Privacy Policy

Last updated: November 29, 2025

Effective date: November 29, 2025

1. Data Controller

Ferdly ("we," "us," or "our") is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications (iOS, iPadOS, macOS, Android) and web services (collectively, the "Services").

Contact Information:

Email: privacy@ferdly.app

For privacy-related inquiries, data requests, or to exercise your rights under GDPR or other applicable laws, please contact us at the email above.

2. Information We Collect

We collect information that you provide directly to us, information collected automatically, and information from third-party sources. Below is a comprehensive list organized by category:

2.1 Account & Profile Information

  • Email address and display name
  • Phone number (optional)
  • Profile biography and website
  • Profile photo and banner image
  • Birthday and relationship status (optional)
  • Location/city (optional, user-provided)
  • Interests and hobbies (optional)
  • Social media links (optional)

2.2 Educational & Professional Information

  • University/school name and school ID
  • Major/field of study and graduation year
  • Student email address (for verification)
  • Company name and job position
  • Work email address (optional)

2.3 Communications Data

  • Direct messages (end-to-end encrypted)
  • Group chat messages (encrypted with group keys)
  • Voice messages and audio recordings
  • Voice/video call metadata (duration, participants, timestamps)
  • Call transcriptions (when enabled)
  • Message reactions and read receipts

2.4 Device & Technical Information

  • Unique device identifier (generated by the app)
  • Device model, name, and operating system version
  • App version and build number
  • IP address and approximate location derived from IP
  • User agent string
  • Session tokens and authentication data
  • Push notification tokens (APNs, FCM)
  • Cookies and similar tracking technologies (web application only - see our Cookie Policy)

2.5 Location Data

  • Precise GPS coordinates (only when you grant permission)
  • Nearby rooms and location-based feature data
  • Location is used for "Moments" features and friend discovery

You can revoke location permissions at any time in your device settings.

2.6 Biometric Data (Local Processing Only)

  • Face ID, Touch ID, or Optic ID for chat lock authentication

Biometric data is processed entirely on your device using Apple's LocalAuthentication framework. We never receive, transmit, or store your biometric data on our servers.

2.7 AI Feature Data

  • AI provider preferences (local vs. cloud)
  • Ferdi AI usage statistics
  • Conversations with Ferdi AI assistant
  • AI-generated content and suggestions

You can choose to use local on-device AI processing, which keeps your data private and does not send information to external servers.

2.8 Social & Content Data

  • Social posts, stories, and clips
  • Comments, likes, and reactions
  • Followers and following lists
  • Contacts and friend connections
  • Photos, videos, and media uploads
  • Post visibility preferences

2.9 Marketplace Data

  • Product listings and descriptions
  • Order history and transaction records
  • Seller/buyer communications
  • Reviews and ratings

2.10 Privacy Settings & Preferences

  • Profile visibility settings (public, contacts only, private)
  • Online status visibility preferences
  • Contact request preferences
  • Notification preferences
  • Data sharing preferences
  • Theme and language preferences

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our Services, including account creation, messaging, and core app functionality.
  • Consent: Where you have given explicit consent, such as for location services, optional profile information, cloud AI features, and marketing communications. You may withdraw consent at any time.
  • Legitimate Interests: Processing for purposes such as improving our Services, preventing fraud, ensuring security, and providing customer support, where these interests are not overridden by your rights.
  • Legal Obligations: Processing required to comply with applicable laws, regulations, or legal processes.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide, maintain, and improve our Services
  • Create and manage your account
  • Enable messaging, calling, and social features
  • Deliver end-to-end encrypted communications
  • Process marketplace transactions
  • Provide AI assistant functionality (Ferdi)
  • Send push notifications and service communications
  • Enable location-based features when permitted
  • Personalize your experience based on preferences
  • Monitor and analyze usage patterns and trends
  • Detect, prevent, and address security issues and fraud
  • Respond to your requests and provide customer support
  • Comply with legal obligations

5. End-to-End Encryption

We implement strong end-to-end encryption (E2EE) to protect your private communications:

  • Direct Messages: Encrypted using Curve25519 key agreement (ECDH) with AES-256-GCM symmetric encryption. Only you and your recipient can read these messages.
  • Group Messages: Protected with shared symmetric keys distributed securely to group members.
  • Key Storage: Your private encryption keys are stored securely in your device's Keychain/Keystore and never transmitted to our servers.
  • Key Export: You can export and back up your encryption keys to sync across devices.

We cannot read your encrypted messages. If you lose access to your encryption keys, encrypted message history cannot be recovered.

6. Data Sharing & Third-Party Services

We do not sell, trade, or rent your personal information. We may share your data with third parties only in the following circumstances:

6.1 Service Providers (Data Processors)

We work with trusted service providers who process data on our behalf:

  • Supabase: Database, authentication, and file storage services. Data is stored in secure, SOC 2 compliant infrastructure.
  • Firebase (Google): Push notification delivery services. Only device tokens and notification metadata are shared.
  • OpenAI: Cloud AI processing (optional). Only used if you select cloud AI mode. Subject to OpenAI's privacy policy and data handling practices.
  • Google Sign-In: Authentication provider (optional). Only basic profile information is shared when you choose to sign in with Google.
  • Vercel: Web hosting and content delivery for our web application.

6.2 Other Sharing Circumstances

  • With your explicit consent or at your direction
  • To comply with legal obligations, court orders, or legal processes
  • To protect our rights, property, or safety, or that of our users
  • In connection with a merger, acquisition, or sale of assets (with notice)
  • With other users as part of normal app functionality (e.g., your profile visible to contacts)

7. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers operate.

When we transfer personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Transfers to countries with adequacy decisions
  • Binding Corporate Rules where applicable

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

  • Account Data: Retained while your account is active and for up to 30 days after deletion request
  • Messages: Encrypted messages are retained until you delete them; we cannot access their content
  • Call Metadata: Retained for up to 1 year for service improvement and troubleshooting
  • Device Sessions: Active sessions retained while in use; revoked sessions deleted after 30 days
  • Posts & Media: Retained until you delete them or your account is closed
  • Stories: Automatically deleted after 24 hours unless saved to highlights
  • Usage Analytics: Aggregated, anonymized data may be retained indefinitely
  • Legal Records: Data required for legal compliance may be retained as required by law

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances.
  • Right to Restriction: Request that we limit how we use your data.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON) and transfer it to another service.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that significantly affect you.

How to Exercise Your Rights:

To exercise any of these rights, please contact us at privacy@ferdly.app.

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates applicable law.

10. Automated Decision-Making & AI

Our Services include AI-powered features (Ferdi AI assistant) that may process your data:

  • AI features are optional and can be disabled in settings
  • You can choose local on-device AI processing for maximum privacy
  • We do not make fully automated decisions with legal or significant effects without human oversight
  • AI suggestions (e.g., smart replies) are recommendations only and require your action

11. Security Measures

We implement robust technical and organizational measures to protect your personal data:

  • End-to-end encryption for private messages (Curve25519/AES-256-GCM)
  • TLS/SSL encryption for all data in transit
  • Encryption at rest for stored data
  • Secure key storage using device Keychain/Keystore
  • Multi-device session management with revocation capability
  • Biometric authentication support (Face ID, Touch ID)
  • Regular security audits and vulnerability assessments
  • Access controls and authentication for internal systems
  • Incident response procedures

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

Our Services are not intended for children under the age of 13 (or 16 in certain jurisdictions within the EEA). We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@ferdly.app. We will take steps to delete such information promptly.

13. Cookies & Tracking Technologies

Our web application may use cookies and similar tracking technologies:

  • Essential Cookies: Required for basic functionality, authentication, and security.
  • Preference Cookies: Remember your settings and preferences (theme, language).
  • Analytics: We have disabled Google Analytics in our Firebase configuration. We do not use third-party advertising trackers.

You can control cookies through your browser settings. Note that disabling essential cookies may affect app functionality.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected and how it is used
  • Right to delete your personal information
  • Right to opt out of the "sale" of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@ferdly.app.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

  • We will notify you of material changes through the app or via email
  • The "Last updated" date at the top indicates when the policy was last revised
  • Continued use of our Services after changes constitutes acceptance of the updated policy
  • For significant changes, we may seek your explicit consent where required by law

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Ferdly Privacy Team

Email: privacy@ferdly.app

We aim to respond to all privacy inquiries within 30 days. For data subject access requests under GDPR, we will respond within the legally required timeframe.

Summary of Key Points

  • Your private messages are end-to-end encrypted — we cannot read them
  • You control your data through privacy settings in the app
  • You can use local AI processing for maximum privacy
  • We do not sell your personal information
  • You have rights to access, correct, delete, and export your data
  • Biometric data never leaves your device
  • Location data is only collected with your explicit permission
  • Contact privacy@ferdly.app for any privacy concerns