1. Introduction

1.1 Who We Are

Squicle LLC (“Squicle,” “we,” “us,” or “our”) is a limited liability company registered in Ras Al Khaimah, United Arab Emirates. We operate the Squicle mobile application, website (www.squicle.com), and related services (collectively, the “Platform”). We are committed to protecting your privacy and handling your personal data responsibly and in compliance with applicable data protection laws, including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE Data Protection Law”).

1.2 What This Policy Covers

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you use our Platform. It applies to all users of the Squicle mobile application, website, and related services, regardless of your location.

1.3 Data Controller

Squicle LLC is the data controller responsible for your personal data. For privacy inquiries, contact our Data Protection Officer at dpo@squicle.com.

1.4 Your Agreement

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide Directly

We collect the following categories of personal data that you provide to us:

2.2 Information Collected Automatically

We automatically collect the following information when you use the Platform:

2.3 Information We Do NOT Collect

We want to be transparent about what we do not collect:

• We do not use social login (Facebook, Google, Apple Sign-In) and therefore do not receive data from social media platforms.
• We do not purchase data from data brokers or third-party sources.
• We do not track your precise GPS location continuously in the background. Location is collected only when you actively use location-dependent features (event creation, carpool, ETA).
• We do not collect financial payment card information (credit/debit card numbers). Squicle does not process electronic payments.

3. How We Use Your Information

3.1 Service Provision

• Create and manage your account via phone number verification (OTP).
• Enable real-time messaging through our XMPP chat infrastructure.
• Process event creation, RSVP tracking, task assignments, and carpool coordination.
• Display event locations on maps via Google Maps integration.
• Deliver push notifications via Firebase Cloud Messaging (FCM) for messages, event updates, and account alerts.
• Facilitate contact discovery (with your permission) to connect you with other Squicle users.

3.2 Content Moderation and Safety

• Screen text content using profanity filters and OpenAI Moderation API to detect policy violations.
• Analyze uploaded images using Google Cloud Vision SafeSearch API to detect inappropriate content.
• Enforce chat moderation rules (auto-muting after repeated violations).
• Maintain content audit logs and moderation records to ensure consistent enforcement.

3.3 Communication

• Send event reminders, booking confirmations, and update notifications.
• Deliver new follower, like, and comment notifications.
• Send account security alerts (new device login, password changes).
• Provide customer support responses.

3.4 Security and Fraud Prevention

• Authenticate users via OTP verification and JWT session tokens.
• Detect and prevent fraudulent accounts and unauthorized access.
• Monitor for suspicious behavior and enforce user blocks/bans.
• Maintain security logs for incident investigation.

3.5 Analytics and Improvement

• Understand platform usage patterns through Firebase Analytics.
• Identify and fix bugs and performance issues.
• Develop new features based on usage data.
• Measure platform performance and reliability.

3.6 Legal Compliance

• Comply with applicable laws, including UAE data protection regulations.
• Respond to lawful requests from courts and government authorities.
• Protect our legal rights and the rights of our users.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under UAE Federal Decree-Law No. 45 of 2021:

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Automated Decision-Making and Profiling

We use automated systems that may make decisions affecting your use of the Platform. We believe in transparency about these systems:

5.1 Text Content Moderation

User-generated text (posts, comments, event descriptions, chat messages, reviews) is analyzed using:

• Profanity Filter: Local server-side filtering using configurable word lists to detect inappropriate language.
• OpenAI Moderation API: AI-powered analysis to detect hate speech, harassment, threats, self-harm content, sexual content, and other policy violations. Text content is sent to OpenAI’s servers for analysis; OpenAI processes this data under their data processing agreement and does not use it for model training.

5.2 Image Moderation

Images uploaded to the Platform (profile photos, event covers, post images, chat media) are analyzed using:

• Google Cloud Vision SafeSearch: Detection of adult content, violence, racy content, and other inappropriate imagery. Image URLs are sent to Google’s servers for analysis.

Images that fail moderation are flagged with a status (pending, approved, rejected) and may be blocked from public display.

5.3 Automated Enforcement Actions

• Auto-mute: Users receiving 3 profanity violations within 24 hours are automatically muted from chat for 24 hours.
• Posting blocks: Users with repeated content violations may be automatically blocked from posting, with a recorded reason.
• Avatar rejection: Profile photos flagged as inappropriate are automatically set to a pending moderation status.

5.4 Your Right to Human Review

You have the right to request human review of any automated moderation decision. To appeal, contact support@squicle.com within fourteen (14) days of the decision. Appeals are reviewed and responded to within five (5) business days. If the automated decision is found to be in error, it will be reversed and your content or access restored.

6. Information Sharing and Disclosure

6.1 With Other Users

Certain information is shared with other Users as part of Platform functionality:

• Public Profile: Name, profile photo, bio, interests (visible to all users based on your privacy settings).
• Event Participation: Organizers can see attendee names and RSVP status. Attendees can see other attendees in the same event.
• Chat Messages: Shared with other participants in the same chat group or direct conversation.
• Social Interactions: Likes, comments, follows, and public posts are visible to relevant users.
• Carpool Information: Pickup locations and ETA are shared with other carpool participants in the same event.

6.2 With Service Providers

We share information with the following third-party service providers who assist in operating the Platform:

All service providers are bound by data processing agreements and are contractually obligated to protect your data and use it only for the specified purposes.

6.3 With Law Enforcement and Government Authorities

We may disclose your information to law enforcement or government authorities when:

• Required by applicable law, regulation, court order, or subpoena;
• Necessary to protect the safety of users, the public, or Squicle;
• Required to investigate potential violations of our Terms of Service;
• Necessary to defend against legal claims or establish/exercise our legal rights.

We will make reasonable efforts to notify affected users of law enforcement requests unless prohibited by law or court order.

6.4 Business Transfers

If Squicle is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such transfer and any choices you may have regarding your data before your information is transferred and becomes subject to a different privacy policy.

6.5 What We Do NOT Do With Your Data

• We do NOT sell your personal data to third parties.
• We do NOT share your data with advertisers for targeted advertising.
• We do NOT share your data with data brokers.
• We do NOT use your chat messages or private content for advertising purposes.
• We do NOT allow third-party service providers to use your data for their own marketing purposes.

7. International Data Transfers

Your personal data may be transferred to and processed in countries other than the United Arab Emirates. Our primary international data transfers include:

• United States: Google (Firebase, Cloud Vision, Maps), OpenAI, Twilio, SendGrid, Heroku (application hosting), Cloudinary.
• Global CDN locations: Cloudinary edge servers for optimized media delivery.

7.1 Safeguards for International Transfers

When transferring data internationally, we implement the following safeguards in compliance with UAE data protection law:

• Data processing agreements with all service providers that include standard contractual clauses.
• Selection of providers with robust security certifications (SOC 2 Type II, ISO 27001) where available.
• Encryption of data in transit (TLS/HTTPS) and at rest where supported.
• Minimization of data transferred — we only share the minimum data necessary for each service provider to perform its function.

7.2 UAE-Based Processing

Primary application data is processed on Heroku servers. Our real-time chat infrastructure (Openfire XMPP server) is hosted on a Microsoft Azure Virtual Machine, with chat data stored in a MySQL database on the same UAE-based server. This means your chat messages are primarily stored within UAE infrastructure.

8. Data Retention

We retain your data for as long as necessary to provide our services and fulfill the purposes described in this policy:

After the retention period expires, data is either securely deleted or irreversibly anonymized so it can no longer be associated with you.

You may request earlier deletion of your data at any time by contacting privacy@squicle.com, subject to our legal obligations to retain certain data.

9. Data Security

We implement technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

9.1 Technical Measures

• Password Security: All passwords are hashed using bcrypt (one-way cryptographic hashing). We never store plaintext passwords.
• Transport Encryption: All data transmitted between the App, our servers, and third-party services uses HTTPS (TLS encryption).
• Authentication: JWT (JSON Web Token) based session authentication with configurable expiration.
• OTP Verification: Phone number verification using time-limited one-time passwords.
• Chat Security: XMPP messaging over secured connections.
• Access Controls: Role-based access controls limiting who can access user data within our organization.
• Media Security: Public media hosted on Cloudinary with access controls; private chat media stored on Firebase/Google Cloud Storage with authentication requirements.

9.2 Organizational Measures

• Employee access to user data is limited to those with a legitimate business need.
• Regular security reviews and assessments of our infrastructure.
• Vendor security assessments before engaging new service providers.
• Incident response procedures for security events and data breaches.
• Admin authentication (Devise-based) for internal administration panels with separate credentials.

9.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant UAE data protection authority within 72 hours of becoming aware of the breach, as required by UAE law.
• Notify affected users without undue delay, providing information about the nature of the breach, likely consequences, and measures taken or proposed.
• Document the breach, its effects, and remedial actions taken in our internal breach register.

9.4 Your Security Responsibilities

While we implement robust security measures, you are responsible for: keeping your login credentials secure and confidential; not sharing your account with others; logging out of shared devices; and notifying us immediately at support@squicle.com if you suspect unauthorized access to your account.

10. Your Data Protection Rights

Under UAE Federal Decree-Law No. 45 of 2021 and applicable international data protection standards, you have the following rights:

10.1 Right to Access

You can request a copy of the personal data we hold about you. We will provide this within thirty (30) days of verifying your identity.

10.2 Right to Correction

You can request that we correct inaccurate or incomplete data. Most profile data can be corrected directly in the App settings.

10.3 Right to Deletion

You can request deletion of your personal data, subject to our legal obligations to retain certain data (e.g., financial records for 7 years, moderation logs for 2 years).

10.4 Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format (JSON). Portable data includes your profile information, event history, public posts, and social connections. Contact privacy@squicle.com to request a data export; we will provide it within thirty (30) days.

10.5 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. This includes push notifications (via device settings), location sharing (via device permissions), marketing communications (via app settings or unsubscribe links), and contact discovery (via app permissions).

10.6 Right to Object

You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.

10.7 Right to Restrict Processing

You can request that we restrict the processing of your data while a dispute or objection is being resolved.

10.8 Right to Human Review of Automated Decisions

You have the right to request human review of any automated moderation decision that significantly affects your use of the Platform (see Section 5.4).

10.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the UAE Data Office or any other relevant supervisory authority if you believe your data protection rights have been violated.

10.10 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@squicle.com. We may need to verify your identity before processing your request (typically by confirming your phone number or email). We will respond within thirty (30) days. If we need additional time, we will inform you of the reason and extended timeline.

11. Account Deletion

11.1 How to Request Deletion

You can request deletion of your account by emailing privacy@squicle.com from the email address associated with your account, or through the account settings in the App.

11.2 Processing Timeline

Account deletion requests are processed within fourteen (14) days of identity verification.

11.3 What Gets Deleted

• Your profile information (name, bio, interests, profile photos).
• Your contact information (email, phone number).
• Your notification preferences and device tokens.
• Your subscription data.
• Your follows, blocks, and social connections.
• Your private messages (where you are the only participant requesting deletion).

11.4 What Gets Retained

Certain data may be retained after account deletion due to legal requirements:

• Booking/financial records: Retained for 7 years for financial compliance.
• Moderation and audit logs: Retained for 2 years for policy enforcement and legal defense.
• Anonymized analytics data: Statistical data that cannot identify you, retained indefinitely.
• Legal hold data: Data subject to ongoing legal proceedings or government requests.

11.5 Public and Shared Content

Content you posted publicly (posts, comments, reviews) may be anonymized rather than deleted. Your name and identifiers will be removed, but the content may remain visible to preserve conversation context. Group chat messages may similarly be anonymized where deletion would disrupt conversation history for other participants.

12. Children’s Privacy

Our Platform is not intended for children under the age of thirteen (13). We do not knowingly collect personal data from children under 13.

12.1 Parental Consent

Users between thirteen (13) and eighteen (18) years of age must obtain parental or legal guardian consent before using the Platform. We may require verification of parental consent where we have reason to believe a user is a minor.

12.2 Discovery of Child Data

If we discover or are notified that we have collected personal data from a child under 13 without verified parental consent, we will take steps to delete that data promptly and terminate the associated account. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@squicle.com.

12.3 COPPA Compliance (United States Users)

For users located in the United States, we comply with the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent.

13. Cookies, Tracking, and Local Storage

13.1 Mobile Application

The Squicle mobile application does not use browser cookies. As a native application, we use:

• Realm Database: Local on-device storage for offline functionality and cached data.
• AsyncStorage: Local storage for app preferences and session data.

Data stored locally on your device is not transmitted to our servers unless required for Platform functionality.

13.2 Website (squicle.com)

Our website uses only essential cookies required for basic functionality:

• Session Cookies: Maintain your browsing session. These expire when you close your browser.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies on our website.

13.3 Firebase Analytics

We use Firebase Analytics within the mobile app to understand usage patterns. Firebase Analytics collects aggregated, anonymized usage data including feature usage frequency, session duration, crash reports, and general device information. You can opt out of analytics through your device settings. Firebase Analytics does not collect personally identifiable information for analytics purposes.

13.4 Do Not Track

We do not currently respond to “Do Not Track” browser signals, as there is no universal standard for mobile applications. We respect your privacy choices through the in-app settings and device permissions described in this policy.

14. Marketing Communications

14.1 Opt-In Required

We will only send you marketing communications if you have explicitly opted in. Marketing messages are clearly distinguished from essential service notifications (such as event reminders, booking confirmations, and security alerts).

14.2 How to Unsubscribe

• Adjust your notification preferences in the App settings.
• Click “Unsubscribe” in any marketing email.
• Contact privacy@squicle.com to opt out of all marketing communications.

14.3 No Sale of Data for Marketing

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We do not display advertising within the App or sell ad placements.

15. UAE Data Protection Compliance

15.1 UAE Federal Decree-Law No. 45 of 2021

We comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations. This law establishes the rights of data subjects, obligations of data controllers, and requirements for cross-border data transfers.

15.2 Lawful Processing

We ensure that all processing of personal data has a lawful basis as outlined in Section 4 of this policy, in compliance with Article 4 of the UAE Data Protection Law.

15.3 Cross-Border Transfer Compliance

International data transfers are conducted in compliance with Article 22 of the UAE Data Protection Law, which requires adequate safeguards for data transferred outside the UAE. We implement standard contractual clauses and select providers with adequate security certifications.

15.4 Data Protection Officer

We have designated a Data Protection Officer (DPO) responsible for overseeing data protection compliance. You may contact our DPO at dpo@squicle.com for any privacy-related inquiries or concerns.

15.5 Data Localization

Our real-time chat infrastructure (Openfire XMPP server) is hosted on a Microsoft Azure VM in the UAE, meaning your chat messages are primarily stored within UAE territory. Application data is hosted on Heroku. We are committed to evaluating additional data localization options as our infrastructure evolves.

16. Additional Rights for US Residents

If you are a resident of California or another US state with comprehensive privacy legislation, you may have additional rights:

16.1 California Consumer Privacy Act (CCPA/CPRA)

• Right to Know: You can request information about the categories and specific pieces of personal information we collect, use, and disclose.
• Right to Delete: You can request deletion of personal information we have collected.
• Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

16.2 Exercising US Privacy Rights

US residents may exercise these rights by contacting privacy@squicle.com. We will verify your identity using your phone number or email before processing requests.

17. Changes to This Privacy Policy

17.1 Notification of Changes

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Effective Date” at the top of this policy.
• Notify you through the Platform via in-app notification or push notification.
• Send an email notification for material changes.
• Provide at least thirty (30) days’ notice before material changes take effect.

17.2 Continued Use

Your continued use of the Platform after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with changes, you should discontinue use and request account deletion.

17.3 Version History

We maintain a version history of material changes to this policy. You may request previous versions by contacting privacy@squicle.com.

18. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Company: Squicle LLC
• Registered: Ras Al Khaimah, United Arab Emirates
• Privacy Inquiries: privacy@squicle.com
• Data Protection Officer: dpo@squicle.com
• General Support: support@squicle.com
• Legal Inquiries: legal@squicle.com
• Website: www.squicle.com

We aim to respond to all privacy inquiries within thirty (30) days.