FRIENDA
PRIVACY POLICY

Last Updated: July 22, 2025

This Privacy Policy explains how Frienda collects, uses, and protects your personal data. Frienda is operated by SUMMEET PTY LTD, doing business as FRIENDA, referred to as “we,” “us,” or “our.” Frienda is available as a Telegram Mini App, a website (frienda.au and app.frienda.au), and an iOS mobile app. By using Frienda, you agree to the collection and use of your data as outlined in this Privacy Policy. If you do not agree with this policy, please do not use Frienda.

1. Data Collection & Usage

We collect several types of information when you use Frienda, and we use it for various purposes to operate and improve the service. Below we outline what we collect on each platform and how we use it.

1.1 Account Login Data (Third-Party Authentication)

Frienda uses third-party authentication via Supabase Auth. Depending on how you sign up or log in, we receive basic account information from that provider:

Sign in with Apple: If you sign in via Apple (on iOS or web), Apple provides a unique Apple user ID and the name and email address you authorize. If you use Apple’s “Hide My Email” feature, we receive an anonymized relay email address. We use this info to create your Frienda account. We do not receive your Apple account password or any data beyond the name and email you choose to share. Apple will know that you used its Sign in with Apple feature for Frienda, but we do not send any of your Frienda usage data back to Apple.

Sign in with Google: If you log in with Google, Google provides us with a unique Google user ID and your Google account name and email (as permitted by your Google consent). We use these to set up your Frienda account, and similarly do not get your Google password or any other Google data beyond name/email.

Sign in with Telegram: If you launch the Frienda Mini App on Telegram, Telegram shares with us your Telegram user ID, display name, username, profile photo, language, and app version. Telegram may also indicate if you have Telegram Premium. We use this to create your Frienda account and pre-fill your profile. (Telegram is not responsible for Frienda’s content or services, but simply passes this data to us with your consent.)

Email (one-time code verification): If you sign up using an email one-time-passcode, we collect your email address directly. We then send a verification code to that email to authenticate you (we never collect any email password).

Privacy Note: In all cases, we limit ourselves to the data needed for authentication. You should review the third-party provider’s privacy policy (Telegram, Apple, Google) to understand how they handle your credentials. We do not send any of your Frienda data back to Apple, Google, or Telegram except as necessary for the login integration (for example, Telegram knows you opened the Frienda Mini App; Apple knows you used Sign in with Apple).

1.2 Profile Information You Provide

Once logged in, you are required to provide additional information to build your Frienda profile. This includes:

Name: We use your first name for your profile. If available from your login (e.g., your Apple, Google or Telegram name), we use that to start; you may edit it during registration.

Date of Birth: We collect your birth date to confirm you are at least 18 years old (Frienda is adults-only) and to tailor age-appropriate experiences. This helps us ensure no underage users and allows us to show approximate age or match you appropriately by age group. (Birth date is set at registration and cannot be freely changed later without contacting support, to prevent underage users from altering it.)

City/Location: We ask for the city or general location where you live. This helps connect you with potential friends nearby. If our automatic location (see below) is inaccurate, you can adjust your city during signup.

Instagram: You have the option to add an Instagram handle to your profile; this is completely voluntary and not fetched automatically (you would type it in). Any social media handle you add will be visible to your Frienda friends once connected. Note: Only share handles if you’re comfortable; leaving the Instagram field blank is fine.

Profile Photos: You are required to upload at least three profile photos to showcase yourself. These images are visible to other users. We store these photos securely and may review them for compliance with our Community Guidelines (e.g. to ensure no explicit or prohibited content). Aside from those guideline checks, we use your photos only within the app (e.g., to display to others in friend suggestions).

Profile Description and Emoji: You are required to fill out description section about yourself, and you also required to add a brief bio composed of up to 20 emojis. These fields are optional in terms of content (you choose what to write), but completing them is part of having a full profile. Whatever you share here will be visible to other users, so please do not include extremely sensitive personal details in these fields. Stick to information you are comfortable sharing publicly within the Frienda community.

How We Use Profile Data: All the profile details you provide (photos, description, etc.) are used to personalize the service for you and to show your profile to other users in Frienda’s friend-matching system. This is core to how Frienda works – it helps others decide if they want to connect with you, and vice versa. Please only include content in your profile that you are comfortable sharing. Do not include contact info like phone numbers or addresses in your profile fields, as profiles are meant to be seen by other users.

1.3 Location Data

Frienda may collect location information to enable location-based features, such as showing you nearby friends or events.

Precise Location (Opt-In): We will only collect your precise location (exact GPS-level coordinates) if you choose to grant permission. On Telegram, this happens if you share your live location via Telegram’s Location Manager (Telegram will explicitly ask you to allow this for the Frienda Mini App). On the iOS app or web, this happens if you allow location access via the OS/browser prompt. If you grant permission, we use your precise geolocation only to show relevant local content (like distance to other users or local friend suggestions). You can always revoke precise location access: in Telegram, by stopping location sharing; on iOS, by turning off location for Frienda in Settings; on web, via your browser settings. Frienda will not continually track your GPS location in the background – it’s only used when you actively share it for a feature.

Approximate Location (IP-based): If you do not share a GPS location, we may estimate your general region based on your IP address. This IP-to-city lookup is coarse – it might get your city or general area but not a pinpoint location. We use this to set a default location for your profile and to show you other users in your broad region. You can edit or correct the city we assign if it’s off. IP-based location is automatically gathered when you use any internet service; we simply use it to improve your Frienda experience in a privacy-friendly way (it’s not super precise).

Location is Optional: You can use Frienda without ever granting precise GPS location. If you decline all location requests, we will rely on IP-based approximation so the app still works (you’ll see people from your general region). If you do grant live location initially but later change your mind, just revoke the permission and we will stop collecting precise coordinates. In summary, location data (precise or approximate) is used only to tailor your Frienda experience (for example, showing distance to potential friends) and is not used for any other purpose, nor shared with any third parties outside the service.

1.4 Face Verification

For trust and safety, Frienda requires all users to complete a one-time face verification during registration. This helps us ensure each account represents a real person and prevent fraud (e.g. stopping someone from creating multiple fake profiles). Here's how it works:

Verification Process: When you sign up, Frienda will prompt you to take a selfie video or photo for a liveness check. We use AWS Rekognition Face Liveness, an AI service by Amazon Web Services, to analyze that selfie. The service confirms (1) that you are a live human (not a photo or spoof), and (2) that your face matches the person in the profile photos you uploaded. Essentially, it's checking that your profile pictures are indeed of you, and you're a real person present during signup.

Data Handling: The selfie or short video you provide for verification is encrypted and securely transmitted to AWS Rekognition for processing. AWS analyzes the data to perform the liveness and matching checks, then provides us with only a verification result. Important: Neither Frienda nor AWS retains your verification selfie or video after the verification process is complete. The data is deleted immediately after processing, typically within seconds.

Privacy Enhancement: We have implemented additional privacy safeguards beyond standard processing. We have opted out of all AWS AI service data usage policies, which means AWS is contractually prohibited from using any data we send to their services (including verification images) to improve or develop their machine learning technologies. This ensures your biometric data is used solely for your verification and nothing else, even during the brief processing period.

What We Store: We do not store your verification selfie or any biometric image data. We only retain the verification result (whether you successfully passed verification). This minimal verification record is stored as part of your account information and allows us to confirm your account has been verified without retaining any sensitive biometric data.

Use of Verification Data: We use only the verification result (not any image data) for account integrity purposes. For example, this result helps us identify potentially fraudulent accounts or prevent users from creating multiple accounts. We do not use verification results for any other purposes beyond account security and fraud prevention.

Data Sharing: The verification selfie is shared only with AWS Rekognition for the brief moment needed to perform the verification check. AWS does not retain the image data and processes it strictly for providing the verification result. We do not share verification images or results with any other third parties.

Retention: We retain only the verification status as long as your account is active. When you delete your account, we delete this verification record along with all other account data. Since we do not store the actual verification selfie or video, there is no biometric image data to delete.

Legal note: Because face verification involves processing biometric data, in jurisdictions like the EU we treat this processing as sensitive personal data requiring explicit consent. We obtain your explicit consent before the verification step (the app will ask you to agree to face verification). By completing the verification, you are explicitly consenting to this one-time biometric processing for account security purposes. The processing is limited to verification only – no ongoing biometric monitoring or analysis occurs. If you choose not to complete face verification, you will not be able to use Frienda (we require it for all users to maintain community authenticity).

1.5 Usage Data & Analytics

Like most apps, Frienda automatically collects certain technical information about how you use the app, to help us improve and troubleshoot:

Device and Technical Information: We collect data such as your device type (e.g. phone model or browser type), operating system version, app version, and language settings. We also gather device identifiers or installation IDs that help us distinguish users (for example, a random user ID we assign, or an advertising ID if available – though we do not use it for ads, see below). This information is sent whenever you interact with the app (it’s common for analytics and crash reports).

Usage Events: We use a third-party analytics platform called Amplitude to log events about how you use Frienda. For instance, we record events like screens or pages you view, buttons or features you tap, and the timing/sequencing of actions (e.g. how long you spend on a certain page, or the path you take through the app). This data helps us understand which features are popular, how users navigate, and where improvements or fixes might be needed. All usage data is primarily analyzed in aggregate – for example, we might see “X% of users clicked this new feature” or “Most users drop off at step Y of onboarding.” We generally do not look at individual user behavior except for troubleshooting specific issues or user support (and even then, the data is pseudonymized).

Analytics Privacy: We do not send highly personal content to Amplitude. For example, we do not send the text of your chat messages or the exact text of your profile answers into analytics. We might send an event like “User updated profile” or “User sent a message,” but not the message content or what you wrote in your profile. Amplitude may automatically capture additional data like IP address (which can infer general location) and device identifiers. We have configured Amplitude to either not store full IP or to anonymize it (e.g., only keep an approximate region). We have disabled any Amplitude features that would involve tracking users across different companies’ apps – for instance, Amplitude offers an “Advertising Mode” to help with ad targeting, which we do not use. Amplitude acts as our data processor, meaning they are contractually bound to use the data only to provide analytics services to us, not for their own purposes. (They are a reputable analytics provider and GDPR-compliant.) If you prefer, you can use a Do-Not-Track browser setting on our web app; we will honor it where feasible by not sending analytics for that session.

Error and Crash Reports: We use Sentry (an error monitoring service) to automatically report app errors or crashes. If the app encounters an error or bug, Sentry logs technical details about the crash (like the code location, device state, and a snapshot of recent actions leading to the error). This can include your user ID and recent taps or screen views to replay what happened up to the crash. These “session replays” help our developers diagnose and fix problems. Error logs might incidentally include some of your input at the time of crash (for example, if a glitch happened right after you typed something, the text field content could appear in the log). We do not use Sentry data for anything except debugging and improving stability. Sentry, as a processor, is also prohibited from using these data except to provide the service to us. We scrub or pseudonymize personal data in error logs where feasible (e.g., we might remove or mask email addresses or IDs in logs). Crash reports are accessible only to our developers and are treated with high confidentiality.

Other Diagnostics: We may gather other diagnostic data like load times, API call failure rates, etc., to monitor performance. This is all to ensure Frienda runs smoothly. None of this is used for marketing or profiling individual users beyond understanding technical issues.
In summary, analytics and usage data help us improve Frienda’s features and user experience. We balance this with your privacy by avoiding collection of content, focusing on metadata, using pseudonymous IDs, and honoring opt-outs (like Do-Not-Track). If you ever have concerns about analytics, you can reach out to us – we can even remove your identifier from Amplitude to stop any future analytics linking to you.

1.6 Messaging Data

Frienda enables one-on-one chatting between users who become friends (i.e., when two users mutually accept a friend connection). The way messages are handled depends on the platform you are using:

Frienda In-App Chats: On all platforms we provide an in-app messaging interface. These chats are powered by a third-party real-time chat service called CometChat. When you send messages or photos through Frienda’s own chat, those messages and associated metadata (timestamps, read receipts, etc.) are transmitted and stored by CometChat on our behalf. CometChat acts as our data processor for chat content: they store the data so that you and your friend can retrieve your chat history across sessions/devices. CometChat does not use your messages for any purpose other than delivering them and storing them for you, under our instructions. However, because CometChat’s system handles the message data, it is not end-to-end encrypted in the absolute sense – technically, the messages are readable by the service while in transit and stored on their servers (with encryption at rest). This means authorized Frienda staff or CometChat support could access message content if necessary, though we have strict policies to limit such access (see below).

Telegram Chats: If you and your Frienda friend choose to chat via Telegram (for example, the Frienda Mini App might facilitate opening a Telegram chat), those messages are handled entirely by Telegram’s infrastructure. In this case, Frienda itself does not collect or store the content of your messages at all – the conversation happens in your regular Telegram app/chat, and is governed by Telegram’s privacy policy. We might log that a chat was initiated or that two users became connected friends, but we do not see your Telegram messages or media. Your private Telegram chats remain private to you and your friend (and Telegram’s systems). Note: If you block or report a friend via Telegram, or delete messages there, that’s all handled on Telegram’s side.

Privacy of Chats: Whether on Telegram or Frienda’s internal chat, we aim to keep your messages as private as possible. We will never use the content of your personal chats for advertising or any purpose unrelated to providing the messaging service and ensuring safety. In the Frienda in-app chat, only you and your chat partner can normally see your conversation. Frienda staff do not monitor chats by default. We only access message content in rare cases where it’s necessary – for example, if a user reports abusive behavior or if our automated systems flag a chat for violating community standards, a trusted moderator might review the relevant messages to investigate. CometChat itself has no reason to access your chats except if required for system maintenance or support at our request.

Important: Keep in mind that any message you send to another user is visible to that user. While we expect all users to respect each other’s privacy, we cannot prevent a recipient of your messages from taking a screenshot or sharing the content with others outside the app. Exercise discretion in what you share in any chat. Frienda’s role is to connect you and facilitate the conversation, but once information is shared with another person, it’s up to both of you to keep it confidential.

Message Retention: Messages sent through Frienda’s in-app chat are stored as long as both users have active accounts so that you can access past conversations. If you delete your Frienda account, we will ensure you no longer appear in chats and your profile/name will be removed from the conversation (your friend may see “Deleted User” as the sender for your past messages). We generally do not delete the messages from the recipient’s inbox because those messages belong to their conversation history too, but they will no longer be attached to an active profile. We also instruct CometChat to purge or anonymize data related to your account upon deletion to the extent possible. (More details on data deletion in Section 3.)

1.7 Subscription & Payment Data

Frienda offers an optional paid membership called Frienda Premium, which unlocks additional features. We use external payment providers to handle all purchases and subscriptions. This means we do not directly collect or store your full payment card details (like credit card numbers) on our servers. However, we do receive certain information about transactions in order to activate your Premium features and maintain necessary records. The payment flows differ slightly by platform:

1.7.1 Purchases via Telegram (Telegram Stars): In the Telegram Mini App, purchases are handled through Telegram’s payment platform using Telegram Stars. If you purchase Frienda Premium using Telegram Stars (virtual in-app currency), you would first acquire Stars from Telegram (using real money, under Telegram’s terms). When you spend those Stars in Frienda, Telegram processes that transaction and simply notifies us that you spent X Stars on a particular Frienda item. We do not receive any of your financial information from a Stars purchase. All we get is a confirmation (order ID, what item was bought, timestamp, etc.) so we can grant you the Premium access. The handling of money-to-Stars and your balance is entirely managed by Telegram and subject to Telegram’s Terms of Service and Privacy Policy.

1.7.2 Purchases via Frienda Website (Credit/Debit Cards): If you subscribe through our website, we use trusted third-party payment processors. When you pay on the website, you enter your card or payment details into a secure payment form hosted by the processor. Your sensitive info (card number, billing name, etc.) goes directly to the processor – it never touches our servers. The processor then confirms to us that the payment was successful. We receive only what’s needed to activate your Premium service: e.g. confirmation of payment, the product you bought (e.g. monthly subscription), an internal customer or transaction ID, and perhaps a truncated card identifier (last 4 digits and card type) or your payment email. We do not get the full card number or any bank account details. The payment processors are PCI-DSS compliant, meaning they follow strict security standards for handling card data. They may retain your card info for things like subscription auto-renewal or fraud prevention, but that data stays with them, not with Frienda.

1.7.3 Purchases via iOS App (Apple In-App Purchase): If you use Frienda on an iPhone and purchase Premium through Apple’s in-app purchase system, the transaction is handled entirely by Apple via your Apple ID account. You confirm the purchase through Apple’s interface (e.g. using Face ID/Touch ID or your Apple password), and Apple charges the payment method on file for your Apple ID. Apple does not share your credit card or full billing information with us. Instead, Apple provides us a receipt and confirmation that you purchased a certain item. We use a service called RevenueCat to help manage these App Store subscriptions. RevenueCat acts as an intermediary (and our processor) – it receives the cryptographically signed receipt from Apple (which confirms your purchase) and informs our app of your subscription status (active, expired, canceled, etc.). RevenueCat stores minimal data like the receipt ID, product ID (which subscription tier you bought), subscription start/end dates, and an anonymous user reference. RevenueCat does not get your personal payment info – no credit card numbers or personal identifiers beyond what's in the Apple receipt. It simply helps translate Apple’s subscription system to our app’s logic. From our perspective, we mark your Frienda account as Premium and note how long it’s valid. Apple may also give us a “Subscriber ID” which is a random identifier unique to our app (not your Apple ID) that we can use to associate the subscription with your Frienda account. That Subscriber ID can’t identify you elsewhere and can reset over time for privacy. Note: Per Apple’s policies, all billing, renewal, and refunds for iOS in-app purchases are controlled by Apple. We do not have the ability to cancel or refund an Apple subscription on our end. If you need a refund for an Apple purchase, you would request it from Apple support, and if you wish to cancel, you do so in your Apple ID settings (explained below).

How We Use Payment Data: Regardless of platform, we use the payment and subscription information we receive to activate and manage your Premium membership, to keep records of our revenue (for accounting/tax compliance), and to assist with support or inquiries about billing. For example, if you contact us saying “I paid but I didn’t get Premium,” we use the transaction records to investigate. We do not use your payment info for any other purposes: we don’t profile you based on payments, we don’t target ads (we have none), and we don’t share it with third parties except the ones needed to process the payment or as required for legal compliance. All payment data is transmitted securely (using encryption) and handled in accordance with PCI-DSS standards by our providers.

1.8 Subscription Management and Cancellation

You have the right to cancel your Frienda Premium subscription at any time. The process differs slightly by platform due to how subscriptions are billed:

If you subscribed via Apple (iOS App Store): You must cancel through your Apple ID account settings. For example, on your iPhone, go to Settings → [Your Name] → Subscriptions, find Frienda, and select “Cancel Subscription.” (Or you can open the App Store app, go to your account’s Subscriptions section, and cancel from there.) Simply deleting the Frienda app will not cancel your subscription – it will continue to auto-renew until you actively cancel in your Apple ID settings. After you cancel, your Premium benefits will remain active until the end of the current paid period, then will not renew further.

If you subscribed via the Telegram Mini App or Frienda Website: You can cancel through Frienda’s interface or via our support. In the Frienda app/website, there is a “Premium” option (go to Profile → Settings) where you can turn off auto-renewal or cancel the subscription. If you have any difficulty finding it, you may contact us at support@frienda.au or through our Telegram support bot, and we can assist with cancelation. Once you cancel, it stops the next auto-renewal – any remaining days in your current subscription period will still be available to you, but it won’t renew for a new period.

Refunds: In general, we do not provide refunds for unused time after cancellation, except where required by law or specific platform policies. For instance, some jurisdictions have “cooling-off” periods or consumer protection laws that mandate refunds in certain cases, and we will comply with those. If you made the purchase via Apple, any refund requests must be directed to Apple due to their policies (Apple typically handles refunds for App Store purchases). On other platforms, if you believe you deserve a refund (e.g., accidental purchase), you can contact us and we’ll review it case by case, consistent with our Terms and local law.
Cancelling your Premium does not delete your Frienda account or remove your data – it only changes your account status to the free tier once your paid term ends. You will still have your Frienda profile and can use the basic features. (If you wish to delete your account entirely, see Section 3.3 below on Account Deletion.)
For more details on subscription terms (like pricing, benefits, auto-renewal), please see our Terms of Service or in-app purchase descriptions. We strive to make it easy to unsubscribe if you choose – you are always in control of your membership.

2. Legal Basis for Data Processing

Frienda is a global service, and we handle personal data in accordance with applicable privacy laws such as the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the California Consumer Privacy Act (CCPA), and the Australian Privacy Act. We only process your personal data when we have a valid legal basis to do so. These bases include:

Consent: In many situations, we rely on your consent. For example, we ask for your consent before accessing your precise location (via your device GPS or Telegram’s location feature), before processing your biometric data for face verification, and before sending any promotional communications (if we ever send marketing messages, they will be opt-in). We also treat the provision of optional profile information (like your Instagram handle or extra bio details) as consent – you choose to give that data and can remove it any time. You have the right to withdraw consent at any time. If you change your mind about a permission or a piece of data you provided, you can revoke it by adjusting settings or contacting us. For instance, you can disable location sharing, or ask us to delete a profile field you no longer want to share. Withdrawing consent will stop the processing of that data going forward (it doesn’t undo processing that already happened while consent was given). Note: If we ever engage in any practice on iOS that Apple defines as “tracking” across other companies’ apps or sites, we would seek your consent via Apple’s App Tracking Transparency (ATT) prompt. As of now, we do not perform cross-app tracking – we do not collect data for third-party targeted advertising or access your device’s ad identifier, so no ATT prompt is shown (because it’s not needed). Should that change, we would of course request permission as required.

Contractual Necessity: When you use Frienda, you agree to our Terms of Service, which forms a contract between you and us. We need to process certain data to fulfill our obligations under that contract – i.e., to provide you with the Frienda services and features you expect. For example, we must use your login information (Telegram ID, Apple/Google ID, or email) to create and authenticate your account; we use your profile and preference data to match you with other users (the core function of Frienda); if you make a purchase, we process that transaction to deliver the premium features you paid for. This processing is necessary to perform the service you have requested. We don’t ask for separate consent for things that are inherent in providing Frienda, because using the app is your choice and by doing so you expect these uses of data. (For instance, we don’t ask “May we use your profile info to show your profile to others?” – that’s obviously needed to use Frienda.) That said, we only process what is necessary and we aim to be transparent about it throughout this policy.

Legitimate Interests: We may process certain data to pursue our legitimate interests in a manner that does not override your rights and freedoms. This is a flexible legal basis under GDPR that we apply carefully. Our legitimate interests include maintaining the security of our platform, preventing fraud and abuse, improving the app’s performance and features, and growing our business (responsibly). For example, it’s in our legitimate interest (and yours as a user) to detect and remove fake or malicious accounts – so we might use profile data, device info, and user reports to identify violations of our terms. Similarly, analyzing overall usage patterns (via analytics) to improve the UI falls under our interests in improving the product. When we rely on legitimate interests, we consider potential impacts on you and mitigate undue intrusions. If a particular use of data could be unexpected or sensitive, we either put extra safeguards in place or we ask for consent. You have the right to object to processing based on legitimate interests (see Section 6 on User Rights), and we will respect such objections unless we have a compelling reason to continue (in which case we’ll explain it to you).

Legal Obligation: In some cases, we need to process or disclose data to comply with a legal obligation. For example, we might need to retain certain transaction records for tax and accounting laws, or respond to lawful requests from government authorities (such as a court order or subpoena). If we are required by law to provide data to law enforcement or regulators, we will only do so after verifying the request’s legitimacy and only the data specifically required. Also, if consumer protection laws mandate that we keep track of who opted out of communications, we might retain an email on a “do not send” list under legal obligation. This basis covers processing that isn’t primarily about providing the service, but about complying with the laws that apply to us.
Additionally, in jurisdictions that recognize the concept of a “Data Controller” (such as the EU), SUMMEET PTY LTD is the data controller responsible for your personal data on Frienda. We adhere to principles of transparency, purpose limitation, and data minimization in line with regulations. That means we strive to collect only what we need, clearly explain why we need it (as we’re doing in this policy), and not use it for purposes beyond what we’ve stated without obtaining new consent or providing notice.

2.1 CCPA (California) Disclosures

If you are a California resident, the CCPA provides specific rights and imposes certain obligations on us. We want to address those clearly:

No Sale of Personal Information: We do not sell your personal information, and we have not sold any personal data in the past. The CCPA defines “sell” broadly, but essentially it means sharing personal info with third parties in exchange for money or other valuable consideration for their own purposes. Frienda does not do this. We don’t exchange your data for revenue with advertisers or data brokers. We also do not share data with third-party advertisers for cross-context behavioral advertising (which CCPA 2023 amendments cover as “sharing”). Your data is only used by us and by our service providers for the purposes described in this policy.

Business Purpose Disclosure: All of our data sharing with third parties falls under what CCPA calls “business purposes”. That means we share information only with service providers processing data on our behalf or as part of our operational needs – for example, our cloud hosting (AWS), analytics (Amplitude), payment processing, etc., as described in Section 4. These service providers are bound by contracts to only use the data for our specified purposes and not for themselves. We do not allow them to use or disclose your data except as necessary to perform services for us.

CCPA Rights: California residents have the right to know what personal information we collect, how we use it, and with whom we share it, the right to delete personal information (with some exceptions), the right to opt-out of the sale of personal info, and the right to non-discrimination for exercising these rights. This policy is intended to disclose the relevant information (types of data, purposes, third parties, etc.) to satisfy the right to know. If you want specifics or a personal data report, you can request it as described in Section 6.4. We honor all valid deletion requests – as explained, deleting your Frienda account or sending us a request will result in removal of your data (subject to exceptions allowed by law). As noted, because we do not sell data, the right to opt-out of sale is more theoretical in our case – there is nothing to opt out of since we don’t sell or share for advertising. However, if you still send us a “Do Not Sell or Share” request, we will record it and ensure that, if our practices ever change, your preference is honored (and we would inform all users and obtain consent if we were to ever consider selling data). We also confirm that we will not discriminate against you for exercising your CCPA rights. That means we won’t deny you the service or charge you differently just because you made a data request. (The only related effect might be that if you ask us to delete your data, we can’t provide the service without the data – e.g., if you delete your profile, you can’t exactly use Frienda afterward unless you sign up again. But that’s a natural consequence, not a punishment.)

Authorized Agents: CCPA allows you to designate an authorized agent to make requests on your behalf. If you choose to do so, we will take steps to verify the agent’s authority and your identity (for security) before fulfilling the request. This might involve asking for a signed permission or for you to confirm directly that you gave the agent the right.
We have detailed in Section 6 how to exercise your California privacy rights. In short, you can contact us via email with your request, and we will verify and respond within the timeframes required (typically within 45 days for CCPA requests). Frienda will not charge you for these requests, and we will do our best to accommodate them promptly.

2.2 Australian Privacy Compliance

If you are in Australia, we handle your personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). In practice, much of this overlaps with what we’ve described above, as the APPs cover similar ground: being transparent about data collection, giving individuals access and correction rights, limiting use/disclosure, etc. Notably:

We will take reasonable steps to ensure that any overseas recipients of personal data (e.g., our service providers in other countries) handle your information in accordance with standards comparable to the APPs. For example, we use contractual agreements (Data Processing Addendums) with our processors to require GDPR-level protection of data, which in turn satisfies requirements to protect data for Australian users. (In other words, even if a server is in the U.S., our agreement with that service provider binds them to protect your data as if the APPs or GDPR applied.)

You have rights to access the personal information we hold about you and to request correction if it’s inaccurate, under APP 12 and 13. We address these in Section 6 (User Rights & Control) – indeed, we extend access and correction rights to all users, not just those in certain regions.

If you have a complaint about how we handle your data, please contact us (Section 10). We take privacy complaints seriously and will investigate and respond. We will work with you to resolve any concerns. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC). (Contact details for the OAIC are available on their website. We hope to resolve issues directly, but that option is available to you.)

We recognize that privacy regulations are evolving worldwide (the Privacy Act is undergoing reforms as of 2025, etc.). We are committed to complying with all applicable laws and will update our practices and this policy as needed to stay compliant. If you have questions about how we handle data under any specific law, you can always contact us.

3. Data Retention & Deletion

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. How long we keep different types of data can vary based on its use and context, but here are our general practices:

3.1 Retention of Active Accounts

If you have an active Frienda account, we keep the personal data associated with your account for as long as you continue to use Frienda. This includes all the categories of data described above: your profile info (photos, bio, etc.), your authentication IDs (Telegram ID, etc.), your Frienda connections and interactions (friend requests, matches), and records of your in-app actions and transactions. We need to retain this data to provide the service to you continuously. For example, if you’ve been using Frienda for a year, your chat histories (if on our platform), friend list, profile changes, etc., remain available unless you remove them or delete the account, so that your experience is seamless over time.
Certain data may be refreshed or overwritten in the normal course (for instance, if you update a profile answer, we may not keep the old answer except perhaps in backups), but generally we maintain an ongoing history while your account is active.

One specific note: If you completed the face verification, we retain your verification selfie as long as your profile remains active. The reason is to avoid making you do the verification again and again. If in 6 months you change your photos or there’s a need to reconfirm identity, having the original verification on file lets us quickly re-verify without asking you for a new selfie. We understand this is sensitive data, so we store it with high security (encrypted storage, very limited access) and we do not use it for any new purposes without your consent.

3.2 Account Deletion

You have the right to delete your Frienda account at any time. We’d be sorry to see you go, but we want to empower you with control over your data. We provide an in-app option (in Frienda’s settings) to delete your account, and you may also request deletion by contacting our support (e.g. email support@frienda.au or via our Telegram support bot). For security, we will verify the deletion request – typically by confirming you are the account owner (for example, we might ask you to confirm via your login method or provide certain info to ensure it’s you).
Once your request is verified and you confirm you want to proceed, account deletion is permanent and cannot be undone. We will then carry out a thorough deletion of your personal data from our systems. Specifically, this is what happens when we delete your account:

Removal from Platform: We immediately remove your Frienda profile from being visible in the app. This means other users will no longer see you in friend suggestions, search results, or anywhere else in the app. If you had any pending friend requests with other users, those will be canceled (they won’t be able to accept your request, and you won’t see theirs).

Deletion of Personal Data: We permanently delete the personal data we hold about you in our production databases. This includes all your profile information (name, age, bio, photos, etc.), your account credentials and identifiers (for example, the link between your Telegram or Apple ID and our system is removed), and any other personal attributes associated with your account. In short, we erase your user record from our user database.

Cessation of Processing: We stop all processing of your personal data. You will no longer receive any communications or notifications from us (aside from a possible final confirmation of deletion if you requested one). If you were appearing in any friend-matching algorithms or suggestion lists, you will be removed from those immediately. Essentially, it’s as if you never had an account, from the app’s perspective.

Verification Record Deletion: If you had completed the face verification step, we delete the verification status record from our database. Since we do not store verification selfies or videos (these are deleted immediately after processing), there are no biometric images to remove. We also confirm with AWS Rekognition that no verification data remains in their systems, though their standard process already deletes such data immediately after processing.

Third-Party Services Purge: We instruct our third-party processors to delete or anonymize your data associated with your account, wherever feasible. For example:

Analytics (Amplitude): We will remove or anonymize your user identifier in Amplitude, so that any analytics events from your usage can no longer be tied to you. (Amplitude might still retain aggregate counts that included your actions, but they won’t be linked to a user profile or ID.)

Error Logs (Sentry): Similarly, we either delete or anonymize entries in Sentry that were associated with your user ID or device ID. For instance, crash reports that included your internal user ID will be scrubbed of that ID or the report removed entirely.

Messaging (CometChat): We will either delete your user profile on CometChat or mark it as deleted, so you can no longer be contacted there. Messages you sent via CometChat to others may remain in the recipient’s inbox (we typically do not forcibly delete messages from someone else’s account, as those are their communications too). However, your name will no longer be attached – it would show as from a “Deleted User” or similar, and of course the recipient can’t reply to you anymore. We also request CometChat to purge or anonymize as much data as possible related to your account (e.g., clear your profile info from their records).

Other Services: If you used any other third-party integrations (for example, if we had an email provider for sending verification codes, and there’s an email log, we would purge your email from those logs where practical), we will include them in the purge process. Payment processors will be informed if necessary to cancel any active subscriptions (see next bullet) and they will retain only what they need for legal compliance (we cannot force them to delete transaction records they need for financial reporting, but those records would typically be under their independent obligations).

Cancel Subscription: If you had an active Premium subscription at the time of deletion, we will cancel it so it will not renew (to ensure you’re not billed after deletion). For Apple subscriptions, you would need to cancel it from your side (since we cannot do it for you), so we strongly encourage you to cancel any Apple in-app subscription before or at the same time as deleting your account. For website/Telegram subscriptions, we handle the cancelation on our end and confirm you won’t be charged moving forward.

Retention of Minimal Records: After deletion, we do not keep your profile content, contacts, or personal details. However, there are a few narrow exceptions where we might retain very limited information:

Legal and Compliance Records: We may keep records of financial transactions (payments) for accounting purposes or tax obligations. For example, we might need to retain a receipt of purchase without a user attached, or basic invoice data, to satisfy auditing requirements. Similarly, if we had correspondence about a legal issue, we might retain that correspondence as required by law. Any such data will not be used for anything other than required legal purposes.

Preventing Abuse (Basic Log): We maintain a basic log to prevent immediate re-registration by banned or deleted users in violation of our rules. For instance, we might keep a hash of your Telegram ID or email and a flag that says “account deleted on X date” or “banned on X date”. This helps us enforce one-account-per-person rules and prevents users who were banned for serious misconduct from simply creating a new account immediately with the same credentials. These logs do not contain any of your profile data, messages, or content – typically just an identifier and a note. The information is heavily protected and only used for security/admin purposes (for example, if a new sign-up comes in with details matching a deleted account, we know not to allow it if it was a ban). This is a common practice to protect the platform. If you legitimately delete your account and were not banned, this info is only used to prevent account recycling (someone else creating an account with your old Telegram ID, etc., which normally can’t happen anyway).

Backup Data: Our systems perform routine backups and maintain caches for performance. It’s possible that some of your data might remain in encrypted backups or cache for a short period even after deletion. For example, if we take a backup snapshot of the database every 24 hours, and you deleted your account at 3 PM, last night’s backup would still have your data until that backup is rotated out. We do not restore backups for deleted users except if needed for disaster recovery (and in that scenario we would still honor deletion by re-deleting the data). Backup retention is typically limited (e.g., backups cycle out after 30 days). Any data in backups remains protected and we will purge it in the normal course of our backup retention schedule.

Important: Simply uninstalling the Frienda app, removing the Telegram Mini App, or blocking the Frienda bot on Telegram does not delete your Frienda account or data. If you stop using Frienda but do not formally delete your account, your data will remain on our systems (we may eventually implement an inactivity purge policy, but if so, we will announce it; currently, data persists until you delete). To fully delete your data, please use the in-app delete option or contact us as described. After we process an account deletion, we can (upon request) confirm that your personal data was deleted.
Under GDPR, we will complete a verified deletion request within 30 days (and usually much sooner). Under CCPA, we will fulfill deletion requests within 45 days of verification (with an extension to 90 days if necessary, in which case we would inform you of the delay). These timelines align with legal requirements. We typically are able to wipe data almost immediately once verified, but it may take a bit of time to propagate deletions to all third-party services.

4. Third-Party Data Sharing

We do not sell your personal information to anyone, and we do not share your data with advertisers or data brokers. However, we do rely on a few trusted third-party services to operate Frienda. We share data with these providers only to the extent necessary for them to perform their functions, and each is bound by contractual obligations to protect your data. Below we list our main service partners and what data is shared in each case:

4.1 Telegram (Platform Integration)

Telegram is integral to Frienda, if you use Frienda via the Telegram Mini App. Here’s how data flows between Frienda and Telegram:

Data from Telegram to Frienda: When you launch Frienda inside Telegram, Telegram provides us with the basic account info listed in Section 1.1 (your Telegram user ID, name, username, etc.) to initialize your session. If you choose to share your live location via Telegram’s interface, Telegram passes those coordinates to us so we can show you nearby friends. Essentially, Telegram acts as an authentication gateway and optionally a conduit for certain data (like location). All of this is done with your consent as part of using the Mini App.

Data from Frienda to Telegram: If Frienda triggers certain actions that involve Telegram – for example, if you tap a button to open a chat with a Frienda friend in Telegram, or send an invitation link via Telegram – that action goes through Telegram. Telegram will know that your account is using Frienda (they can see which Mini Apps you have connected) and may log certain events for their own security and analytics (e.g., that you interacted with the Frienda bot). We keep data sent back to Telegram to a minimum; typically it’s limited to what’s needed to perform the action you requested (like initiating a chat). Keep in mind, any messages you actually send through Telegram are within Telegram’s system (not ours).

Telegram’s Role and Policies: Telegram is a separate company with its own Privacy Policy. Any data that resides in Telegram (your Telegram messages, your Telegram profile, etc.) is governed by Telegram’s terms. While using Frienda on Telegram, there is some overlap – for instance, Telegram knows you’re using Frienda and we comply with Telegram’s platform rules. Telegram might require that we report certain information in cases of abuse or to cooperate with their fraud prevention efforts. We treat Telegram essentially as an authentication provider and host platform. If you have questions about Telegram’s use of your data, please refer to Telegram’s Privacy Policy.
In summary, we only share information with Telegram as needed to make Frienda work within Telegram’s app. Primarily, Telegram is sharing your data with us (to log you in), rather than us sharing your data externally. We do not send your personal Frienda data to Telegram beyond necessary interactions, and we do not have control over Telegram’s internal data practices.

4.2 Infrastructure (Supabase, Bunny.net, Amazon Web Services)

Frienda's cloud infrastructure is built on a simple, EU-centered architecture using three primary providers. When you provide data to Frienda, it flows through this carefully designed system where each provider plays a specific, contracted role in keeping your information secure.

We use Supabase as our database with servers located in the European Union. Supabase acts as our core data processor, storing all your structured information. Beyond just storage, Supabase handles our authentication gateway and automated backups. They maintain strong security practices with data encrypted at rest and offer GDPR-compliant Data Processing Addendums. Supabase does not access or use your data except for maintaining these core database services.

For application hosting and media storage, we utilize Bunny.net infrastructure, also based in European Union regions. Frienda's backend code runs inside Bunny Magic Containers, while Bunny Storage safely holds all media files you upload. To ensure fast global access, Bunny CDN and Bunny DNS speed up content delivery worldwide. When Bunny.net serves as our CDN, they may temporarily cache public assets (like your profile pictures) on edge servers closer to users for faster loading. They might see technical request data like IP addresses and which resources are being accessed as any CDN would, but they operate strictly as a processor under contract, keeping all data encrypted in transit over TLS and never using your information for their own purposes.

For selfie verification, we use AWS Rekognition Face Liveness. When you submit a verification selfie, it's sent to AWS just long enough to perform the liveness check and face-match verification, then deleted from their systems per our instructions. AWS processes your biometric data transiently but does not retain or use it beyond providing the verification result.

In short, Supabase holds your core data records, Bunny.net runs our application and delivers your content, and AWS briefly steps in for identity verification. All three providers are contractually bound to keep your data secure, encrypted, and used solely to power Frienda's features – nothing more.

4.3 Analytics (Amplitude)

We use a third-party analytics service called Amplitude to understand how users interact with Frienda (as detailed in Section 1.5). Here we summarize what data is shared and why:

What We Share: We send Amplitude certain usage data: events (e.g., “user opened app,” “viewed profile,” “sent friend request”), timestamps, and device info (device model, OS, app version, language). We include a unique user identifier with these events – typically, an internal Frienda user ID or a random UUID that Amplitude uses to tie events to a user session. We do not send personal content like chat messages or profile text to Amplitude. If an event relates to content, we abstract it (for example, “profile updated” event without the actual bio text).

Why: Amplitude compiles these events into aggregate analyses for us: funnels, retention charts, usage frequencies, etc. This helps us identify popular features, find points where users drop off, and make data-driven improvements. For instance, if we see many users start a registration but few finish, we know to improve that flow. We might also use it to debug by examining the sequence of events for a particular (anonymized) user experience that had an issue.

Data Handling: Amplitude stores this analytics data on their servers (which are primarily in the United States). They process it to provide us with dashboards and insights. By contract, Amplitude is forbidden from using our data for any purpose other than giving us analytics. They cannot, for example, use it to profile users across different apps or sell it. We have also configured privacy settings: for example, we have them drop or anonymize IP addresses so precise location isn’t stored. We have disabled Amplitude’s ad integrations (as noted, we’re not using it for advertising). So the data stays within our account for our use. Amplitude, as a company, has a strong security reputation and is used by many companies for product analytics.
In essence, Amplitude is like an extension of our team’s analytics capability. The data we share with them is to better serve you through improving the product. If you ever decide you don’t want to be included even in this internal analytics, let us know – we could potentially opt your data out or remove your past identifier from the dataset. We also respect “Do Not Track” on web as mentioned, which signals us not to include those sessions in analytics.

4.4 Error Monitoring (Sentry)

For error monitoring and crash reporting we use Sentry, as described in Section 1.5. Data shared with Sentry includes:
Error and crash details: stack traces, error messages, and contextual data about the app’s state leading up to an error.
This often includes environment info similar to analytics (device type, OS, etc.) and a user identifier so we know which user experienced the error (which helps if we need to follow up or see if a specific account consistently has issues).
It may include recent UI events or inputs (a “session replay”) around the error time. This could inadvertently contain user-provided data visible on the screen at the moment of error.

Sentry stores this data on their servers (also typically in the U.S.). By contract, Sentry also acts purely as a data processor providing the service to us. They have no rights to the data beyond presenting it back to us in a dashboard. Sentry is a well-known tool for developers with robust security.

We treat Sentry data with the same care as our own production data. Only authorized developers access it, and it’s used strictly for diagnosing and fixing issues. We also employ measures like scrubbing certain fields from error reports to avoid collecting sensitive info. For example, if a user’s email might appear in a log, we try to hash or remove it. We’ve configured Sentry to not store things like passwords (not that we have passwords) or any secure tokens.

In summary, Sentry helps us keep the app stable and reliable by alerting us to problems. The data shared is technical, not for marketing or anything like that.

4.5 Content Moderation (OpenAI)

Frienda strives to maintain a safe and welcoming community. To assist with content moderation of user-generated text (like profile descriptions, chat messages if reported, etc.), we use an automated AI service provided by OpenAI.
Here’s what that means:

Certain text content that users create in Frienda (for example, profile descriptions, chat messages that are reported by someone, group posts if we had them, etc.) may be automatically sent to OpenAI’s API for analysis if we need to check for violations of our guidelines (hate speech, harassment, sexual content, etc.). For instance, when you submit a profile description, our system might check it via AI to ensure it’s clean; or if someone reports a message you sent as offensive, that message might be analyzed by the AI.

OpenAI’s moderation API will analyze the text and return a score or decision indicating if the content is likely violating content rules (e.g., a score for hatefulness, sexual content, etc.). This helps our team quickly identify problematic content.

Data Handling: We share only the necessary text snippet with OpenAI – not any more data than needed (we don’t send your name, or other context, just the content itself and maybe an ID or category). OpenAI processes it and returns a result within seconds. According to OpenAI’s policy for their moderation API, they do not use the data we send for any purpose other than providing us the moderation result (and they have commitments to privacy and confidentiality). They might retain the snippet for a short period to monitor for misuse of their API, but it’s not used to train models when using their purely moderation endpoint (and we have a contractual/data processing arrangement to ensure this).

If the AI flags content, our human moderators may review it. We do not take purely automated action with no human in the loop for things like banning – any account enforcement involves human review, especially for something serious like account bans (we won’t ban you just because an AI said something looked bad). The AI is a helper tool to prioritize and assist our moderators, not the final judge.

OpenAI’s servers for the API are in the U.S., so effectively some user content (if it triggers moderation checks) might be transmitted to the U.S. for processing. We include that in our data transfer considerations and have safeguards (OpenAI is under agreements with us to handle data lawfully, akin to GDPR processor terms, etc.). The benefit of using AI moderation is that it can proactively catch harmful content and protect users, given we have a small team. But we use it carefully and in accordance with privacy principles (only on content meant to be public or inter-user, not on, say, private data unrelated to policy violations).

4.6 Messaging Service (CometChat)

As described in Section 1.6, we use CometChat to provide real-time messaging. To reiterate and expand on what data CometChat handles:

When your Frienda account is created (or when you first initiate a chat), we create a corresponding user profile in CometChat’s system. This includes an internal user ID (which might be your Frienda user ID or a random ID we generate for CometChat) and your display name and profile picture URL (so that your chats show your name and avatar to others). We send only necessary info to set up your chat identity on CometChat.

When you send a chat message or photo, the content of that message (text or media) and metadata (who it’s to, timestamps, etc.) are transmitted to CometChat’s servers. CometChat then delivers it to your friend’s device. CometChat stores the messages so that chat history is available when you come back online or switch devices.

Storage & Security: CometChat stores chat data in the cloud for us. The data is encrypted in transit (they use TLS) and also stored encrypted at rest. However, as noted, it’s not end-to-end encrypted because the service needs to access the plaintext to deliver and allow features like search or moderation. By agreement, CometChat will not access or look at message content except as needed to operate the service or if we instruct them for a support issue. We have a Data Processing Addendum with CometChat aligning with GDPR and other privacy requirements. They essentially act as our processor, and have no independent right to use the data.

Access: Only you and your chat partner can see the messages in the app. Frienda administrators do not routinely access chats. We can fetch messages from CometChat if needed for an important reason (for instance, if you report someone for harassment, our moderator may retrieve the relevant chat logs to review what happened). Those cases are rare and handled by authorized staff under confidentiality. CometChat staff likewise have no reason to read chats unless required for system maintenance or at our specific request for troubleshooting.

Automated Filtering: We may use automated moderation on chat content as well (for example, CometChat provides profanity filtering or we might use OpenAI on messages as mentioned). If a message triggers an automated filter (e.g., contains disallowed content), we may log that and potentially a moderator could review it. But we do not have any public chat rooms – all chats are one-to-one – so moderation is more reactive (on reports) than proactive.

Retention: Chat messages are stored as long as the chat is active. If one user deletes their account (you or your friend), we handle it as described: the departing user’s profile on CometChat is deleted or anonymized, and their name is removed from the conversation on the remaining side. We generally do not purge the conversation from the other user’s account, as that’s their data too, but without your identity attached it’s mostly just for their reference. If both users delete accounts, obviously the chat would eventually be fully purged when no active users remain. We follow CometChat’s capabilities for data deletion to ensure compliance.
In short, CometChat is like our chat database and delivery system. It allows us to provide in-app messaging without building an entire secure messaging infrastructure from scratch. We ensure this is done in a privacy-conscious way: data is encrypted in transit, stored securely, and only accessible to authorized parties. Your normal expectation should be that only you and the person you’re chatting with can read your messages. We will intervene only if there’s a legitimate safety need, and CometChat won’t use your data elsewhere.

4.7 Payment Processors (Stripe, Apple, etc.)

As detailed in Section 1.7, we rely on external payment processors for handling purchases. For completeness, here’s how we share data with them:

Apple (App Store): For iOS in-app purchases, Apple is essentially an independent controller for the billing relationship. We initiate a purchase request via their API with an item ID, and Apple handles the rest. The data Apple shares with us is a receipt and some non-personal subscription info as described. Apple also provides us with reports on sales (aggregated financial reports). They do not share personal buyer info except possibly region or anonymous IDs. We do inform Apple of our subscription product IDs and prices so they know what is being sold, but that’s configured in App Store Connect rather than a runtime data “sharing.” If you purchase, Apple’s systems tell us “User X purchased Premium for 1 month on this date” via the receipt verification. Apple is known for not sharing user personal data like real names or emails for in-app purchases unless you’ve agreed to share contact info (which in our case is not applicable since it’s a digital service). So the main data flow is Apple -> us: confirming purchase. We may share minimal data with our intermediary RevenueCat (basically the receipt file and an internal user ID to map it), and RevenueCat shares nothing externally – it just relays info between us and Apple’s system.

RevenueCat: As mentioned, RevenueCat stores some subscription status info. It acts as our processor in managing subscription states. The data in RevenueCat’s system is mostly technical (device/app subscriber ID, purchase receipts, expiration dates). RevenueCat doesn’t have info like your name or actual contact; it deals in app-specific IDs and receipts. They are also under strict obligations not to use this data beyond servicing our app.

Telegram Stars: When you make a purchase via Telegram, either using Stars or a payment provider, Telegram and its payment partners handle your payment info. We share with them what item/plan you intend to buy and your Telegram ID so they know which account to credit. They share back a payment confirmation. We do not see your full financial info. Any personal data they collect (like your card info or Telegram account info related to payment) is governed by Telegram’s and the payment provider’s privacy policies.

Web Payments: If you pay on our website, the form you fill out is directly with the third-party payment processor. They collect your card details and possibly billing name/email. They then share with us: a confirmation that payment succeeded, the type of product (e.g. “Premium Monthly”), and an identifier for the transaction or customer (which might include the last 4 digits of your card or your card brand, but not the full number). Stripe acts as an independent controller of the payment info you provide to them (meaning they have their own obligations for that data, like fraud prevention), but they’re also a service provider to us in terms of the transaction metadata. They might retain info like your card token for recurring billing, compliance, etc. We ensure that we only share what’s needed to process the transaction (like the charge request) and they only share back what’s needed for our records. If Stripe or others are required by law to keep transaction details, they will, but that’s their responsibility.

What we share with processors: Generally, when initiating a payment, we might share a user identifier and the purchase details. If needed, we also provide an email to send a receipt to (Stripe might send receipts on our behalf). If we suspect fraud, we might share relevant info with the processor or bank as part of resolving that (for instance, if a charge is disputed, we may provide logs showing the user did receive the service, etc., which could include account ID or IP, but not much personal info beyond what’s necessary).

Fraud Prevention: Payment processors may use the data we send (like your IP or device characteristics at purchase time) for fraud screening. This is common and is in our legitimate interest to prevent fraudulent transactions. It doesn’t mean they’re using it for anything else.

Legal: We might share transaction data if required for compliance. For example, our accounting might involve giving our external accountant or accounting software records of transactions (which could include your first name and amount, for instance, if you provided that in payment). Those parties would be bound by confidentiality as well. Also, if required by law (say a tax audit), we might have to provide transaction logs to regulators. We always minimize what’s shared and anonymize where feasible.

We emphasize that we do not share your payment information with anyone except the entities necessary to process the payment or as required by law. We never sell or rent this information.

4.8 Other Service Providers

Beyond the above, we may use additional third-party services for various operational needs. For example:

Email Delivery: If we send out emails (for verification codes, newsletters if you opt-in, or support responses), we might use an email delivery service like SendPulse or others. In doing so, your email address and the content of the email would go through that service. They act as a processor to send the email on our behalf.

Customer Support Tools: If you contact us for support (via email or Telegram), we may log that conversation in a support ticketing system or database so we can track and respond to your issue If we use a third-party CRM or support platform, they will have whatever data you provided in the support request (e.g., your email and the support issue). Those are under agreements to keep data secure and only use it to facilitate our customer service.

Cloud Functions and Other Backend Tools: We might use other cloud-based tools for things like background job processing, log retention, or data backups. All of these providers are chosen carefully to meet security standards and privacy requirements.
We will update this Privacy Policy or provide notice if we introduce any significant new data processors or service providers that handle personal data in a way not covered here. We aim to keep an updated list of “categories” of recipients and major examples (as we have done).
In all cases, our service providers are bound to protect your data. We sign Data Processing Agreements with them as needed for GDPR and include privacy safeguards in our contracts. We also ensure they implement appropriate security measures. They are not allowed to use your data for their own purposes – only to provide services to us.

4.9 Legal Disclosures
Apart from the above service providers, there are some situations where we might disclose user data outside of our company if necessary:

Legal Compliance: If we are required to by law or legal process, we may disclose certain data. For instance, if we receive a valid subpoena or court order demanding information, we will comply to the extent required after ensuring it’s a legitimate request. We will do our best to notify affected users in such cases if we are legally permitted to do so. (Sometimes gag orders or ongoing investigations prevent notification.) We will only hand over what’s specifically demanded and nothing more. We’ll also verify authenticity of any request (we don’t respond to informal requests, only proper legal channels).

Protection of Rights & Enforcement: We may share data as needed to enforce our Terms of Service or other agreements, or to investigate potential violations (such as fraud, harassment, threats, or other illegal activities). For example, if someone is scamming users on Frienda, we might share data with law enforcement to address that. If someone threatens harm and we believe disclosure of information is necessary to prevent injury, we might alert authorities. We could also share between companies for fraud prevention (e.g., alerting another app or platform if we discover a user doing something illegal that might affect others, but this would be done in compliance with privacy laws – typically as allowed for fraud prevention or required by law).

Safety and Vital Interests: If we believe disclosure is necessary to protect the rights, property, or safety of our users, the public, or our company, we may do so. This could include exchanging information with other organizations for fraud protection and security (as permitted by law). An example: if a user is involved in a doxing or stalking incident, we might cooperate with police by providing relevant info to help protect the victim.
All such disclosures will be done in line with applicable laws and regulations. We base them either on legal obligation or legitimate interest (ensuring safety), and we’ll ensure any request is lawful.

4.10 Business Transfers

If our company (SUMMEET PTY LTD, the operator of Frienda) is involved in a merger, acquisition, sale of assets, restructuring, bankruptcy, or investment transaction, your personal data may be transferred to another entity as part of that deal. For example, if Frienda is acquired by or merged with another company, the user data would likely be one of the assets transferred to the new owner so they can continue providing the service to you.

In such an event, your personal data would remain subject to the protections of this Privacy Policy (unless you’re informed of changes and consent where required). The new owner would be required to handle your data under terms at least as protective as those in place now. We would also provide notice to you before your data is transferred in any materially different way or becomes subject to a new privacy policy. For instance, we might notify users via the app or email about the impending transfer. If the new entity’s privacy practices differ significantly, we would give you an opportunity to review the new policy and consent or delete your data if you choose.

If you continue using Frienda after a transfer, your data would then be governed by the new privacy policy (once you’ve been informed and any required consents obtained). If you do not agree with the new handling, you could request deletion at that time (as always).

In the case of a straightforward change of ownership with no change in how data is used (for example, if we simply sell the Frienda app to another company that will operate it similarly), this Privacy Policy might remain in effect with just updates to the company name. We would still notify users that the controlling entity changed.

Also, in an unlikely scenario like bankruptcy or insolvency, personal data might be considered an asset. We would seek to ensure your data isn’t transferred to any unscrupulous parties. Typically, it would only transfer to a successor that continues the service under proper safeguards, or if the service shuts down entirely, we’d aim to delete data rather than have it sold off.

In summary, if Frienda’s ownership changes, we will make sure your privacy protections travel with your data. We highly value the trust you place in us, and any successor will be required to safeguard your data to the same high standards – otherwise we wouldn’t go through with handing it over without giving you options.

5. Security Measures

We take the security of your personal data very seriously. We implement a variety of technical, administrative, and physical security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. While no service can guarantee 100% security, we strive to follow industry best practices and continually update our defenses. Here are some key security measures in place at Frienda:

5.1 Encryption (In Transit and At Rest)

All communications between your device and our servers (and between services) are encrypted in transit. We use HTTPS/TLS for all API calls and web traffic, meaning data is encrypted (TLS 1.2/1.3) as it moves over the internet. If you use Frienda via Telegram, the data from Telegram to our service goes through Telegram’s secure channels first, then through HTTPS to us. This ensures that eavesdroppers on the network can’t read your data.

We also encrypt sensitive data at rest in our databases and storage. Our database volumes are encrypted, and for particularly sensitive fields, we may use an additional layer of encryption or hashing. User photos (profile pictures, verification selfies) and other media are stored in secure cloud storage buckets with server-side encryption enabled. In short, if someone were to somehow get ahold of the raw storage, the data would not be easily readable without the keys.
We utilize modern encryption protocols and cipher suites, and we keep them updated (deprecating older protocols). We regularly renew and manage certificates and follow best practices for encryption configurations.

5.2 Authentication and Access Control

Frienda does not use traditional passwords for user login (since we rely on third-party auth or OTP), which actually reduces risk since we’re not storing a password database that could be compromised. However, we do implement strong authentication for any of our own staff or admin access:

For internal administrative access, we enforce strong passwords and two-factor authentication (2FA) wherever possible. Developer accounts and server consoles require SSH keys or 2FA.

We follow the principle of least privilege: staff and contractors only have access to the data necessary for their job. For example, customer support might have a tool to look up your profile if you have an issue, but they won’t have direct access to the database or to any sensitive info unrelated to support. Engineer access to production data is limited and requires approval, and we maintain logs of such access.

All team members with access to personal data sign confidentiality agreements and are trained on privacy and security practices.

We also secure user sessions on the client side: e.g., if you log in to Frienda on the web, the session token is stored in an http-only cookie or secure storage, to protect against XSS (cross-site scripting) theft. We have session expiration and token revocation mechanisms if suspicious activity is detected.

5.3 Network and System Security

Our servers are protected by firewalls and network security groups to allow only necessary traffic. We separate environments (dev, test, production) to minimize risk of cross-contamination. We keep our software and server OS up to date with security patches. Critical vulnerabilities are patched as soon as possible.

We follow secure coding guidelines in development. This means our engineers are mindful of preventing common vulnerabilities like SQL injection, XSS, and others. We use parameterized queries, output encoding, Content Security Policy on the web, and other measures to protect against these threats. We also conduct code reviews focusing on security-critical code.

5.4 Payment and Financial Data Security

As noted, we offload payment processing to specialized providers (Stripe, Apple, etc.) that are PCI-DSS compliant. This greatly reduces the risk on our side since we’re not handling credit card numbers directly. Any payment-related data that we do store (like last 4 digits of a card, transaction IDs) is treated with high sensitivity: - Access to financial records is limited to personnel who need it (like a finance admin for reconciliation). - Such info is stored in secure systems/tables with access logs. We would detect if someone tried to access it without authorization. - We will never ask you to provide payment information in an insecure way. For example, if you get an email that looks like from us asking for your credit card number, it’s fake – we would never do that. Always be wary of phishing.

5.5 Data Minimization and Pseudonymization

We try to minimize usage of personally identifiable info internally. For example, in logs and analytics we often refer to users by an internal user ID or a hash, not by name or email. If we analyze usage data, we prefer aggregated data rather than individual whenever possible. If we ever need to use production data for testing or debugging, we attempt to anonymize it (mask personal fields) beforehand.

Also, importantly, we avoid collecting data we don’t need. We don’t ask for your last name, physical address, or contacts, because Frienda doesn’t require those – by not collecting data, we eliminate any risk associated with it. We focus only on data that serves the purposes described.

5.6 Monitoring and Incident Response

We actively monitor for security-relevant events. For instance: - We have alerts for multiple failed login attempts (which could indicate a brute force attempt), unusual spikes in errors (which might indicate an attack), or abnormal usage patterns like one IP creating many accounts. - If we detect suspicious activity on an account (like login from a new country far away, or a device change that’s unusual), we may take precautionary measures such as sending you a verification or temporarily locking the account until we confirm it’s really you. - We have an incident response plan in place for potential data breaches or security incidents. This plan outlines how to contain incidents, assess impact, remediate the issue, and notify affected users and authorities as required by law.

If, despite all precautions, a data breach were to occur that compromises personal data, we will notify affected users and relevant regulators promptly, within the timeframes required by law (for example, GDPR requires reporting certain breaches to authorities within 72 hours). We would communicate via appropriate channels (email, in-app notification, Telegram message, etc.) to inform you what happened, what data might be involved, what we are doing about it, and steps you may need to take.

5.7 User Responsibilities

While we work hard to secure our systems, security is also a partnership with our users. You play a role in keeping your own data secure on Frienda: - If you use Frienda via Telegram, securing your Telegram account is critical. Use a strong passcode lock for your Telegram app and enable Two-Step Verification in Telegram (which adds a cloud password). This helps prevent others from hijacking your Telegram, and thus your Frienda account. - Never share login links or verification codes you receive from Frienda (or Telegram) with anyone. We will never ask you for those codes. If someone obtains your Telegram login or your email verification code, they could impersonate you. - Be cautious of phishing attempts. Our official communications will come from our domain (frienda.au) or via the official Telegram bot. If you ever get suspicious messages asking for personal info, double-check with us. - If you believe your account has been compromised (for example, you lose access to your Telegram that’s logged into Frienda, or you suspect someone else is using your Frienda account), contact us immediately so we can help secure it.

We continually improve our security measures to adapt to new threats. If you have any questions about security or if you think you’ve discovered a vulnerability or security issue in Frienda, please reach out to us at support@frienda.au. We appreciate feedback from users and the security community.


6. User Rights & Control

You have rights and choices regarding your personal data. We are committed to enabling you to exercise those rights. This section outlines key privacy rights and how you can use them:

6.1 Accessing and Updating Your Information

You can view and edit much of your personal information in your Frienda profile at any time via the app’s interface. For example, you can edit your profile answers, update your photos, change your city, etc. We encourage you to keep your information up-to-date (especially your contact email, so you don’t miss important notifications).
If you need assistance accessing or correcting data that is not directly editable in the app (for instance, your birth date if the app doesn’t allow changing it for age-verification reasons, or if you want to change the login method linked to your account), you can contact us and we will help make the update if appropriate. We might ask for verification or proof for certain changes (e.g., to correct a birth date we may request some ID) just to prevent fraud.

6.2 Privacy Settings and Choices

We give you control over certain data-sharing features and preferences:

Location Sharing: You can choose whether or not to share precise location with Frienda. If you initially allowed GPS location, you can later disable it (in Telegram or device settings). If you never allowed it, we just use IP-based location. The app also typically provides a toggle for live location if applicable.

Optional Profile Info: Providing things like an Instagram handle or detailed prompts is optional. You can decide what personal details to include in your profile. You can also remove or change them any time. We only use what you choose to provide.

Notifications and Communications: If we introduce non-essential notifications (like a newsletter or product updates via email or Telegram), we will give you the ability to opt-in or opt-out. For example, you might have a setting to receive or not receive marketing emails. Transactional or critical messages (like account verification codes, receipts, policy updates) might still be sent as needed, but any promotional communications will be optional.

6.3 GDPR Data Subject Rights (for users in the EEA, UK, and similar jurisdictions)

If you are located in a region with data protection laws like the GDPR, you have specific rights regarding your personal data. We also extend many of these rights to all users as a matter of good practice. These include:

Right to Access: You have the right to request a copy of the personal data we hold about you. This is sometimes called a Subject Access Request. You can also ask for information about how that data is used, what categories of data we have, who we share it with, etc. In this Privacy Policy, we have attempted to outline that, but you can get a more specific report for your account. We will provide this in a common format (likely JSON or CSV) and in a concise, transparent manner.

Right to Rectification: If any personal data we have is incorrect or incomplete, you have the right to have it corrected. The easiest way is usually to correct it yourself in the app (edit your profile, etc.), but you can also contact us to rectify any inaccuracies (for example, if your date of birth was entered wrong and you can’t change it, or if there’s some account info you need changed).

Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data. The primary way to do this is to delete your Frienda account (Section 3.2). You can also ask us to delete specific data if you don’t want to delete your entire account (for instance, delete a particular photo or piece of info). We will erase the requested data unless an exception applies. (Examples of exceptions: we might need to keep data for a legal obligation or a compelling legitimate interest. If so, we’ll inform you.) In practice, account deletion as described in Section 3 handles the erasure of all your data, which covers this right comprehensively.

Right to Restrict Processing: In certain situations, you can ask us to restrict (temporarily halt) processing of your data. For example, if you contest the accuracy of something and we are verifying it, or if you have objected to processing (see below) and we are considering that objection. During such a restriction, we would still store your data but not actively use it. You might request this if, say, you want us to hold your data but not do anything until an issue is resolved.

Right to Object: You have the right to object to certain types of processing. You can object to direct marketing at any time (though we currently don’t do any). You can also object to processing based on legitimate interests. If you do, we will evaluate whether our interest in processing truly overrides your rights. For instance, if you object to us processing your data for analytics, we’ll consider if we can cease processing for you (and likely we would honor it by removing your data from analytics, unless we have a strong need to continue that doesn’t harm you). If you object to processing that is necessary (like something core to providing the service), we might have to explain why we cannot stop that processing without closing your account. In any case, we will either comply with the objection or provide you a justification.

Right to Data Portability: You can request to receive the personal data you provided to us in a structured, commonly used, machine-readable format. You also have the right to transmit that data to another service (or have us transmit it where feasible). In practice, this would mean we can give you an export of information such as your profile details, your friend list, etc., likely in a JSON or CSV form, so that you could import it elsewhere if you wanted. This right applies to data processed by consent or contract, which for Frienda includes most of what you gave us (since using Frienda is a contract and you consented to giving the data).

Right not to be subject to Automated Decision-Making: GDPR gives you the right not to be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on you. In plain terms, this means you can’t be, say, auto-rejected for something by an algorithm without human oversight if it significantly affects you. Frienda does not make any legally significant decisions about users with no human involvement. We do have automated matching and suggestions, but that’s not a “decision” with legal effect, it’s just app functionality. We do not, for instance, automatically ban users purely via AI detection without a human review confirming a violation. If we ever introduce something that could be considered automated decision-making with significant effect, we will ensure appropriate safeguards or the ability to request human review.

To exercise any of these GDPR (or equivalent) rights, you can contact us at our support email (support@frienda.au) with your request. We may need to verify your identity to ensure we’re dealing with the correct person – for example, we might reply with a request that you confirm through your logged-in account or provide some info that only the account owner would know. This is to prevent unauthorized requests (imagine someone else trying to get your data deleted or exported – we have to be sure it’s you).

We will respond to your request as soon as possible, typically within 30 days. If for some reason we cannot fulfill the request (due to a legal exception or technical infeasibility), we will explain the reason. For instance, if you requested deletion but we are required by law to keep a record of something, we’ll tell you that.

6.4 CCPA Rights (for California Residents)

If you are a California resident, you have certain rights under the CCPA (some of which overlap with GDPR rights above):

Right to Know: You can request that we disclose the specific pieces and categories of personal information we have collected about you, the categories of sources for that information, the business purpose for collecting it, and the categories of third parties with whom we share it. Essentially, this is similar to the access right. We’ve described much of this in the policy itself. But upon request, we can provide you with a report of your personal data in our systems and the relevant info as required by CCPA.

Right to Delete: You can request that we delete personal information we have collected from you (with certain exceptions). This is accomplished by deleting your account or sending us a deletion request as described. We will treat it the same way – erasing your data unless an exception applies. CCPA exceptions to deletion include things like: we need the data to complete a transaction you initiated, to detect security incidents, to comply with legal obligations, etc. These closely mirror what we’ve already outlined as reasons we might keep minimal data (like fraud prevention logs or payment records). If any such exception applies, we will let you know at the time of your request.

Right to Opt-Out of Sale: As mentioned, you have the right to direct us not to sell your personal info. Frienda does not sell personal info, so by default we consider this addressed. We do not have a “Do Not Sell” link because we have no selling to opt out of. If this ever changes (unlikely, as that’s not our model), we would update our policy and provide that option. In the meantime, you can be assured we’re not selling or sharing your data for cross-context advertising. If you still want to formally record an opt-out instruction with us, you can contact us and we’ll document that preference (and confirm that we honor it by not doing any sale/sharing).

Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. That means if you request your data or delete your data, we won’t give you a different level of service or charge you differently just because of that. The only scenario is if you delete data necessary for a feature, you simply can’t use that feature – but that’s not discrimination, it’s a result of your choice (e.g., if you opt out of location, we can’t show you nearby friends – that’s not retaliation, it’s just the feature won’t work without that data).

Authorized Agent: As noted earlier, you can have an authorized agent make requests for you. We will require proof of their authority and verification of you (to prevent fraud).

To exercise your California rights, you can use the same contact methods: emailing us at support@frienda.au with your request, and indicating that you are a California resident making a “CCPA request.” We will need to verify your identity (and if through an agent, verify their authority) as described earlier. Once verified, we will respond within 45 days as required by CCPA (or let you know if we need a bit more time, up to an additional 45 days). Our response will generally cover the 12 months prior to your request, as per CCPA requirements.

6.5 Opting Out of Communications

Separately from the formal rights above, if you have opted in to any promotional communications from Frienda (for example, if in the future we offer email newsletters or Telegram notifications with updates), you have the ability to opt out at any time. We will provide clear instructions to unsubscribe in those messages (like an “Unsubscribe” link in an email or a bot command to stop messages). You can also adjust your preferences in the app settings if such an option is available. Note that this opt-out doesn’t cover essential service communications. We may still send you emails or messages about important account issues, password resets, verification codes, or legal notices (those aren’t marketing; they are part of using the service). But anything optional or marketing-related will only be sent with consent and will always have an opt-out.

6.6 Questions or Concerns

We are committed to honoring your privacy rights. If you have any questions about your privacy choices or need guidance on how to exercise a right, please contact us at support@frienda.au. We will be happy to explain or assist.
If you are in the EU/UK and feel we have not addressed your concern satisfactorily, you also have the right to lodge a complaint with your country’s Data Protection Authority (DPA) or the UK Information Commissioner’s Office (ICO). We ask that you please reach out to us first and give us a chance to fix the issue, as we’re confident we can resolve most problems directly. For Australian users, if you’re not satisfied with our handling of a complaint, you can contact the OAIC (Office of the Australian Information Commissioner) as well. Again, we aim to resolve issues cooperatively and promptly.

7. Children’s Privacy

No Users Under 18. Frienda is not intended for children or anyone under 18 years of age. You must be at least 18 (or the age of majority in your country, if higher) to use Frienda. Our Terms of Service explicitly prohibit minors from using the platform, and we have the age gate at registration requiring date of birth.
We do not knowingly collect personal information from anyone under 18. We deliberately ask for birth date during sign-up to enforce the age rule. If someone enters an underage birth date, the account is not created. If a minor lies about their age, we have verification processes (like face verification) that are aimed, in part, to deter underage users. However, no system is foolproof.

If we discover that we have inadvertently collected information from a user under 18 (for example, if later evidence or a report reveals a user’s real age is under 18), we will take immediate steps to delete that information and terminate the account. This is part of our commitment to children’s privacy.

If you are a parent or guardian and you become aware that your under-18 child has created a Frienda account or provided us with personal information, please contact us immediately (see Contact Information in Section 10 below). We will take prompt action to remove the data and close the account. We may ask for proof that you are the parent/guardian in such cases to prevent misuse of this process.

In summary, Frienda is a service for adults only, and we take measures to block and remove any underage usage. Protecting children’s privacy is important to us, and we comply with laws like COPPA (Children’s Online Privacy Protection Act in the US) even though our service isn’t directed at children (meaning we aim to not have any children’s data at all).

8. International Data Transfers

Frienda is a global service. Using it will involve international transfer of your data in many cases. We are an Australian company, but our infrastructure and partners are located in multiple countries. Many of our users may be in the EU, the US, Asia, etc. Here’s what that means for your data:

Data Storage Locations: The personal data you provide to Frienda is primarily stored on servers in the European Union (EU). We chose EU data centers for our primary infrastructure partly to comply with strict EU privacy standards. However, we also utilize services in other countries. For example, Amplitude, Sentry, and OpenAI operate mainly in the United States (so analytics, crash logs, and moderated content might be transmitted to or stored in the U.S.). Our company is based in Australia, and some of our team might access data from Australia. Telegram’s infrastructure is global (they have servers in various regions), so Telegram-related data could pass through multiple countries. Essentially, depending on what part of Frienda you use, your data could be processed in the EU, US, Australia, or potentially other locations where our verified processors have servers.

Transfers from the EU/EEA: If you are in the European Economic Area (EEA) or UK, and your data is transferred out of the EEA (for example to the US or Australia), we take steps to ensure adequate protection for that data, in line with GDPR requirements. Typically, this means:

We have Standard Contractual Clauses (SCCs) in our contracts with service providers outside the EEA. SCCs are legal clauses approved by the European Commission that bind the external recipient to protect EU personal data to EU standards. For instance, our agreements with Amplitude, Sentry, OpenAI, CometChat, etc., include SCCs or equivalent provisions.

If any provider is in a country that has an “adequacy decision” by the EU (meaning the EU has deemed that country’s laws offer sufficient data protection), then data can flow there freely. (Currently, the US and Australia are not on the EU’s adequacy list, which is why we use SCCs for those transfers. The UK and EU have mutual adequacy as of now. If in the future, say, the EU recognizes a framework with the US or Australia as adequate, we might rely on that too.)
We also only transfer the minimum data necessary for the task and employ encryption in transit for all such transfers. For example, when our app sends data to Amplitude’s US servers, it’s via HTTPS, and we do not send any more personal data than needed for analytics.

In some cases, we might rely on a user’s explicit consent for certain transfers if warranted, but generally SCCs and similar safeguards are our main mechanism.

Transfers to Other Regions: If you are outside the EEA, your data will likely be processed in the country of our main server (EU) and also possibly in the US or other locations where our partners operate. Regardless of where your data is stored or processed, we apply the same level of security and privacy protections described in this policy. We also comply with local data protection laws to the extent they apply (e.g., Australian Privacy Principles for Australians, CCPA for Californians, etc.).

Your Acknowledgment: By using Frienda, you understand that your information may be transferred to and stored on servers in countries other than your own. Different countries have different data protection laws, and when located in those countries, data may be subject to lawful access requests by authorities in those jurisdictions (for instance, US law enforcement might lawfully request data stored in the US, etc.). However, our handling of your data will remain governed by this Privacy Policy and the agreements we have in place, regardless of location. We will resist any unlawful or overbroad government requests and, whenever possible, will notify you if we receive such requests (unless legally prohibited).

Protection Measures for International Transfers: We implement technical measures like encryption (discussed above) which protect your data no matter where it physically resides. We also limit access to your data to authorized personnel only, and those personnel access it remotely under secure conditions. For example, our developers or support staff in Australia or other countries access the central EU servers via secure connections (VPN, MFA, etc.) and only as needed. Any contractors or team members in other countries are under strict confidentiality and data protection obligations. In essence, even if data crosses borders, we treat it with the same security standards globally.
If you have questions about international data transfers or want more info about the safeguards in place, please contact us. We can provide further details, and in some cases, we might provide copies of relevant contractual clauses (like SCCs) upon request, subject to confidentiality requirements.

9. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. If we make changes, we will do the following:

Posting the Revised Policy: We will post the updated Privacy Policy within the Frienda app (in the Telegram Mini App and in the iOS app, likely in a Settings or Info section) and on our website (frienda.au). We will update the “Last Updated” date at the top of the policy to indicate the effective date of the changes.

Notification: If the changes are significant, we will provide a more prominent notice or notification. For example, we might send a message through Frienda (via the Telegram bot or in-app notification) or send an email to let you know the policy has changed. In some cases, we might prompt you to review and accept the new policy upon your next use of Frienda. If required by law or at our discretion for major changes, we might seek your explicit consent to the new terms. Minor updates that do not materially affect your rights (like clarifications or grammatical fixes) might simply be posted with the new date.

Your Continued Use: We encourage you to review this Privacy Policy periodically. If you continue to use Frienda after an updated Privacy Policy takes effect, that will constitute your acceptance of the revised policy. If you do not agree to the changes, you should stop using Frienda and you have the right to delete your account as described in Section 3.3.
We will maintain archives of previous versions of this policy and can make them available for review upon request, so you can see how our practices evolve.

10. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We are here to help and address any issues.

SUMMEET PTY LTD (Operator of Frienda)
Address: Level 35, One International Towers, 100 Barangaroo Avenue, Sydney, NSW 2000, Australia
Email: support@frienda.au

The support team can assist with general inquiries and will route privacy-specific questions to our privacy officer or appropriate staff. We prefer email for privacy queries (to have a written record), but if you need an alternative method (for example, if you only can be reached through Telegram), you may message the Frienda support bot and we’ll handle it.
For users in the European Union/EEA or United Kingdom: If you have a privacy-related concern that we cannot resolve together, you have the right to lodge a complaint with your country’s Data Protection Authority or the UK ICO. We truly hope to resolve any concern directly and promptly, so please reach out to us first.

Thank you for reading our Privacy Policy. We have tried to be thorough and transparent about how we handle your information. Your privacy and trust are extremely important to us. We will continue working hard to protect your data and use it responsibly to provide and improve the Frienda service. If you have any questions or suggestions regarding privacy, don’t hesitate to contact us. Your feedback is valued in our ongoing effort to keep Frienda a private and secure space for making friends.