CAMUP PRIVACY POLICY

Effective Date: 03 September 2025
Last Updated: 14 October 2025

1. INTRODUCTION AND CONTROLLER INFORMATION

CamUp Ltd ("we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the CamUp mobile application and related services (the "Service").

Data Controller:
CAMUP LTD
Company Number: 09376782
50 North Gate Prince Albert Road
London, England, NW8 7EH
Email: privacy@camup.com

Data Protection Officer:
privacy@camup.com

This Privacy Policy applies to residents of the European Union and the United Kingdom and complies with the General Data Protection Regulation (GDPR) and UK GDPR.

2. WHAT PERSONAL DATA WE COLLECT

2.1 Account and Profile Information

• Account Details: Username, email address, phone number (if provided), password (encrypted)
• Channel Information: Channel name, bio, profile image, member count
• Verification Data: Information submitted for business verification (if applicable)

2.2 Content Data

• Video Content: All videos recorded within the app, including posts and replies
• Metadata: Recording timestamp, duration, device information
• Channel Activity: Posts, replies, comments, tier settings, membership preferences

2.3 Membership and Payment Data

• Subscription Information: Tier levels, payment history, subscription status
• Payment Data: Processed by third-party payment providers (we do not store full payment card details)
• Creator Analytics: Revenue data, member statistics, engagement metrics

2.4 Technical and Device Data

• Device Information: Device type, operating system, app version, device identifiers (Android ID)
• Essential Analytics Data: App crashes, errors, performance metrics, technical stability data
• Enhanced Analytics Data (with consent): Feature usage patterns, user engagement metrics, behavioral data
• Network Information: IP address, network type, connection quality
• Communications: Support tickets, feedback, correspondence with us

2.5 Automatically Collected Data

• Essential Analytics: Crash reports, error logs, performance statistics (always collected for app stability)
• Enhanced Analytics (with consent): User engagement metrics, retention data, feature adoption patterns
• Log Data: IP address, access times, pages viewed

2.6 What We Do NOT Collect

We do NOT collect or have access to:

• Health or medical data
• Financial account numbers or raw payment card information (handled only by secure payment processors)
• Precise location data or GPS coordinates
• Contacts from your device
• Photos or videos from your device gallery (only in-app recording is allowed)
• Browsing history outside the app
• Data from other apps on your device
• Biometric data (face templates, fingerprints, etc.)
• Religious or political beliefs
• Sexual orientation or preferences
• Advertising identifiers (IDFA, AAID)
• Data from third-party authentication beyond basic profile information

3. LEGAL BASIS FOR PROCESSING

We process your personal data based on the following legal grounds:

3.1 Contract Performance (Article 6(1)(b) GDPR)

• Creating and managing your account
• Providing access to channels and membership tiers
• Processing payments and subscriptions
• Delivering core app functionality

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

• Essential Analytics: App stability, crash detection, error logging, performance monitoring
• Security and fraud prevention
• Customer support and service improvements

Justification: Essential analytics are necessary for maintaining app quality, security, and providing a stable service. These are minimal data collection practices that do not override user privacy rights.

3.3 Consent (Article 6(1)(a) GDPR)

• Enhanced Analytics: User behavior tracking, feature usage patterns, personalized insights
• Optional features requiring explicit consent

3.4 Legal Obligation (Article 6(1)(c) GDPR)

• Compliance with tax and financial regulations
• Responding to legal requests
• Child safety requirements

4. HOW WE USE YOUR PERSONAL DATA

4.1 Core Service Provision

• Channel Management: Creating and maintaining creator channels and member profiles
• Content Delivery: Displaying and organizing video posts and replies according to tier access
• Membership System: Managing subscriptions, tier access, and payment processing
• Moderation: Enabling creator-controlled content moderation and community management

4.2 Platform Enhancement

• Essential Analytics (always active): Detecting crashes, monitoring performance, fixing technical issues
• Enhanced Analytics (with your consent): Understanding user behavior, developing new features, improving user experience

4.3 Security and Safety

• Authenticity Verification: Ensuring all content is recorded in-app (no uploads allowed)
• Fraud Prevention: Detecting and preventing fraudulent activities
• Safety Measures: Implementing measures to protect users and creators

4.4 Communication

• Service Updates: Notifying you about changes to the service or your account
• Support: Responding to your inquiries and providing customer support

5. DATA SHARING AND DISCLOSURE

5.1 We Share Data With:

Service Providers:

• Payment processors (for subscription management)
• Cloud storage providers (encrypted data storage)
• Analytics services (aggregated, anonymized data)
• Customer support platforms

Business Partners:

• Only when necessary for service provision and with appropriate data processing agreements

Legal Requirements:

• Law enforcement agencies (when legally required)
• Regulatory authorities (for compliance purposes)
• Courts and legal proceedings (when compelled by law)

5.2 We Do Not:

• Sell your personal data to third parties
• Share individual user data for advertising purposes
• Provide personal data to other users (except public channel information)
• Share data with advertising networks or trackers

5.3 Data Storage and International Transfers

Data Storage Location:

• Primary data storage: Amazon Web Services (AWS) UK region
• All user data is stored within the United Kingdom
• No routine transfers of data outside the UK/EU

Limited International Transfers:

In limited cases, data may be transferred outside the UK/EU only when:

• You explicitly consent to the transfer
• Required by law or legal process
• Necessary for service provision with appropriate safeguards (Standard Contractual Clauses)

Third-Party Service Providers:

Some third-party services (Firebase/Google, Stripe) may process data in regions outside the UK/EU. These transfers are protected by:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions where applicable
• Additional technical and organizational safeguards

6. DATA RETENTION

6.1 Account Data

• Active accounts: Retained while your account is active
• Inactive accounts: Deleted after 24 months of inactivity (with prior notice)
• Closed accounts: Most data deleted within 30 days

6.2 Data Retained After Account Deletion

When you delete your account, the following data is retained for legal and compliance purposes:

• Financial records: 7 years (tax and accounting requirements)
• Payment history: 7 years (legal compliance)
• Fraud investigation data: Up to 3 years (security purposes)
• Legal dispute records: Duration of dispute plus 1 year
• Tax documentation: As required by law

All other personal data (videos, profile information, messages, etc.) is permanently deleted within 30 days.

6.3 Content Data

• Creator Content: Retained as long as the creator's account is active
• Member Replies: Retained according to channel settings and creator preferences
• Deleted Content: Permanent deletion within 30 days, except for legal compliance needs

6.4 Financial Data

• Payment records: Retained for 7 years for tax and legal compliance
• Subscription data: Retained while subscription is active plus 3 years

6.5 Technical Data

• Essential analytics data: Retained for 12 months
• Enhanced analytics data: Aggregated and anonymized after 24 months
• Log files: Deleted after 12 months unless required for security investigations

7. YOUR RIGHTS UNDER GDPR/UK GDPR

7.1 Access Rights

• Request a copy of your personal data
• Information about how your data is processed
• Receive data in a structured, commonly used format (JSON)

7.2 Correction and Update Rights

• Correct inaccurate personal data
• Complete incomplete personal data
• Update your account information at any time through app settings

7.3 Deletion Rights ("Right to be Forgotten")

• Request deletion of your personal data
• Automatic deletion when data is no longer necessary

How to Delete Your Account:

• Open the CamUp app
• Go to Settings
• Select Account
• Tap Delete Account
• Confirm deletion

What happens after deletion:

• Most personal data deleted within 30 days
• Financial records retained for 7 years (legal requirement)
• Fraud investigation data retained for up to 3 years (if applicable)
• All videos, profile information, and messages permanently deleted

7.4 Restriction Rights

• Limit how we process your data in certain circumstances
• Object to processing based on legitimate interests
• Opt-out of enhanced analytics (Settings → Privacy & Safety → Analytics & Improvement)

7.5 Data Portability

• Receive your data in JSON format
• Transfer data to another service provider
• Available for data processed based on consent or contract

7.6 Objection Rights

• Object to processing for direct marketing (absolute right)
• Object to processing based on legitimate interests
• Object to automated decision-making (if applicable)

To Exercise Your Rights: Contact us at privacy@camup.com or through the app settings.

Response Time: We will respond within 30 days (or 60 days for complex requests).

8. SECURITY MEASURES

8.1 Technical Safeguards

• End-to-end encryption for video content
• Secure data transmission (HTTPS/TLS)
• Regular security audits and penetration testing
• Multi-factor authentication options
• Encrypted backups stored in AWS UK region, retained for 30 days

8.2 Organizational Measures

• Limited access to personal data (need-to-know basis)
• Regular staff training on data protection
• Incident response procedures
• Privacy by design and by default principles

8.3 Data Breach Procedures

• Notification to supervisory authorities within 72 hours
• User notification when high risk to rights and freedoms
• Documentation and investigation of all breaches

9. DATA COLLECTION TECHNOLOGIES AND ANALYTICS

9.1 Two-Tier Analytics Approach

Essential Analytics (Always Active - Legitimate Interest):

• Purpose: App stability, security, and technical functionality
• What we collect: Crash reports, error logs, performance metrics, technical diagnostics
• Legal basis: Legitimate interest (Article 6(1)(f) GDPR)
• Cannot be disabled: Required for app stability and security
• No user identification: Data is not linked to individual users

Enhanced Analytics (Requires Your Consent):

• Purpose: Product improvement, feature development, user experience optimization
• What we collect: Feature usage patterns, engagement metrics, user behavior, retention data
• Legal basis: Consent (Article 6(1)(a) GDPR)
• Opt-in required: You will be asked for permission after account creation
• Can be disabled: Change preference anytime in Settings → Privacy & Safety → Analytics & Improvement
• User-level tracking: Data may be linked to your account for personalized insights

9.2 Your Analytics Consent Choice

After creating your account, you will see a one-time popup:

"Help us improve CamUp"

[Allow analytics] - Share behavioral data to help us improve features you use
[Deny analytics] - Only essential crash and error data will be collected

You can change this choice at any time in Settings → Privacy & Safety → Analytics & Improvement.

9.3 Mobile App Technologies Used

• Essential App Functions: Authentication tokens, session management, user preferences
• Essential Analytics: App crash detection, error logging, performance monitoring
• Enhanced Analytics (with consent): Feature usage statistics, engagement metrics

9.4 Third-Party Services Integration

Firebase Services (Google):

• Firebase Crashlytics: Crash detection and error reporting (always active)  
• Firebase Analytics: App usage patterns and user engagement metrics 
• Firebase Cloud Messaging: Push notifications for content updates and membership activities 
• No personal identifiers are sent without consent for behavioral analytics

Cloud Infrastructure:

• Amazon Web Services (AWS): Primary data storage and processing (UK region)

Google Play Services:

• App updates and security patches
• In-app billing for subscription management
• Device compatibility and feature detection

Payment Processing SDKs:

• Stripe integration for creator payouts and revenue distribution
• Google Play Billing API for Android in-app subscriptions and payments
• Apple's Advanced Commerce Platform for iOS in-app purchases and subscriptions
• All payment data is encrypted and handled directly by the respective platform's secure payment systems; we do not process or store raw payment card information on our servers

Third-Party Privacy Policies:

For more information about how these services handle data:

• Firebase & Google Services: https://firebase.google.com/support/privacy and https://policies.google.com/privacy
• Amazon Web Services: https://aws.amazon.com/privacy/
• Stripe: https://stripe.com/privacy
• Apple: https://www.apple.com/legal/privacy/

9.5 Data Sharing with Analytics Services

• Essential Data: Crash reports, error logs (no user identification)
• Enhanced Data (with consent): Aggregated usage patterns, feature adoption
• Geographic Data: Country-level usage statistics (no precise location)
• Technical Data: Device types, OS versions for compatibility optimization

9.6 Your Control Over Data Collection

• Essential Analytics: Cannot be disabled as required for app stability and security
• Enhanced Analytics: Can be opted out through Settings → Privacy & Safety → Analytics & Improvement
• Account Data: Can be deleted through Settings → Account → Delete Account

9.7 No Web-Based Tracking

• No web cookies or browser-based tracking technologies
• No cross-site tracking or advertising networks
• No social media tracking pixels or similar web technologies
• All data collection occurs within the mobile app environment only
• No advertising IDs (IDFA, AAID) used for any purpose
• Authentication data from Sign in with Apple/Google is used only for account creation and login

10. CHILDREN'S PRIVACY

10.1 Age Eligibility and Restrictions

The CamUp Service is intended for users who are at least 16 years of age. We do not knowingly collect personal data from individuals under the age of 16. If you are under the age of 16, you are not permitted to use or register for the Service.

10.2 Age Requirement

By creating an account, you represent that you are at least 16 years old. We rely on users to provide accurate age information. We do not have automated age verification systems.

10.3 Parental Responsibility and Controls

We encourage parents and guardians to monitor their children's online activities. If you are a parent or guardian and believe your child under the age of 16 has provided us with personal data without your consent, please contact us immediately at privacy@camup.com. We will take steps to delete such information and terminate the child's account promptly.

10.4 Child Safety Reporting

We maintain strict child safety standards and report confirmed instances of child sexual abuse material to relevant authorities:

• National Center for Missing & Exploited Children (NCMEC)
• UK National Crime Agency (NCA)
• Other appropriate legal authorities as required by law

For urgent child safety concerns, contact: safety@camup.com

Full Child Safety Standards available at: http://camup-child-safety.s3-website.eu-north-1.amazonaws.com/

10.5 Compliance with EU and UK Data Protection Law

Our processing of personal data for users in the European Union and the United Kingdom complies with the GDPR and UK GDPR, including the specific provisions for the protection of children's data.

11. AUTOMATED DECISION-MAKING

11.1 Limited Automated Systems

• Basic fraud detection for payment processing
• Automated content delivery based on membership tiers
• No automated decisions that significantly affect users

11.2 No AI-Based Decision Making

• No algorithmic content filtering or removal
• No automated account suspension or banning
• All significant decisions are made by creators or through manual review

12. SPECIAL CATEGORIES OF DATA

We do not intentionally collect special categories of personal data (racial origin, political opinions, religious beliefs, health data, etc.). If such data is inadvertently collected through video content, it will be:

• Processed only when necessary for service provision
• Subject to additional safeguards
• Deleted when no longer necessary

13. PRIVACY BY DESIGN

13.1 Built-in Privacy Features

• In-app recording only (no external uploads)
• Creator-controlled content moderation
• Granular privacy settings for all content
• End-to-end encryption for sensitive communications

13.2 Data Minimization

• Collect only data necessary for service provision
• Regular data audits and cleanup procedures
• Privacy-friendly default settings

14. SUPERVISORY AUTHORITY CONTACT

For EU Residents: You have the right to lodge a complaint with your national data protection authority.

For UK Residents: Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

15. CHANGES TO THIS POLICY

15.1 Updates and Notifications

• Material changes will be notified by email and in-app notification
• Minor updates posted on our website with updated effective date
• Continued use constitutes acceptance of updated policy

15.2 Version Control

• All previous versions archived and available upon request
• Clear documentation of changes made
• Grandfather provisions for existing users where applicable

16. CONTACT INFORMATION

For Privacy Questions:

• Email: privacy@camup.com
• In-app: Settings → Terms and Policies → Contact Privacy Team
• Mail: CAMUP LTD, 50 North Gate Prince Albert Road, London, England, NW8 7EH

For Data Protection Rights:

• Submit requests through the app or email above
• Include verification information to process requests
• Response time: 30 days (may be extended to 60 days for complex requests)

For Customer Support:

• Email: support@camup.com
• We aim to respond to support inquiries within 48 hours

17. JURISDICTION-SPECIFIC PROVISIONS

17.1 Additional EU Rights

• Right to lodge complaints with supervisory authorities
• Right to effective judicial remedies
• Cross-border processing notifications

17.2 UK-Specific Provisions

• Processing under UK GDPR and Data Protection Act 2018
• ICO registration and compliance
• UK adequacy decision considerations for international transfers

18. GOOGLE PLAY SERVICES AND ANDROID PERMISSIONS

18.1 Android Permissions

CamUp requests the following permissions:

• Camera: Required for in-app video recording (core functionality)
• Microphone: Required for audio recording with videos
• Storage: Required for temporary video processing and caching
• Internet: Required for uploading content and app functionality
• Network State: To optimize video quality based on connection

18.2 Google Play Services

• We use Google Play Services for app updates and security
• Crash reporting through Google Play Console (no personal data in reports)
• No Google advertising services or tracking SDKs are integrated

18.3 Data Shared with Google

• Technical crash data through Firebase Crashlytics (no personal identification)
• App performance metrics through Firebase Analytics
• No personal user content is shared with Google
• Standard app store analytics (downloads, usage statistics)

19. APPLE APP STORE COMPLIANCE

19.1 iOS Permissions

CamUp requests the following iOS permissions:

• Camera: Required for in-app video recording
• Microphone: Required for audio with videos
• Notifications: For membership updates and creator posts (optional)

19.2 Authentication and Privacy

• Sign in with Apple: Available as a secure authentication option. We collect only the information you choose to share (name and email).
• Other Sign-in Methods: Google Sign-In and email/password authentication are also available.
• No Advertising Tracking: We do not use Apple's IDFA (Identifier for Advertisers) or any other advertising identifiers.
• No Cross-App Tracking: We do not track user activity across other apps or websites.
• No ATT Prompt Required: Since we do not engage in tracking as defined by Apple, no App Tracking Transparency prompt is displayed.

Last Updated: 14 October 2025
Version: 1.1

This Privacy Policy is available in multiple languages. In case of conflicts between versions, the English version shall prevail.