Sunslider

Privacy Policy

Last updated: July 17, 2025

1. Introduction

Welcome to Sunslider ("we," "our," or "us"). We are committed to protecting your privacy and ensuring that your personal data is handled securely and in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This Privacy Policy explains how we collect, use, and protect your personal data when you use the Sunslider mobile application and related services.

Our Privacy Philosophy: Sunslider is built on the principle that social media should serve users, not exploit them. We collect only the data necessary to provide our service, we don't track your behavior for advertising, and we don't sell your data to third parties.

2. Data Controller

Sunslider SAS is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or your rights, you can contact us at:

Sunslider SAS
6 rue Jean-Marie Chavant
Lyon, France
[email protected]

3. What Data We Collect

3.1 Account Information

When you create a Sunslider account, we collect:

  • Email Address - For account authentication and essential communications
  • Username - Your unique identifier on the platform
  • Display Name - Optional name shown to other users
  • Password - Stored as an encrypted hash, never in plain text
  • Birth Date - To verify you meet our 16+ age requirement
  • Bio - Optional description (up to 150 characters)
  • Profile Picture - Optional image, automatically processed to remove sensitive metadata

3.2 Interest and Social Data

  • Selected Interests - Categories you choose during signup to help with content discovery
  • Invitation Relationships - If you joined via an invitation code, we store this relationship to suggest connections
  • Social Connections - Users you follow and who follow you
  • Content Interactions - Photos you like and basic interaction patterns

3.3 Content You Share

  • Photos and Images - Content you upload as slides or stories
  • Captions - Text descriptions you add to your content
  • Privacy Settings - Your chosen visibility levels for each piece of content

Important: All photos are automatically processed to remove EXIF metadata including GPS location, device information, and timestamps before storage.

3.4 Technical Information

  • Device Tokens - For push notifications (only if you enable them)
  • Error and Crash Data - Anonymous technical information to help us fix bugs and improve app stability
  • Basic Usage Data - Anonymous information about app performance and feature usage

3.5 What We DON'T Collect

  • Location Data - We never collect or store your location
  • Browsing History - We don't track your activity outside Sunslider
  • Behavioral Profiles - We don't build advertising or psychological profiles
  • Contact Lists - We don't access your phone's contacts
  • Personal Files - We only access photos you explicitly choose to share

4. How We Use Your Data

4.1 Essential App Functions

  • Account Management - Authentication, profile display, account recovery
  • Content Sharing - Displaying your photos to users based on your privacy settings
  • Social Features - Enabling follows, likes, and content discovery
  • Interest-Based Discovery - Showing you content and suggesting users based on your declared interests
  • Push Notifications - Sending notifications about app activity (only if enabled)

4.2 Privacy Protection

  • EXIF Stripping - Automatically removing sensitive metadata from all uploaded images
  • Privacy Controls - Enforcing your chosen visibility settings (Everyone, Followers, Mutuals)
  • Data Security - Protecting your information with encryption and access controls

4.3 Service Improvement

  • Bug Fixes - Using anonymous crash reports to identify and fix technical issues
  • Performance Optimization - Improving app speed and reliability
  • Feature Development - Understanding which features are most valuable to users

4.4 Essential Communications

  • Service Updates - Important information about app changes or security updates
  • Account Security - Notifications about login attempts or security concerns
  • Policy Changes - Updates to our terms or privacy practices

5. Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds:

  • Contractual Necessity - To provide the Sunslider app service you've requested
  • Consent - When you enable push notifications or provide optional information
  • Legitimate Interests - To improve app security, prevent fraud, and enhance our services while respecting your privacy
  • Legal Obligations - To comply with laws and regulations

6. Data Storage and Security

6.1 EU-Only Infrastructure

  • All Data in EU - Your personal data is stored and processed exclusively within European Union datacenters
  • Hetzner Cloud - Our servers are hosted by Hetzner in Germany and Finland
  • Supabase EU - Our database is hosted by Supabase in the EU-Central region
  • EU Privacy Laws - Your data is protected by GDPR and European privacy regulations

6.2 Security Measures

  • Encryption in Transit - All data transmission uses HTTPS encryption
  • Encrypted Storage - Your data is encrypted when stored on our servers
  • Access Controls - Strict limits on who can access your data within our team
  • Regular Security Updates - Continuous monitoring and security improvements
  • EXIF Stripping - Automatic removal of sensitive metadata from all images

6.3 Data Minimization

  • Only What's Needed - We collect only the data necessary to provide our service
  • No Behavioral Tracking - We don't build profiles based on your usage patterns
  • No Cross-Platform Tracking - We don't track you across other websites or apps
  • Anonymous Error Reports - Technical data is anonymized and doesn't identify you

7. Data Sharing

7.1 No Data Sales

We never sell, rent, or trade your personal data. Your information is not our product—you are our customer.

7.2 Limited Third-Party Access

We share data only with essential service providers who help us operate Sunslider:

  • Sentry (EU) - Anonymous crash reports for bug fixing (no personal data included)
  • Supabase (EU) - Database hosting (your data remains in EU datacenters)
  • Hetzner (EU) - Server hosting (your data remains in EU datacenters)

All service providers:

  • Are located in the European Union
  • Have strict data protection agreements
  • Cannot use your data for their own purposes
  • Must delete data when no longer needed

7.3 Legal Requirements

We may disclose data only when required by law or to protect rights, safety, and property. Any such disclosure will be limited to what's legally necessary.

8. Your Content and Privacy Controls

8.1 Three-Tier Privacy System

  • Everyone - Content visible to all Sunslider users
  • Followers - Content visible only to users who follow you
  • Mutuals - Content visible only to users you follow who also follow you

8.2 Content Control

  • Your Choice - You control who sees each piece of content you share
  • Easy Changes - You can modify privacy settings at any time
  • Clear Indicators - Visual cues show who can see your content
  • Deletion Rights - You can delete your content whenever you choose

8.3 My Days Feature

  • 48-Hour Expiration - My Days automatically disappear after 48 hours
  • No Permanent Storage - Expired images are deleted from our servers
  • Save Feature - You can save your My Days images to your device before they expire

9. Data Retention

9.1 Active Accounts

We retain your data as long as your account is active to provide ongoing service.

9.2 Account Deletion

When you delete your account:

  • 90-Day Retention - Your data is retained for 90 days to allow account recovery
  • Complete Deletion - After 90 days, all your data is permanently deleted
  • Immediate Deactivation - Your profile and content become invisible immediately

9.3 Content Deletion

When you delete individual content:

  • Soft Deletion - Content is immediately hidden from other users
  • 30-Day Retention - Deleted content is retained for 30 days to allow recovery
  • Permanent Deletion - After 30 days, deleted content is permanently removed

9.4 Anonymous Data

Anonymous technical data (like crash reports) may be retained longer for service improvement, but cannot be linked back to your identity.

10. Data Transfers

All your data remains within the European Union. We do not transfer personal data outside the EU. Our infrastructure partners (Hetzner, Supabase, Sentry) all operate EU-based services with GDPR compliance.

11. Your Rights Under GDPR

You have the following rights regarding your personal data (available to all users worldwide):

11.1 Access

Request a copy of all personal data we hold about you, including:

  • Account information and settings
  • All your content and interactions
  • Social connections and invitation relationships

11.2 Correction

Request corrections to any inaccurate or incomplete data in your profile or account.

11.3 Deletion

Request complete deletion of your account and all associated data.

11.4 Objection

Object to our processing of your data, particularly for service improvement purposes.

11.5 Restriction

Request limited processing of your data in certain circumstances.

11.6 Portability

Request your data in a structured, machine-readable format for transfer to another service.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month, as required by GDPR.

12. Children's Privacy

Sunslider is only available to users aged 16 and older. We verify age during account creation and do not knowingly collect data from anyone under 16. If we learn that a user is under 16, we immediately delete their account and all associated data.

13. Push Notifications

13.1 Optional Feature

Push notifications are entirely optional and disabled by default. You can:

  • Enable or disable notifications in app settings
  • Choose which types of notifications to receive
  • Remove your device token at any time

13.2 Device Tokens

If you enable push notifications:

  • We store a device token to send notifications to your device
  • Device tokens are linked to your account for targeted delivery
  • You can remove the token and disable notifications anytime
  • Tokens are automatically removed when you delete your account

14. Data Breach Notification

In the unlikely event of a data breach:

14.1 Authority Notification

We will notify the relevant EU supervisory authority within 72 hours of becoming aware of any breach.

14.2 User Notification

If a breach poses high risk to your rights and freedoms, we will notify affected users directly without undue delay.

14.3 Breach Response

Our notifications will include:

  • The nature and scope of the breach
  • Likely consequences and risks
  • Measures taken to address the breach
  • Steps you can take to protect yourself

We maintain comprehensive breach detection and response procedures to ensure rapid response to any security incident.

15. Open Source Privacy Tools

As part of our commitment to transparency, we've open-sourced key privacy components:

  • EXIF Stripping Tool - Available on GitHub for community audit and use
  • Privacy Control System - Open implementation of our three-tier visibility system
  • MIT License - Free for anyone to use, modify, and audit

These open-source tools allow independent verification of our privacy protections and enable other developers to implement similar privacy features.

16. Business Model and Data Independence

16.1 No Advertising Model

Sunslider operates without advertising revenue, which means:

  • No Targeted Ads - We don't show advertisements based on your data
  • No Behavioral Tracking - We don't need to track your behavior for advertisers
  • No Data Sales - Your information has no commercial value to us beyond providing the service

16.2 User-Funded Service

Our revenue comes from optional user subscriptions, not from exploiting your data:

  • Free Access - Core features remain free to use
  • Optional Support - Users can choose to support Sunslider financially
  • No Freemium Pressure - No artificially limited features to force payments

17. International Users

While Sunslider operates under EU law and infrastructure, we extend GDPR-level privacy protection to all users worldwide, regardless of location. Non-EU users receive the same privacy rights and protections as EU residents.

18. Changes to This Privacy Policy

18.1 Notification of Changes

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be communicated through:

  • In-app notifications
  • Email notifications (if you've provided email)
  • Website announcements

18.2 Continued Use

Continued use of Sunslider after policy changes constitutes acceptance of the updated terms. If you disagree with changes, you can delete your account and all data will be removed according to our retention schedule.

19. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your data:

Sunslider SAS
6 rue Jean-Marie Chavant
Lyon, France
Email: [email protected]

Data Protection Officer: [email protected]

We are committed to addressing your privacy concerns promptly and transparently.

Summary: Sunslider is built to respect your privacy. We collect only essential data, store everything in the EU, never sell your information, and give you complete control over your content and privacy settings. Your data is protected by the strongest privacy laws in the world, and you can delete your account and all data at any time.

By using Sunslider, you acknowledge that you have read and understood this Privacy Policy.
