FRIENDS

Privacy Policy

Friends Technologies LLC

Effective Date: January 1, 2025

1. Introduction & Scope

1.1 Controller and Applicability. This Privacy Policy ("Policy") governs the Processing of Personal Data by Friends Technologies LLC ("Company," "we," "our," "us") in connection with the FRIENDS mobile application, websites, and related services (collectively, the "Services"). For EU/UK users, the Company is the Controller of your Personal Data unless expressly stated otherwise.
1.2 Binding Nature. This Policy is legally binding and forms part of your agreement with us. By accessing or using the Services, you acknowledge that you have read and understood this Policy and agree to be bound by it, our Terms of Service, and our Cookie Policy. If you do not agree, you must discontinue use immediately.
1.3 Global Reach. This Policy applies worldwide, including the EU/EEA, UK, U.S., Brazil, Canada, Australia, New Zealand, Singapore, South Africa, and other jurisdictions. Where mandatory local laws impose stricter requirements, those requirements prevail solely to the extent required.
1.4 Scope of Processing. This Policy covers Personal Data collected from or about users, visitors, applicants, and individuals who otherwise interact with the Services; Processing by the Company and by Processors acting on our instructions; and Processing related to AI-based matching and personalization as described herein.
1.5 Exclusions. This Policy does not apply to:
  • third-party websites, apps, or services not controlled by us (even if accessed via the Services);
  • data that is anonymized or aggregated such that it is not reasonably capable of identifying a natural person; or
  • information processed by third parties as independent controllers.
1.6 Precedence and Incorporation. In the event of conflict:
  • mandatory local privacy law controls;
  • otherwise, this Policy controls over any conflicting summaries, FAQs, or marketing materials. The Cookie Policy governs cookie/SDK tracking specifics. The Terms of Service govern dispute resolution, limitations of liability, arbitration, and governing law.
1.7 Changes. We may update this Policy to reflect legal, technical, or operational changes. Material changes will be notified via the Services and/or email as required by law. Continued use after the effective date constitutes acceptance.
1.8 Contact; DPO; Representatives.
  • Primary contact (global): privacy@myfriendsapp.com
  • Data Protection Officer (if appointed): dpo@myfriendsapp.com
  • EU/UK Representatives (if appointed under Art. 27): Contact details available upon request.

We will respond within applicable statutory timeframes.

1.9 No Waiver of Rights; Reservation. To the fullest extent permitted by law, we reserve all rights not expressly granted herein, including the right to decline unsupported or unlawful requests and to secure the Services against abuse.

2. Definitions

2.1 "Applicable Law" means all privacy, data protection, consumer, communications, and related laws/regulations applicable to the Processing of Personal Data, including GDPR/UK GDPR, CCPA/CPRA, LGPD, PIPEDA, POPIA, PDPA, and others referenced in the Annex.
2.2 "Controller" means the entity which determines purposes and means of Processing (the Company).
2.3 "Processor" means any third party Processing Personal Data on behalf of the Controller pursuant to a written agreement with data-protection obligations.
2.4 "Personal Data" means any information relating to an identified or identifiable natural person (a "Data Subject").
2.5 "Sensitive Personal Data / Special Categories" means categories afforded heightened protection under Applicable Law (e.g., racial or ethnic origin, health data, biometric identifiers, sexual orientation, precise geolocation). We do not seek such data unless necessary and lawful (e.g., with explicit consent where required).
2.6 "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.
2.7 "Profiling" means automated Processing evaluating personal aspects, including to analyze or predict preferences or interests. "Automated Decision-Making" refers to decisions based solely on automated Processing that produce legal or similarly significant effects.
2.8 "Pseudonymization" means Processing such that data can no longer be attributed to a specific Data Subject without additional information kept separately and subject to safeguards.
2.9 "De-identified/Anonymized Data" means data that cannot reasonably be used to identify a Data Subject, taking into account available technology and safeguards.
2.10 "Targeted Advertising" / "Sale" / "Share." Terms defined by U.S. state law (e.g., CPRA) concerning cross-context behavioral advertising or certain disclosures for value. We do not "sell" Personal Data in the ordinary sense; where an activity is legally deemed a "sale" or "share," opt-out rights apply.
2.11 "Minor/Child." A person under the age defined by local law (e.g., under 13 in the U.S.; under 16 in parts of the EU/UK). Parental consent may be required.
2.12 "Consent / Explicit Consent." A freely given, specific, informed, and unambiguous indication of wishes by which a Data Subject signifies agreement; "explicit" means a clear, express statement (e.g., written/electronic affirmative action).
2.13 "Service Providers / Sub-processors." Processors engaged by us, or by our Processors, to provide services under binding written terms that include confidentiality, security, and restricted use.
2.14 "Security Incident / Data Breach." A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
2.15 "Global Privacy Control (GPC)." A browser or device signal indicating an opt-out preference for "sale"/"sharing" or certain tracking. We honor GPC where required by law and as described in the Cookie Policy.

3. Interpretation Rules

3.1 Construction. This Policy shall be interpreted to comply with Applicable Law. Where there is a conflict, stricter legal requirements prevail to that extent.
3.2 Grammar and Usage. Words in the singular include the plural and vice versa. "Including" means "including without limitation." References to "days" are calendar days unless specified.
3.3 Electronic Consent and Signatures. Your acceptance of this Policy and consent to Processing may be obtained electronically (e.g., click-through, toggles, settings) and will have the same legal effect as a handwritten signature.
3.4 Precedence and Language. In case of conflict between this Policy and any translations, the English version controls. Headings are for convenience only.
3.5 No Waiver. Failure to enforce any provision does not constitute a waiver of that or any other provision. Partial invalidity does not invalidate the remainder (severability).
3.6 Evidence and Records. We maintain internal logs and records of notices, consents, preferences, and Policy versions presented at acceptance for evidentiary and compliance purposes.
3.7 Third-Party Terms. Your interaction with third-party services is governed by their terms and privacy policies. We are not responsible for independent third-party practices.

4. Lawful Basis Mapping

We Process Personal Data under one or more lawful bases as provided by GDPR/UK GDPR Article 6 (and Article 9 for special categories). The table below maps principal categories to typical purposes and bases. Actual bases may vary by jurisdiction and context; where multiple bases are listed, we rely on the most appropriate one for the specific Processing at issue.

| Data Category | Illustrative Purposes | Primary Lawful Basis (GDPR/UK GDPR) |
| --- | --- | --- |
| Identification Data (name, username, DOB, profile photo) | Account creation, profile display, age gating | Contract Art. 6(1)(b); Legal Obligation Art. 6(1)(c) (age-related rules where applicable) |
| Contact Data (email, phone) | Account communications, security alerts, support | Contract (b); Legitimate Interests (f) (service communications) |
| Authentication Data (password hash, MFA tokens) | Login, access control, account integrity | Contract (b); Legitimate Interests (f); Legal Obligation (c) (security) |
| Location Data (precise/approximate) | Proximity features, local suggestions, safety | Consent (a) for precise/non-essential use; Contract (b) for core proximity if essential to service requested |
| Device/Network Data (IP, device ID, OS) | Security, fraud prevention, diagnostics | Legitimate Interests (f); Legal Obligation (c) (security standards) |
| Usage/Telemetry (events, session data) | Analytics, personalization, feature improvement | Legitimate Interests (f); Consent (a) where required (e.g., EU cookies) |
| Payment/Transaction Data | Billing, refunds, fraud prevention, tax records | Contract (b); Legal Obligation (c) |
| Support/Comms Metadata | Ticketing, troubleshooting, QA, training | Legitimate Interests (f); Contract (b) |
| User Content (text, images, video) | Core functionality, community features | Contract (b) |
| Contacts/Invite Data (if enabled) | Friend discovery, invitations | Consent (a); Legitimate Interests (f) with safeguards where applicable |
| Marketing Preferences | Manage opt-ins/opt-outs; send promos | Consent (a) (EU/UK); Legitimate Interests (f) where permitted |
| Fraud/Safety Signals | Abuse detection, TOS enforcement | Legitimate Interests (f); Legal Obligation (c) |
| Inferences/AI Features | Recommendations, ranking | Legitimate Interests (f); Consent (a) where required |
| Consent Records | Proof of consent; audit logs | Legal Obligation (c); Legitimate Interests (f) |

Special Categories (Art. 9). If you voluntarily provide Sensitive Personal Data (e.g., in a bio), we will Process it only where lawful (e.g., explicit consent Art. 9(2)(a)) and with enhanced safeguards. We do not require such data for core Services.

Vital Interests (Art. 6(1)(d)). In emergencies where life or safety is at risk, we may Process relevant data to protect vital interests.

Legitimate Interests Balancing. We document balancing tests and implement safeguards (minimization, opt-outs, pseudonymization) to ensure our interests do not override your rights.

5. Categories of Personal Data Collected

We collect the following categories, which may vary based on your use of features, jurisdiction, and settings. Not all categories apply to every user.

5.1 Identification Data. Name, display name, username, date of birth/age bracket, profile images/avatars (including metadata where applicable).
5.2 Contact Data. Email address, telephone number, mailing/region details (if provided), notification preferences.
5.3 Authentication and Security Data. Password hashes, multi-factor tokens, session identifiers, account status flags, security challenge responses.
5.4 Government/Identity Verification Data (If Implemented). Limited ID data for age/identity verification where legally required or to investigate fraud (e.g., last 4 digits of ID, masked document images). We do not collect this by default and will provide notices/consents where required.
5.5 Location Data. Precise GPS, Wi-Fi/Bluetooth-assisted signals, or IP-derived approximate location. Precise location requires consent and may be disabled via device settings (feature impact may occur).
5.6 Device and Network Data. IP address, device type/model, OS/browser version, mobile carrier/ISP, language, time zone, app version, device identifiers (e.g., IDFA/GAID where permitted), crash logs, error codes.
5.7 Usage and Telemetry Data. Interaction events (clicks, taps, swipes), feature usage, session duration, navigation flows, performance metrics, load times, diagnostic traces, and experimental cohort flags (for A/B tests).
5.8 User Content and Communications. Posts, comments, messages (including metadata), uploaded media (images, audio, video), and related content settings. Content may persist in backups for a limited period and may be captured in other users' accounts due to sharing.
5.9 Payment and Transaction Data. Payment method token/last four digits (stored by PCI-compliant processors), purchase history, refunds, chargebacks, billing address (if applicable), tax/VAT details (where required). We do not store full card numbers.
5.10 Support and Correspondence. Help tickets, emails, in-app chats with support, satisfaction surveys, call/chat recordings (where lawful and noticed), and related metadata.
5.11 Fraud, Safety, and Enforcement Signals. Failed login attempts, suspicious IPs, device fingerprint attributes (for security only), abuse reports, moderation decisions, and evidence retained for investigations and legal defense.
5.12 Contacts and Social Graph (Optional). If you choose to sync contacts or link accounts, we may collect hashed identifiers or contact entries to suggest connections. You represent you have authority to share such data, and you may revoke access at any time.
5.13 Marketing and Preference Data. Opt-in/opt-out status, campaign attribution identifiers, referral codes, and related analytics (subject to consent where required).
5.14 Inferences and Derived Data. Internal tags, interest clusters, or preference signals derived from other data to personalize experiences, subject to opt-out/consent rules where applicable.
5.15 Consent and Privacy Choices. Records of cookie choices, consent timestamps, policy versions accepted, and user rights requests/responses.
5.16 Employment/Partner Data (If Applicable). If you apply for roles or participate in partner programs, we may collect necessary professional data under separate notices where required.
5.17 Children/Minors Data. We do not knowingly collect data from children under the minimum age without verified parental consent. Teen users receive enhanced privacy defaults (see Section 15 of the Policy).
5.18 Exclusions and Prohibitions. We do not seek biometric data, precise geolocation without consent, or other special categories unless strictly necessary, lawful, and consented to (where required). Do not upload sensitive documents unless we explicitly request them for a lawful, disclosed purpose.
5.19 Required vs. Optional Data; Consequences of Non-Provision. Some data is necessary to create an account or provide core features (e.g., age for eligibility, contact for account notices). If you do not provide required data, we may be unable to deliver certain or all Services. Optional data enhances functionality but is not required.
5.20 Sources. We collect from you directly, automatically via the Services, from your device/sensors (with permission), from Processors (e.g., payment, analytics, fraud prevention), from linked third-party accounts at your direction, and from public sources where lawful.
5.21 Accuracy and User Responsibility. You must ensure the information you provide is accurate and up to date. We may take reasonable steps to maintain accuracy (e.g., verification prompts) but are not liable for inaccuracies resulting from user-provided data.
5.22 Data Minimization and Retention. We collect only what is necessary for disclosed purposes and retain it no longer than necessary (see Section 11 of the Policy for detailed retention practices).

6. Methods of Collection

6.1 Direct Collection from Users. We collect Personal Data that you provide directly, including when you:
  • Create or update an account or profile, submit forms, verify identity, or communicate with support.
  • Upload or generate User Content (e.g., images, text, audio, video).
  • Enter promotions, beta programs, or research/user testing initiatives (with appropriate notices).
  • Exercise data subject rights, submit privacy requests, or opt in/out of particular processing.
6.2 Automated Collection. We automatically collect data generated by your use of the Services, including:
  • Technical & Network Data: IP address, device identifiers, operating system, app version, mobile carrier/ISP, language, time zone, and diagnostic logs.
  • Usage & Telemetry: Feature engagement, interaction events (taps, swipes), session duration, crash reports, performance metrics, error codes.
  • Security Signals: Failed logins, suspicious IPs, device fingerprint attributes used exclusively to detect abuse, spam, and account takeover attempts.
  • Location Signals (if enabled): GPS, Bluetooth, Wi-Fi, and IP-derived approximations. Location is collected only when you grant permission and may be processed intermittently or continuously as needed to provide Proximity-Based Features.
6.3 Device and Sensor Access. With your device-level permissions, we may access:
  • Camera/Microphone (for content creation and in-app communications);
  • Contacts (optional friend-finding; never accessed without explicit, revocable permission);
  • Bluetooth/Wi-Fi/Motion Sensors (to improve proximity accuracy and security).

Access is limited to the minimum necessary for the requested feature and can be revoked at any time via device settings. Features may be degraded or unavailable if permissions are disabled.

6.4 Cookies and Similar Technologies. We use cookies, SDKs, local storage, pixels, and similar technologies as described in our separate Cookie Policy. Non-essential tracking requires opt-in where mandated by law. Preferences may be changed through the consent tool or device/browser settings.
6.5 Third-Party Sources. We may receive Personal Data from:
  • Authentication providers (e.g., "Sign in with …") consistent with your settings on those services;
  • Analytics, fraud, and security vendors (e.g., risk scores, compromised credential alerts);
  • Payment processors (limited transaction metadata, fraud indicators);
  • Marketing and referral partners (campaign attribution identifiers);
  • Publicly available sources (e.g., public profiles) where permitted by law.
6.6 Legal Requests and Compliance. We may collect and retain data responsive to lawful requests (e.g., subpoenas, court orders) and legal holds, as required by applicable law.
6.7 Derived and Inferred Data. We may derive preferences or interest categories from other data for personalization, safety, and service improvement. Where required by law, such inferences for targeted advertising or profiling are subject to opt-out or consent rules.
6.8 Notice at Collection. Where required (e.g., certain U.S. states), we provide "notice at collection" identifying categories, purposes, and retention practices at or before the point of collection.
6.9 Recordkeeping and Proof. We maintain internal logs evidencing notices given, consents captured, preference changes, and the specific versions of this Policy presented at acceptance.
6.10 Disclosure. Not all methods apply to all users at all times. We do not collect beyond what is necessary for disclosed purposes or permitted by law. We reserve the right to introduce new collection methods consistent with this Policy and the Cookie Policy, subject to required notices and consents.

7. Purposes of Processing

7.1 Contractual Performance. To provide and maintain the Services, including account creation, authentication, profile display, messaging, content posting, proximity-based features, customer support, and subscription management.
7.2 Safety, Security, and Integrity. To protect users and the platform by:
  • Detecting and preventing fraud, spam, abuse, unauthorized access, and violations of our Terms;
  • Verifying account integrity, conducting threat modeling, and enforcing community guidelines;
  • Preserving evidence and logs for investigations and legal/regulatory inquiries.
7.3 Legal and Regulatory Compliance. To comply with recordkeeping duties, tax and accounting requirements, lawful requests, sanctions/export controls, and consumer protection obligations.
7.4 Service Improvement and Diagnostics. To monitor performance, fix bugs, optimize reliability, conduct A/B tests, and evaluate feature usability. Where legally required (e.g., analytics cookies in the EU/UK), we obtain consent before non-essential tracking.
7.5 Personalization. To tailor in-app experience (e.g., ranking, recommendations, suggested connections or events) consistent with your settings. Where required by law, personalization involving tracking may require consent or provide opt-out rights.
7.6 Marketing and Communications. To provide service announcements, transactional notices, and, with consent or where permitted by law, promotional messages. You may opt out of marketing without impacting essential communications.
7.7 Research and Development. To conduct internal research, including quality assurance, product development, and algorithmic improvement using de-identified or pseudonymized data whenever feasible. If identifiable data is used in ways requiring consent (e.g., for training models beyond product improvement), we will obtain such consent where mandated.
7.8 Business Operations. To manage audits, finance, forecasting, mergers, acquisitions, restructurings, or asset transfers. Successors in interest will honor this Policy or adopt equivalent protections.
7.9 Compatibility of Further Processing. We may process data for compatible purposes under GDPR Article 6(4) by assessing: (a) link to original purposes; (b) collection context and user expectations; (c) data nature/sensitivity; (d) impact on users; (e) safeguards (e.g., pseudonymization). If a new purpose is incompatible, we will seek a new lawful basis (e.g., consent) or cease such processing.
7.10 Documentation and Balancing Tests. Where we rely on Legitimate Interests, we conduct and document balancing tests and implement safeguards (e.g., minimization, opt-outs) appropriate to the risk. Summaries may be provided upon request where required by law.
7.11 No Secondary Sale. We do not "sell" Personal Data in the common meaning of the term. If an activity is deemed a "sale" or "share" under state law, applicable opt-out rights are provided.

8. AI-Based Matching and Automated Decision-Making

8.1 Scope and Inputs. AI-based matching may process profile attributes, declared interests, interaction history, and (if enabled) location signals to suggest connections or events. Sensitive attributes are not used for profiling unless you voluntarily provide them and applicable law permits with appropriate safeguards/consent.
8.2 Outputs and Use. Outputs are recommendations intended to enhance discovery. They do not create legal or similarly significant effects on users' rights under GDPR Article 22.
8.3 Legal Basis. We rely on Contract (to provide core functionality), Legitimate Interests (to personalize and improve), or Consent (where laws require consent for certain tracking/profiling). If we were to introduce solely automated decisions with legal or similarly significant effects, we would do so only with a proper lawful basis, meaningful safeguards, and required notices/consents.
8.4 Safeguards and Governance. We implement:
  • Data minimization and quality controls to reduce spurious signals;
  • Model monitoring (e.g., drift, performance, and disparate impact checks);
  • Human-in-the-loop review upon request for contested outcomes linked to automated processing;
  • Appeal process for automated outputs that you believe are inaccurate or harmful;
  • Periodic re-evaluation of features, inputs, and thresholds.
8.5 User Controls. You may:
  • Adjust personalization settings or opt out of non-essential profiling where available;
  • Disable location features (which may limit AI relevance);
  • Request human intervention, an explanation of the "main parameters" that significantly influence outputs (to the extent feasible without exposing trade secrets), and the opportunity to contest a decision relying on automated processing that produces legal or similarly significant effects.
8.6 Accuracy and Bias Disclaimer. AI outputs may contain errors or unintended bias. We do not warrant accuracy, completeness, or suitability. Recommendations are informational only and do not constitute advice. You remain solely responsible for any actions or decisions you take in reliance on AI outputs.
8.7 Liability Limitation. To the fullest extent permitted by law, we disclaim liability for losses arising from reliance on AI-generated suggestions. Any claims related to AI outputs are subject to the Limitation of Liability and Dispute Resolution provisions in this Policy and/or the Terms of Service.
8.8 Future Changes. Should we expand AI processing (e.g., new personalization vectors, matching criteria), we will update this Policy and implement any required consent or opt-out flows before activating such processing.

9. Data Sharing & Third Parties

9.1 Processors (Service Providers). We engage vetted processors under written Data Processing Agreements (DPAs) that require:
  • Processing only on our documented instructions;
  • Confidentiality, appropriate technical and organizational measures, and breach notification;
  • Prohibition on cross-use or independent monetization of data;
  • Sub-processor controls and onward transfer safeguards;
  • Deletion or return of Personal Data upon termination of services.

Categories include hosting/cloud storage, email/push delivery, analytics and crash reporting, payment processing and fraud detection, content moderation, identity verification, customer support tooling, and mapping/location services.

9.2 Affiliates. We may share data within our corporate group for purposes consistent with this Policy (e.g., operations, security, support), subject to equivalent protections.
9.3 Independent Controllers. Some third parties may act as independent controllers (e.g., social login providers, payment processors for their own fraud checks, ad platforms you separately engage). Their processing is governed by their privacy policies; we are not responsible for their independent practices.
9.4 Business Transfers. Personal Data may be transferred as part of a merger, sale, reorganization, or similar transaction. The successor will be bound by this Policy or an equivalent policy affording materially similar protections.
9.5 Legal Disclosures. We may disclose Personal Data where required by law, court order, subpoena, or lawful government request. We will challenge overbroad or unlawful requests where reasonably possible and permitted and will disclose only what is legally required.
9.6 Security and Safety. We may share data to protect the rights, property, and safety of users, the public, or the Company, including cooperating with law enforcement in cases of imminent harm or suspected illegal activity.
9.7 Public/Shared Content. Information you make public (e.g., profile elements or posts) is visible according to your settings. We are not responsible for how other users or third parties use information you choose to disclose publicly.
9.8 Targeted Advertising and "Sale/Share." We do not "sell" Personal Data in the ordinary sense. If certain advertising/analytics activities are deemed "sale" or "sharing" under U.S. state laws, we provide opt-out mechanisms ("Do Not Sell or Share") and honor Global Privacy Control (GPC) signals as described in the Cookie Policy.
9.9 Aggregated/De-Identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you. We take reasonable measures to prevent re-identification and contractually restrict downstream re-identification attempts where feasible.
9.10 Liability Allocation. We are not liable for acts or omissions of third parties acting as independent controllers or for processor misconduct outside our instructions and contractual controls. Your engagement with third-party services is at your discretion and governed by their terms.

10. International Transfers

10.1 Scope of Transfers. Personal Data may be transferred to, stored in, or accessed from countries outside your jurisdiction (including countries with different data protection standards) for hosting, support, security, and operational needs.
10.2 Transfer Mechanisms. Where required, we implement one or more lawful mechanisms, such as:
  • Adequacy decisions (where available);
  • Standard Contractual Clauses (SCCs) issued by the European Commission;
  • UK International Data Transfer Agreement (IDTA) or Addendum;
  • Binding Corporate Rules (BCRs) (if adopted in the future);
  • Other approved safeguards under applicable law.
10.3 Supplementary Measures. Depending on risk and local laws, we may apply:
  • Encryption in transit and at rest; strict access controls and key management;
  • Data minimization and pseudonymization;
  • Split processing and logging/auditing to deter unauthorized access;
  • Contractual commitments from recipients regarding government access requests.
10.4 Transfer Impact Assessments (TIAs). For high-risk transfers, we assess the legal environment of the recipient country and implement appropriate supplementary measures. We reassess if laws or practices materially change.
10.5 Onward Transfers. Any onward transfer by a recipient must occur under equivalent safeguards and for compatible purposes. Processors must obtain our approval for sub-processors and ensure chain-of-protection obligations.
10.6 Local Storage and Residency. Where required by law or agreed with enterprise customers, we may implement regional hosting or data residency solutions. Some features may be limited if strict residency is mandated.
10.7 Access Requests by Public Authorities. We do not voluntarily provide bulk or indiscriminate access to Personal Data. We will disclose only where legally compelled and will (where permitted) notify affected users before disclosure or promptly thereafter.
10.8 Copies of Safeguards. You may request a summary of the appropriate safeguards (e.g., SCCs/IDTA) used for your data transfers. Certain provisions may be redacted to protect confidentiality and security.
10.9 Unavailability of Mechanisms. If a transfer mechanism becomes invalid or inadequate due to legal developments, we will implement an alternative safeguard or suspend transfers to the affected recipients.
10.10 Liability and Limitations. We are not responsible for sovereign acts of foreign governments or lawful disclosures compelled under foreign law when appropriate safeguards are in place and disclosures are limited to what is strictly required. Your remedies, if any, will be limited as set forth in this Policy and the Terms of Service.

11. Security Measures

11.1 Program Governance. We maintain a security and privacy program proportionate to risk, overseen by designated personnel. Core elements include policies, asset inventories, access governance, vendor risk management, incident response, disaster recovery, and periodic management reviews.
11.2 Technical Controls. We implement layered controls, including:
  • Encryption: TLS 1.2+ in transit; industry-standard encryption (e.g., AES-256) at rest for sensitive stores; key rotation and separation of duties for key management.
  • Access Controls: Role-based access control (RBAC), least privilege, just-in-time elevation for privileged tasks, mandatory MFA for administrative accounts, periodic access reviews and deprovisioning SLAs.
  • Network & Application Security: Network segmentation, WAFs, rate-limiting, input validation, SAST/DAST, dependency scanning, and CI/CD security checks; signed builds and artifact integrity verification.
  • Endpoint & Data Protections: EDR/antimalware on managed endpoints; secure logging with tamper-evident storage; secrets management; environment segregation (dev/test/prod).
  • Resilience: Regular tested backups, geographically distributed storage, recovery runbooks; recovery objectives (RTO/RPO) are targets only, not guarantees.
11.3 Administrative Controls. Mandatory security/privacy training; background checks where lawful for sensitive roles; change management; documented escalation pathways; need-to-know data handling; clean desk and screen-lock practices.
11.4 Third-Party/Vendor Risk. Processors are vetted and contractually bound to appropriate safeguards, breach notice duties, and sub-processor controls. We may suspend or replace a vendor on risk grounds without liability to you.
11.5 Monitoring & Testing. Centralized logging, anomaly detection, and alerting; periodic penetration tests by qualified third parties; vulnerability management with risk-based patch timelines.
11.6 User Responsibilities. Users must protect credentials, enable available security features (e.g., MFA), keep devices patched, and notify us of suspected compromise. We are not liable for losses caused by weak passwords, credential sharing, jailbroken/rooted devices, or user negligence.
11.7 No Absolute Security. While we use reasonable safeguards, no system is 100% secure. To the maximum extent permitted by law, we disclaim liability for incidents caused by factors beyond our reasonable control, including sophisticated attacks, third-party failures, and force majeure events.

12. User Rights – General

Subject to Applicable Law and verified identity, you may exercise the following rights:

12.1 Access. Obtain confirmation whether we Process your Personal Data and receive a copy, subject to trade secrets, IP rights, and third-party privacy.
12.2 Rectification. Request correction of inaccurate or incomplete Personal Data. We may request documentation to validate changes.
12.3 Erasure ("Right to be Forgotten"). Request deletion where legally permitted (e.g., no longer necessary, consent withdrawn, unlawful Processing). Exceptions apply, including legal obligations, security/fraud logs, and exercise/defense of legal claims.
12.4 Restriction. Request temporary restriction (e.g., while accuracy is contested or Processing is unlawful and you oppose deletion).
12.5 Portability. Receive certain Personal Data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
12.6 Objection. Object to Processing based on legitimate interests (including profiling) and object at any time to direct marketing; we will honor marketing objections without question.
12.7 Withdraw Consent. Withdraw consent at any time (does not affect prior lawful Processing). Some Services may cease to function without consent-based features.
12.8 Automated Decision-Making Safeguards. Where solely automated decisions with legal or similarly significant effects are used (if ever), request human intervention, express your point of view, and contest the decision.
12.9 Limits and Refusals. We may deny or limit a request where: identity cannot be verified; legal exemptions apply; requests are manifestly unfounded, excessive, or repetitive; or compliance would adversely affect others' rights or our trade secrets. Where permitted, we may charge a reasonable fee for excessive requests.
12.10 No Retaliation. We will not discriminate against you for exercising rights granted by Applicable Law (e.g., CCPA/CPRA non-discrimination).

13. User Rights – Jurisdiction-Specific

13.1 EU/EEA and UK (GDPR/UK GDPR).
  • Full rights per Articles 12–23, including access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
  • Legal bases per Section 4; details on transfers in Section 10.
  • Supervisory authorities: You may lodge a complaint with your local authority (e.g., ICO in the UK).
13.2 California (CCPA/CPRA).
  • Rights to know (categories/specific pieces), delete, correct, and opt out of sale/sharing and targeted advertising; right to limit use/disclosure of sensitive personal information; non-discrimination.
  • We do not sell Personal Data in the ordinary sense. If an activity is deemed "sale"/"share," we provide opt-out mechanisms and honor valid Global Privacy Control (GPC) signals.
13.3 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA).
  • Rights of access, correction, deletion, and portability, and the right to opt out of targeted advertising, sale, and certain profiling.
  • Appeals process for denied requests as required by law.
13.4 Brazil (LGPD).
  • Rights to confirm Processing, access, correction, anonymization, portability, deletion, and information about data sharing; consent revocation without affecting prior Processing.
13.5 Canada (PIPEDA + provincial).
  • Rights to access and correct; meaningful consent standard; limits on collection/use/disclosure; cross-border disclosures with appropriate safeguards.
13.6 Australia (Privacy Act) and New Zealand (Privacy Act 2020).
  • Rights to access and correction; breach notifications for "eligible"/"serious" harm incidents.
13.7 Other Jurisdictions. Where local laws grant additional rights, we will honor them to the extent required. Where conflicts arise, mandatory local rules prevail solely to that extent.

Company-Protective Clarifications: Nothing in this Section requires disclosure of proprietary information, trade secrets, internal assessments, or data that would infringe the rights of others. We may provide summaries instead of full copies where permitted.

14. Exercising Your Rights & Verification

14.1 Submission Channels. Use the methods in Section 23 (Contact) or any in-product rights portal we provide. Specify the right you wish to exercise and the data/account in scope.
14.2 Verification. We must verify identity before fulfilling requests. Verification methods may include:
  • Confirming control of the registered email/phone;
  • Matching account-specific information;
  • Government ID (only where lawful/necessary), which will be used solely to verify identity and then securely deleted or redacted per policy.
14.3 Authorized Agents. Where allowed (e.g., California), agents must provide proof of authorization and pass our verification checks. We may contact you directly to confirm agent authority.
14.4 Timelines.
  • GDPR/UK GDPR: 1 month from receipt; extendable by up to 2 months for complexity/volume (with notice).
  • CCPA/CPRA: 45 days; extendable once by 45 days (with notice).
  • Other regimes follow their statutory timelines.
14.5 Scope and Format. We will provide responses in a secure, commonly used, machine-readable format where applicable. We may redact information to protect third-party privacy, security, or our proprietary data.
14.6 Limitations/Refusals. We may decline or partially fulfill a request where permitted by law, including to protect:
  • Security and fraud prevention measures and logs;
  • Ongoing investigations or legal claims;
  • Trade secrets/IP and confidential business information;
  • Rights and freedoms of others (e.g., messages involving other users).
14.7 Fees. Rights requests are generally free. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive, consistent with law.
14.8 Effect on Services. Exercising certain rights (e.g., deleting required data or disabling tracking necessary for a feature) may limit or disable functionality. We are not liable for any inability to provide Services caused by your rights choices.
14.9 Appeals. If we deny a request (in whole or part), you may appeal where required (e.g., Virginia/Colorado). We will inform you of appeal rights and how to submit them.
14.10 Recordkeeping. We maintain records of requests and outcomes to demonstrate compliance and for fraud prevention and legal defense.

15. Minors' Data & Age Restrictions

15.1 Minimum Age. The Services are not directed to children under the minimum age defined by local law (e.g., under 13 in the U.S.; under 16 in parts of the EU/UK) without verified parental consent. If we learn that a child has used the Services without required consent, we will take reasonable steps to disable the account and delete data consistent with law.
15.2 Age Screening. We may deploy neutral age-gating at registration. Users must provide accurate information. We are not liable for misrepresentations regarding age provided by users.
15.3 Parental Consent (COPPA/GDPR-K). Where required, we will obtain verifiable parental consent through lawful methods (e.g., signed forms, government ID check with secure disposal, small card transaction). Parents/guardians may review, delete, or withdraw consent for their child's data at any time.
15.4 Teen Privacy (13–17). Enhanced safeguards may include:
  • Default limitations on public discoverability and location sharing;
  • Safety prompts before sharing sensitive content;
  • Prioritization of reports involving minors for moderation review.
15.5 Prohibited Data and Features for Minors. We do not knowingly enable targeted advertising based on behavioral profiling for users we know are under the applicable age, and we restrict features presenting elevated risk (e.g., public posting of precise location).
15.6 CSAM and Safety. Zero-tolerance for child sexual abuse material (CSAM) or exploitation. We will remove content, suspend accounts, preserve evidence, and report to relevant authorities as legally required.
15.7 Parental Rights. Parents/guardians may:
  • Request access to their child's data;
  • Request correction or deletion;
  • Withdraw consent and request account closure.
15.8 Retention Limits for Minors. We minimize retention for minors' data and delete it when no longer necessary for the purpose collected, subject to legal holds and safety obligations.
15.9 Liability Limitation. We rely on information provided during registration and reasonable verification processes. We are not liable for any content voluntarily disclosed by minors contrary to parental instructions or our guidance.
15.10 Local Variations. We will apply stricter age/consent thresholds where required (e.g., GDPR Member State "digital consent" ages). Where thresholds differ, we follow the higher standard applicable to the user's location.

16. Minors' Data & Age Restrictions (Additional)

16.1 Applicability and Thresholds. The Services are not intended for children under the age defined by local law (e.g., under 13 in the U.S.; under 16 in parts of the EU/UK, subject to Member State variations). Where parental/guardian consent is required by law ("Digital Consent"), we will not knowingly enable Services for a minor without verifiable consent.
16.2 Age-Gating and Verification. We may implement neutral age-gating at registration and, where required or risk-appropriate, verification measures (e.g., micro-charge to a payment method, ID check with secure disposal, signed consent form). Users must provide accurate information; we are not liable for misrepresentations regarding age.
16.3 Legal Bases and Minimization. Processing of minors' Personal Data occurs only where lawful (e.g., consent from a parent/guardian, contract for age-appropriate Services requested by the minor with valid consent, legal obligation for safety logs). We minimize collection and use default privacy-protective settings for minors.
16.4 Default Safeguards for Teens (13–17). Without limiting the foregoing:
  • Reduced public discoverability and searchability by default;
  • Restricted default location sharing and visibility of contact details;
  • Safety prompts for potentially sensitive disclosures;
  • Priority moderation and escalation workflows for reports involving minors.
16.5 Location Features. Precise geolocation for minors is off by default unless expressly enabled by a parent/guardian or the teen where permitted by law. We may still Process approximate IP-derived location for security and service integrity.
16.6 Prohibited Practices. We do not knowingly conduct behavioral targeted advertising to users we know are under the applicable Digital Consent age, nor encourage disclosure of sensitive data by minors. We do not condition a minor's participation on providing more Personal Data than is reasonably necessary.
16.7 Parental/Guardian Rights. Parents/guardians may at any time request access to, correction or deletion of, or cessation of further Processing of their child's data, and may withdraw consent (which may disable the child's access to some or all Services).
16.8 Retention. We retain minors' data no longer than necessary for the purposes collected, subject to legal obligations, safety logs, lawful preservation for investigations, and backup rotation schedules.
16.9 CSAM and Mandatory Reporting. We maintain zero tolerance for child sexual abuse material (CSAM) and exploitation. We will remove content, suspend accounts, preserve evidence, and report to competent authorities (e.g., NCMEC in the United States) as required by law.
16.10 Law Enforcement and Emergency Disclosures. To protect the vital interests of a child or others, we may disclose information to law enforcement or emergency responders consistent with Applicable Law.
16.11 Liability Limitation. We rely on user-supplied information and commercially reasonable verification processes. We are not liable for content voluntarily disclosed by minors contrary to parental instruction or our guidance, nor for misrepresentations of age by users.
16.12 Local Variations. We apply stricter local consent ages where mandated (e.g., GDPR Member State variations). In the event of conflict, stricter mandatory law prevails to that extent.

17. Third-Party Links & Services

17.1 Categories. The Services may link to, embed, or interoperate with third-party services (e.g., payment processors, social logins, analytics providers, ad networks, mapping/location services, content delivery networks, customer support tools).
17.2 Role Classification. Third parties may operate as (a) our Processors under written data protection terms, or (b) independent controllers that determine their own purposes/means of Processing. Independent controllers' practices are governed by their own policies; we do not control, and are not responsible for, their Processing.
17.3 Cookies/SDKs. Third-party cookies, SDKs, and similar technologies may operate within the Services. Details and consent/opt-out mechanisms are described in our Cookie Policy. Where required (e.g., EU/UK), non-essential tracking is opt-in.
17.4 Single Sign-On / Social Logins. If you choose to authenticate via a third-party identity provider, that provider may receive or provide certain Personal Data subject to its own privacy policy. You may revoke authorization via both the provider and your account settings (where available).
17.5 Payments. Payments are processed by PCI-DSS-compliant providers as independent controllers or processors. We do not store full payment card numbers. Fraud screening by such providers is subject to their terms.
17.6 Maps and Location Services. Mapping and geolocation features may involve separate processing by map providers; precise location is subject to your device permissions and Applicable Law.
17.7 Advertising/Analytics. Where used, adtech/analytics partners may act as independent controllers. We provide required opt-outs (e.g., "Do Not Sell or Share" under CPRA; targeted advertising opt-outs under state laws) and honor GPC signals as required.
17.8 External Links and Embedded Content. Links/embeds do not constitute endorsement. We are not responsible for third-party content, availability, security, or compliance.
17.9 Data Transfers and Jurisdiction. Use of third-party services may involve international transfers; we require appropriate safeguards for our Processors and recommend you review independent controllers' transfer mechanisms.
17.10 User Responsibility. You are responsible for reviewing third-party terms and privacy policies before enabling integrations or sharing data with third parties.
17.11 Liability Allocation. To the fullest extent permitted by law, we disclaim responsibility for third-party acts/omissions, platform outages, or data breaches outside our reasonable control, and for independent controller Processing. Your use of third-party services is at your discretion and risk.

18. Data Breach Response

18.1 Definition. A personal data breach is a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
18.2 Governance and Privilege. We maintain a documented incident response plan (IRP) with assigned roles. Where appropriate, we engage counsel to establish legal privilege over investigations and communications.
18.3 Detection and Triage. We employ monitoring and alerting to detect anomalies. Upon indication of an incident, we triage severity, scope, data types, and affected systems/users.
18.4 Containment and Eradication. We isolate affected assets, revoke/rotate compromised credentials, block malicious traffic, and apply patches or configuration changes. We may temporarily disable features to mitigate risk.
18.5 Forensics and Root Cause. We conduct (or commission) forensic analysis to determine cause, timeline, scope, and impacted data elements, preserving evidence where appropriate.
18.6 Notifications.
  • Supervisory Authorities (EU/UK): We will notify competent authorities without undue delay and, where required, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals' rights and freedoms.
  • Individuals: Where required, we will notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, including recommended protective steps.
  • U.S. and Other Jurisdictions: We comply with applicable sectoral and state/provincial breach laws (timelines, content requirements, regulator/AG notifications).

Content of notices may include incident nature, affected categories, protective measures taken, and contact details. Notices do not constitute an admission of fault.

18.7 Third-Party Coordination. We require Processors to promptly notify us of breaches and to cooperate with investigations and notifications. For incidents originating with independent controllers, they are responsible for their own notifications.
18.8 Remediation. We implement corrective actions (e.g., hardening, additional controls, vendor changes) and update policies, training, or architectures as appropriate.
18.9 Recordkeeping. We maintain breach logs and documentation of facts, effects, and remedial action consistent with GDPR Article 33(5) and analogous laws.
18.10 User Obligations. Users must maintain reasonable security for their accounts/devices, notify us of suspected compromise, and follow our guidance to mitigate harm (e.g., password changes, fraud alerts).
18.11 Liability. To the maximum extent permitted by law, we are not liable for damages caused by sophisticated cyberattacks, user negligence, third-party failures outside our control, force majeure events, or lawful disclosures compelled by authorities. Any liability is subject to the Limitation of Liability provisions herein and in the Terms of Service.

19. Limitation of Liability

19.1 Cap. To the fullest extent permitted by law, our aggregate liability arising out of or relating to this Policy or our Processing of Personal Data shall not exceed the greater of USD $100 or the total amount you paid to us, if any, in the twelve (12) months preceding the event giving rise to liability.
19.2 Excluded Damages. We shall not be liable for any indirect, incidental, consequential, special, exemplary, or punitive damages; loss of profits, revenue, goodwill, or data; business interruption; or cost of substitute services.
19.3 Specific Disclaimers. Without limiting the foregoing, we disclaim liability for harms arising from:
  • AI outputs or recommendations;
  • Third-party services and independent controller Processing;
  • User-generated content or offline interactions between users;
  • Force majeure events and sophisticated cyberattacks;
  • User negligence (e.g., weak passwords, sharing credentials, using rooted/jailbroken devices);
  • Compliance with lawful orders or regulatory obligations;
  • Unavailability due to maintenance or emergency updates.
19.4 Time Limit to Bring Claims. Any claim must be brought within one (1) year after the cause of action accrues, unless a longer period is mandated by non-waivable law.
19.5 Non-Excludable Liability. Nothing in this Policy excludes liability that cannot be excluded under Applicable Law (e.g., fraud, willful misconduct, death/personal injury caused by gross negligence where such exclusion is prohibited). In such cases, our liability is limited to the maximum extent permitted.
19.6 Basis of the Bargain. The parties acknowledge that the limitations and exclusions herein are fundamental to the allocation of risk and material to our willingness to make the Services available.
19.7 Consumer Rights. Some jurisdictions do not allow certain limitations; in those jurisdictions, the above limitations apply to the maximum extent permitted by law.

20. Indemnification

20.1 Scope of Indemnity. You agree to indemnify, defend, and hold harmless Friends Technologies LLC, its affiliates, successors, and their respective directors, officers, employees, contractors, agents, and licensors (collectively, the "Indemnified Parties") from and against any and all losses, liabilities, damages, fines, penalties, costs, and expenses (including reasonable attorneys' fees and expert costs) arising out of or related to:
  • your violation of this Policy, the Terms of Service, or the Cookie Policy;
  • your misuse of the Services or Personal Data obtained through the Services;
  • your infringement or violation of any third-party right (including privacy, publicity, or intellectual property);
  • any Content or data you submit, post, transmit, or otherwise make available;
  • any misrepresentation regarding age or failure to obtain required parental/guardian consent;
  • your configuration or use of third-party integrations in a manner that causes a claim against an Indemnified Party;
  • your noncompliance with Applicable Law in connection with your use of the Services.
20.2 Defense and Control. Upon written notice, you shall assume the defense of any claim covered by Section 20.1 with counsel reasonably acceptable to the Indemnified Parties. The Indemnified Parties may participate in the defense at their own expense.
20.3 Settlement. You shall not settle any claim without the Indemnified Parties' prior written consent if the settlement (i) imposes any obligation on any Indemnified Party, (ii) includes an admission of fault, or (iii) fails to include a full and unconditional release of all claims.
20.4 Notice; Prejudice. The Indemnified Parties will provide prompt notice of any claim for which indemnity is sought. Delay in notice does not relieve your obligations except to the extent you are materially prejudiced.
20.5 Advancement and Reimbursement. To the extent permitted by law, you shall promptly advance or reimburse all reasonable defense costs incurred by the Indemnified Parties in connection with covered claims.
20.6 Survival and Cumulative Remedies. These indemnification obligations survive termination or expiration of your account and are cumulative of any other rights or remedies at law or in equity.

21. Changes to This Policy

21.1 Right to Amend. We may update or amend this Policy at any time to reflect legal, technical, or operational changes. The "Effective Date" at the top indicates when the current version took effect.
21.2 Material Changes. Where required by law, we will provide clear notice of material changes via in-app notices, email, or other reasonable means. Examples of material changes include: new categories of Personal Data; expanded purposes; new recipients; changes to user rights procedures; or changes in international transfer mechanisms.
21.3 Consent Where Required. If Applicable Law requires consent for material changes (e.g., expanded purposes that are not compatible with the original purpose), we will seek your consent before applying such changes to your Personal Data.
21.4 Continued Use. Except where consent is required by law, your continued access or use of the Services after the effective date of an updated Policy constitutes your acceptance of the updated Policy.
21.5 Version Control and Archives. We maintain archived copies of prior versions for at least five (5) years or longer where required by law, to demonstrate notice and consent history.
21.6 No Retroactive Reduction of Rights. We will not reduce your statutory rights under Applicable Law without the legally required process (e.g., consent or separate notice).
21.7 Severability of Changes. If a particular amendment is held invalid or unenforceable, the remaining provisions and amendments remain in full force and effect.

22. Severability, Interpretation, and No Waiver

22.1 Severability. If any provision of this Policy is held invalid, illegal, or unenforceable by a court or authority of competent jurisdiction, such provision shall be limited or eliminated to the minimum extent necessary and the remaining provisions shall remain in full force and effect.
22.2 Modification Over Removal. Where possible, an invalid provision shall be modified to achieve the original intent to the maximum extent permitted by law rather than removed.
22.3 No Waiver. No failure or delay by the Company in exercising any right or remedy shall constitute a waiver of such right or remedy. A waiver in one instance shall not constitute a waiver in any other instance.
22.4 Construction and Language. Headings are for convenience only and do not affect interpretation. "Including" means "including without limitation." In the event of discrepancies between translations, the English version controls.
22.5 Conflict of Documents. In case of conflict between this Policy and any summary or FAQ, this Policy controls. In case of conflict between this Policy and the Terms of Service, the Terms govern procedural matters (e.g., dispute resolution, governing law), while this Policy governs privacy matters.
22.6 No Third-Party Beneficiaries. This Policy does not create any third-party beneficiary rights, except as expressly stated.

23. Contact Information; Controller; DPO; Representatives

23.1 Primary Privacy Contact (Global).

Friends Technologies LLC

Attn: Privacy Officer

Email: privacy@myfriendsapp.com

Mailing Address: [Insert Mailing Address]

23.2 Data Protection Officer (if appointed).

Email: dpo@myfriendsapp.com

The DPO (where appointed) oversees our data protection program and may be contacted for questions about this Policy.

23.3 EU/UK Representatives (if appointed under Article 27). Contact details for our EU/UK representatives (if required by law) are available upon request and may be listed on our website or within the Services.
23.4 Supervisory Authority Complaints. You have the right to lodge a complaint with your local data protection authority (e.g., an EU Member State authority or the UK ICO). We encourage you to contact us first so we can try to resolve your concerns.
23.5 Security Reports. Potential security vulnerabilities should be reported to security@myfriendsapp.com. Do not publicly disclose vulnerabilities before we confirm and address them.
23.6 Verification; Sensitive Information. For your protection, we may require verification of identity before discussing or disclosing Personal Data. Do not include sensitive information in unencrypted email.
23.7 Non-Support Channel. The above contacts are for privacy and security matters. General support requests should be sent to support@myfriendsapp.com or via in-app support.

24. Regional Compliance Annex

This Annex summarizes regional-specific rights and obligations. Where local mandatory law conflicts with this Policy, the stricter law prevails solely to the extent required.

24.1 European Union / EEA (GDPR).
  • Rights: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
  • Transfers: safeguarded by SCCs/IDTA, adequacy decisions, or other approved mechanisms with supplementary measures as needed.
  • Supervisory Authority: lodge complaints with your local authority.
24.2 United Kingdom (UK GDPR; DPA 2018).
  • Same core rights as GDPR; ICO is the supervisory authority.
  • Data transfers rely on UK IDTA/Addendum, adequacy, or other lawful mechanisms.
24.3 Switzerland (FADP).
  • Similar principles; potential differences in lawful basis and notification thresholds.
  • Swiss-U.S. Data Privacy Framework (if applicable) or SCCs with Swiss addendum.
24.4 United States (Federal/State).
  • California (CCPA/CPRA): rights to know, delete, and correct; to opt out of "sale"/"sharing"; to limit use of sensitive personal information; and to non-discrimination. We honor valid GPC signals.
  • Virginia/Colorado/Connecticut/Utah/Texas (and similar): rights of access, deletion, correction, and portability; the right to opt out of targeted advertising, sale, and certain profiling; appeals process where required.
  • Breach notification per applicable state law.
24.5 Brazil (LGPD).
  • Rights: confirmation, access, correction, anonymization, portability, deletion, information about sharing, and consent revocation.
  • National Authority: ANPD.
24.6 Canada (PIPEDA & Provincial).
  • Meaningful consent; access/correction rights; cross-border disclosures with appropriate safeguards.
24.7 Australia (Privacy Act) & New Zealand (Privacy Act 2020).
  • Access/correction rights; mandatory breach notifications in defined circumstances.
24.8 South Africa (POPIA).
  • Rights to access, correct, object to processing, and complain to the Information Regulator.
24.9 Singapore (PDPA).
  • Consent required unless exceptions apply; access/correction rights; data breach notification to PDPC for significant harm.
24.10 India (DPDP Act 2023).
  • Consent-led processing; special rules for children's data; grievance redressal mechanisms.
24.11 Middle East (e.g., UAE PDPL, Saudi PDPL).
  • Consent-based regimes with cross-border transfer restrictions and localization in some cases; regulator notices for breaches within set timelines.
24.12 Other Jurisdictions. We monitor legal developments and will update practices and notices as required. If a new law imposes stricter obligations, we will comply to the extent mandated and adjust this Policy accordingly.

Company-Protective Note: This Annex is a convenience summary and does not expand our obligations beyond Applicable Law. In case of ambiguity, the operative statutory texts and this Policy's main body control.

25. Final Provisions

25.1 Entire Agreement (Privacy). This Policy, together with the Cookie Policy and relevant portions of the Terms of Service, constitutes the entire understanding regarding the Processing of Personal Data via the Services and supersedes any prior or contemporaneous statements on the same subject.
25.2 Relationship to Terms of Service. Dispute resolution, governing law, class action waiver, and arbitration provisions are set forth in the Terms of Service and are incorporated by reference. To the extent permitted by law, those provisions apply to disputes arising from or relating to this Policy or our Processing of Personal Data.
25.3 Force Majeure. We are not liable for any delay or failure to perform obligations under this Policy due to events beyond our reasonable control, including natural disasters, acts of war, terrorism, civil unrest, labor disputes, internet or utility failures, widespread platform outages, or governmental actions.
25.4 Assignment. We may assign or transfer our rights and obligations under this Policy, in whole or in part, in connection with a corporate transaction (e.g., merger, acquisition, reorganization, or asset sale). You may not assign this Policy without our prior written consent.
25.5 Retention of Prior Versions; Evidence. We retain prior versions of this Policy and associated consent logs for evidentiary purposes, including to demonstrate notice, consent, and compliance in regulatory inquiries or litigation.
25.6 No Professional Advice. Nothing in this Policy constitutes legal, financial, medical, or other professional advice. AI-generated outputs (if any) are informational only and not a substitute for professional judgment.
25.7 Survival. Provisions that by their nature should survive (including security disclaimers, international transfer mechanisms, liability limitations, indemnities, dispute resolution references, and recordkeeping commitments) shall survive termination or cessation of Services.
25.8 Contact and Effective Date. Questions about this Policy may be directed to support@myfriendsapp.com. This Policy is effective as of the date indicated at the top and remains in force until superseded.