Privacy Policy
This Privacy Policy explains how Pacoo ("we", "us", "our") collects, uses, shares, and protects your personal information when you use our mobile application Pacoo (the "App") and our website pacoo.co (the "Service"). It also describes the rights you have over your data and how to exercise them.
By using the App or the Service, you agree to the processing of your personal data as described in this Privacy Policy. If you do not agree, please do not use the Service.
This Privacy Policy complements our Terms of Use, available at pacoo.co/cgu.
1. Who we are
Pacoo is operated by Pacoo (the "Controller"), acting as the data controller for the personal data collected through the App.
For any question related to your personal data, you can reach us at contact@pacoo.co.
2. Information we collect
2.1 Account information
- Phone number (used to authenticate you via one-time SMS code)
- Username and display name you provide
- Profile avatar (optional)
- Preferred language
- Intention or answers you give during onboarding
- Timezone of your device
2.2 User content
- Card responses (text or photo), messages you send in duos or group conversations, comments, reactions, mentions
- Photos you upload as card responses (stored on Supabase Storage; scanned by Sightengine for NSFW detection)
2.3 Social data
- Friends you add, users you block, participants in your group conversations
- Phone numbers from your device contacts, only if you grant access, used to find friends already using Pacoo (contacts are hashed before being compared on our servers; we do not store your raw contacts)
2.4 Device and technical data
- Device identifiers, model, operating system, app version
- IP address
- Language settings
- Push notification tokens (managed by OneSignal)
2.5 Usage and analytics data
- Product interaction events: screens viewed, buttons tapped, cards played, purchases made
- Crash reports and performance diagnostics
- Collected through PostHog
2.6 Advertising data (AdMob)
- Advertising Identifier (IDFA on iOS, AAID on Android)
- Ad impression, click, and reward events
- Processed by Google AdMob for serving rewarded advertisements
2.7 Purchase and subscription data
- Subscription status, product identifiers, transaction timestamps
- Managed by RevenueCat (we do not store your payment details, which are handled by Apple and Google)
3. How we use your information
We use your personal data for the following purposes:
- Providing the Service — authenticating you, showing your profile, letting you play cards, send messages, and connect with friends
- Personalising your experience — suggesting friends, recommending cards, remembering your settings
- Communicating with you — sending push notifications for friend requests, reactions, new cards, and important updates
- Displaying advertisements — through Google AdMob's rewarded ads system
- Analytics and product improvement — understanding how the App is used so we can fix bugs and improve features
- Fraud prevention and moderation — detecting inappropriate content through automated moderation (Sightengine) and enforcing our Terms of Use
- Legal compliance — responding to lawful requests from authorities
4. Legal bases for processing (GDPR)
Depending on the purpose, we rely on the following legal bases under the General Data Protection Regulation (GDPR):
- Performance of a contract — to provide you with the Service you requested when you created your account
- Legitimate interests — to keep the Service secure, prevent fraud, improve our features, and display advertising
- Consent — for cross-app tracking for personalised advertising (via Apple's App Tracking Transparency on iOS), access to your contacts, access to your photos, and push notifications
- Legal obligation — to comply with legal and regulatory requirements
5. Who we share your data with
We share your data only with the following categories of third parties, and only as strictly necessary:
- Supabase, Inc. — hosting, database, authentication, storage. Location: United States and Europe.
- OneSignal, Inc. — push notifications delivery. Location: United States.
- RevenueCat, Inc. — subscription management and receipts validation. Location: United States.
- PostHog Inc. — product analytics. Location: United States / United Kingdom.
- Google LLC (AdMob) — rewarded video advertisements. Location: Worldwide.
- Sightengine SAS — automated image moderation (NSFW detection). Location: France.
- Apple Inc. and Google LLC — app distribution and in-app purchases processing.
We do not sell your personal data to third parties.
6. International data transfers
Some of our service providers are located outside the European Economic Area. When your data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or on adequacy decisions where applicable.
7. Data retention
We retain your personal data only for as long as necessary:
- Account data — until you delete your account
- User content (card responses, messages, photos) — until you delete the content or your account
- Usage and analytics data — up to 24 months
- Advertising data — as long as required by AdMob's policies
- Moderation records and NSFW violations — up to 12 months, or longer if needed to enforce our Terms
- Subscription data — for the duration required by tax and accounting laws (typically 10 years)
When you delete your account, your personal data is deleted or anonymised within 30 days, except where we are legally required to retain it.
8. App Tracking Transparency and personalised ads (iOS)
On iOS, Apple's App Tracking Transparency (ATT) framework requires your explicit permission before apps can track you across other apps and websites for advertising purposes.
The first time Pacoo shows you a rewarded advertisement, a system dialog will ask whether you allow Pacoo to track your activity across other companies' apps and websites. If you allow tracking, AdMob may use your Advertising Identifier (IDFA) to serve you personalised ads. If you decline, AdMob will still serve you ads, but they will not be personalised based on your cross-app activity.
You can change your decision at any time in Settings > Privacy & Security > Tracking > Pacoo.
9. Your rights
Depending on where you live, you have the following rights over your personal data:
- Right of access — obtain a copy of the personal data we hold about you
- Right of rectification — correct inaccurate or incomplete data
- Right of erasure ("right to be forgotten") — request deletion of your data
- Right to restrict processing — ask us to limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — revoke any consent you have given
- Right to lodge a complaint — with your local data protection authority (in France: the CNIL, at cnil.fr)
To exercise any of these rights, email us at contact@pacoo.co. We will respond within 30 days.
10. Deleting your account
You can permanently delete your account at any time from within the App: Settings > Delete my account. Deletion is processed within 30 days. After deletion, your user content is removed or anonymised, except where legal obligations require us to retain it (e.g. billing records, moderation decisions).
11. Children's privacy
Pacoo is not intended for children under the age of 13 (or the minimum legal age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@pacoo.co so we can delete the data.
12. Security
We implement industry-standard technical and organisational measures to protect your personal data, including encryption in transit (HTTPS / TLS), encryption at rest on our database, row-level security rules in our database, and regular security reviews. However, no online service is perfectly secure, and we cannot guarantee absolute security.
13. Cookies and similar technologies
The Pacoo mobile app does not use cookies. It uses local device storage (AsyncStorage on React Native) to remember your preferences and session. The website pacoo.co uses only technically necessary cookies for navigation; no tracking cookies are placed without your consent.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or by updating the "Last updated" date at the top of this page. Please review this page periodically.
15. Contact
For any question about this Privacy Policy or about the processing of your personal data, contact us at:
Pacoo
Email: contact@pacoo.co