Privacy Policy

2. Information We Collect

We collect information directly from you, automatically through your use of the Service, and from third-party sources.

2.1 Information You Provide to Us

2.1.1 Account Information

When you create an account, we collect:

• Username (publicly visible)
• Email address (private, used for authentication and communications)
• Password (stored securely using cryptographic hashing; we never see your plaintext password)
• Profile information (optional: avatar/profile image, display name, bio, interests, profile links)
• Date of account creation

2.1.2 User Content

You provide content when you use the Service, including:

• Messages posted in Circles (text, images, GIFs, emojis, mentions)
• Votes (upvotes, downvotes, reactions)
• Circle participation (Circles you join, create, or moderate)
• Profile customizations (interests, preferences)
• Direct messages (if we implement this feature)

Important: User Content is designed for ephemeral removal on the Service (including targets on the order of roughly 48 hours after the relevant daily window for Circle messages, plus technical buffers). If content is reported, we may preserve that content and limited contextual capture (such as surrounding messages) in a reported content archive for trust, safety, and legal compliance. We may also retain certain metadata (for example, connection and interaction metadata tied to safety workflows) for up to 180 days where described in Section 6.

2.2 Information Collected Automatically

2.2.1 Device and Technical Information

When you access the Service, we automatically collect:

• IP address (used for security, fraud prevention, geolocation, and analytics)
• Device identifiers (device ID, advertising ID, browser fingerprint)
• Device information (operating system, OS version, device model, manufacturer)
• Browser information (browser type, version, language preference, time zone)
• Screen resolution and display settings

2.2.2 Usage Data and Activity Logs

We collect information about how you interact with the Service:

• Login and authentication logs (login timestamps, authentication method, session duration)
• Circle activity (Circles joined, created, or moderated; time spent in each Circle)
• Messaging activity (number of messages sent, timestamps, Circle IDs—but not full message content except in the legal archive)
• Voting activity (votes cast, voting patterns, reputation changes)
• Navigation and interaction data (pages/screens viewed, features used, clicks, scrolls, time spent)
• Search queries (if we implement search functionality)
• Referral source (how you arrived at Turf—e.g., direct link, search engine, social media)

Marco Civil da Internet (Brazil): If you access the Service from Brazil, please note that under applicable Brazilian law, internet application providers may be required to retain access logs including IP addresses and timestamps for at least six months, and may be required to retain application access records for at least one year, subject to legal process and regulator guidance.

2.3 Information from Third-Party Sources

2.3.1 Authentication Providers

If you sign in using a third-party authentication service (e.g., Google, Apple, GitHub), we receive:

• Basic profile information (name, email, profile photo) as permitted by the provider
• Unique identifier from the provider (used to link your Turf account)
• Authentication tokens (used to verify your identity)

We only request the minimum permissions necessary. You can review and revoke these permissions through the third-party provider's settings.

2.3.2 Analytics and Service Providers

We use third-party analytics, error reporting, and infrastructure services that may collect and share information with us:

• Google Analytics, Firebase Analytics: Usage patterns, demographics, device types
• Sentry, LogRocket: Error reports, crash logs, session replays (with PII redaction)
• Firebase, Vercel, cloud providers: Infrastructure logs, performance metrics
• Anti-abuse and security partners: Fraud signals, IP reputation, bot detection data

3. How We Use Your Information

We use your information for the purposes described below, based on the legal grounds specified (where applicable under GDPR/UK GDPR/LGPD).

3.1 To Provide and Operate the Service

Purposes:

• Create and manage your account
• Enable you to post messages, vote, react, and participate in Circles
• Display your User Content to other users
• Implement ephemeral messaging and automated removal targets described in our Terms and this Policy
• Facilitate real-time messaging and notifications
• Process your interactions with other users
• Maintain reported-content and safety archives where required

Legal Basis (GDPR/UK GDPR): Performance of contract (providing the Service you requested)
Legal Basis (LGPD): Execution of contract

3.2 To Ensure Safety, Security, and Platform Integrity

Purposes:

• Detect, prevent, and investigate fraud, abuse, spam, and manipulation
• Enforce our Terms of Service and Community Guidelines
• Moderate content and respond to user reports
• Investigate violations and take enforcement actions (warnings, suspensions, terminations)
• Prevent unauthorized access and protect against security threats
• Combat bots, fake accounts, and coordinated inauthentic behavior
• Identify and block malicious actors

Legal Basis (GDPR/UK GDPR): Legitimate interests (protecting our users, maintaining platform integrity, preventing illegal activity)
Legal Basis (LGPD): Legitimate interest, protection of credit, and compliance with legal obligations

3.3 To Improve, Develop, and Personalize the Service

Purposes:

• Analyze usage patterns and user behavior to understand how the Service is used
• Develop new features, products, and functionality
• Conduct research and testing (including A/B testing)
• Personalize your experience (e.g., recommend Circles, tailor content feeds)
• Train and improve AI bots (using anonymized or aggregated interaction data)
• Generate anonymized, aggregated analytics and metrics
• Troubleshoot technical issues and optimize performance

We also use information to produce aggregated analytics as described in Section 3.6.

Legal Basis (GDPR/UK GDPR): Legitimate interests (improving our Service and user experience)
Legal Basis (LGPD): Legitimate interest

3.4 To Communicate with You

Purposes:

• Send account-related notifications (password resets, security alerts, account changes)
• Notify you of updates to our Terms, policies, or Service features
• Respond to your support inquiries, reports, or appeals
• Send announcements or important Service information (e.g., scheduled maintenance, policy updates)
• Request feedback or conduct user surveys (optional)

Legal Basis (GDPR/UK GDPR): Performance of contract, legitimate interests (customer service and communication)
Legal Basis (LGPD): Execution of contract and legitimate interest

Marketing Communications: We do NOT currently send marketing or promotional emails. If we introduce marketing communications in the future, we will obtain your explicit consent and provide opt-out mechanisms.

3.5 To Comply with Legal Obligations and Enforce Our Rights

Purposes:

• Comply with applicable laws, regulations, and legal processes (subpoenas, warrants, court orders)
• Respond to law enforcement requests and government inquiries
• Protect our legal rights and defend against claims or litigation
• Enforce our Terms of Service, policies, and user agreements
• Comply with tax, accounting, and record-keeping requirements
• Preserve evidence pursuant to legal holds

Legal Basis (GDPR/UK GDPR): Legal obligation, legitimate interests (defending legal rights), vital interests (protecting life or safety)
Legal Basis (LGPD): Legal or regulatory obligation, protection of credit, compliance with legal obligations

3.6 Aggregated Analytics, Reported Content, and Retention Context

3.6.1 Aggregated and de-identified statistics

We may derive and use aggregated, de-identified statistical information about how the Service is used (for example, counts, rates, and trends) to operate, secure, and improve Turf. We apply commercially reasonable measures to reduce the risk that such statistics can be linked back to you.

3.6.2 Contextual capture when you report content

When you report content, we may preserve the reported item and a limited contextual capture (for example, surrounding messages in the same thread or conversation) as needed to investigate the report, enforce our policies, and meet safety and legal obligations.

3.6.3 Commercially reasonable de-identification

Where we process information for analytics or derived statistics, we use commercially reasonable technical and organizational measures appropriate to the risk, including aggregation, minimization, access controls, and vendor restrictions. We do not claim perfect anonymization in all cases; you should avoid posting sensitive information you do not want others to see in public areas of the Service.

3.6.4 Legal bases (summary)

Depending on your jurisdiction, processing described in this Section may rely on performance of contract, legitimate interests (balanced against your rights), legal obligations, and (where required) your consent. You may contact us at team@turfyeah.com to exercise rights available to you under applicable law.

3.6.5 Reported content archive and aggregated data

Reported content archive: Content preserved because it was reported, or because it is subject to trust-and-safety or legal review, may be retained for the periods needed for those purposes and as described in Section 6.

Aggregated statistical data: We may retain and use aggregated statistical data that does not reasonably identify you for product, security, and operations purposes, consistent with our Terms of Service.

Your choices: You may contact team@turfyeah.com for privacy requests. Marketing communications are not a focus of this Policy; if we introduce promotional emails, we will provide appropriate consent and opt-out mechanisms.

4. How We Share Your Information

4.1 Service Providers

We share information with service providers who help us operate the Service, including:

• Cloud hosting and infrastructure (Firebase, Vercel, Google Cloud)
• Analytics and performance monitoring
• Email delivery services
• Customer support tools
• Security and fraud prevention services

These providers are contractually obligated to protect your information and only use it for the services they provide to us.

4.2 Legal Requirements

We may disclose information when required by law or legal process, or when we believe disclosure is necessary to:

• Comply with applicable laws, regulations, or legal proceedings
• Protect the rights, property, or safety of Turf, our users, or others
• Prevent illegal activity or enforce our Terms of Service

4.3 Business Transfers

If Turf is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.

4.4 Commercial Partners and Licensees

We may share aggregated, de-identified statistical information with service providers and partners as described in Section 3.6. We do not sell your personal information as defined by applicable U.S. state privacy laws; we share identifiers with service providers only as needed to operate the Service.

4.5 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Password Security: Secure password hashing using bcrypt or Argon2
• Access Controls: Role-based access controls and audit logging
• Security Assessments: Regular vulnerability scanning and penetration testing
• Incident Response: Documented procedures for responding to security incidents

However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

Retention periods depend on the category of information and our legal, safety, and operational needs. The table below summarizes our default targets; actual retention may vary where law requires longer preservation or where we must freeze data under legal process.

We may retain certain information longer if required by law, legal hold, or legitimate business purposes consistent with this Policy.

7. Cookies and Tracking Technologies

7.1 What We Use

We use cookies and similar technologies for:

• Essential Cookies: Required for authentication and security
• Analytics Cookies: Help us understand how you use the Service
• Preference Cookies: Remember your settings and preferences

7.2 Your Choices

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

8. AI and Automation

8.1 AI Bots in Circles

Turf may deploy AI-powered bots in Circles. These bots are clearly labeled and provide information for entertainment purposes only. Do not rely on AI bots for professional advice.

8.2 Automated Processing

We use automated systems in connection with the processing described in Section 3.6, including:

• Aggregated and de-identified statistics. We may derive and use aggregated, de-identified statistical information about how the Service is used (for example, counts, rates, and trends) to operate, secure, and improve Turf. We apply commercially reasonable measures to reduce the risk that such statistics can be linked back to you.
• Contextual capture when you report content. When you report content, we may preserve the reported item and a limited contextual capture (for example, surrounding messages in the same thread or conversation) as needed to investigate the report, enforce our policies, and meet safety and legal obligations.
• Commercially reasonable de-identification. Where we process information for analytics or derived statistics, we use commercially reasonable technical and organizational measures appropriate to the risk, including aggregation, minimization, access controls, and vendor restrictions. We do not claim perfect anonymization in all cases; you should avoid posting sensitive information you do not want others to see in public areas of the Service.
• Legal bases (summary). Depending on your jurisdiction, processing described in Section 3.6 may rely on performance of contract, legitimate interests (balanced against your rights), legal obligations, and (where required) your consent. You may contact us at team@turfyeah.com to exercise rights available to you under applicable law.

• Reported content archive: Content preserved because it was reported, or because it is subject to trust-and-safety or legal review, may be retained for the periods needed for those purposes and as described in Section 6.

  Aggregated statistical data: We may retain and use aggregated statistical data that does not reasonably identify you for product, security, and operations purposes, consistent with our Terms of Service.

You have the right to request human review of automated decisions that significantly affect you.

9. International Data Transfers

Your information may be transferred to and processed in countries outside your own. We ensure appropriate safeguards are in place for such transfers:

• Standard Contractual Clauses approved by the European Commission
• Data Processing Agreements with all service providers
• Compliance with applicable data protection laws

10. Your Rights (US Users)

10.1 California Residents (CCPA/CPRA)

California residents have the following rights:

• Right to Know: Request information about the personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

We Do Not Sell Your Personal Information: We do not sell your personal information as defined by applicable privacy laws. Aggregated, de-identified statistics described in Section 3.6 are not treated as personal information to the extent they cannot reasonably identify you.

You have the right to opt out of the sale or sharing of your personal information where applicable. De-identified aggregated statistics described in Section 3.6 are not considered personal information under California law to the extent they meet applicable standards.

To exercise your rights, contact us at team@turfyeah.com or use the "Do Not Sell or Share My Personal Information" link in our footer.

10.2 Other US States

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights. Contact us at team@turfyeah.com to exercise your rights.

11. Your Rights (EU/UK Users - GDPR)

If you are in the EU, EEA, or UK, you have the following rights under GDPR:

• Right of Access: Obtain confirmation and access to your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests, including for the analytics and aggregated processing described in Section 3.6
• Rights Related to Automated Decision-Making: Request human review of automated decisions

You have the right to object to processing based on legitimate interests, including for the analytics and aggregated processing described in Section 3.6. Contact team@turfyeah.com to exercise this right.

To exercise your rights, contact us at team@turfyeah.com. You also have the right to lodge a complaint with your local data protection authority.

12. Your Rights (Brazilian Users - LGPD)

If you are in Brazil, you have the following rights under LGPD:

• Confirmation and Access: Confirm whether we process your data and access it
• Correction: Correct incomplete, inaccurate, or outdated data
• Anonymization, Blocking, or Deletion: For unnecessary or excessive data, or data processed in violation of LGPD
• Portability: Transfer your data to another service provider
• Deletion: Delete data processed with your consent
• Information: Know about third parties with whom we share your data
• Consent Withdrawal: Revoke consent at any time

You have rights under Article 18 of the LGPD regarding processing described in Section 3.6, including the right to anonymization, blocking, or deletion of unnecessary data where applicable.

To exercise your rights, contact us at team@turfyeah.com or at our Brazil address. You may also contact the ANPD (National Data Protection Authority).

13. Children's Privacy

Turf is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected information from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, please contact us at team@turfyeah.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending you an email notification
• Displaying a prominent notice in the Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

15. Contact Us

15.1 Privacy Inquiries

For all privacy-related questions, concerns, or requests: