Privacy Policy

PlotWings Privacy Policy Effective Date: October 28, 2025 Last Updated: October 28, 2025 Company: Further Theory, LLC ("we," "us," "our," "Company") Address: 6 Liberty Square #2327 Boston, MA 02109 United States Online Form: plotwings.com/support Website: plotwings.com This Privacy Policy describes how Further Theory, LLC collects, uses, shares, and protects personal information when you use the PlotWings mobile application and related services (the "App," "Service," or "Platform"). ═══════════════════════════════════════════════════════════ IMPORTANT NOTICES ═══════════════════════════════════════════════════════════ • WE DO NOT SELL YOUR PERSONAL INFORMATION to third parties for their own purposes. • CHILDREN'S PRIVACY: The App is not intended for children under 13. See Section 9. • YOUR RIGHTS: You have rights to access, correct, delete, and control your data. See Section 7. • THIRD-PARTY SERVICES: We use third-party service providers (cloud hosting, analytics, subscription management, AI services). See Section 5. • APPLE CONTROLS: Apple independently collects data via Sign in with Apple, In-App Purchase, and iOS. We do not control Apple's practices. See Section 3.1. By using the App, you agree to this Privacy Policy. If you disagree, do not use the App. Read our Terms of Service at plotwings.com/app-terms-of-service for additional information about your rights and obligations. ═══════════════════════════════════════════════════════════ TABLE OF CONTENTS ═══════════════════════════════════════════════════════════ 1. Information We Collect 2. How We Collect Information 3. Information from Third Parties 4. How We Use Your Information 5. How We Share Your Information 6. Legal Bases for Processing (EEA/UK) 7. Your Privacy Rights & Choices 8. Data Retention & Deletion 9. Children's Privacy 10. Data Security 11. International Data Transfers 12. State & Regional Specific Information 13. Automated Decision-Making & Profiling 14. Privacy by Design & Transparency 15. Data Breach Notification 16. Changes to This Policy 17. Contact Us & Data Protection Officer 18. Additional Information APPENDIX A: Service Provider Categories APPENDIX B: Glossary of Terms ═══════════════════════════════════════════════════════════ 1. INFORMATION WE COLLECT We collect personal information in three ways: (a) information you provide or we receive from Apple, (b) information collected automatically, and (c) information from third-party service providers. ─────────────────────────────────────────────────────────── 1.1 ACCOUNT & PROFILE INFORMATION SIGN IN WITH APPLE DATA (from Apple): • Unique user identifier (app-specific, not your Apple ID) • Email address you choose to share (may be a private relay address like privaterelay@appleid.com) • Name (if you choose to share; you may hide your real name) ACCOUNT PREFERENCES: • Display settings and preferences • Language and region settings • Notification preferences • Content preferences and interests WE DO NOT COLLECT: • Your Apple ID password • Payment information (Apple handles this) • Your full Apple ID profile • Data from other Apple services beyond what's shared via Sign in with Apple ─────────────────────────────────────────────────────────── 1.2 SUBSCRIPTION & PURCHASE DATA From Apple In-App Purchase (via subscription management service providers): • Subscription status (active, expired, cancelled, refunded) • Subscription tier and plan • Purchase date and renewal date • Trial status and eligibility • Transaction identifiers (anonymized, not full transaction details) • Subscription events (renewals, cancellations, billing issues) WE DO NOT COLLECT: • Credit card numbers or payment methods • Billing addresses (unless required for tax/legal purposes) • Full payment transaction details (Apple retains these) ─────────────────────────────────────────────────────────── 1.3 USAGE & INTERACTION DATA CONTENT INTERACTION: • Stories, articles, or content you view, read, or access • Reading progress and completion status • Time spent on content • Bookmarks, favorites, and saved items • Content ratings or feedback (if you provide) • Search queries within the App APP INTERACTION: • Features and screens you access • Buttons, links, and elements you tap or interact with • Session duration and frequency • App launches and closes • In-app navigation patterns • Actions taken within the App AI INTERACTION (if applicable): • Prompts and inputs you submit to AI systems • AI-generated outputs you receive • Interactions with AI features (e.g., regeneration requests, edits) • Feedback on AI outputs (thumbs up/down, reports) ─────────────────────────────────────────────────────────── 1.4 DEVICE & TECHNICAL INFORMATION DEVICE IDENTIFIERS: • Device type and model (e.g., iPhone 14 Pro, iPad Air) • Operating system and version (e.g., iOS 17.2) • App version and build number • Device unique identifiers generated by the App (not IDFA unless you consent to tracking) • Vendor identifier (IDFV) - provided automatically by iOS • Advertising identifier (IDFA) - ONLY if you grant App Tracking Transparency (ATT) permission TECHNICAL DATA: • IP address (may be anonymized or approximate) • Browser type and version (if using web features) • Time zone and locale settings • Network information (carrier, connection type) • Approximate location (country/region derived from IP or system settings) PERFORMANCE DATA: • App crashes and errors • Load times and latency • Feature performance metrics • Memory and CPU usage • Network speed and quality ─────────────────────────────────────────────────────────── 1.5 COMMUNICATIONS & SUPPORT DATA If you contact customer support or communicate with us: • Your name and email address • Contents of your messages, inquiries, or feedback • Attachments, screenshots, or files you provide • Support ticket history and correspondence • Survey responses (if you participate in surveys) ─────────────────────────────────────────────────────────── 1.6 USER-GENERATED CONTENT (FUTURE) If you submit content through the App (comments, reviews, posts, profiles): • Text content you create or submit • Images, videos, or other media you upload • Metadata associated with your content (timestamps, edit history) • Public profile information (if you create a profile) • Interactions with other users' content (likes, comments, shares) Note: User-generated content features may be limited or unavailable currently. If introduced, we will update this Policy. ─────────────────────────────────────────────────────────── 1.7 INFORMATION WE DO NOT COLLECT WE DO NOT COLLECT (unless you explicitly grant permission for specific features): • Precise geolocation (GPS coordinates) • Contacts or address book • Photo library or camera roll • Microphone or audio recordings (except for specific voice features if offered) • Camera or video recordings (except for specific features if offered) • Health or fitness data • Financial account information • Government-issued identification numbers • Biometric data (Face ID/Touch ID are processed by Apple locally on your device - see Section 1.8) • Contents of private messages with other users (if messaging features exist) • Sensitive categories of personal information (race, ethnicity, political opinions, religious beliefs, trade union membership, sexual orientation) unless you voluntarily provide such information ─────────────────────────────────────────────────────────── 1.8 BIOMETRIC DATA (FACE ID / TOUCH ID) If the App offers biometric authentication (Face ID, Touch ID) to lock/unlock the App: IMPORTANT: Biometric data is processed by Apple's iOS operating system, NOT by our App. • Face ID facial mapping and Touch ID fingerprints are stored locally in your device's Secure Enclave • Apple performs biometric verification on-device • We NEVER receive, store, process, or have access to your biometric data • We only receive a simple "success" or "failure" notification from iOS See Apple's Privacy Policy for details: https://www.apple.com/legal/privacy/ You can disable biometric features at any time in App Settings. ─────────────────────────────────────────────────────────── 1.9 SENSITIVE PERSONAL INFORMATION (CCPA/CPRA) Under California law, "sensitive personal information" includes: • Social Security numbers, driver's license numbers, passport numbers (we do NOT collect) • Account login credentials (we store email/user ID, but NOT passwords - Apple handles authentication) • Precise geolocation (we do NOT collect) • Racial or ethnic origin, religious beliefs, union membership (we do NOT collect) • Contents of mail, email, or text messages (we do NOT collect except customer support emails you send us) • Genetic data (we do NOT collect) • Biometric data (processed by Apple, not collected by us - see Section 1.8) • Health data (we do NOT collect) • Sex life or sexual orientation (we do NOT collect) WE DO NOT USE OR DISCLOSE SENSITIVE PERSONAL INFORMATION EXCEPT: (a) As necessary to provide the Service you requested (b) To ensure security and integrity (c) For short-term, transient use (d) To verify or maintain quality (e) As permitted by CPRA § 1798.121(a) You may limit use and disclosure of sensitive personal information (see Section 7.4). ═══════════════════════════════════════════════════════════ 2. HOW WE COLLECT INFORMATION 2.1 INFORMATION YOU PROVIDE DIRECTLY • When you create an account via Sign in with Apple • When you adjust settings or preferences • When you interact with content or features • When you submit prompts to AI features • When you contact customer support • When you participate in surveys or promotions 2.2 INFORMATION COLLECTED AUTOMATICALLY Using cookies, pixels, SDKs, and similar technologies: MOBILE SDK IDENTIFIERS: We use software development kits (SDKs) from third-party service providers that automatically collect device identifiers, usage data, and analytics. Note: Mobile apps do NOT use browser cookies. Instead, we use: • Persistent identifiers (app-generated user IDs) • iOS Advertising Identifier (IDFA) - only if you grant ATT permission • iOS Vendor Identifier (IDFV) - provided automatically by iOS • Session tokens • Local storage on your device See Section 8 (iOS Privacy Features) for how to control tracking. 2.3 INFORMATION FROM APPLE Via Sign in with Apple (see Section 3.1): • User authentication data • Email address (or private relay address) • Name (if you choose to share) Via Apple In-App Purchase (see Section 3.2): • Subscription status and events • Purchase history • Refund status Via Apple Push Notification Service (if you enable notifications): • Device push token • Notification delivery status 2.4 INFORMATION FROM THIRD-PARTY SERVICE PROVIDERS Our service providers may collect and share with us: • Analytics data (usage patterns, events, device info) • Subscription management data (purchase events, status changes) • Cloud infrastructure data (storage usage, data access patterns) • AI service data (prompts, outputs, performance metrics) • Customer support platform data (ticket history, interactions) See Section 5 and Appendix A for details. 2.5 INFORMATION FROM OTHER SOURCES We may receive information from: • Publicly available sources (if you link social media or public profiles) • Business partners (if you access the App through a partnership) • Fraud prevention and security services • Legal process or law enforcement (subpoenas, court orders) We combine this information with other data we collect to provide and improve the Service. ═══════════════════════════════════════════════════════════ 3. INFORMATION FROM THIRD PARTIES 3.1 APPLE - SIGN IN WITH APPLE WHAT APPLE PROVIDES TO US (with your consent): • Unique user identifier (specific to our App, not your Apple ID) • Email address (real or private relay address - your choice) • Name (if you choose to share; you may hide it) WHAT APPLE DOES NOT PROVIDE TO US: • Your Apple ID password • Your payment information • Your full Apple profile • Data from other Apple services (Music, iCloud, etc.) • Your device's IDFA (unless you separately grant tracking permission) APPLE'S INDEPENDENT DATA COLLECTION: Apple independently collects extensive data through: • Your Apple ID and authentication • App Store downloads and updates • Device usage and diagnostics (if enabled in iOS settings) • App launch and usage patterns (if "Share iPhone Analytics" is enabled) • Crash reports (if diagnostics are enabled) • Screen Time data WE DO NOT CONTROL APPLE'S DATA PRACTICES. See Apple's Privacy Policy: https://www.apple.com/legal/privacy/ YOUR APPLE ID MANAGEMENT: • View/manage Apple ID: https://appleid.apple.com • Delete Apple ID: https://privacy.apple.com • Manage Sign in with Apple: https://appleid.apple.com → Security → Apps Using Apple ID ─────────────────────────────────────────────────────────── 3.2 APPLE - IN-APP PURCHASE When you subscribe via Apple In-App Purchase (IAP): APPLE PROCESSES YOUR PAYMENT: • Apple collects and processes your payment information • Apple charges your iTunes Account • Apple maintains your purchase history WHAT WE RECEIVE (via subscription management service): • Notification that a purchase occurred • Subscription status (active, expired, cancelled) • Subscription tier and entitlements • Transaction ID (anonymized) • Renewal and cancellation events • Refund notifications WHAT WE DO NOT RECEIVE: • Credit card numbers or payment methods • Billing addresses (unless required for tax) • Full transaction details from Apple APPLE'S PURCHASE DATA RETENTION: Apple retains your purchase history independently for its own purposes. We cannot control or delete Apple's records. To manage purchases: iOS Settings → [Your Name] → Subscriptions To request refunds: https://reportaproblem.apple.com (Apple decides) ─────────────────────────────────────────────────────────── 3.3 THIRD-PARTY SERVICE PROVIDERS We use third-party service providers to help us operate the Service. These providers collect data on our behalf: CATEGORIES OF SERVICE PROVIDERS: (See Appendix A for detailed list) • **Cloud Hosting & Database Providers**: Store and deliver app data, content, and user information • **Analytics Providers**: Track app usage, user behavior, and performance metrics • **Subscription Management Providers**: Process subscription status from Apple IAP • **Artificial Intelligence (AI) Providers**: Process prompts and generate AI content • **Content Delivery Networks (CDNs)**: Deliver content quickly and efficiently • **Push Notification Services**: Deliver notifications (via Apple APNS) • **Customer Support Platforms**: Manage support tickets and communications • **Crash Reporting & Monitoring**: Track app crashes and errors • **Security & Fraud Prevention Services**: Detect and prevent abuse • **Email Service Providers**: Send transactional and marketing emails (if applicable) DATA SHARED WITH SERVICE PROVIDERS: We share only data necessary for each provider's specific function. Examples: • Analytics providers receive: User ID, device info, usage events, session data • Cloud hosting receives: User data, content, reading history • AI providers receive: Prompts, inputs, user preferences • Subscription management receives: Purchase events, user ID, subscription status OUR AGREEMENTS WITH SERVICE PROVIDERS: • Data Processing Agreements (DPAs) that restrict use of your data • Standard Contractual Clauses (SCCs) for international transfers (EEA/UK) • Confidentiality and security obligations • Prohibition on selling or using your data for their own purposes • Compliance with GDPR, CCPA, and other privacy laws SERVICE PROVIDER LIST: A current list of key service providers is available: • In Appendix A of this Policy • On our website at plotwings.com (if applicable) • Upon request via Online Form: plotwings.com/support **UPDATE CADENCE**: We update our service provider list as providers change. Material changes affecting data processing will be communicated as described in Section 16 (Changes to This Policy). We review and update the list at least annually and whenever we add, remove, or change service providers in ways that materially affect data processing. We may update service providers from time to time. Material changes will be communicated as described in Section 16. ─────────────────────────────────────────────────────────── 3.4 BUSINESS PARTNERS & INTEGRATIONS If we offer integrations with third-party services (e.g., social media sharing, export features): • You control whether to use these features • Data is shared only when you actively use the integration • Third parties' privacy policies govern their use of your data • We are not responsible for third-party practices ═══════════════════════════════════════════════════════════ 4. HOW WE USE YOUR INFORMATION We use your personal information for the following purposes: ─────────────────────────────────────────────────────────── 4.1 PROVIDE & DELIVER THE SERVICE • Create and maintain your account (linked to your Apple ID) • Authenticate your identity via Sign in with Apple • Deliver content, stories, and features • Enable premium features based on subscription status • Sync data across your devices • Process and respond to your requests • Provide customer support and troubleshooting • Send transactional notifications (e.g., subscription confirmations, account changes) ─────────────────────────────────────────────────────────── 4.2 PERSONALIZE YOUR EXPERIENCE • Recommend content based on your reading history and preferences • Customize the user interface and experience • Remember your settings and preferences • Provide personalized search results • Generate AI content tailored to your inputs • Show relevant in-app messages or prompts ─────────────────────────────────────────────────────────── 4.3 IMPROVE & DEVELOP THE SERVICE • Analyze usage patterns and trends (aggregated) • Identify popular and underperforming features • Conduct product research and development • Test new features and functionality (A/B testing) • Measure effectiveness of product changes • Optimize app performance and speed • Fix bugs and technical issues ─────────────────────────────────────────────────────────── 4.4 TRAIN & IMPROVE AI SYSTEMS • Use prompts and inputs to train, test, and improve AI models and algorithms • Evaluate AI output quality and accuracy • Develop new AI features and capabilities • Identify and prevent AI misuse or abuse • Improve content filtering and safety systems IMPORTANT: • We use aggregated, anonymized, or pseudonymized data where feasible • We do NOT sell your prompts to third parties for their own AI training • AI service providers process data under contractual restrictions • You may opt out of AI training use in certain circumstances (see Section 7.12) **PROCESSING THAT ALWAYS CONTINUES** (even if you opt out of AI training): • Delivering AI features and services you requested • Security, fraud prevention, and abuse detection • Content moderation and safety systems • Aggregated or fully anonymized data improvements • Legal compliance and protecting rights ─────────────────────────────────────────────────────────── 4.5 ENSURE SECURITY & PREVENT ABUSE • Detect and prevent fraud, scams, and unauthorized access • Identify and respond to security threats • Monitor for violations of our Terms of Service • Prevent spam, abuse, and misuse of the Service • Verify user eligibility and compliance • Investigate suspicious activity • Enforce our policies and legal rights • Conduct security audits and risk assessments ─────────────────────────────────────────────────────────── 4.6 ANALYTICS & BUSINESS OPERATIONS • Measure app engagement, retention, and usage metrics • Understand user demographics and preferences (aggregated) • Generate business insights and reports • Evaluate marketing campaign effectiveness • Conduct internal business analytics • Assess financial performance and forecasting • Monitor service health and uptime ─────────────────────────────────────────────────────────── 4.7 COMPLY WITH LEGAL OBLIGATIONS • Respond to legal requests (subpoenas, court orders, warrants) • Comply with applicable laws, regulations, and legal processes • Protect legal rights and enforce agreements • Establish, exercise, or defend legal claims • Comply with tax, accounting, and audit requirements • Respond to government or regulatory inquiries • Prevent or investigate illegal activity ─────────────────────────────────────────────────────────── 4.8 COMMUNICATIONS & MARKETING (WITH YOUR CONSENT) • Send push notifications about new content, features, or updates (if you opt in) • Send promotional emails or in-app messages (if you opt in) • Conduct surveys or request feedback (optional participation) • Notify you of special offers, discounts, or events OPT-OUT: You can opt out of marketing communications at any time (see Section 7.6). TRANSACTIONAL COMMUNICATIONS: We may send essential service-related communications (e.g., account security alerts, subscription renewals, Terms updates) even if you opt out of marketing. These are necessary for the Service. ─────────────────────────────────────────────────────────── 4.9 PROFILING & AUTOMATED DECISION-MAKING We may use automated processing and profiling for: • Content recommendations (what stories to show you) • Personalized search results • Fraud detection and risk assessment • Content moderation (flagging potentially inappropriate content) • Subscription eligibility and pricing (e.g., trial eligibility) SIGNIFICANT DECISIONS: We do not make solely automated decisions that produce legal effects or similarly significantly affect you (e.g., we don't auto-deny accounts based solely on algorithms). YOUR RIGHTS: EEA/UK users have the right to object to profiling and request human review (see Section 7.2 and Section 13). ─────────────────────────────────────────────────────────── 4.10 AGGREGATE & ANONYMIZED DATA We may aggregate or anonymize your personal information to create datasets that no longer identify you personally. We may use and share such data for: • Research and analysis • Product development • Benchmarking and trends • Marketing and business purposes • Training AI models • Any other lawful purpose Once properly anonymized, this data is no longer "personal information" under most privacy laws. ═══════════════════════════════════════════════════════════ 5. HOW WE SHARE YOUR INFORMATION WE DO NOT SELL YOUR PERSONAL INFORMATION. We share your personal information only in the following limited circumstances: ─────────────────────────────────────────────────────────── 5.1 WITH SERVICE PROVIDERS (PROCESSORS) We share data with third-party service providers that perform services on our behalf: EXAMPLES OF SERVICE PROVIDERS & DATA SHARED: **Cloud Hosting & Database Providers**: • Data Shared: Account data, content, reading history, preferences, device info • Purpose: Store and deliver app data and content • Examples: Cloud infrastructure, database services **Analytics Providers**: • Data Shared: User ID (pseudonymous), usage events, device info, session data • Purpose: Track app usage and performance • Examples: Mobile analytics platforms **Subscription Management Providers**: • Data Shared: User ID, subscription status, purchase events from Apple • Purpose: Enable premium features based on subscription • Examples: Subscription infrastructure services **AI & Machine Learning Providers**: • Data Shared: Prompts, inputs, user preferences, usage patterns • Purpose: Generate AI content, train models, provide AI features • Examples: AI APIs, ML platforms **Content Delivery Networks (CDNs)**: • Data Shared: Device info, IP address, content requests • Purpose: Deliver content quickly and efficiently • Examples: CDN services **Push Notification Services**: • Data Shared: Device push token, notification content, user preferences • Purpose: Deliver notifications via Apple APNS • Examples: Notification infrastructure **Customer Support Platforms**: • Data Shared: Name, email, support messages, account details • Purpose: Provide customer support • Examples: Helpdesk and ticketing systems **Crash Reporting & Monitoring**: • Data Shared: Crash logs, device info, app state, error messages • Purpose: Identify and fix bugs • Examples: Crash analytics services **Security & Fraud Prevention**: • Data Shared: Device fingerprints, IP addresses, usage patterns, transaction data • Purpose: Detect fraud and prevent abuse • Examples: Fraud detection services **Email Service Providers** (if applicable): • Data Shared: Email address, name, email content • Purpose: Send transactional and marketing emails • Examples: Email delivery platforms LEGAL PROTECTIONS: All service providers: • Act as data processors on our behalf • Execute Data Processing Agreements (DPAs) restricting use of your data • May only use your data to provide services to us (not for their own purposes) • Are contractually obligated to protect your data • Must comply with GDPR, CCPA, and other applicable privacy laws • Use Standard Contractual Clauses (SCCs) for international data transfers where required See Appendix A for a detailed list of service provider categories. For a current list of specific provider names (where required by law), Online Form: plotwings.com/support ─────────────────────────────────────────────────────────── 5.2 WITH APPLE We share limited data with Apple as part of the iOS ecosystem: VIA SIGN IN WITH APPLE: • You control what data Apple shares with us (see Section 3.1) • We do not "share back" data with Apple beyond what's necessary for authentication VIA APPLE IN-APP PURCHASE: • Apple independently collects and processes your payment information • We receive subscription status notifications (see Section 3.2) VIA APPLE PUSH NOTIFICATION SERVICE (APNS): • We send push notification content to Apple for delivery to your device • Apple delivers notifications to your device • Apple may log notification delivery for operational purposes WE DO NOT CONTROL APPLE'S DATA PRACTICES. Apple is an independent data controller for data it collects and processes. See Apple's Privacy Policy: https://www.apple.com/legal/privacy/ ─────────────────────────────────────────────────────────── 5.3 FOR LEGAL REASONS We may disclose your information when required or permitted by law: LEGAL OBLIGATIONS: • To comply with subpoenas, court orders, warrants, or legal process • To comply with applicable laws, regulations, or legal requirements • To respond to government or regulatory requests • To cooperate with law enforcement investigations PROTECT RIGHTS & SAFETY: • To enforce our Terms of Service or other agreements • To protect our legal rights, property, or safety • To protect the rights, property, or safety of users or the public • To detect, prevent, or investigate fraud, security threats, or illegal activity • To prevent imminent harm or danger to persons or property EVALUATION & NOTICE: • We evaluate the legality and scope of legal requests • We may challenge overly broad or improper requests • Where legally permitted, we notify affected users of legal demands (unless prohibited by law or court order) • We may seek protective orders or confidential treatment EMERGENCY DISCLOSURES: In emergencies involving imminent harm (e.g., suicide threats, violent threats), we may disclose information to: • Law enforcement or emergency services • Mental health professionals • Individuals at risk or their emergency contacts WITHOUT LEGAL PROCESS if necessary to prevent serious harm. ─────────────────────────────────────────────────────────── 5.4 BUSINESS TRANSFERS If Further Theory is involved in a merger, acquisition, sale of assets, reorganization, bankruptcy, or similar transaction: WHAT MAY BE TRANSFERRED: • Your personal information may be transferred to the acquiring entity or successor • The transfer is subject to this Privacy Policy unless you consent to a new policy • We will make reasonable efforts to ensure the acquiring party honors this Policy NOTICE: • We will provide notice via email and/or in-app notification before personal information is transferred and becomes subject to a different privacy policy • Notice period: Typically 30 days or as required by law YOUR RIGHTS: • You may delete your account before the transfer is completed (see Section 7.5) • You may exercise rights under applicable privacy laws (see Section 7) ─────────────────────────────────────────────────────────── 5.5 WITH YOUR CONSENT OR DIRECTION We may share your information with third parties when: • You explicitly consent to the sharing • You direct us to share information (e.g., via export, sharing features, integrations) • You make information publicly available (e.g., public profiles, public posts) You can withdraw consent at any time, but withdrawal does not affect the lawfulness of prior sharing. ─────────────────────────────────────────────────────────── 5.6 AGGREGATE OR ANONYMIZED DATA We may share aggregated, anonymized, or de-identified data that does not identify you personally with: • Business partners • Researchers and academics • The public (e.g., in blog posts, reports, presentations) • Service providers • Any other parties for any lawful purpose Such data is not "personal information" once properly anonymized. ─────────────────────────────────────────────────────────── 5.7 PUBLIC INFORMATION If you post content publicly through the App (e.g., public profiles, comments, reviews): • That information is accessible to other users and the public • We are not responsible for how others use publicly available information • You should carefully consider what you choose to make public ─────────────────────────────────────────────────────────── 5.8 WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION IMPORTANT: We do NOT sell your personal information to third parties for money or other valuable consideration. **NO SALE OR SHARING FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING**: We **do not sell or share** personal information (for cross-context behavioral advertising) as defined under U.S. state privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Montana (MCDPA). **GLOBAL PRIVACY CONTROL (GPC)**: We **honor Global Privacy Control (GPC) signals** on our web properties as an opt-out of any sale or sharing, demonstrating our commitment to user privacy choices. If we ever engage in practices that could be considered "selling" or "sharing" under state law definitions, we will: • Update this Policy with clear notice • Provide prominent opt-out mechanisms • Require opt-in consent where required by law • Continue to honor GPC signals ═══════════════════════════════════════════════════════════ 6. LEGAL BASES FOR PROCESSING (EEA/UK) If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal information only when we have a valid legal basis under the General Data Protection Regulation (GDPR) or UK GDPR. ─────────────────────────────────────────────────────────── 6.1 LEGAL BASES WE RELY ON **PERFORMANCE OF CONTRACT (GDPR Art. 6(1)(b))**: Processing necessary to perform our contract with you (Terms of Service): • Create and maintain your account • Provide the App and its features • Enable premium features based on subscription • Deliver content and services you request • Sync data across your devices • Provide customer support **LEGITIMATE INTERESTS (GDPR Art. 6(1)(f))**: Processing necessary for our legitimate interests (or those of third parties), provided your interests and rights do not override: • Improve and develop the Service • Conduct analytics and research • Ensure security and prevent fraud • Detect and prevent abuse or violations • Communicate about the Service • Enforce our Terms and policies • Protect legal rights and property • Business operations and administration BALANCING TEST: We have conducted legitimate interest assessments (LIAs) balancing our interests against your rights. You may request a copy: Online Form: plotwings.com/support **CONSENT (GDPR Art. 6(1)(a))**: Processing based on your explicit, freely given consent: • Marketing communications (promotional emails, push notifications) • Use of advertising identifier (IDFA) for tracking (iOS App Tracking Transparency) • Optional features requiring consent (e.g., camera, microphone access) • AI training use of your prompts (if you opt in) • Sharing with third parties beyond what's necessary for the Service You may withdraw consent at any time (see Section 7.10). **LEGAL OBLIGATION (GDPR Art. 6(1)(c))**: Processing necessary to comply with legal obligations: • Respond to legal requests (subpoenas, court orders) • Tax and accounting compliance • Regulatory reporting • Child safety obligations (COPPA, GDPR Article 8) **VITAL INTERESTS (GDPR Art. 6(1)(d))**: Processing necessary to protect vital interests (life or death): • Emergency disclosures to prevent serious harm • Suicide prevention or mental health emergencies **PUBLIC INTEREST (GDPR Art. 6(1)(e))**: Processing necessary for tasks carried out in the public interest: • Generally not applicable to our Service ─────────────────────────────────────────────────────────── 6.2 SPECIAL CATEGORIES OF DATA We do NOT intentionally collect "special categories" of personal data (sensitive data) under GDPR Article 9, including: • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Genetic data • Biometric data (except as processed locally by Apple - see Section 1.8) • Health data • Sex life or sexual orientation If you voluntarily provide such information (e.g., in prompts, support messages, or user content), we may process it based on: • Your explicit consent (GDPR Art. 9(2)(a)) • Your manifestly making the data public (GDPR Art. 9(2)(e)) • Establishment, exercise, or defense of legal claims (GDPR Art. 9(2)(f)) ─────────────────────────────────────────────────────────── 6.3 CHILDREN'S DATA (GDPR ARTICLE 8) We process personal data of children aged 13-15 in the EEA based on: • Parental consent (via Apple Family Sharing) - GDPR Art. 6(1)(a) + Art. 8 • Performance of contract (for account functionality) - GDPR Art. 6(1)(b) See Section 9 for detailed children's privacy information. ═══════════════════════════════════════════════════════════ 7. YOUR PRIVACY RIGHTS & CHOICES Depending on your location, you have various rights regarding your personal information. ─────────────────────────────────────────────────────────── 7.1 RIGHTS AVAILABLE TO ALL USERS **ACCESS YOUR INFORMATION**: Request a copy of the personal information we hold about you. **CORRECT INACCURATE INFORMATION**: Update or correct inaccurate or incomplete personal information. • In-App: Settings → Account → Edit Profile • Online Form: plotwings.com/support **DELETE YOUR ACCOUNT & DATA**: Request deletion of your account and associated personal information. • In-App: Settings → Account → Delete Account • Online Form: plotwings.com/support (subject: "Delete My Account") See Section 8 for details on what gets deleted vs. retained. **OPT OUT OF MARKETING COMMUNICATIONS**: Stop receiving promotional emails or push notifications. • Email: Click "unsubscribe" link in emails • Push Notifications: iOS Settings → Notifications → PlotWings • In-App: Settings → Notifications • Online Form: plotwings.com/support **OPT OUT OF ANALYTICS TRACKING**: Reduce or stop analytics tracking (may limit some personalization). • In-App: Settings → Privacy → Opt Out of Analytics (if available) • Online Form: plotwings.com/support **MANAGE PERMISSIONS**: Control app permissions via iOS settings: • iOS Settings → Privacy & Security → [Permission Type] → PlotWings • Permissions: Tracking, Notifications, Location, Photos, Camera, Microphone ─────────────────────────────────────────────────────────── 7.2 EUROPEAN ECONOMIC AREA (EEA) & UNITED KINGDOM (UK) USERS If you are in the EEA or UK, you have additional rights under GDPR/UK GDPR: **RIGHT TO ACCESS (Article 15)**: • Confirm whether we process your personal data • Receive a copy of your personal data • Learn about processing purposes, categories, recipients, retention periods • HOW: Online Form: plotwings.com/support (subject: "GDPR Data Access Request") • TIMELINE: Response within 1 month (may extend to 3 months for complex requests) **RIGHT TO RECTIFICATION (Article 16)**: • Correct inaccurate personal data • Complete incomplete personal data • HOW: In-app Settings or Online Form: plotwings.com/support **RIGHT TO ERASURE / "RIGHT TO BE FORGOTTEN" (Article 17)**: Request deletion when: • Data no longer necessary for original purpose • You withdraw consent (where processing is based on consent) • You object to processing and no overriding legitimate grounds exist • Data processed unlawfully • Legal obligation requires deletion EXCEPTIONS (we may refuse deletion): • Compliance with legal obligations • Establishment, exercise, or defense of legal claims • Freedom of expression and information • Archiving, research, or statistical purposes (with safeguards) HOW: In-app Settings → Account → Delete Account, or Online Form: plotwings.com/support **RIGHT TO RESTRICTION OF PROCESSING (Article 18)**: Request we stop processing (but retain) your data when: • You contest accuracy (during verification) • Processing is unlawful but you prefer restriction over deletion • We no longer need the data but you need it for legal claims • You objected to processing (pending verification of our legitimate grounds) HOW: Online Form: plotwings.com/support (subject: "GDPR Restriction Request") **RIGHT TO DATA PORTABILITY (Article 20)**: • Receive personal data in structured, machine-readable format (e.g., JSON, CSV) • Transmit data to another controller (where technically feasible) • APPLIES TO: Data processed based on consent or contract, and processed by automated means • HOW: Online Form: plotwings.com/support (subject: "GDPR Data Portability Request") **RIGHT TO OBJECT (Article 21)**: • Object to processing based on legitimate interests (including profiling) - we must stop unless we demonstrate compelling legitimate grounds • Object to direct marketing (including profiling for marketing) - we will stop immediately • HOW: Online Form: plotwings.com/support (subject: "GDPR Objection") **RIGHT TO WITHDRAW CONSENT (Article 7(3))**: • Withdraw consent at any time (where processing is based on consent) • Does not affect lawfulness of processing before withdrawal • HOW: In-app settings, unsubscribe links, or Online Form: plotwings.com/support **RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Article 22)**: • Right not to be subject to solely automated decisions with legal or similarly significant effects • We do not make such decisions (see Section 13) • If applicable, you have the right to human review **RIGHT TO LODGE A COMPLAINT**: • File complaint with your data protection authority (supervisory authority) • EEA: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en • UK: Information Commissioner's Office (ICO) - https://ico.org.uk - Phone: 0303 123 1113 TIMELINE: We respond to GDPR requests within 1 month, extendable to 3 months for complex requests. We will notify you of any extension. VERIFICATION: We may request additional information to verify your identity before fulfilling requests. NO FEE: Requests are free unless manifestly unfounded, excessive, or repetitive (we may charge reasonable fee or refuse). ─────────────────────────────────────────────────────────── 7.3 CALIFORNIA RESIDENTS (CCPA/CPRA) If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): **RIGHT TO KNOW (CCPA § 1798.100, CPRA § 1798.110)**: Request disclosure of: • Categories of personal information collected • Specific pieces of personal information collected • Categories of sources • Business or commercial purposes for collection • Categories of third parties with whom we share See Section 12.1 for detailed CCPA disclosures. **RIGHT TO DELETE (CCPA § 1798.105)**: Request deletion of personal information we collected from you (subject to exceptions). EXCEPTIONS: • Complete the transaction for which we collected the information • Detect security incidents, fraud, or illegal activity • Debug and repair errors • Exercise free speech or other legal rights • Comply with California Electronic Communications Privacy Act • Engage in research (if you provided informed consent) • Internal uses reasonably aligned with your expectations • Comply with legal obligations • Other uses compatible with the context in which you provided the information **RIGHT TO CORRECT (CPRA § 1798.106)**: Request correction of inaccurate personal information. **RIGHT TO OPT OUT**: (a) **OPT OUT OF "SALE" OR "SHARING" (CCPA § 1798.120, CPRA § 1798.121)**: • We do NOT sell personal information • If we engage in "sharing" for cross-context behavioral advertising (e.g., via cookies/pixels), you can opt out • HOW: [DO NOT SELL OR SHARE MY PERSONAL INFORMATION] link (if applicable) • We honor Global Privacy Control (GPC) browser signals (b) **LIMIT USE OF SENSITIVE PERSONAL INFORMATION (CPRA § 1798.121)**: • We do not use sensitive personal information beyond what's necessary for the Service • If applicable, you can limit use: Settings → Privacy → Limit Use of Sensitive Information **RIGHT TO NON-DISCRIMINATION (CCPA § 1798.125)**: We will NOT: • Deny goods or services • Charge different prices or rates • Provide different quality or level of service • Suggest you will receive different prices or quality ...because you exercised your CCPA/CPRA rights. **HOW TO EXERCISE RIGHTS**: • Online Form: plotwings.com/support (subject: "California Privacy Rights Request") • INCLUDE: Name, email, California residency confirmation, specific right, detailed description • TIMELINE: Response within 45 days (may extend 45 days with notice) • VERIFICATION: We will verify your identity using email, account info, or additional information **AUTHORIZED AGENTS**: You may designate an agent to submit requests on your behalf. AGENT MUST PROVIDE: • Written authorization signed by you • Proof of agent's identity and authority • We may require direct verification from you **APPEAL RIGHTS**: If we deny your request, you may appeal by Online Form: plotwings.com/support (subject: "CCPA Appeal"). ─────────────────────────────────────────────────────────── 7.4 OTHER U.S. STATE RESIDENTS If you reside in Virginia, Colorado, Connecticut, Utah, or other states with privacy laws: **VIRGINIA (VCDPA), COLORADO (CPA), CONNECTICUT (CTDPA)**: Similar rights to California: • Right to access • Right to delete • Right to correct • Right to opt out of targeted advertising, sale, and profiling in furtherance of decisions with legal/similarly significant effects **UTAH (UCPA)**: • Right to access • Right to delete • Right to opt out of sale and targeted advertising **HOW TO EXERCISE**: Online Form: plotwings.com/support (subject: "Privacy Rights Request [State]") **APPEALS** (Virginia, Colorado, Connecticut, Montana): If we deny your request, you may appeal: • Online Form: plotwings.com/support (subject: "Privacy Rights Appeal") • Timeline: We will respond to your appeal **within the deadline required by your state law** (typically **30-45 days**, depending on jurisdiction) • Include: Original request details, reason you believe the denial was incorrect, and any supporting information • If denied on appeal, you may contact your state attorney general ─────────────────────────────────────────────────────────── 7.5 CANADA (PIPEDA) If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws: **YOUR RIGHTS**: • Access your personal information • Request correction of inaccuracies • Withdraw consent (where processing is based on consent) • Challenge our compliance with PIPEDA • File complaint with the Privacy Commissioner of Canada **HOW TO EXERCISE**: Online Form: plotwings.com/support (subject: "PIPEDA Privacy Request") **COMPLAINT**: Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca - Phone: 1-800-282-1376 ─────────────────────────────────────────────────────────── 7.6 MARKETING & PROMOTIONAL COMMUNICATIONS OPT OUT OF MARKETING: • Email: Click "unsubscribe" in any promotional email • Push Notifications: iOS Settings → Notifications → PlotWings (turn off) • In-App: Settings → Notifications → Promotional Notifications (toggle off) • Online Form: plotwings.com/support (subject: "Opt Out of Marketing") TRANSACTIONAL COMMUNICATIONS: You cannot opt out of essential service communications (e.g., account security alerts, subscription renewals, legal updates), as these are necessary for the Service. OPT-OUT TIMELINE: We process opt-out requests within 10 business days. ─────────────────────────────────────────────────────────── 7.7 iOS PRIVACY CONTROLS **APP TRACKING TRANSPARENCY (ATT)**: Control whether we can access your IDFA for tracking: • iOS Settings → Privacy & Security → Tracking → PlotWings (toggle on/off) • iOS Settings → Privacy & Security → Tracking → "Allow Apps to Request to Track" (global setting) **APP PERMISSIONS**: Control access to device features: • iOS Settings → Privacy & Security → [Permission Type] → PlotWings • Permissions: Location, Photos, Camera, Microphone, Notifications **LIMIT AD TRACKING** (older iOS versions): • iOS Settings → Privacy → Advertising → "Limit Ad Tracking" (toggle on) **RESET ADVERTISING IDENTIFIER**: • iOS Settings → Privacy & Security → Apple Advertising → Reset Advertising Identifier **HIDE MY EMAIL** (iCloud+ feature): • When signing in with Apple, choose "Hide My Email" to use private relay address • Manage: https://appleid.apple.com **PRIVATE RELAY** (iCloud+ feature): • Hides your IP address from websites and apps • iOS Settings → [Your Name] → iCloud → Private Relay **APP PRIVACY REPORT** (iOS 15+): • iOS Settings → Privacy & Security → App Privacy Report • See which apps accessed your data ─────────────────────────────────────────────────────────── 7.8 DO NOT TRACK (DNT) SIGNALS Our App does not respond to "Do Not Track" (DNT) browser signals, as DNT is a web browser feature and our iOS app does not use web browsers. Instead, we respond to: • **iOS App Tracking Transparency (ATT)** prompts (see Section 7.7) • **Global Privacy Control (GPC)** signals (for web features, if applicable) ─────────────────────────────────────────────────────────── 7.9 GLOBAL PRIVACY CONTROL (GPC) If our App includes web features, we honor **Global Privacy Control (GPC)** signals as an opt-out of "sale" or "sharing" under CCPA/CPRA and similar state laws. Learn more: https://globalprivacycontrol.org ─────────────────────────────────────────────────────────── 7.10 WITHDRAWING CONSENT If processing is based on your consent, you may withdraw consent at any time. **HOW**: • In-app settings (toggle off features) • Online Form: plotwings.com/support (subject: "Withdraw Consent") **EFFECT**: • We will stop processing based on that consent • Does not affect lawfulness of processing before withdrawal • May affect your ability to use certain features ─────────────────────────────────────────────────────────── 7.11 ACCOUNT DELETION See Section 8.1 for comprehensive account deletion information. ─────────────────────────────────────────────────────────── 7.12 OPT OUT OF AI TRAINING To request that your prompts and inputs NOT be used for AI model training: **HOW**: • Online Form: plotwings.com/support (subject: "Opt Out of AI Training") • In-App: Settings → Privacy → AI Training (if available) **LIMITATIONS - PROCESSING THAT CONTINUES**: Opting out of AI training **does not limit** and **does not prevent** processing necessary for: (a) **Delivering AI features and services** you request (b) **Security, fraud prevention, and abuse detection** (c) **Content moderation** and safety systems (d) **Aggregated or fully anonymized data** improvements (e) Legal compliance and protecting rights **ADDITIONAL LIMITATIONS**: • Not retroactive (does not apply to previously collected data) • May not be possible for all AI features (some require training data to function) • Does not prevent use of aggregated or fully anonymized data • Does not prevent processing for service delivery, security, content moderation, or abuse prevention See our Terms of Service (Section 6: AI-Generated Content & Disclaimers) for comprehensive information about AI features and your rights. ─────────────────────────────────────────────────────────── 7.13 SUBMITTING REQUESTS **HOW TO CONTACT US**: Online Form: plotwings.com/support Subject: "[Type of Request] - [Your Name]" Include: Your name, email, account info, specific request, detailed description **VERIFICATION**: We may request additional information to verify your identity before fulfilling requests, such as: • Email confirmation • Account credentials • Answers to security questions • Government-issued ID (for sensitive requests) **TIMELINE**: • GDPR/UK: 1 month (extendable to 3 months) • CCPA/CPRA: 45 days (extendable 45 days) • Other jurisdictions: As required by applicable law **NO FEE**: Requests are generally free, unless manifestly unfounded, excessive, or repetitive. ═══════════════════════════════════════════════════════════ 8. DATA RETENTION & DELETION We retain personal information as long as necessary to fulfill the purposes described in this Policy, unless longer retention is required or permitted by law. ─────────────────────────────────────────────────────────── 8.1 ACCOUNT DELETION TO DELETE YOUR ACCOUNT: **IN-APP**: Settings → Account → Delete Account Online Form: plotwings.com/support (subject: "Delete My Account") **TIMELINE**: We process deletion requests within 30 days. **WHAT GETS DELETED**: • Account profile and preferences • Reading history and progress • Bookmarks and favorites • User-generated content you created • Analytics data linked to your account (within retention periods) • Prompts and AI interaction history (within retention periods) **WHAT DOES NOT GET DELETED**: • Your Apple ID (managed by Apple at https://privacy.apple.com - you must delete separately) • Purchase history held by Apple (required for Apple's financial and tax records) • Data required for legal, tax, regulatory, or contractual obligations (see Section 8.2) • Data subject to legal holds or pending disputes • Aggregated or anonymized data that no longer identifies you • Backup copies (deleted during normal backup rotation, typically within 90 days) **SUBSCRIPTION CANCELLATION**: Deleting your account does NOT automatically cancel subscriptions. Cancel separately via: • iOS Settings → [Your Name] → Subscriptions → PlotWings → Cancel **RECOVERY PERIOD**: We may retain deleted account data for 30-90 days in case you change your mind or to prevent fraud. After this period, data is permanently deleted (except as noted above). ─────────────────────────────────────────────────────────── 8.2 RETENTION PERIODS BY DATA TYPE **ACCOUNT INFORMATION**: • Active accounts: Retained while account is active • Deleted accounts: 30-90 days recovery period, then permanently deleted • Legal/tax records: Up to 7 years after deletion (e.g., subscription transaction records) **PAYMENT & TRANSACTION DATA**: • Retained for subscription duration plus 7 years (tax, accounting, legal compliance) • Apple retains separate purchase history independently **USAGE & ANALYTICS DATA**: • Identifiable data: Up to 24-26 months (recommend 24 months; some providers default to 60 months) • Aggregated/anonymized data: Indefinitely **AI PROMPTS & OUTPUTS**: • Prompts: 30-90 days for abuse monitoring and quality improvement, then deleted (unless you save outputs) • Outputs: Retained while associated with your account, or until you delete • Training data: Aggregated/anonymized data may be retained indefinitely for model improvement (opt out available - see Section 7.12) **CUSTOMER SUPPORT COMMUNICATIONS**: • Retained for 3 years after last interaction **READING HISTORY**: • Retained while account is active • Deleted upon account deletion (or as requested) **MARKETING COMMUNICATIONS & PREFERENCES**: • Contact info: Retained until you opt out • Opt-out/suppression records: Retained indefinitely to honor your preference **CRASH LOGS & ERROR REPORTS**: • Retained for 12-24 months for debugging purposes **SECURITY & FRAUD LOGS**: • Retained for 12-24 months for security and abuse prevention **LEGAL HOLD DATA**: • Retained as long as necessary for: - Pending litigation or investigations - Legal obligations or obligations under law - Exercise or defense of legal claims ─────────────────────────────────────────────────────────── 8.3 DELETION & DE-IDENTIFICATION When retention periods expire or upon your deletion request, we: **SECURE DELETION**: • Overwrite or delete data from active systems • Remove data from backups during normal rotation cycles **DE-IDENTIFICATION**: • Anonymize or aggregate data so it no longer identifies you • Once properly anonymized, data is no longer "personal information" **TECHNICAL LIMITATIONS**: In some cases, complete deletion is not technically feasible (e.g., archived records, distributed databases, backup systems). In such cases, we: • Isolate and protect data from further processing • Delete data during the next available opportunity (e.g., backup rotation) ─────────────────────────────────────────────────────────── 8.4 APPLE-CONTROLLED DATA **IMPORTANT**: Data held by Apple is governed by Apple's retention policies, NOT ours. Apple retains: • Your Apple ID and authentication data • Payment information and purchase history • App Store download and update history • Subscription data (independently from our records) TO DELETE APPLE'S DATA: • Delete your Apple ID: https://privacy.apple.com • Request data deletion from Apple: https://privacy.apple.com • Contact Apple Support: https://support.apple.com Deleting your PlotWings account does NOT delete your Apple ID or Apple's records. ─────────────────────────────────────────────────────────── 8.5 SERVICE PROVIDER DATA RETENTION Our service providers may retain data independently: **Subscription Management Providers**: • Up to 12 months for operational purposes • Up to 7 years for financial/tax compliance **Analytics Providers**: • Typically 24-60 months (varies by provider) • We recommend configuring 24-month retention **Cloud Hosting Providers**: • Retained while account is active • Deleted upon account deletion (or as requested) • Backup retention: Varies (typically 30-90 days) **AI Service Providers**: • Training data: May be retained in aggregate/anonymized form indefinitely • Raw prompts: Typically 30-90 days, then deleted We configure service providers to delete or anonymize data consistent with this Policy, where technically feasible. ─────────────────────────────────────────────────────────── 8.6 INACTIVE ACCOUNTS If your account remains inactive for an extended period: **INACTIVITY DEFINITION**: No activity for [12-24] consecutive months, including: • No logins • No app usage • No active subscription • No customer support interactions **OUR ACTIONS**: • Send warning emails 60 days and 30 days before closure • Close account and delete data per Section 8.1 • You may reactivate before closure by logging in See Terms of Service Section 19 for details. ─────────────────────────────────────────────────────────── 8.7 CRITERIA FOR RETENTION DECISIONS We determine retention periods based on: (a) **Purpose**: How long data is needed for original purpose (b) **Legal requirements**: Tax laws (7 years), statute of limitations (varies), regulatory obligations (c) **User expectations**: Reasonable expectations for data availability (d) **Technical limitations**: Backup cycles, distributed systems, archival practices (e) **Legitimate interests**: Fraud prevention, security, abuse prevention (f) **Data sensitivity**: Sensitive data retained for shorter periods ═══════════════════════════════════════════════════════════ 9. CHILDREN'S PRIVACY We are committed to protecting children's privacy and complying with applicable laws, including the Children's Online Privacy Protection Act (COPPA), GDPR Article 8, and other child privacy regulations. ─────────────────────────────────────────────────────────── 9.1 AGE RESTRICTIONS **MINIMUM AGE**: You must be at least 13 years old to use the App. **APP STORE RATING**: The App is rated 13+ on the Apple App Store. **AGE VERIFICATION**: We rely on Apple's age verification for Sign in with Apple: • Apple requires users to be 13+ to create an Apple ID • Children under 13 may use Apple IDs created via Family Sharing with parental consent ─────────────────────────────────────────────────────────── 9.2 PARENTAL CONSENT **CHILDREN UNDER 13** (via Apple Family Sharing): Children under 13 may ONLY use the App if: • They are part of an Apple Family Sharing account, AND • Their parent or legal guardian has consented to their use via Family Sharing setup **PARENTS/GUARDIANS ARE RESPONSIBLE FOR**: • Monitoring their child's use of the App • All activities and conduct under the child's account • All purchases and charges • Ensuring age-appropriate use **COPPA COMPLIANCE**: By allowing a child under 13 to use the App via Family Sharing, the parent/guardian: • Consents to our collection and use of the child's personal information as described in this Policy • Acknowledges they have reviewed this Privacy Policy and our Terms of Service • Agrees to our practices regarding children's data ─────────────────────────────────────────────────────────── 9.3 TEENS AGES 13-17 **PARENTAL CONSENT ENCOURAGED**: If you are 13-17 (or under 18 in some jurisdictions): • We encourage you to review this Policy with a parent or guardian • Your parent/guardian should consent to this Policy and our Terms • Your parent/guardian is responsible for your use and any purchases **EEA/UK (GDPR ARTICLE 8)**: In the EEA/UK, children under 16 (or younger, depending on member state - as young as 13) require parental consent for information society services. We obtain this consent via Apple Family Sharing or require users to confirm they have parental consent. ─────────────────────────────────────────────────────────── 9.4 PARENTAL CONTROLS Parents can control their child's App usage via: **iOS SCREEN TIME**: • iOS Settings → Screen Time → App Limits • Set time limits for app usage • Block app installation or deletion • Require approval for app purchases **APPLE FAMILY SHARING**: • iOS Settings → [Your Name] → Family Sharing • "Ask to Buy" - requires parental approval for purchases • Screen Time sharing - monitor child's device usage • Purchase sharing - control payment methods ─────────────────────────────────────────────────────────── 9.5 WHAT WE COLLECT FROM CHILDREN When children use the App (under 13 with parental consent, or 13-17): **WE COLLECT**: • Limited information from Apple (user identifier, email, name - if shared) • Reading history and story interaction data • Usage analytics (screens viewed, features used) • Device information (device model, OS version) • Subscription status (if parent purchases subscription) • Customer support communications (if child or parent contacts us) **WE DO NOT INTENTIONALLY COLLECT FROM CHILDREN**: • Precise geolocation • Photos or videos (unless feature specifically requires with parental permission) • Contacts or social network information • Persistent identifiers for behavioral advertising (we do not serve targeted ads to children) • Voice recordings (unless feature specifically requires with parental permission) ─────────────────────────────────────────────────────────── 9.6 HOW WE USE CHILDREN'S DATA WE USE CHILDREN'S PERSONAL INFORMATION TO: • Provide the App and its features • Sync reading progress across devices • Enable subscription features (if purchased by parent) • Provide customer support • Ensure security and prevent abuse • Comply with legal obligations WE DO NOT: • Use children's data for behavioral advertising or targeted marketing • Sell children's personal information • Build profiles on children for purposes other than supporting internal operations • Share children's data except as described in Section 9.8 ─────────────────────────────────────────────────────────── 9.7 CONTENT FILTERING FOR CHILDREN We make reasonable efforts to: • Filter AI-generated content to prevent inappropriate outputs • Maintain age-appropriate content consistent with App Store rating • Monitor for content that violates our Terms or policies HOWEVER: • Content filtering is imperfect and may not block all inappropriate content • Parents should monitor their child's use • Parents should review content their child accesses ─────────────────────────────────────────────────────────── 9.8 SHARING CHILDREN'S DATA We share children's personal information ONLY with: **SERVICE PROVIDERS** (as necessary to provide the Service): • Cloud hosting (to store data and deliver content) • Analytics (to improve app features and fix bugs) • Subscription management (to enable premium features) • Customer support (to respond to support requests) All service providers: • Are contractually obligated to protect children's data • May use data only to provide services to us • Must comply with COPPA, GDPR, and other applicable laws **APPLE**: • Via Sign in with Apple (authentication) • Via In-App Purchase (subscription management) **LEGAL AUTHORITIES**: • When required by law or legal process • To protect safety of a child or others WE DO NOT: • Sell children's personal information • Share children's data for behavioral advertising • Share children's data with third parties for their own purposes ─────────────────────────────────────────────────────────── 9.9 PARENTAL RIGHTS (COPPA) Parents/guardians of children under 13 may: **REVIEW**: Request access to their child's personal information **CORRECT**: Request correction of inaccurate information **DELETE**: Request deletion of their child's personal information **REFUSE FURTHER COLLECTION**: Refuse to permit further collection or use of their child's information **WITHDRAW CONSENT**: Withdraw consent for data collection **HOW TO EXERCISE PARENTAL RIGHTS**: Online Form: plotwings.com/support Subject: "Parental Rights Request - COPPA" **INCLUDE**: • Child's name and email (or Apple ID email) • Parent's name and contact information • Proof of parental relationship (e.g., matching last name, family sharing documentation) • Specific request (access, delete, etc.) **VERIFICATION**: We will verify parental identity before responding using reasonable methods, which may include: • Email verification (reply from family organizer email) • Answers to security questions about the child's account • Credit card verification (small charge + immediate refund) • Government-issued ID **TIMELINE**: We respond within 10 business days of verification. ─────────────────────────────────────────────────────────── 9.10 IF WE LEARN A CHILD UNDER 13 LACKS PARENTAL CONSENT If we learn a user is under 13 without proper parental consent via Apple Family Sharing: IMMEDIATE ACTIONS: • Disable the account immediately • Delete the child's personal information from our systems (except as required for legal/safety purposes) • Notify the account email address (parent or child) TIMELINE: Deletion completed within 30 days. ─────────────────────────────────────────────────────────── 9.11 REPORTING CONCERNS If you believe your child under 13 has provided information without your consent: **IMMEDIATE ACTION**: Online Form: plotwings.com/support Subject: "Underage User Report" Include: • Child's name and email/Apple ID (if known) • Description of concern • Your contact information We will investigate and take appropriate action immediately. ─────────────────────────────────────────────────────────── 9.12 CHILDREN'S ADVERTISING (COPPA RULE) **WE DO NOT**: • Serve behavioral or targeted advertising to children under 13 • Use persistent identifiers to track children across apps or websites for advertising • Allow third-party advertisers to collect data from children **FUTURE ADVERTISING COMMITMENT**: If we introduce advertising in the future: • We will ensure compliance with COPPA and other child privacy laws • **Any ads served to children will be CONTEXTUAL ONLY** (based on content being viewed, not behavioral tracking) • **Data collection for advertising to minors will be MINIMIZED** to only what is necessary for contextual ad delivery • We will NOT engage in behavioral profiling of minors • We will provide **clear, age-appropriate disclosures** about advertising • We will update this Policy with detailed advertising disclosures • We will align with UK Age-Appropriate Design Code (Children's Code) requirements **COMMITMENT TO CHILDREN'S SAFETY**: We prioritize children's privacy and safety over advertising revenue and will maintain the highest standards for any future advertising features. ─────────────────────────────────────────────────────────── 9.13 AGE-APPROPRIATE DESIGN (UK CHILDREN'S CODE) For users in the UK, we comply with the Age-Appropriate Design Code (Children's Code): • High privacy settings by default for children • Minimal data collection (data minimization) • No profiling or behavioral advertising for children • Age-appropriate application of Terms and Privacy Policy • Prominent controls and simple privacy information • Online safety measures and content filtering • Transparency about data use • Parental controls ═══════════════════════════════════════════════════════════ 10. DATA SECURITY We implement reasonable technical, administrative, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. ─────────────────────────────────────────────────────────── 10.1 TECHNICAL SAFEGUARDS **ENCRYPTION**: • Data in transit: TLS/SSL encryption (HTTPS) • Data at rest: Encryption for sensitive data (authentication tokens, etc.) • Cloud provider encryption: Data stored with encrypted cloud services **ACCESS CONTROLS**: • Authentication and authorization mechanisms • Principle of least privilege (employees access only data necessary for their role) • Multi-factor authentication (MFA) for employee access • Role-based access control (RBAC) **INFRASTRUCTURE SECURITY**: • Firewalls and network segmentation • Intrusion detection and prevention systems (IDS/IPS) • Regular security patches and updates • Vulnerability scanning and penetration testing • DDoS protection **APPLICATION SECURITY**: • Secure coding practices • Code reviews and security testing • Input validation and output encoding • Protection against common vulnerabilities (OWASP Top 10) **MONITORING & LOGGING**: • Security event logging and monitoring • Anomaly detection • Incident response procedures ─────────────────────────────────────────────────────────── 10.2 ADMINISTRATIVE SAFEGUARDS **EMPLOYEE TRAINING**: • Security awareness training for all employees • Privacy and data protection training • Ongoing education on evolving threats **ACCESS MANAGEMENT**: • Background checks for employees with access to sensitive data (where legally permitted) • Confidentiality and non-disclosure agreements (NDAs) • Immediate access revocation upon termination **VENDOR MANAGEMENT**: • Due diligence and security assessments of service providers • Contractual security and privacy requirements • Regular vendor security reviews **INCIDENT RESPONSE**: • Written incident response plan • Designated incident response team • Procedures for detecting, containing, investigating, and remediating security incidents • Notification procedures (see Section 15) ─────────────────────────────────────────────────────────── 10.3 PHYSICAL SAFEGUARDS (Applicable to cloud service providers): • Data centers with physical access controls (biometric, badge readers) • 24/7 security monitoring and surveillance • Environmental controls (fire suppression, climate control, power backup) • Secure hardware disposal and media destruction ─────────────────────────────────────────────────────────── 10.4 LIMITATIONS & YOUR RESPONSIBILITY **NO ABSOLUTE SECURITY**: No method of electronic transmission or storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. **⚠️ CRITICAL: YOUR SECURITY RESPONSIBILITY**: **If you fail to secure your Apple ID or device (e.g., no multi-factor authentication, password reuse, weak passcode, sharing credentials), we are NOT responsible for resulting unauthorized access or misuse of your account or data.** **YOU ARE RESPONSIBLE FOR**: • Keeping your Apple ID password secure and confidential • Using strong, unique passwords • Enabling two-factor authentication on your Apple ID (strongly recommended) • Not sharing your account credentials with others • Logging out of shared or public devices • Keeping your device secure (passcode, biometric authentication) • Promptly notifying Apple of unauthorized access to your Apple ID • Promptly notifying us of unauthorized access to your account: Online Form: plotwings.com/support **WE ARE NOT RESPONSIBLE FOR**: • Security breaches resulting from your failure to secure your credentials or device • Unauthorized access by third parties who obtain your credentials with your permission • Security of third-party services (Apple, service providers) beyond our control ─────────────────────────────────────────────────────────── 10.5 THIRD-PARTY SECURITY Our service providers maintain their own security programs. We require service providers to implement security measures consistent with industry standards, but we do not control their security practices. For security questions about: • Apple ID: https://support.apple.com • Apple In-App Purchase: https://support.apple.com • Service providers: See their respective security/privacy documentation ─────────────────────────────────────────────────────────── 10.6 REPORTING SECURITY VULNERABILITIES If you discover a security vulnerability in our App or Service: **RESPONSIBLE DISCLOSURE**: Online Form: plotwings.com/support Subject: "Security Vulnerability Report" Include: • Description of the vulnerability • Steps to reproduce • Potential impact • Your contact information We appreciate responsible disclosure and will: • Acknowledge receipt within 5 business days • Investigate and validate the vulnerability • Work to remediate confirmed vulnerabilities • Keep you informed of our progress (if you request) Please DO NOT publicly disclose vulnerabilities before we've had reasonable time to address them (typically 90 days). ═══════════════════════════════════════════════════════════ 11. INTERNATIONAL DATA TRANSFERS Further Theory, LLC is based in the United States. If you access the App from outside the U.S., your personal information will be transferred to, stored, and processed in the United States and potentially other countries. ─────────────────────────────────────────────────────────── 11.1 ADEQUACY & SAFEGUARDS **DATA PROTECTION LEVELS**: The United States and other countries where we process data may not provide the same level of data protection as your home jurisdiction. **LEGAL SAFEGUARDS WE USE**: For EEA/UK to U.S. and other international transfers: (a) **STANDARD CONTRACTUAL CLAUSES (SCCs)**: • We use European Commission-approved Standard Contractual Clauses (2021/914) with service providers • SCCs provide contractual protections for data transferred outside the EEA/UK • **You may request a copy** of our Standard Contractual Clauses: Online Form: plotwings.com/support (subject: "SCC Request"). We will provide a copy, redacted as necessary to protect confidential business information, within 30 days. • Available upon request: Online Form: plotwings.com/support (b) **EU-U.S. DATA PRIVACY FRAMEWORK (DPF)** (if applicable): • Some service providers may be certified under the EU-U.S. Data Privacy Framework • DPF provides adequacy for transfers to certified U.S. organizations • Check DPF participant list: https://www.dataprivacyframework.gov/list (c) **TRANSFER IMPACT ASSESSMENTS (TIAs)**: • We conduct Transfer Impact Assessments to evaluate risks of international transfers • We implement supplementary measures where necessary (e.g., additional encryption, access controls) (d) **ADEQUACY DECISIONS**: • We may rely on European Commission adequacy decisions for transfers to countries with adequate protection (e.g., UK, Canada, Japan, South Korea) ─────────────────────────────────────────────────────────── 11.2 DATA LOCATIONS YOUR DATA MAY BE STORED AND PROCESSED IN: **UNITED STATES**: • Primary data storage and processing • Company headquarters **OTHER LOCATIONS** (via service providers): • Cloud service providers may use data centers globally • Content delivery networks (CDNs) may cache data in multiple regions • Analytics and other service providers may process data in their facilities SPECIFIC LOCATIONS: We do not publicly disclose specific data center locations for security reasons. For information about where your data is stored, Online Form: plotwings.com/support ─────────────────────────────────────────────────────────── 11.3 TRANSFER MECHANISMS BY SERVICE PROVIDER Our key service providers use the following transfer mechanisms: **CLOUD HOSTING & DATABASE PROVIDERS**: • Mechanism: Standard Contractual Clauses (SCCs) • May also be covered by EU-U.S. Data Privacy Framework (if certified) **ANALYTICS PROVIDERS**: • Mechanism: Standard Contractual Clauses (SCCs) • May also be covered by EU-U.S. Data Privacy Framework (if certified) **SUBSCRIPTION MANAGEMENT PROVIDERS**: • Mechanism: Standard Contractual Clauses (SCCs) **AI SERVICE PROVIDERS**: • Mechanism: Standard Contractual Clauses (SCCs) and/or DPF • May process data in U.S. or other regions **APPLE**: • Apple handles international transfers for Sign in with Apple and In-App Purchase per Apple's transfer mechanisms • See Apple's Privacy Policy: https://www.apple.com/legal/privacy/ ─────────────────────────────────────────────────────────── 11.4 YOUR RIGHTS REGARDING TRANSFERS EEA/UK users have the right to: • Request information about transfer safeguards • Obtain a copy of Standard Contractual Clauses (redacted for confidentiality if necessary) • Object to transfers on compelling legitimate grounds (subject to legal exceptions and our legitimate interests) Online Form: plotwings.com/support (subject: "International Transfer Inquiry") ─────────────────────────────────────────────────────────── ### **6. Transparency & Accountability** **TRANSPARENCY REPORTING**: We may publish periodic transparency reports disclosing aggregate statistics about: • Government and law enforcement requests for user data • Number of requests received and complied with • Types of data requested • Legal bases for requests • User notifications sent Transparency reports (if published) will be available on our website and will NOT identify individual users. **U.S. GOVERNMENT ACCESS** EEA/UK users should be aware: • U.S. law may require us to disclose data to U.S. government authorities (FBI, NSA, courts) • We evaluate and may challenge overbroad or improper requests • Where legally permitted, we notify users of government requests • We publish transparency reports with aggregate statistics (if applicable) See Section 5.3 for information on legal disclosures. ─────────────────────────────────────────────────────────── 11.6 DATA LOCALIZATION Some jurisdictions require personal data to be stored or processed locally (e.g., Russia, China). We may: • Restrict access to the App in such jurisdictions, OR • Comply with local data localization requirements where feasible Currently, we do not operate local data centers in jurisdictions with strict data localization laws. ═══════════════════════════════════════════════════════════ 12. STATE & REGIONAL SPECIFIC INFORMATION This section provides additional information for users in specific U.S. states and regions. ─────────────────────────────────────────────────────────── 12.1 CALIFORNIA RESIDENTS (CCPA/CPRA) **PERSONAL INFORMATION COLLECTED (LAST 12 MONTHS)**: | Category (CCPA § 1798.140) | Examples | Collected? | Business Purpose | Shared? | |------------------------------|----------|------------|------------------|---------| | Identifiers | User ID, email, device ID, IP address | YES | Provide Service, analytics, security | Service providers, Apple | | Commercial Information | Subscription status, purchase history | YES | Enable premium features, billing | Service providers, Apple | | Internet/Network Activity | Browsing, clicks, reading history, prompts | YES | Improve Service, personalization, analytics | Service providers | | Geolocation Data | Country/region (approximate) | YES | Content delivery, analytics | Service providers | | Sensory Information | Audio/visual (if you upload) | LIMITED | AI features (if applicable) | AI service providers | | Inferences | Preferences, interests, behavior predictions | YES | Personalization, recommendations | Service providers | | Sensitive Personal Information | Account credentials (email/ID, not password), precise location (NO), biometric (Apple only), health (NO) | LIMITED | Authentication, app lock (Apple) | Service providers, Apple | **CATEGORIES OF SOURCES**: You, Apple (SIWA, IAP), automatic collection (cookies/SDKs), service providers, publicly available sources **BUSINESS/COMMERCIAL PURPOSES**: As described in Section 4. **CATEGORIES OF THIRD PARTIES**: Service providers (cloud, analytics, subscription management, AI, support), Apple, legal authorities (when required) **SALE OR SHARING**: • **WE DO NOT SELL PERSONAL INFORMATION** for monetary or other valuable consideration • **WE DO NOT "SHARE" PERSONAL INFORMATION** for cross-context behavioral advertising (as defined by CCPA § 1798.140(ah)) • If this changes, we will provide notice and opt-out: [DO NOT SELL OR SHARE] link **SENSITIVE PERSONAL INFORMATION**: • We collect LIMITED sensitive information (account credentials, device location region) • We do NOT use sensitive information for purposes beyond what is reasonably necessary to provide the Service • You may request limits via: Settings → Privacy → Limit Use of Sensitive Information (if applicable) **RETENTION**: As described in Section 8. **YOUR RIGHTS**: As described in Section 7.3. **FINANCIAL INCENTIVES**: We do not offer financial incentives for providing personal information. **CALIFORNIA SHINE THE LIGHT (CIVIL CODE § 1798.83)**: California residents may request information about personal information shared with third parties for their own direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes. ─────────────────────────────────────────────────────────── 12.2 VIRGINIA, COLORADO, CONNECTICUT, UTAH, MONTANA (STATE PRIVACY LAWS) **VIRGINIA (VCDPA), COLORADO (CPA), CONNECTICUT (CTDPA), UTAH (UCPA), MONTANA (MCDPA)**: Similar disclosures to California: **DATA PROCESSING ACTIVITIES**: • Categories collected: As described in Section 1 • Purposes: As described in Section 4 • Categories of recipients: As described in Section 5 **SALE OF PERSONAL DATA**: We do not sell personal data. **TARGETED ADVERTISING**: We do not engage in targeted advertising using personal data. **PROFILING**: We use profiling for content recommendations and fraud detection (see Section 13). We do not use profiling for decisions that produce legal or similarly significant effects. **YOUR RIGHTS**: As described in Section 7.4. **APPEALS** (Virginia, Colorado, Connecticut, Montana): If we deny your request, you may appeal as described in Section 7.4. ─────────────────────────────────────────────────────────── 12.3 NEVADA RESIDENTS (SENATE BILL 220) Nevada residents have the right to opt out of the "sale" of certain personal information. **WE DO NOT SELL PERSONAL INFORMATION** as defined by Nevada law. If this changes, we will provide notice and an opt-out mechanism. To submit an opt-out request: Online Form: plotwings.com/support (subject: "Nevada Opt-Out Request") ─────────────────────────────────────────────────────────── 12.4 WASHINGTON RESIDENTS (MY HEALTH MY DATA ACT) Washington's My Health My Data Act regulates "consumer health data." **CONSUMER HEALTH DATA** includes data used to identify or infer: • Physical or mental health conditions • Health care services or products purchased • Body functions, vital signs, symptoms, diagnoses **OUR PRACTICES**: • We do NOT intentionally collect consumer health data • If AI prompts or user content contain health information, we process it consistent with this Policy • We do NOT sell consumer health data • We do NOT share consumer health data except as disclosed in this Policy Washington residents have rights similar to CCPA (access, delete, correct, opt-out). See Section 7.4. ─────────────────────────────────────────────────────────── 12.5 ADDITIONAL STATE LAWS (EMERGING) Several states have enacted or are considering privacy laws (e.g., Texas TDPSA, Florida Digital Bill of Rights, Oregon OCPA, Tennessee TIPA). We monitor these laws and will update our practices and this Policy to comply as laws take effect. ─────────────────────────────────────────────────────────── 12.6 CANADA (PIPEDA & PROVINCIAL LAWS) **PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)**: Canadian residents have rights as described in Section 7.5. **PURPOSES FOR COLLECTION**: As described in Section 4. **CONSENT**: We obtain consent via your acceptance of this Policy and our Terms. You may withdraw consent (see Section 7.10). **THIRD-PARTY DISCLOSURE**: As described in Section 5. **COMPLAINTS**: Office of the Privacy Commissioner of Canada - https://www.priv.gc.ca **PROVINCIAL LAWS**: Residents of Quebec, British Columbia, and Alberta may have additional rights under provincial privacy laws (e.g., Quebec Law 25, BC PIPA, Alberta PIPA). ═══════════════════════════════════════════════════════════ 13. AUTOMATED DECISION-MAKING & PROFILING ─────────────────────────────────────────────────────────── 13.1 WHAT WE DO We use automated processing and profiling for: **CONTENT RECOMMENDATIONS**: • Algorithms analyze your reading history, preferences, and behavior • Recommend stories, articles, or content you may like • Personalize your home screen and search results **FRAUD DETECTION & SECURITY**: • Automated systems detect suspicious activity, unusual patterns, or policy violations • Risk scoring for transactions or account activity **CONTENT MODERATION**: • AI systems flag potentially inappropriate content for review • Automated filters block prohibited content (e.g., CSAM, hate speech) **SUBSCRIPTION ELIGIBILITY**: • Determine eligibility for free trials (e.g., prior subscribers ineligible) • Detect abuse of promotional offers **PERFORMANCE OPTIMIZATION**: • Automated systems optimize app performance, load times, and resource allocation ─────────────────────────────────────────────────────────── 13.2 WHAT WE DO NOT DO **NO SOLELY AUTOMATED DECISIONS WITH LEGAL/SIGNIFICANT EFFECTS**: We do NOT make decisions that: • Are based solely on automated processing (no human involvement), AND • Produce legal effects concerning you or similarly significantly affect you Examples of decisions we DO NOT make solely through automation: • Account termination (human review) • Denying service or access (human review for significant cases) • Credit or loan decisions (we don't make these) • Employment decisions (we don't make these) ─────────────────────────────────────────────────────────── 13.3 YOUR RIGHTS (EEA/UK - GDPR ARTICLE 22) EEA/UK users have the right not to be subject to solely automated decisions with legal or similarly significant effects. **YOU HAVE THE RIGHT TO**: • Request human review of automated decisions • Express your point of view • Contest the decision • Obtain an explanation of the decision Since we do not make solely automated decisions with legal/significant effects, this right rarely applies. If you believe we made such a decision, contact: Online Form: plotwings.com/support (subject: "GDPR Article 22 Request") ─────────────────────────────────────────────────────────── 13.4 OBJECTING TO PROFILING **EEA/UK USERS** (GDPR Article 21(1)): You have the right to object to profiling based on legitimate interests (e.g., content recommendations). If you object: • We will stop profiling unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms • This may reduce personalization and affect your experience To object: Online Form: plotwings.com/support (subject: "Object to Profiling") **U.S. STATE RESIDENTS** (Virginia, Colorado, Connecticut): You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Since we do not engage in such profiling, this right does not typically apply. ─────────────────────────────────────────────────────────── 13.5 TRANSPARENCY For significant automated decisions or profiling, we provide information about: • Logic involved • Significance and envisaged consequences • Steps you can take (opt out, request human review, contest) For more information about our algorithms and automated systems: Online Form: plotwings.com/support ═══════════════════════════════════════════════════════════ 14. PRIVACY BY DESIGN & TRANSPARENCY We are committed to privacy by design and transparency principles: ─────────────────────────────────────────────────────────── 14.1 PRIVACY BY DESIGN **DATA MINIMIZATION**: • Collect only data necessary for specified purposes • Avoid excessive or irrelevant data collection **PURPOSE LIMITATION**: • Use data only for purposes disclosed in this Policy • Obtain consent for new purposes **STORAGE LIMITATION**: • Retain data only as long as necessary • Delete or anonymize data when no longer needed **SECURITY & CONFIDENTIALITY**: • Implement technical and organizational measures to protect data • Regular security assessments and improvements **PRIVACY-FRIENDLY DEFAULTS**: • Default settings favor privacy • Users must opt in to non-essential data processing ─────────────────────────────────────────────────────────── 14.2 TRANSPARENCY **CLEAR COMMUNICATION**: • This Policy uses plain language where possible • Avoid jargon and legalese (where feasible) • Provide examples and explanations **ACCESSIBLE INFORMATION**: • Privacy Policy available in-app and online • Contact information provided for questions **REGULAR UPDATES**: • Update Policy to reflect changes in practices or laws • Provide notice of material changes **OPENNESS**: • Answer user questions about our practices • Provide information about data processing upon request ─────────────────────────────────────────────────────────── 14.3 ACCOUNTABILITY **DOCUMENTATION**: • Maintain records of processing activities • Document data protection impact assessments (DPIAs) • Maintain transfer impact assessments (TIAs) **TRAINING**: • Train employees on privacy and data protection • Regular updates on evolving laws and best practices **COMPLIANCE**: • Monitor compliance with this Policy and applicable laws • Conduct internal audits and assessments ═══════════════════════════════════════════════════════════ 15. DATA BREACH NOTIFICATION In the event of a data breach that poses risk to your rights and freedoms, we will take the following steps: ─────────────────────────────────────────────────────────── 15.1 WHAT IS A DATA BREACH A data breach is an incident involving unauthorized access, disclosure, alteration, loss, or destruction of personal information. Examples: • Hacking or cyber attack • Ransomware • Unauthorized employee access • Lost or stolen devices containing personal data • Accidental public exposure of data ─────────────────────────────────────────────────────────── 15.2 OUR RESPONSE **IMMEDIATE ACTIONS**: (a) Contain the breach and prevent further unauthorized access (b) Investigate the scope, cause, and impact (c) Assess risk to affected individuals (d) Document the breach **REMEDIATION**: (e) Implement measures to prevent recurrence (f) Restore security and integrity (g) Assist affected users (credit monitoring, identity theft protection, etc., as appropriate) ─────────────────────────────────────────────────────────── 15.3 NOTIFICATION TO USERS **WHEN WE NOTIFY**: • If breach poses risk of harm (identity theft, fraud, discrimination, financial loss, reputational damage, etc.) • As required by applicable law **TIMELINE**: • Without undue delay • EEA/UK: Typically within 72 hours of discovery (to supervisory authority); without undue delay to users • U.S. State Laws: As required (varies by state - e.g., California: without unreasonable delay) **METHOD**: • Email to registered email address • In-app notification • Prominent notice on website • Media or public notice (if contact info insufficient or risk is high) **CONTENT OF NOTIFICATION**: • Description of the breach • Types of personal information affected • Date or estimated date of the breach • Potential consequences and risks • Steps we are taking to address the breach • Steps you can take to protect yourself (e.g., change passwords, monitor accounts) • Contact information for questions ─────────────────────────────────────────────────────────── 15.4 NOTIFICATION TO AUTHORITIES **EEA/UK (GDPR)**: • Notify supervisory authority within 72 hours of becoming aware (if risk to rights and freedoms) • Provide required information per GDPR Article 33 **U.S. STATES**: • Notify state attorneys general or consumer protection agencies as required • Examples: California (Attorney General if 500+ residents affected), other states have similar requirements **OTHER JURISDICTIONS**: • Comply with local breach notification laws ─────────────────────────────────────────────────────────── 15.5 EXCEPTIONS TO NOTIFICATION We may delay or not notify if: • Law enforcement requests delay for investigation purposes • Notification would impede criminal investigation • No risk of harm to individuals (e.g., encrypted data, brief unauthorized access with no copying) • As permitted or required by law ─────────────────────────────────────────────────────────── 15.6 YOUR RESPONSIBILITIES AFTER A BREACH If we notify you of a breach: • Change your Apple ID password immediately • Enable two-factor authentication (if not already enabled) • Monitor your accounts for suspicious activity • Review your credit reports (if financial data was affected) • Consider identity theft protection services (we may offer assistance) • Report suspicious activity to: Online Form: plotwings.com/support ═══════════════════════════════════════════════════════════ 16. CHANGES TO THIS POLICY ─────────────────────────────────────────────────────────── 16.1 RIGHT TO MODIFY We may update, modify, or revise this Privacy Policy from time to time to reflect: • Changes in our practices, features, or offerings • Changes in applicable laws or regulations • Evolving industry standards and best practices • User feedback • Business needs Changes are effective prospectively unless earlier implementation is required by law. ─────────────────────────────────────────────────────────── 16.2 NOTICE OF CHANGES **FOR MATERIAL CHANGES**, we will provide advance notice: **NOTICE METHODS**: (a) Email to your registered email address (including private relay addresses) (b) In-app notification or prominent message (c) Notice on our website (d) Update to "Last Updated" date at the top of this Policy **NOTICE PERIOD**: • Typically 15-30 days before the effective date • Shorter period if required by law, urgent security needs, or immediate legal compliance **WHAT CONSTITUTES A MATERIAL CHANGE**: • New categories of personal information collected • New purposes for processing • New categories of third parties with whom we share data • Changes reducing your rights or protections • Significant changes to data retention periods • Changes to international data transfer mechanisms • Introduction of data selling or sharing practices ─────────────────────────────────────────────────────────── 16.3 CONSENT TO CHANGES **ACCEPTANCE**: Your continued use of the App after the effective date of changes constitutes acceptance of the updated Privacy Policy. **IF YOU DISAGREE**: (a) Stop using the App before the effective date (b) Delete your account (see Section 8.1) (c) Exercise your privacy rights (e.g., deletion, opt-out) **EXPLICIT CONSENT (EEA/UK)**: For changes expanding processing scope or introducing new purposes, we may require explicit consent from EEA/UK users as required by GDPR. ─────────────────────────────────────────────────────────── 16.4 VERSION HISTORY Prior versions of this Privacy Policy may be available upon request for your records. To request previous versions: Online Form: plotwings.com/support (subject to reasonable limitations) ─────────────────────────────────────────────────────────── 16.5 REVIEW REGULARLY We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top indicates the most recent revision. ═══════════════════════════════════════════════════════════ 17. CONTACT US & DATA PROTECTION OFFICER ─────────────────────────────────────────────────────────── 17.1 PRIVACY QUESTIONS & REQUESTS For privacy-related questions, concerns, or requests: **DATA PROTECTION CONTACT**: Privacy Lead, Further Theory, LLC 6 Liberty Square #2327 Boston, MA 02109 United States Online Form: plotwings.com/support Subject: "Privacy Inquiry" **GENERAL PRIVACY INQUIRIES**: Online Form: plotwings.com/support Subject: "Privacy Inquiry" **DATA SUBJECT RIGHTS REQUESTS**: Online Form: plotwings.com/support Subject: "Privacy Rights Request - [Type of Request]" **POSTAL MAIL**: Further Theory, LLC 6 Liberty Square #2327 Boston, MA 02109 United States Attn: Privacy Lead / Privacy Officer / Legal Department ─────────────────────────────────────────────────────────── 17.2 DATA PROTECTION OFFICER (DPO) **GDPR REQUIREMENT**: Organizations must appoint a Data Protection Officer (DPO) if they: • Are a public authority, OR • Engage in large-scale systematic monitoring of individuals, OR • Engage in large-scale processing of special categories of data or criminal conviction data **OUR STATUS**: Based on the current scale and nature of our processing activities, we are not required to appoint a DPO under GDPR Article 37. If we determine a DPO is required, or voluntarily appoint one, we will provide contact information here. **CURRENT DPO STATUS**: Not required / Not appointed If you have GDPR-related questions, contact our Privacy Officer: Online Form: plotwings.com/support ─────────────────────────────────────────────────────────── 17.3 EU/UK REPRESENTATIVE **GDPR REQUIREMENT** (Article 27): Organizations not established in the EU but offering goods/services to EU data subjects must appoint an EU representative. **UK GDPR REQUIREMENT** (Article 27): Organizations not established in the UK but offering goods/services to UK data subjects must appoint a UK representative. **OUR STATUS**: We will appoint EU and/or UK representatives if required based on the volume and nature of our EU/UK processing activities. **CURRENT REPRESENTATIVE STATUS**: • EU Representative: To be determined • UK Representative: To be determined If representatives are appointed, contact information will be provided here. **BUSINESS TRANSFERS & BANKRUPTCY**: See our Terms of Service (Section 24.12: Bankruptcy & Insolvency) for comprehensive information on how personal data is handled in bankruptcy, insolvency, receivership, or similar proceedings, including your rights to request deletion and notification procedures. ─────────────────────────────────────────────────────────── 17.4 COMPLAINTS & SUPERVISORY AUTHORITIES If you are unsatisfied with our response to your privacy concerns, you may: **EEA RESIDENTS**: • File complaint with your national data protection authority • Find your authority: https://edpb.europa.eu/about-edpb/board/members_en **UK RESIDENTS**: • Information Commissioner's Office (ICO) • Website: https://ico.org.uk • Phone: 0303 123 1113 **CALIFORNIA RESIDENTS**: • California Attorney General's Office • Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company • California Privacy Protection Agency: https://cppa.ca.gov/ **OTHER U.S. STATE RESIDENTS**: • State Attorney General or consumer protection agency ═══════════════════════════════════════════════════════════ 18. ADDITIONAL INFORMATION ─────────────────────────────────────────────────────────── 18.1 THIRD-PARTY LINKS & SERVICES The App may contain links to third-party websites, apps, or services. This Privacy Policy does NOT apply to third-party sites or services. **WE DO NOT**: • Control third-party sites or services • Endorse third-party content, products, or services • Monitor third-party privacy practices • Assume responsibility for third-party data collection **YOUR RESPONSIBILITY**: • Review third-party privacy policies before providing information • Understand you access third-party sites at your own risk ─────────────────────────────────────────────────────────── 18.2 SOCIAL MEDIA & SHARING FEATURES If we offer social media integration or sharing features: • You control whether to use these features • Data is shared with social platforms only when you actively use the feature • Social platforms' privacy policies govern their use of your data ─────────────────────────────────────────────────────────── 18.3 ANALYTICS OPT-OUT **GENERAL OPT-OUT**: • In-App: Settings → Privacy → Opt Out of Analytics (if available) • Online Form: plotwings.com/support (subject: "Opt Out of Analytics") **THIRD-PARTY ANALYTICS OPT-OUT TOOLS**: Some analytics providers offer opt-out tools: • Network Advertising Initiative (NAI): https://optout.networkadvertising.org/ • Digital Advertising Alliance (DAA): https://optout.aboutads.info/ Note: These are web-based tools. iOS app tracking is controlled via App Tracking Transparency (see Section 7.7). ─────────────────────────────────────────────────────────── 18.4 CALIFORNIA "DO NOT TRACK" (DNT) Our App does not respond to "Do Not Track" (DNT) browser signals, as DNT is a web browser feature not applicable to iOS apps. Instead, we respond to: • iOS App Tracking Transparency (ATT) - see Section 7.7 • Global Privacy Control (GPC) - see Section 7.9 (for web features, if applicable) ─────────────────────────────────────────────────────────── 18.5 ACCESSIBILITY We are committed to making our App and this Privacy Policy accessible to all users. If you have difficulty accessing this Policy or need it in an alternative format: • Online Form: plotwings.com/support (subject: "Accessibility Request") • We will provide this Policy in accessible formats (e.g., large print, screen reader-friendly) ─────────────────────────────────────────────────────────── 18.6 TRANSLATIONS This Privacy Policy is written in English. If translated into other languages: • The English version controls in case of conflicts or inconsistencies • Translations are for convenience only • We do not guarantee accuracy of translations ─────────────────────────────────────────────────────────── 18.7 CONTACT FOR OTHER ISSUES **TECHNICAL SUPPORT**: Online Form: plotwings.com/support (subject: "Technical Support") **ACCOUNT ISSUES**: Online Form: plotwings.com/support (subject: "Account Issue") **APPLE ID/APP STORE ISSUES**: https://support.apple.com **LEGAL NOTICES** (non-privacy): Online Form: plotwings.com/support (subject: "Legal Notice") Postal: 6 Liberty Square #2327 Boston, MA 02109 United States, Attn: Legal Department ═══════════════════════════════════════════════════════════ APPENDIX A: SERVICE PROVIDER CATEGORIES This appendix provides detailed information about categories of service providers with whom we share personal information. ═══════════════════════════════════════════════════════════ **CATEGORY 1: CLOUD HOSTING & DATABASE PROVIDERS** **Purpose**: Store app data, user information, and content; deliver content to users **Data Shared**: • Account information (user ID, email, preferences) • Reading history and progress • User-generated content (if applicable) • Device information • Usage data **Examples of Services**: Cloud infrastructure platforms, database services, object storage, file storage **Data Processing Agreement**: Yes (includes SCCs for international transfers) **Retention**: Retained while account is active; deleted per Section 8 retention schedules ═══════════════════════════════════════════════════════════ **CATEGORY 2: ANALYTICS PROVIDERS** **Purpose**: Track app usage, user behavior, performance metrics; provide product insights **Data Shared**: • Pseudonymous user identifier • Usage events (screens viewed, features used, interactions) • Device information (model, OS version) • Session data (duration, frequency) • Performance metrics (load times, errors) **Examples of Services**: Mobile analytics platforms, event tracking services, A/B testing platforms **Data Processing Agreement**: Yes (includes SCCs for international transfers) **Retention**: Typically 24-60 months (we recommend 24 months) ═══════════════════════════════════════════════════════════ **CATEGORY 3: SUBSCRIPTION MANAGEMENT PROVIDERS** **Purpose**: Track subscription status from Apple IAP; enable premium features **Data Shared**: • User identifier • Subscription events (purchases, renewals, cancellations, refunds) • Subscription status and tier • Transaction identifiers (anonymized) **Examples of Services**: Subscription infrastructure platforms, IAP management services **Data Processing Agreement**: Yes (includes SCCs for international transfers) **Retention**: Up to 12 months operational; up to 7 years for financial/tax compliance ═══════════════════════════════════════════════════════════ **CATEGORY 4: ARTIFICIAL INTELLIGENCE (AI) & MACHINE LEARNING PROVIDERS** **Purpose**: Process prompts and inputs; generate AI content; train and improve AI models **Data Shared**: • Prompts and text inputs • AI-generated outputs • User preferences and usage patterns • Feedback on AI outputs (thumbs up/down, reports) **Examples of Services**: AI model APIs, natural language processing (NLP) services, machine learning platforms **Data Processing Agreement**: Yes (includes AI-specific provisions restricting model training, SCCs for international transfers) **Retention**: Prompts 30-90 days (then deleted); aggregated/anonymized training data may be retained indefinitely ═══════════════════════════════════════════════════════════ **CATEGORY 5: CONTENT DELIVERY NETWORKS (CDNs)** **Purpose**: Deliver content quickly and efficiently; reduce latency **Data Shared**: • IP address (may be anonymized) • Device type and browser • Content requests and access patterns • Approximate location (derived from IP) **Examples of Services**: CDN providers, edge computing platforms **Data Processing Agreement**: Yes **Retention**: Typically 30-90 days (logs); cached content per CDN policies ═══════════════════════════════════════════════════════════ **CATEGORY 6: PUSH NOTIFICATION SERVICES** **Purpose**: Deliver notifications to user devices **Data Shared**: • Device push token (Apple APNS token) • Notification content • Delivery status **Examples of Services**: Apple Push Notification Service (APNS), notification infrastructure **Data Processing Agreement**: Apple's terms apply **Retention**: Per Apple's APNS policies ═══════════════════════════════════════════════════════════ **CATEGORY 7: CUSTOMER SUPPORT PLATFORMS** **Purpose**: Manage support tickets; provide customer service **Data Shared**: • Name and email address • Support messages and correspondence • Account information (user ID, subscription status) • Attachments or screenshots provided by user **Examples of Services**: Helpdesk platforms, ticketing systems, live chat services **Data Processing Agreement**: Yes (includes SCCs for international transfers) **Retention**: 3 years after last interaction ═══════════════════════════════════════════════════════════ **CATEGORY 8: CRASH REPORTING & MONITORING SERVICES** **Purpose**: Identify and fix bugs; improve app stability **Data Shared**: • Crash logs and stack traces • Device information (model, OS version) • App state at time of crash • Error messages **Examples of Services**: Crash analytics platforms, error monitoring services **Data Processing Agreement**: Yes **Retention**: 12-24 months ═══════════════════════════════════════════════════════════ **CATEGORY 9: SECURITY & FRAUD PREVENTION SERVICES** **Purpose**: Detect fraud; prevent abuse; ensure security **Data Shared**: • Device fingerprints • IP addresses • Transaction data • Usage patterns and behavioral signals **Examples of Services**: Fraud detection platforms, bot detection services, security monitoring **Data Processing Agreement**: Yes **Retention**: 12-24 months ═══════════════════════════════════════════════════════════ **CATEGORY 10: EMAIL SERVICE PROVIDERS** (if applicable) **Purpose**: Send transactional and marketing emails **Data Shared**: • Email address • Name • Email content (e.g., password reset links, newsletters) **Examples of Services**: Email delivery platforms, transactional email services **Data Processing Agreement**: Yes (includes SCCs for international transfers) **Retention**: Per provider policies; opt-out records retained indefinitely ═══════════════════════════════════════════════════════════ **CATEGORY 11: PAYMENT PROCESSORS** (future - if direct payments) Currently, all payments are processed by Apple via In-App Purchase. We do NOT use separate payment processors. If we introduce direct payment options in the future, we will update this Appendix with payment processor information. ═══════════════════════════════════════════════════════════ **OBTAINING SPECIFIC PROVIDER NAMES**: For EEA/UK users or where required by law, a list of specific service provider names (rather than just categories) is available upon request. To request: Online Form: plotwings.com/support (subject: "Service Provider List Request") We will provide the list within 30 days. **NOTE**: Service providers may change from time to time. We update our service provider lists as needed. Material changes affecting data processing will be communicated as described in Section 16. ═══════════════════════════════════════════════════════════ APPENDIX B: GLOSSARY OF TERMS **Aggregate Data**: Data combined from multiple users such that individuals cannot be identified. **Anonymized Data**: Data processed to permanently remove personally identifiable information such that it can never be linked back to an individual. **Biometric Data**: Biological characteristics used for identification (e.g., fingerprints, facial recognition). In our App, processed by Apple locally on device. **Consent**: Freely given, specific, informed, and unambiguous indication of agreement to processing of personal information. **Cookies**: Small text files stored on web browsers. NOT used in iOS apps (we use SDKs and identifiers instead). **Data Controller**: Entity that determines purposes and means of processing personal data (we are the controller). **Data Processor**: Entity that processes personal data on behalf of a controller (our service providers). **Data Subject**: Individual to whom personal data relates (you). **De-identified Data**: Data that cannot reasonably identify an individual (similar to anonymized). **GDPR**: General Data Protection Regulation (EU Regulation 2016/679). **IDFA**: Identifier for Advertisers - iOS advertising identifier (requires ATT permission). **IDFV**: Identifier for Vendor - iOS identifier automatically provided (no permission required). **Personal Data/Personal Information**: Information relating to an identified or identifiable individual. **Processing**: Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.). **Profiling**: Automated processing to evaluate, analyze, or predict personal aspects (preferences, behavior, etc.). **Pseudonymized Data**: Data processed such that it cannot be attributed to an individual without additional information kept separately. **Sensitive Personal Information**: Certain categories of data requiring heightened protection (health, biometric, financial, precise location, etc.). Defined differently by different laws. **Standard Contractual Clauses (SCCs)**: European Commission-approved contractual terms for international data transfers. **Supervisory Authority**: Government agency overseeing data protection compliance (e.g., ICO in UK). **Third Party**: Entity other than you, Further Theory, or our service providers/processors. ═══════════════════════════════════════════════════════════ END OF PRIVACY POLICY By using the App, you acknowledge you have read, understood, and agree to this Privacy Policy. Last Updated: October 28, 2025 ═══════════════════════════════════════════════════════════