Privacy Policy

Last updated: June 1, 2025

Curator ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our iOS mobile application ("App"). It also describes the choices and rights you have regarding your data. If you have any questions, please contact [email protected].

1. Data Controller & Contact

Curator (legal entity CandleSaaS Sp. z o.o., ul. Marszałkowska 123, 00‑001 Warsaw, Poland) is the data controller for all processing activities described below.

2. Information We Collect

Depending on how you interact with the App, we collect the following categories of data:

• Usage data – screen views, button taps, navigation flows, feature usage, in‑app events, and crash diagnostics.
• Device data – device model, operating‑system version, preferred language, time‑zone, and country/region derived from IP address.
• Identifiers – Apple identifier‑for‑vendor (IDFV); an internal hashed user ID when you sign in; optional display name or e‑mail if you choose to provide one.
• Subscription & purchase data – product identifier, transaction identifier, price, currency, and expiration dates (collected via RevenueCat).
• Support correspondence – the contents of messages you send to our support e‑mail address.
• Session replays – only if you explicitly opt‑in; a video‑like reconstruction of your in‑app interactions (text input is masked).

3. How We Use Your Information

We process your data for the following purposes and legal bases:

• Provide core functionality – deliver chat‑based film analyses, manage entitlements and purchases (Art. 6 (1)(b) GDPR – contract).
• Product analytics – understand feature adoption, improve performance, and fix bugs using PostHog, Firebase, and Google Analytics (Art. 6 (1)(f) GDPR – legitimate interest or Art. 6 (1)(a) when user consent is required).
• Customer support – respond to enquiries and troubleshoot issues (Art. 6 (1)(b) & (f) GDPR).
• Legal compliance – comply with accounting, tax, and consumer‑protection laws (Art. 6 (1)(c) GDPR).

4. Data Sharing

We disclose personal data only to the processors listed below, each of which acts under a Data Processing Agreement (DPA):

• PostHog Inc., 2261 Market St #4066, San Francisco CA 94114, USA – product analytics & optional session replays.
• Google LLC / Firebase Inc. – crash reporting and push‑notification delivery.
• RevenueCat Inc. – subscription and in‑app‑purchase management.
• DigitalOcean LLC – hosting provider for our backend services.
• OpenAI Inc. – text‑generation API that powers the film analyses.

5. International Transfers

Data may be processed outside the European Economic Area ("EEA"). When we use processors located in the United States, transfers are safeguarded by:

• the processor’s certification under the EU‑US Data Privacy Framework or
• the European Commission’s Standard Contractual Clauses ("SCCs").

6. Data Retention

We retain raw event data for up to 12 months, aggregated analytics indefinitely, and support correspondence for 24 months, unless a longer period is required by law. Session replays (if enabled) are stored for a maximum of 30 days.

7. Your Rights

You have the right to request access, rectification, erasure, restriction, portability, or object to processing of your personal data. To exercise any right, e‑mail [email protected]. If you believe your rights are infringed, you may lodge a complaint with the Polish Data Protection Authority (UODO) or your local authority.

8. Opt‑Out & Consent Management

You can disable analytics and session replays at any time in Settings → Analytics. Doing so triggers the SDK function posthog.optOut(), which immediately stops data collection. Where consent is the legal basis, processing will not begin until you opt‑in.

9. Security Measures

We apply industry‑standard TLS encryption in transit, AES‑256 at rest, access controls, and continuous monitoring. PostHog, DigitalOcean, and RevenueCat hold SOC 2 Type II certifications.

10. Children’s Privacy

The App is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us for deletion.

11. Apple App Privacy Nutrition Label

We disclose the following data categories in App Store Connect:

• Analytics (Not linked to the user) – Usage Data, Diagnostics (when analytics is anonymous).

We do not track users across third‑party apps or websites; therefore, App Tracking Transparency permission is not required.

12. Changes To This Policy

We reserve the right to modify this policy. Changes will be communicated within the App and become effective 14 days after publication.

13. Contact

For any privacy‑related questions, reach out at [email protected].