Privacy Policy

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

• Account Information: Full name, email address, password (encrypted), phone number (optional), profile picture, date of birth (for age verification)
• Profile Data: Username, bio, interests, goals, accountability preferences
• Payment Information: Billing address, payment method details (processed and stored by Stripe; we do not store full card numbers)
• Verification Content: Photos, images, and other media submitted for check-in verification
• Communication Data: Messages sent through the Platform, support inquiries, feedback
• Squad Data: Squad names, descriptions, rules, member lists, commitment details

1.2 Information Collected Automatically

• Device Information: Device type, operating system, unique device identifiers, mobile network information, device settings
• Usage Data: Pages visited, features used, time spent, click patterns, search queries, interaction data
• Log Data: IP address, browser type, browser version, access times, referring URLs, error logs
• Location Data: General location based on IP address; precise location only if explicitly permitted for specific features
• Performance Data: App crashes, system activity, hardware settings

1.3 Information from Third Parties

• OAuth Providers (Google): Name, email, profile picture when you sign in with Google
• Health/Fitness APIs (Google Fit, Apple Health): Activity data, step counts, workout data, sleep data (only with your explicit permission)
• Payment Processor (Stripe): Transaction confirmations, payment status, fraud indicators
• Analytics Providers: Aggregated usage statistics, demographic information

1.4 Sensitive Personal Data

We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, genetic data, or sexual orientation. If such data is inadvertently collected through user-generated content, it is subject to this Privacy Policy and will be handled with appropriate security measures.

2. HOW WE USE YOUR INFORMATION

2.1 Primary Purposes

• To create and manage your account
• To provide, maintain, and improve the Platform
• To process transactions and manage stakes
• To verify check-ins and commitment completion
• To facilitate Squad creation, joining, and participation
• To send notifications about your commitments, Squads, and check-in reminders
• To respond to your inquiries and provide customer support

2.2 Secondary Purposes

• To analyze usage patterns and improve user experience
• To develop new features and services
• To send marketing communications (with your consent)
• To conduct research and analytics
• To personalize your experience
• To monitor and prevent fraudulent activity

2.3 Legal and Security Purposes

• To comply with applicable laws and regulations
• To respond to legal process or government requests
• To enforce our Terms of Service
• To protect our rights, privacy, safety, or property
• To protect against legal liability
• To detect, prevent, or address fraud, security, or technical issues

3. LEGAL BASIS FOR PROCESSING (DPDPA & GDPR COMPLIANCE)

We process your personal data based on the following legal grounds:

3.1 Contractual Necessity

Processing necessary to perform our contract with you (providing Platform services, processing payments, managing your account).

3.2 Consent

Where you have given explicit consent (marketing communications, health data access, optional features). You may withdraw consent at any time through your account settings or by contacting us.

3.3 Legitimate Interests

Processing necessary for our legitimate interests (fraud prevention, security, analytics, improving services) that do not override your fundamental rights.

3.4 Legal Obligation

Processing necessary to comply with legal obligations (tax requirements, responding to law enforcement, financial regulations, anti-money laundering requirements).

4. INFORMATION SHARING AND DISCLOSURE

4.1 Third-Party Service Providers

We share information with trusted service providers who assist in operating the Platform:

• Stripe: Payment processing, fraud detection (subject to Stripe's Privacy Policy)
• Supabase: Database hosting, authentication services
• Google: OAuth authentication, Google Fit integration, analytics
• Apple: Apple Health integration (iOS users)
• OpenAI: AI-powered photo verification (images processed and deleted after verification)
• Cloud Hosting Providers: Server infrastructure and data storage
• Analytics Providers: Usage analytics and performance monitoring
• Communication Services: Email delivery, push notifications

4.2 Sharing with Other Users

Certain information is visible to other Users:

• Profile information (name, username, profile picture) to Squad members
• Check-in status and verification results to Squad members
• Commitment completion rates within Squads
• Messages sent in Squad chats

4.3 Legal Disclosures

We may disclose information when required by law or to:

• Comply with legal process, court orders, subpoenas, or government requests
• Cooperate with law enforcement investigations
• Enforce our Terms of Service and other agreements
• Protect against legal liability
• Protect the rights, property, or safety of Covenant, our Users, or others
• Investigate potential violations of our policies or applicable laws
• Respond to claims of illegal content or rights violations

4.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on the Platform at least 30 days before your information becomes subject to a different privacy policy. You will have the option to delete your account before the transfer.

4.5 What We Do NOT Do

5. DATA RETENTION

5.1 Retention Periods

• Active Account Data: Retained while your account is active and for 90 days after account deletion request
• Verification Images: Deleted within 30 days after verification completion
• Transaction Records: Retained for 7 years (legal and tax compliance requirements in India and US)
• Communication Records: Retained for 3 years after last interaction for customer service quality
• Usage Logs: Retained for 2 years for security and analytics purposes
• Deleted Account Data: Permanently deleted within 90 days of deletion request (except legally required retention as noted above)

5.2 Legal Retention Requirements

Certain data must be retained to comply with legal obligations under:

• Indian Law: Income Tax Act (7 years), FEMA regulations, Companies Act 2013, anti-money laundering requirements
• US Law: IRS requirements (7 years), state financial regulations, payment processing regulations, consumer protection laws

This data is retained for the legally mandated period even after account deletion, but access is restricted to authorized personnel only for compliance purposes.

6. YOUR RIGHTS AND CHOICES

6.1 Rights Under Indian Law (DPDPA 2023)

If you are in India, you have the following rights:

• Right to Access: Request a summary of your personal data and processing activities
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
• Right to Grievance Redressal: File complaints with our Grievance Officer
• Right to Nominate: Nominate a person to exercise your rights in case of death or incapacity
• Right to Withdraw Consent: Withdraw previously given consent at any time (does not affect processing based on other legal grounds)

6.2 Rights Under US Law (California - CCPA/CPRA)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of personal information collected, used, shared, and disclosed in the past 12 months
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of sale/sharing of personal information (we do not sell personal information)
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
• Right to Limit Use: Limit use and disclosure of sensitive personal information

6.3 How to Exercise Your Rights

To exercise any of your rights, contact us at support@covenantapp.me with the subject line PRIVACY REQUEST. Include your full name, email address, and specific request. We will respond within:

• India (DPDPA): 30 days from receipt of request
• California (CCPA/CPRA): 45 days (extendable by 45 days with notice if necessary)
• Other jurisdictions: 45 days or as required by applicable law

We may request verification of your identity before fulfilling requests. This may include requesting government-issued ID or answering security questions about your account activity.

6.4 Communication Preferences

• Marketing Emails: Unsubscribe via link in email footer or through account settings
• Push Notifications: Manage in device settings or app notification preferences
• SMS Messages: Reply STOP to any SMS or contact support
• Operational Emails: Cannot be disabled (account security, payment confirmations, legal notices)

7. DATA SECURITY

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

7.1 Security Measures

• Encryption in transit (TLS/SSL) and at rest (AES-256)
• Secure authentication with password hashing (bcrypt)
• Regular security audits and vulnerability assessments
• Access controls and authentication for all systems
• Employee training on data protection and security
• Incident response and breach notification procedures
• Regular backups with encryption
• Firewall and intrusion detection systems

7.2 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users via email within 72 hours of discovery (as required by DPDPA)
• Report to relevant authorities as required by law
• Provide information about the breach, affected data, and remedial actions
• Offer credit monitoring services if financial data was compromised (at our discretion)

8. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in countries other than your country of residence. We take steps to ensure adequate protection:

8.1 Transfer Mechanisms

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Adequacy decisions by competent data protection authorities
• Binding Corporate Rules where applicable
• Your explicit consent where required

8.2 Data Locations

Our primary data centers are located in [specify regions]. Service providers may process data in the United States, European Union, and other jurisdictions. All transfers comply with applicable data protection laws including DPDPA 2023 and GDPR.

9. CHILDREN'S PRIVACY

Covenant is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as soon as possible.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@covenantapp.me and we will promptly investigate and delete such information.

10. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to:

• Maintain your session and keep you logged in
• Remember your preferences and settings
• Analyze usage patterns and improve the Platform
• Provide personalized content and features
• Measure advertising effectiveness (with consent)

Types of Cookies

• Essential Cookies: Required for Platform operation (cannot be disabled)
• Functional Cookies: Remember preferences and settings
• Analytics Cookies: Help us understand Platform usage
• Advertising Cookies: Measure ad performance (only with consent)

You can control cookies through your browser settings. Disabling cookies may limit Platform functionality. For mobile apps, you can control tracking through your device settings (iOS: Limit Ad Tracking; Android: Opt out of Ads Personalization).

11. GRIEVANCE OFFICER (INDIAN COMPLIANCE)

In compliance with the Digital Personal Data Protection Act, 2023 and Information Technology Act, 2000, we have appointed a Grievance Officer to address privacy concerns:

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Email notification to your registered email address (at least 15 days before changes take effect)
• Prominent notice on the Platform
• In-app notification
• Updating the Last Updated date at the top of this policy

Your continued use of the Platform after changes become effective constitutes acceptance of the revised Privacy Policy. If you do not agree to the changes, you must stop using the Platform and may request account deletion.

We encourage you to review this Privacy Policy periodically. Material changes will be clearly indicated and may require re-acceptance.

CONTACT US

For questions, concerns, or requests regarding this Privacy Policy or our data practices: