Privacy policy.

1.1 Controller. Thumbs is the “controller” (GDPR) / “business” (CCPA) / “person carrying on an enterprise” (Law 25) of the personal information described in this policy.

1.2 Who this covers. This policy applies to prospective customers, account holders, members of customer organizations, billing contacts, people who contact our support or abuse channels, and visitors to our marketing site.

1.3 Customer Content is yours, not ours. Anything you do on a rented iPhone — accounts you log into, content you post, traffic you route through the device — is your data, not ours. We process it only to provide the service. This policy describes the operational metadata we collect about that activity; it does not cover the content of your activity, which you control.

2.1 Categories of personal information. We collect the following categories of personal information:

• Identity & contact data: name, email, business name (if applicable), billing address.
• Authentication data: hashed password (we never store plaintext), session tokens, password-reset tokens, MFA factors if enabled.
• KYC / identity-verification data: government-issued ID image, selfie / liveness capture, date of birth, document metadata. Collected and verified by Stripe Identity on our behalf — we receive the verification result and a redacted snapshot, not the raw biometric template.
• Payment data: last four digits of payment card, card brand, expiry, billing postal/ZIP code, Stripe customer ID. We do not store full card numbers; Stripe is the card processor.
• Usage & telemetry: login timestamps, IP addresses, user-agent strings, session start/end, iPhone assignments, bandwidth consumption, API call counts, error logs.
• Communications: emails you send to support, abuse, DMCA, or legal; chat transcripts; any voluntary feedback.
• Abuse signals: carrier flags, third-party platform abuse reports, payment-fraud signals, sanctions-screening results.

2.2 Sources. We collect personal information directly from you (signup, KYC, billing, support); from your use of the service (telemetry, logs); from our payment processor and identity-verification provider (Stripe); from carriers and platforms (abuse reports); and from public sources (sanctions and watch-list databases).

2.3 What we do not collect. We do not pre-screen the content of your activity on rented iPhones. We do not collect biometric data outside of the KYC flow operated by Stripe. We do not sell personal information (see Section 12).

3.1 Purposes of use. We use personal information to:

• Create and operate your account.
• Verify your identity (KYC) and screen against sanctions lists.
• Provision iPhones and bill your subscription.
• Operate, monitor, secure, and improve the service.
• Detect, investigate, and respond to abuse, fraud, and security incidents.
• Communicate with you about your account, billing, security, and material service changes.
• Respond to your support questions, DMCA notices, and data-subject requests.
• Comply with legal obligations and respond to valid legal process (subpoenas, court orders, mandatory reports).
• Enforce our Terms of Service and Acceptable Use Policy.

3.2 No automated decision-making with legal effects. We do not use solely automated decision-making (including profiling) to make decisions that produce legal effects or similarly significant effects about you, except for automated fraud / abuse detection. You may request human review of any such decision by emailing privacy@thumbsy.co.

3.3 Marketing. We send transactional and service emails (billing receipts, security alerts, ToS changes). We do not send marketing emails without your opt-in. You can opt out of any non-essential email at any time using the unsubscribe link or by emailing privacy@thumbsy.co.

4.1 GDPR / UK GDPR legal bases. Where the GDPR or UK GDPR applies, we rely on the following bases:

• Contract (Art. 6(1)(b)): processing necessary to provide the service you signed up for — account, billing, provisioning.
• Legal obligation (Art. 6(1)(c)): KYC, AML, sanctions screening, mandatory abuse reporting, response to legal process, tax records.
• Legitimate interests (Art. 6(1)(f)): security, abuse prevention, fraud detection, service improvement, defending legal claims. We balance these against your rights and apply appropriate safeguards.
• Consent (Art. 6(1)(a)): optional analytics and marketing emails, where applicable. You may withdraw consent at any time.

4.2 Special categories of data. KYC may involve special-category data (e.g., biometric data). Where applicable we rely on Art. 9(2)(g) (substantial public interest — fraud and AML prevention) and on your explicit consent provided in the KYC flow.

5.1 We share personal information with:

• Subprocessors (Section 6) who provide infrastructure, payment processing, identity verification, email delivery, and analytics on our behalf, under written data-processing terms.
• Law enforcement and regulators in response to valid legal process or where we are legally required to disclose (including mandatory CSAM reports to NCMEC / Cybertip.ca).
• Carriers and platforms where required to respond to a credible abuse report or to defend against carrier-imposed sanctions on the fleet.
• Professional advisors (lawyers, accountants, auditors) under professional confidentiality obligations.
• Acquirers in the event of a merger, acquisition, financing, reorganization, or sale of assets — with notice to you where required by law.

5.2 We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not engage in targeted advertising as defined under other US state privacy laws.

6.1 Current subprocessors. The following third-party processors handle personal information on our behalf under written data-processing terms:

6.2 Changes to subprocessors. We will update this list when subprocessors change. Material changes (adding a new subprocessor that processes a new category of personal information) will be communicated by email or via prominent notice in the dashboard.

7.1 Cross-border transfers. Our infrastructure and most of our subprocessors are located in Canada and the United States. When personal information from the EU/UK or Quebec is transferred to the United States, we rely on:

• EU/UK Standard Contractual Clauses (SCCs / UK IDTA) with our US subprocessors.
• Quebec Law 25 transfer impact assessments before transferring personal information outside Quebec, documented and available on request.
• Supplementary measures including encryption in transit and at rest, access controls, and audit logging.

7.2 Stripe Identity in the United States. KYC data is processed in the United States by Stripe Identity under Stripe's published privacy and security commitments. By submitting to KYC, you consent to this cross-border processing.

8.1 Retention principles. We retain personal information only as long as necessary for the purposes set out in Section 3, or as required by law. Indicative periods:

• Account & profile data: while your account is active, plus up to 12 months after closure for billing disputes and abuse follow-up.
• KYC records: retained for at least 5 years after the end of the customer relationship to satisfy AML record-keeping requirements (Proceeds of Crime / Bank Secrecy Act).
• Billing & tax records: retained for at least 6 years to satisfy Canadian and US tax-record requirements.
• Operational logs: typically 12 months, longer for security-incident logs and abuse case files.
• Communications: retained for the duration needed to resolve the matter, then archived per our standard schedule.
• Legal hold: data subject to litigation, investigation, or legal process is retained until the matter is resolved.

8.2 Deletion on request. You may request deletion of your personal information per Section 10. We will delete or de-identify data we are not legally required to retain.

9.1 Technical and organizational measures. We implement industry-standard security controls including:

• TLS 1.2+ for all data in transit.
• Encryption at rest for the database and file storage.
• Row-level security on the application database.
• Role-based access controls and audit logging for administrative actions.
• MFA on all production administrative access.
• Vendor security review before adding new subprocessors.
• Regular review of access privileges.

9.2 Breach notification. If we suffer a confidentiality incident or personal-information breach that creates a risk of significant harm, we will notify affected individuals and the applicable regulator(s) in accordance with Quebec's Law 25 (CAI), the GDPR (Art. 33-34), and any other applicable law. Where required, we will notify within 72 hours of becoming aware of the breach.

9.3 No system is perfectly secure. Despite our controls, no method of transmission or storage is 100% secure. You are responsible for keeping your password and API tokens confidential.

10.1 Your rights (regardless of jurisdiction). Subject to applicable law and verification of your identity, you may:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Request deletion of personal information we are not legally required to retain.
• Withdraw any consent you previously gave (where consent is the basis for processing).
• Object to or restrict certain processing.
• Receive a portable copy of personal information you provided.
• Complain to a supervisory authority (see Section 17).

10.2 How to exercise rights. Email privacy@thumbsy.co with the request. We will acknowledge within 10 days and respond substantively within 30 days (extendable by a further 60 days for complex requests, with notice).

10.3 No fee, no retaliation. We do not charge a fee for a first request in any 12-month period and will not retaliate against you for exercising your rights. We may charge a reasonable fee for manifestly excessive or repetitive requests, as permitted by applicable law.

10.4 Identity verification. We will verify the identity of the requester before disclosing or deleting personal information, to protect against unauthorized access.

10.5 Authorized agents. You may use an authorized agent to submit a request. The agent must provide written authorization, and we may still verify your identity directly.

11.1 Privacy Officer. Our Privacy Officer for purposes of Quebec's Law 25 can be reached at privacy@thumbsy.co.

11.2 Categories of recipients. See Section 5 (Sharing) and Section 6 (Subprocessors) for the categories of third parties with whom we share personal information.

11.3 Transfers outside Quebec. See Section 7. We conduct a privacy impact assessment before transferring personal information outside Quebec, available on written request.

11.4 Automated decisions. We do not use personal information to render a decision based exclusively on automated processing that would have legal effects on you, other than fraud / abuse detection. You may request human review per Section 3.2.

11.5 Right to deindexation. Where personal information about you is published by us in a way that causes serious injury to your reputation or privacy and the dissemination is not justified by law, you may request that we cease dissemination or deindex the information.

11.6 Complaints to the CAI. If you are dissatisfied with how we handle your personal information, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) at cai.gouv.qc.ca.

12.1 Categories collected (last 12 months). Identifiers; commercial information; internet/network activity; geolocation (approximate, from IP); audio/visual (KYC selfie); professional/employment-related information (business name); inferences drawn for fraud detection. See Section 2 for details.

12.2 Sources, purposes, and recipients. See Sections 2.2, 3, 5, and 6.

12.3 Sale and sharing. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the last 12 months.

12.4 Sensitive personal information. We collect sensitive personal information (account login credentials, KYC government ID) only for the purposes permitted under CCPA § 7027(m) — providing the service, security, fraud prevention, and legal compliance. We do not use it to infer characteristics about you.

12.5 Your California rights. California residents may request: (a) the categories and specific pieces of personal information we collected; (b) the categories of sources, business or commercial purposes, and third parties; (c) deletion of personal information; (d) correction of inaccurate personal information; (e) to limit our use of sensitive personal information; (f) to opt out of any sale/share (we do not sell or share — opt-out is moot but available). Submit requests per Section 10.

12.6 Shine the Light. We do not share personal information with third parties for those third parties' direct marketing purposes.

13.1 Controller. Thumbs is the controller of personal information described in this policy.

13.2 EU/UK representative. We do not currently have an Art. 27 representative appointed in the EU/UK. EU/UK customers may contact us at privacy@thumbsy.co.

13.3 Legal bases. See Section 4.

13.4 Your rights. Access, rectification, erasure (subject to legal-retention exceptions), restriction, portability, objection, withdrawal of consent, and the right to lodge a complaint with your local supervisory authority.

13.5 International transfers. See Section 7. SCCs and UK IDTA are available on request.

14.1 Strictly necessary cookies. We use cookies and equivalent local-storage entries strictly necessary to operate the service — session cookies for login, CSRF protection, and the Supabase auth state. These do not require consent under applicable law.

14.2 Analytics. We may use first-party analytics to understand aggregate usage of the marketing site and dashboard. We do not use third-party advertising cookies. Where consent is required (EU/UK), we will request it before setting non-essential cookies.

14.3 Do Not Track. We do not currently respond to Do Not Track browser signals, as there is no industry consensus on their meaning. We do honor Global Privacy Control (GPC) signals as an opt-out of any sale/share where applicable.

15.1 Not for minors. The service is not directed at children under 18 (or under 19 where required by provincial law). We do not knowingly collect personal information from anyone under the applicable age of majority. If you believe a minor has provided us with personal information, contact privacy@thumbsy.co and we will delete it.

16.1 Updates. We may update this policy from time to time. The current version is always at this URL with a clear last-updated date.

16.2 Material changes. For material changes (e.g., new categories of personal information, new purposes, new subprocessors that handle new categories of data), we will provide at least 30 days advance notice by email and/or via prominent notice in the dashboard.

17.1 Privacy contact. All privacy-related questions, complaints, and data-subject requests should be sent to privacy@thumbsy.co.

17.2 Supervisory authorities. You may lodge a complaint with:

• Quebec: Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
• Canada (federal): Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
• EU: your national data-protection authority — full list at edpb.europa.eu/about-edpb/board/members
• UK: Information Commissioner's Office (ICO) — ico.org.uk
• California: California Privacy Protection Agency — cppa.ca.gov; California Attorney General — oag.ca.gov/privacy