Privacy Policy

Shyne is operated by Kube Ecosystem SL, Gran Via 415, 08015, Barcelona, Spain ("Company," "we," "us," or "our"). We act as the data controller for the personal data processed through the Shyne mobile application and related services (the "Service").

Data Protection Officer: privacy@shynesocial.com General enquiries: support@shynesocial.com Website: https://shynesocial.com

This Privacy Policy applies to all personal data we collect and process when you use the Shyne mobile application, visit our website, or interact with our services.

This policy is drafted in compliance with the following data protection regulations, among others: the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679; the Spanish Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD); the ePrivacy Directive (2002/58/EC); the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); US state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), and similar legislation enacted through 2026; the Brazilian Lei Geral de Proteção de Dados (LGPD); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); and the Australian Privacy Act 1988.

Where a specific jurisdiction provides additional rights or imposes additional requirements, we address those in dedicated sections below. If there is a conflict between the general provisions of this policy and a jurisdiction-specific section, the jurisdiction-specific section prevails for residents of that jurisdiction.

Account data: When you register, we collect your phone number (for verification), display name, profile photo, date of birth, and intent tag. We do not collect your full legal name unless you choose to use it as your display name.

Venue check-in data: When you check into a venue, we record the venue ID, check-in time, and checkout time. Check-in is always explicit and opt-in — we never check you in automatically.

Signal and response data: We log all approach signals and their responses, including sender ID, recipient ID, response type, and timestamp. This data is used for moderation, safety enforcement, and service operation.

Chat data: If a recipient selects "Message first," we process the text messages exchanged during the in-session chat. Chat messages are ephemeral and are deleted when the venue session ends.

Location data: We process your approximate location only during venue check-in to verify you are at the venue (geofence verification). We do not track your location continuously or within the venue.

Device and technical data: We collect device type, operating system version, app version, IP address, and crash logs for service operation and troubleshooting.

Moderation data: Reports, blocks, and "I feel unsafe" alerts are logged with relevant context for safety review. This includes the reporter ID, reported user ID, category, optional note, and timestamp.

Under the CCPA/CPRA and other US state privacy laws, we are required to disclose the categories of personal information we collect. In the preceding 12 months, we have collected the following categories:

Identifiers: Display name, email address, phone number, unique user ID, IP address, device identifiers.

Personal information under Cal. Civ. Code § 1798.80(e): Name, phone number.

Characteristics of protected classifications: Date of birth (age).

Internet or other electronic network activity: App usage data, crash logs, interaction data (signals, responses).

Geolocation data: Approximate location during venue check-in.

Sensory data: Profile photo.

Inferences: Intent tag (self-selected by user).

We do not collect sensitive personal information as defined by the CCPA/CPRA (such as Social Security numbers, financial account numbers, precise geolocation for tracking, or genetic data).

We process your personal data for the following purposes and on the following legal bases under GDPR Article 6(1):

Service operation (contract performance, Art. 6(1)(b)): To create and maintain your account, facilitate venue check-ins, process approach signals and responses, enable in-session chat, and deliver the core functionality of the Service.

Safety and moderation (legitimate interest, Art. 6(1)(f)): To review reports, enforce community guidelines, prevent abuse, investigate misconduct, and maintain a safe environment for all users. Our legitimate interest is balanced against your rights through data minimisation, access controls, and retention limits.

Legal compliance (legal obligation, Art. 6(1)(c)): To comply with applicable laws, respond to lawful requests from authorities, enforce our Terms of Use, and protect our legal rights.

Service improvement (legitimate interest, Art. 6(1)(f)): To analyse aggregated, anonymised usage patterns to improve the Service. We do not use individual user data for profiling or algorithmic matching.

Communications (consent, Art. 6(1)(a)): To send you optional marketing communications, only if you have explicitly opted in. You can withdraw consent at any time.

With other users: Your display name, profile photo, intent tag, and approximate age range are visible to users checked into the same venue. When you send or receive a signal, the other party sees your profile information.

With venue operators: Venue operators receive anonymised, aggregated check-in counts only. They do not have access to individual user profiles, signal data, or chat content.

With service providers: We use third-party service providers for hosting (Hetzner), authentication (Keycloak, self-hosted), push notifications (Firebase Cloud Messaging), and email delivery. These providers process data on our behalf under data processing agreements that ensure compliance with applicable data protection laws.

With law enforcement: We may disclose personal data to law enforcement or regulatory authorities when required by law, in response to a valid legal process, or when we believe disclosure is necessary to protect the safety of our users or the public.

We do not sell your personal data. We do not "share" your personal data for cross-context behavioural advertising as defined by the CCPA/CPRA. We do not share your data with advertisers. We do not use your data for algorithmic matching or profiling.

Your data is primarily stored and processed within the European Economic Area (EEA) on servers located in Germany (Hetzner).

Where data is transferred outside the EEA (for example, to Firebase Cloud Messaging operated by Google), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions under GDPR Article 45.

For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office.

For transfers involving Brazilian data subjects, we rely on the transfer mechanisms permitted under LGPD Article 33, including SCCs and adequacy determinations.

For transfers involving Canadian data subjects, we ensure compliance with PIPEDA's requirements for cross-border data transfers, including contractual safeguards that provide a comparable level of protection.

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): You can request a copy of the personal data we hold about you.

Right to rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.

Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations.

Right to restriction (Art. 18): You can request that we restrict the processing of your data in certain circumstances.

Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21): You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

Rights related to automated decision-making (Art. 22): Shyne does not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

To exercise any of these rights, contact us at privacy@shynesocial.com. We will respond within 30 days. If we need more time, we will inform you of the extension and the reasons within the initial 30-day period.

You also have the right to lodge a complaint with a supervisory authority. In Spain, the relevant authority is the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es.

If you are located in the United Kingdom, you have equivalent rights under the UK GDPR and the Data Protection Act 2018, including the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent as described in Section 8.

To exercise your rights, contact us at privacy@shynesocial.com. We will respond within one calendar month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk or by calling the ICO helpline at 0303 123 1113.

Depending on your state of residence, you may have the following rights under applicable US state privacy laws (including the CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, OCPA, and similar laws enacted through 2026):

Right to Know / Access: You have the right to request that we disclose the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you.

Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.

Right to Correct: You have the right to request the correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.

Right to Appeal: If we deny your privacy request, you may appeal our decision by contacting us at privacy@shynesocial.com. If your appeal is denied, you may contact your state Attorney General.

To exercise your rights, email privacy@shynesocial.com with the subject line "US Privacy Request." We will verify your identity before processing your request. You may designate an authorised agent to submit a request on your behalf.

California Shine the Light: California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

We have not sold or shared (as defined by the CCPA/CPRA) any personal information of consumers in the preceding 12 months.

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018):

Confirmation and access: You may request confirmation of whether we process your personal data and access to that data.

Correction: You may request the correction of incomplete, inaccurate, or outdated personal data.

Anonymisation, blocking, or deletion: You may request the anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD.

Portability: You may request the portability of your personal data to another service provider.

Deletion: You may request the deletion of personal data processed with your consent.

Information about sharing: You may request information about the public and private entities with which we have shared your data.

Revocation of consent: You may revoke your consent at any time.

We process your data on the legal bases of contract performance, legitimate interest, legal obligation, and consent, as applicable under LGPD Articles 7 and 11.

To exercise your rights, contact us at privacy@shynesocial.com. You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd.

If you are located in Canada, your personal information is handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation where applicable.

Under PIPEDA, you have the right to: access your personal information held by us; challenge the accuracy and completeness of your personal information and request amendments; withdraw consent for certain processing (subject to legal or contractual restrictions); file a complaint regarding our privacy practices.

We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. We obtain meaningful consent for the collection, use, and disclosure of personal information.

To exercise your rights, contact us at privacy@shynesocial.com. You may also file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.

Account data: Retained for as long as your account is active. Upon account deletion, we delete or anonymise your data within 30 days, except where retention is required by law.

Venue check-in data: Retained for 90 days for safety and moderation purposes, then anonymised.

Signal and response data: Retained for 90 days for moderation audit trail, then anonymised.

Chat data: Deleted when the venue session ends. Chat messages are not retained after session expiry.

Moderation data (reports, blocks): Retained for 2 years to support ongoing safety enforcement and pattern detection.

Technical and device data: Retained for 12 months for troubleshooting, then deleted.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will delete that information immediately.

In the United Kingdom, we have regard to the ICO's Age Appropriate Design Code (Children's Code) to the extent applicable. Our Service is designed for adults aged 18 and over and does not target children.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@shynesocial.com.

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry consensus on how to respond to DNT signals. Our website does not currently alter its behaviour in response to DNT signals.

We honour Global Privacy Control (GPC) signals as a valid opt-out of the sale or sharing of personal information where required by applicable US state law. If your browser or extension sends a GPC signal, we will treat it as a request to opt out of any sale or sharing of personal information for that browser/device.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service.

We will notify you of material changes by posting the updated policy within the app, by email, or by a prominent notice on our website. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Kube Ecosystem SL Gran Via 415, 08015, Barcelona, Spain Data Protection Officer: privacy@shynesocial.com General enquiries: support@shynesocial.com Website: https://shynesocial.com

You may also lodge a complaint with the supervisory authority in your jurisdiction: • EU/Spain: Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es • United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — https://www.gov.br/anpd • Canada: Office of the Privacy Commissioner — https://www.priv.gc.ca • United States: Your state Attorney General's office