender (optional) Yes You
D. Commercial information Purchase history, products viewed Yes Automatic
E. Biometric information Face recognition (if enabled) Yes You (opt-in)
F. Internet/network activity Browsing history, search history Yes Automatic
G. Geolocation data Approximate and precise location Yes You, automatic
H. Sensory data Photos, videos, audio recordings Yes You
I. Professional/employment Job title (optional profile) Yes You
J. Education information Education history (optional) Yes You
K. Inferences Preferences, characteristics Yes Derived
L. Sensitive personal information See Supplement 2, Section 2.5 Yes You

2.2 Sources of Personal Information

Categories of Sources:

Source Category Examples
Directly from you Registration, content you post, purchases
Automatically Device data, cookies, usage analytics
Third parties Social login providers, advertising partners
Service providers Payment processors, analytics providers
Public sources Publicly available information

2.3 Business Purposes for Collection

How We Use Personal Information:

Purpose Categories of PI Used
Providing services A, B, D, F, G, H
Account management A, B
Order fulfillment A, B, D
Customer support A, B, D, F
Analytics and improvement A, D, F, G, K
Personalization A, D, F, K
Marketing A, D, F, K
Safety and security A, B, D, F, G
Legal compliance All categories as needed

2.4 Disclosure and "Sale" or "Sharing" of Personal Information

Disclosure for Business Purposes:

In the past 12 months, we disclosed the following categories of PI to service providers:

Category Recipients
Identifiers (A) Cloud providers, customer support, analytics
Commercial info (D) Payment processors, analytics
Internet activity (F) Analytics providers, security services
Geolocation (G) Map providers, analytics

"Sale" or "Sharing" of Personal Information:

Under CCPA/CPRA definitions:

Category Sold/Shared Recipients Purpose
Identifiers (A) Shared Advertising partners Interest-based advertising
Commercial info (D) Shared Advertising partners Ad measurement
Internet activity (F) Shared Advertising partners Interest-based advertising
Inferences (K) Shared Advertising partners Ad targeting

Opt-Out of Sale/Sharing:

You can opt out of the sale or sharing of your personal information:

  • Click "Do Not Sell or Share My Personal Information" at https://boba.town/privacy-request
  • Enable Global Privacy Control (GPC) in your browser
  • Settings → Privacy → Do Not Sell or Share

2.5 Sensitive Personal Information

Categories of Sensitive PI:

Sensitive Category Collected Use Your Rights
Social Security number No N/A N/A
Driver's license/ID Verification only Identity verification Limited use
Financial account info Yes Payments Limit use
Precise geolocation Yes (opt-in) Location features Limit use
Racial/ethnic origin No N/A N/A
Religious beliefs Optional profile Display on profile Limit use
Union membership No N/A N/A
Genetic/health data No N/A N/A
Sex life/orientation Optional profile Display on profile Limit use
Biometric data Yes (opt-in) Face recognition Limit use
Contents of communications Yes Service delivery Limit use

Right to Limit Use:

You can limit the use of sensitive personal information to what is necessary:

  • Settings → Privacy → Limit Sensitive Info Use
  • Contact us at privacy@boba.town

2.6 Your California Privacy Rights

CCPA/CPRA Rights:

Right Description How to Exercise
Right to Know Know what PI we collect, use, share Submit request
Right to Access Receive a copy of your PI Settings → Download Data
Right to Delete Request deletion of your PI Settings → Delete Account
Right to Correct Correct inaccurate PI Edit profile or submit request
Right to Opt-Out Opt out of sale/sharing Click "Do Not Sell" link
Right to Limit Limit use of sensitive PI Settings → Limit Sensitive Info
Right to Non-Discrimination No penalty for exercising rights Automatic

Submitting Requests:

2.7 Verification Process

How We Verify Requests:

Request Type Verification Level
Know (categories) Reasonable verification
Know (specific pieces) Heightened verification
Delete Reasonable verification
Correct Reasonable verification

Verification Methods:

  • Matching information provided with account data
  • Confirmation via email to registered account
  • Additional documentation for heightened verification
  • Knowledge-based questions

2.8 Authorized Agents

Using an Authorized Agent:

You can designate an authorized agent to submit requests on your behalf:

  • Provide signed written authorization
  • Agent must verify their identity
  • We may contact you directly to confirm

Agent Requirements:

  • Written proof of authorization
  • Proof of agent's identity
  • We may require direct verification with you

2.9 Financial Incentives

Incentive Programs:

[If applicable] We may offer programs that involve personal information:

Program What's Offered PI Involved Value
[Program Name] [Description] [Categories] [Calculation method]

Opting In/Out:

  • Participation is optional
  • You can opt out at any time
  • No penalty for not participating

2.10 Retention

Retention Periods:

We retain personal information as described in Section 6. California-specific notes:

  • We do not retain PI longer than reasonably necessary
  • Retention periods vary by data type and purpose
  • You can request deletion subject to legal exceptions

2.11 Shine the Light

California Civil Code § 1798.83:

California residents may request information about disclosure of PI to third parties for direct marketing. We do not share PI with third parties for their direct marketing purposes without your consent.

2.12 Do Not Track / GPC

Global Privacy Control:

We recognize GPC signals as valid opt-out requests for:

  • Sale of personal information
  • Sharing for cross-context behavioral advertising

Browser Settings:

When we detect GPC:

  • We treat it as opt-out of sale/sharing
  • Applies to the browser/device sending the signal
  • You may need to enable on each browser/device

2.13 California Age-Appropriate Design Code Act (CAADCA)

What Is the CAADCA?

The California Age-Appropriate Design Code Act requires businesses that provide online services, products, or features likely to be accessed by children (under 18) to design those services with children's well-being and privacy in mind. It is modeled after the UK Age Appropriate Design Code (Children's Code).

Our Obligations Under CAADCA:

Requirement Our Implementation
Data Protection Impact Assessments We conduct DPIAs before offering any new feature, product, or service likely to be accessed by children, assessing potential harms to children arising from our data practices
Default high privacy settings Privacy and safety settings are set to the most protective level by default for users under 18
Age estimation We implement age estimation measures proportionate to the risks arising from our data practices to determine whether users are children
No profiling by default We do not profile children by default unless we can demonstrate that profiling is necessary to provide the specific feature and that appropriate safeguards are in place
No dark patterns We do not use design features, interface elements, or language that could lead children to provide more personal information than necessary, weaken their privacy protections, or take actions contrary to their interests
No detrimental use We do not use children's personal information in ways that are materially detrimental to their physical health, mental health, or well-being
Clear privacy information We provide prominent, accessible, and age-appropriate privacy information for children
Data minimization We limit data collection from children to what is reasonably necessary and proportionate to provide the service the child is using
Geolocation restrictions We do not collect, sell, or share a child's precise geolocation data unless strictly necessary for the service, and we provide a clear signal when geolocation is being collected

DPIA Process:

Our DPIAs for children address:

  • Whether the design of the feature could harm children, including by exposing them to harmful content or contacts
  • Whether the feature uses personal information in ways that could be detrimental to children
  • Whether the feature uses design elements (including dark patterns) that could lead children to take actions not in their interest
  • How the feature uses profiling and what safeguards are in place

DPIAs are documented, reviewed periodically, and made available to the California Attorney General upon request.

Enforcement Note:

The CAADCA is subject to ongoing legal proceedings regarding its enforceability. We implement these protections as a matter of best practice for protecting children's privacy regardless of the current enforcement status, consistent with our obligations under other children's privacy frameworks.


Supplement 3: US State Privacy Laws

This supplement applies to residents of US states with comprehensive consumer privacy laws (other than California, which is covered in Supplement 2). If you reside in one of the states listed below, the rights and obligations described in this supplement apply to you under your state's law.

3.1 Covered States and Laws

State Law Abbreviation Effective Date
Virginia Consumer Data Protection Act VCDPA Jan. 1, 2023
Colorado Colorado Privacy Act CPA July 1, 2023
Connecticut Data Privacy Act CTDPA July 1, 2023
Utah Consumer Privacy Act UCPA Dec. 31, 2023
Texas Data Privacy and Security Act TDPSA July 1, 2024
Oregon Consumer Privacy Act OCPA July 1, 2024
Montana Consumer Data Privacy Act MCDPA Oct. 1, 2024
Delaware Personal Data Privacy Act DPDPA Jan. 1, 2025
Iowa Consumer Data Protection Act ICDPA Jan. 1, 2025
Nebraska Data Privacy Act NDPA Jan. 1, 2025
New Hampshire Privacy Act NHPA Jan. 1, 2025
New Jersey Data Privacy Act NJDPA Jan. 15, 2025
Tennessee Information Protection Act TIPA July 1, 2025
Minnesota Consumer Data Privacy Act MCDPA-MN July 31, 2025
Maryland Online Data Privacy Act MODPA Oct. 1, 2025
Indiana Consumer Data Protection Act INCDPA Jan. 1, 2026
Kentucky Consumer Data Protection Act KCDPA Jan. 1, 2026
Rhode Island Data Transparency and Privacy Protection Act RIDTPPA Jan. 1, 2026

[EXTENSIBILITY: Additional states will be added as their laws take effect. This table should be reviewed quarterly.]

3.2 Your Rights by State

Most covered states provide a substantially similar set of consumer privacy rights. The table below shows which rights are available in each state. All rights are subject to certain exceptions permitted by the applicable law.

Right VA CO CT UT TX OR MT DE IA NE NH NJ TN MN MD IN KY RI
Access / Confirm processing ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Correction ✓ ✓ ✓ — ✓ ✓ ✓ ✓ — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Deletion ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Data portability ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Opt-out: targeted advertising ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Opt-out: sale of personal data ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Opt-out: profiling ✓ ✓ ✓ — ✓ ✓ ✓ ✓ — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Right to list of third parties — — — — — ✓ — — — — — — — ✓ — — — —

"—" indicates the right is not explicitly provided under that state's law.

3.3 Exercising Your Rights

How to Submit Requests:

Regardless of your state, you may exercise your rights through the following channels:

Response Timeframes:

States Initial Response Extension
VA, CO, CT, UT, TX, OR, MT, DE, NE, NH, NJ, TN, MN, MD, IN, KY, RI 45 days Up to 45 additional days with notice
Iowa 90 days None specified

Verification:

We will verify your identity before fulfilling requests. This may involve matching information you provide against our records, or requesting additional documentation. We will not fulfill a request if we cannot verify your identity to a reasonable degree of certainty.

3.4 Appeals

If we decline your request (in whole or in part), most state laws provide a right to appeal.

States Appeal Window Our Response Deadline
VA, TX, OR, MT, DE, NE, NH, NJ, TN, MN, MD, IN, KY, RI Per state law 60 days
CO, CT 45 days from denial 45 days
UT, IA No statutory appeal right N/A

How to Appeal:

If your appeal is denied and your state's law permits it, we will provide you with instructions for contacting your state's Attorney General or relevant enforcement authority.

3.5 Sensitive Data

Most covered states require opt-in consent before processing certain categories of sensitive data. We obtain consent before processing the following, where required by your state's law:

  • Racial or ethnic origin
  • Religious beliefs
  • Health diagnosis or condition
  • Sexual orientation or sex life
  • Citizenship or immigration status
  • Genetic data
  • Biometric data used for identification
  • Precise geolocation data
  • Personal data of known children
  • Contents of private communications (where we are not the intended recipient)

State-Specific Notes:

  • Oregon includes status as transgender or nonbinary as sensitive data
  • Maryland includes gender identity as sensitive data and applies heightened data minimization requirements to all sensitive data processing
  • Connecticut and Colorado include children's data as a sensitive data category

3.6 Universal Opt-Out Mechanisms

Several states require us to recognize universal opt-out signals such as Global Privacy Control (GPC). We honor GPC and similar browser-based opt-out signals as valid requests to opt out of targeted advertising and the sale of personal data.

Requirement States
Must honor universal opt-out (e.g., GPC) CO, CT, TX, OR, MT, DE, NE, NH, NJ, MN, MD
Not required by statute (but we honor voluntarily) VA, UT, IA, TN, IN, KY, RI

When we detect a GPC signal:

  • We treat it as a valid opt-out of the sale of personal data and targeted advertising
  • The opt-out applies to the browser or device sending the signal
  • You may need to enable GPC on each browser and device you use
  • GPC does not affect processing for other purposes (such as providing our services)

3.7 Notable State-Specific Provisions

Maryland (MODPA):

  • Applies heightened data minimization requirements: we may only collect and process personal data that is reasonably necessary and proportionate to provide or maintain the specific service or product the consumer requested
  • Prohibits the sale of sensitive data entirely (not just an opt-out right)
  • Prohibits targeted advertising directed at consumers known to be under 18 years of age

Oregon (OCPA):

  • Grants the right to obtain a list of specific third parties (not just categories) to whom we have disclosed personal data
  • Applies to nonprofit organizations in addition to for-profit businesses

Minnesota (MCDPA-MN):

  • Grants the right to obtain a list of specific third parties to whom personal data has been disclosed
  • Includes profiling assessment requirements

Texas (TDPSA):

  • Broad applicability with no revenue threshold (unlike most other states)
  • Includes a 30-day cure period for violations

3.8 Children and Teen Privacy by State

Several state privacy laws include provisions specific to minors, beyond the general children's privacy protections described in Core Policy Section 9.

Provision Applicable States
Consent required for processing data of known children (under 13) VA, CO, CT, TX, OR, MT, DE, NE, NH, NJ, TN, MN, MD, IN, KY, RI
Prohibition on targeted advertising to minors under 18 MD
Heightened protections for teens (13-17) CT, DE, MD, MN
Opt-in consent for sale of teen data CT, DE

Supplement 4: Brazil (LGPD)

This supplement applies to individuals in Brazil under the Lei Geral de Proteção de Dados (LGPD).

4.1 Data Controller

Controller: Boba, LLC Contact: privacy@boba.town DPO: [DPO Name], dpo@boba.town

4.2 Legal Bases (LGPD)

Purpose Legal Basis
Providing services Contract performance
Safety and security Legitimate interests
Legal compliance Legal obligation
Marketing (with consent) Consent
Analytics Legitimate interests

4.3 Your LGPD Rights

Right Description
Confirmation Confirm if we process your data
Access Access your personal data
Correction Correct incomplete or inaccurate data
Anonymization/blocking/deletion For unnecessary or excessive data
Portability Transfer to another service provider
Deletion Delete data processed with consent
Information about sharing Know who we share data with
Revocation of consent Withdraw consent
Opposition Object to non-compliant processing

4.4 Exercising Rights

4.5 ANPD

You may file complaints with:

  • Autoridade Nacional de Proteção de Dados (ANPD)
  • gov.br/anpd

Supplement 5: Canada (PIPEDA)

This supplement applies to individuals in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws.

5.1 Accountability

Privacy Officer:

  • Email: privacy@boba.town
  • We are accountable for personal information in our control

5.2 Consent

We obtain meaningful consent for collection, use, and disclosure:

  • Express consent for sensitive information
  • Implied consent for less sensitive purposes
  • You may withdraw consent (subject to legal/contractual restrictions)

5.3 Your PIPEDA Rights

Right Description
Access Access your personal information
Correction Correct inaccuracies
Withdraw consent Revoke previously given consent
Complain Lodge complaint with the OPC

5.4 Complaints

Office of the Privacy Commissioner of Canada:

  • priv.gc.ca
  • 1-800-282-1376

Provincial Commissioners:

  • Alberta: oipc.ab.ca
  • British Columbia: oipc.bc.ca
  • Quebec: cai.gouv.qc.ca

Supplement 6: Australia

This supplement applies to individuals in Australia under the Privacy Act 1988 and Australian Privacy Principles (APPs).

6.1 Collection Notice

We collect personal information:

  • Directly from you
  • From your use of our services
  • From third parties (where permitted)

6.2 Your Australian Rights

Right Description
Access Access your personal information
Correction Correct inaccurate information
Complain Lodge complaint with us or the OAIC

6.3 Complaints

Our Process:

  1. Contact privacy@boba.town
  2. We investigate within 30 days
  3. We respond with outcome

OAIC:

If unsatisfied:

  • Office of the Australian Information Commissioner
  • oaic.gov.au
  • 1300 363 992

6.4 Overseas Disclosure

We may disclose personal information overseas:

  • To our service providers
  • Subject to appropriate safeguards
  • See Section 8 for details

Supplement 7: Japan

This supplement applies to individuals in Japan under the Act on the Protection of Personal Information (APPI).

7.1 Business Operator

Name: Boba, LLC Representative: [Representative Name] Contact: privacy@boba.town

7.2 Purpose of Use

We use personal information for the purposes specified in this Privacy Policy. We will notify you of any new purposes.

7.3 Your Rights

Right Description
Disclosure Request disclosure of retained personal data
Correction Request correction of inaccurate data
Cessation Request cessation of use or provision
Deletion Request deletion in certain circumstances

7.4 Third-Party Provision

We may provide personal information to third parties:

  • With your consent
  • As permitted by law
  • To service providers under appropriate agreements

7.5 Cross-Border Transfer

For transfers outside Japan, we ensure adequate protection through:

  • Contractual measures
  • Verification of recipient's data protection systems
  • Your consent where required

Supplement 8: South Korea

This supplement applies to individuals in South Korea under the Personal Information Protection Act (PIPA).

8.1 Personal Information Controller

Controller: Boba, LLC Contact: privacy@boba.town CPO: [CPO Name and Title]

8.2 Collection and Use

Item Details
Purpose of collection As described in Privacy Policy
Items collected As listed in Section 2
Retention period As described in Section 6
Right to refuse You may refuse; may limit service access

8.3 Your Rights

Right Description
Access Access your personal information
Correction Correct inaccurate information
Deletion Request deletion
Suspension Suspend processing

8.4 Children

For children under 14, we obtain consent from legal representatives.

8.5 Complaints

Personal Information Protection Commission (PIPC):

  • pipc.go.kr

Supplement 9: India (DPDPA)

This supplement applies to individuals in India under the Digital Personal Data Protection Act, 2023 (DPDPA).

9.1 Data Fiduciary

Data Fiduciary: Boba, LLC Contact: privacy@boba.town Grievance Officer: [Grievance Officer Name], privacy@boba.town

9.2 Legal Basis

We process personal data on the basis of consent given freely, with specificity, and in an informed and unconditional manner, or as otherwise permitted under the DPDPA (compliance with law, voluntary provision for specified purposes, employment, medical emergency, or public interest).

9.3 Your DPDPA Rights

Right Description
Confirmation and access Confirm processing and obtain a summary of your data
Correction Correct inaccurate or incomplete personal data
Erasure Erase data no longer necessary for the stated purpose
Grievance redressal File a grievance with our Grievance Officer
Nomination Nominate an individual to exercise your rights in case of death or incapacity

9.4 Children

For individuals under 18, we obtain verifiable consent from a parent or guardian. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children.

9.5 Exercising Rights

  • Email: privacy@boba.town
  • We respond within a reasonable time, as prescribed by the DPDPA rules

9.6 Data Protection Board of India

You may file complaints with:

  • Data Protection Board of India (DPBI)
  • dpdpa.gov.in (once operational)

Part 3 Version 1.0.0


Last Updated: [Date]

Version 2.2.0


Appendix: Document History

Version Date Summary
2.2.0 [Date] Added Regional Supplements 1-8; consolidated US state privacy laws into single supplement
2.1.0 [Date] Added Feature-Specific Addendums 1-8
2.0.0 [Date] Comprehensive Privacy Policy with all sections 1-11
1.0.0 [Date] Initial Privacy Policy

© [Year] Boba, LLC. All rights reserved.