Privacy Policy
What we collect, why, the legal basis, who we share with, and your rights.
Draft v0.2 — Effective date: [GO-LIVE DATE] (drafted 2026-06-08)
This Privacy Policy explains how [CONTROLLER LEGAL NAME] ("POY", "we", "us") collects, uses, shares, and protects your personal data when you use the POY app and related services, and the rights you have. It is written to be read — if anything is unclear, email [privacy@heypoy.app].
POY is a place to get anonymous, community feedback on photos. It is not an appearance-rating app. We are built around data minimisation: we collect as little about you as possible and delete it on a short clock.
Contents: 1. Who we are · 2. Summary · 3. Data we collect · 4. Sources · 5. Sensitive data · 6. How & why we use it (legal bases) · 7. SDKs & identifiers · 8. What others see · 9. Sharing & sub-processors · 10. International transfers · 11. Retention · 12. Your rights · 13. Region-specific rights · 14. Children · 15. Automated decisions · 16. Security · 17. Changes · 18. Contact & complaints.
1. Who we are
POY is operated by [CONTROLLER LEGAL NAME], the data controller of your personal data.
| Item | Detail |
|---|---|
| Operator | [CONTROLLER LEGAL NAME], trading as POY (sole trader) |
| Address | [CONTROLLER ADDRESS] |
| Privacy contact | [privacy@heypoy.app] |
| ICO registration | [ICO REGISTRATION NUMBER] |
| EU representative (Art. 27) | [appoint if required — see README #6] |
POY is operated from the United Kingdom. We comply with the UK GDPR and Data Protection Act 2018, and with the EU GDPR for users in the EEA. We are not required to appoint a statutory Data Protection Officer, but the contact above reaches the person responsible for data protection.
2. The short version
| Topic | Detail |
|---|---|
| You sign up with | A phone number (for SMS verification). No name, email, or real-name profile. |
| You're anonymous to other users | They only see your photos or your "Decide" options — never your number; there are no usernames, profiles, comments, DMs, or followers. |
| Posts disappear fast | Photos: public 24h. Decisions: 5 min–24h. Everything is hard-deleted from our servers within 15 days. |
| Delete everything yourself | Profile → Delete my account erases your account and all its content. |
| We use Google/Firebase | Our backend is Google Firebase; safety features use Google Vision and Google's Gemini AI. |
| No ads, no selling data, no behavioural profiling | We don't sell your data or use it for advertising. |
| Minimum age | 16+. |
| Your rights | Access, deletion, correction, objection and more (§12–13). Complain to the ICO (§18). |
3. The personal data we collect
We only collect what the Service needs to work and stay safe. We never ask for your name, email, postal address, or contacts.
a) Account & identity
- Phone number — to sign in; Firebase sends an SMS code to verify it. It is an identifier only, never shown to other users, and never attached to your posts or votes.
- Account ID (UID) — an opaque, random identifier Firebase assigns; your posts and votes link to this, not to your number.
- Account timestamps — creation and sign-in times.
b) Content you create
- Photos (single, or two for head-to-head).
- "Decide" text — the question you pick and the two short answer options you type (≤80 characters each), plus the source language.
- These may incidentally contain personal data about you or others (a face, a place) — see §5 and the Community Guidelines.
c) Activity data
- Votes (which post, which direction), your total vote count, and the IDs of posts you've voted on (to prevent double-voting and unlock posting after 5 votes).
- Daily counters — uploads and votes per flow today, to enforce limits.
- Blocks — the (anonymous) accounts you've hidden.
d) Age verification
- Date of birth you self-declare at sign-up, and the time you confirmed it — kept as evidence that we apply an age limit. Used for nothing else.
e) Safety, reports & support
- Reports you submit (post, reason, optional note).
- Support messages and our replies (a conversation thread).
- Moderation outcomes about your account — e.g. warning count, strikes, suspension/ban status and reason. Set by us/our systems, not by you.
f) Notifications & technical data
- Push token (FCM) and update time, if you allow notifications.
- Device-integrity / anti-abuse signals via Google App Check (Play Integrity) — to confirm requests come from the genuine POY app, not a bot.
- Limited technical data processed by our infrastructure when you use the Service — e.g. IP address, app/OS version, device/locale, and timestamps/log data — for security, fraud prevention, reliability, and to show "Decide" content in your language.
We do not collect: your name, email, contacts, precise GPS location, payment details (no paid features yet), biometric identifiers, or advertising IDs for ad targeting.
4. Where your data comes from
- From you — your number, DOB, content, votes, reports, support messages, settings.
- Automatically — technical/usage data, identifiers, and App Check signals generated as you use the Service.
- From our providers — e.g. Firebase Auth (verification result), App Check/Play Integrity (validity signal), and our moderation tools (their assessment of your content).
We do not buy personal data about you or obtain it from data brokers.
5. Sensitive ("special category") data
Photos and text can reveal "special category" data under GDPR — e.g. ethnicity, health, religious belief, or sexual orientation. POY is not designed to collect this, and our rules ask you not to post sensitive information about yourself or anyone else (Community Guidelines §15).
Where such data nonetheless appears in content you choose to make public, we process it only to display your post to voters and to moderate it for safety; for moderation/safety we rely on the "substantial public interest" and safeguarding conditions in the DPA 2018 and on our legal obligations. We do not use facial recognition or biometric identification — our image moderation classifies images for unsafe content; it does not identify who is in a photo.
[legal advice] Confirm the Art. 9 condition for any special-category processing.
6. How and why we use your data — and our legal basis
| Purpose | Data used | Legal basis (UK/EU GDPR) |
|---|---|---|
| Create/secure your account; verify your phone by SMS | Phone, UID, timestamps | Contract (Art. 6(1)(b)) |
| Run the Service: show posts to voters, operate the three flows, enforce daily limits and the 5-vote posting gate, prevent double-voting | Content, votes, counters | Contract |
| Translate "Decide" answers into supported languages | Decision text | Contract |
| Verify you meet the minimum age | Date of birth | Legal obligation (Art. 6(1)(c)) / legitimate interests — protecting minors |
| Moderate photos & text; act on reports; operate the strike system; warn/suspend/ban; comply with online-safety law | Content, reports, moderation outcomes | Legal obligation + legitimate interests — keeping the community and the public safe |
| Prevent abuse, fraud, spam, vote manipulation, SMS-pumping, and ban evasion; keep the Service reliable & secure | App Check signals, technical data, counters | Legitimate interests — security & integrity |
| Send push notifications (e.g. vote milestones) | Push token | Consent (Art. 6(1)(a)) — the device permission; withdraw anytime |
| Respond to support and handle rights requests | Support thread, account data | Contract + legal obligation |
| Comply with legal/regulatory obligations and respond to lawful requests | As required | Legal obligation |
| Establish, exercise, or defend legal claims | As needed | Legitimate interests |
| Delete your data on schedule | All categories | Legal obligation + legitimate interests |
Where we rely on legitimate interests, we've weighed them against your rights and concluded our use is proportionate and within your reasonable expectations; our balancing tests are recorded in our internal ROPA. You can object (§12).
We do not use your data for advertising, ad-targeting, or selling. If we add paid subscriptions, we'll update this policy to cover payment processing before launch.
7. Cookies, SDKs & identifiers
POY is a native mobile app and does not use traditional advertising cookies. We do use software development kits (SDKs) and device identifiers necessary to run and secure the app:
| Technology | Purpose | Type |
|---|---|---|
| Firebase Authentication | Sign-in / phone verification | Strictly necessary |
| Firebase SDKs (Firestore, Storage, Functions) | Core app data and logic | Strictly necessary |
| Firebase Cloud Messaging | Push notifications (token) | Functional / consent |
| App Check (Play Integrity) | Anti-abuse device attestation | Security |
| IP address & device/app identifiers | Security, fraud prevention, reliability | Strictly necessary |
Full detail, and any cookies used by the heypoy.app website, are in our Cookie & Tracking Policy. We do not use third-party advertising or cross-app tracking SDKs.
8. What other users can see
POY is anonymous by design:
- Other users see only your photos or your "Decide" question and its two options.
- They never see your phone number, date of birth, account ID, or any account detail.
- There are no usernames, profiles, bios, comments, DMs, followers, or social graph.
- Votes are aggregate counts — voters can't see who voted, and posters can't see who voted on theirs.
- The Share option appears only on your own posts in My posts; voters cannot reach you.
Remember: a photo you post is public to the community for its lifetime, and others could screenshot it. Don't post anything you wouldn't want seen or saved.
9. Who we share your data with
We don't sell your data and don't share it for advertising. We use a small number of trusted providers ("processors") who handle data on our instructions, plus disclosures required by law.
Sub-processors:
| Provider | Role | Where |
|---|---|---|
| Google Firebase / Google Cloud (Firestore, Auth, Storage, Cloud Functions, FCM) | Core backend: accounts, database, image storage, push, server logic | Primarily London (europe-west2); Google global infrastructure for some services |
| Google Cloud Vision (SafeSearch) | Automated photo safety moderation | Google Cloud |
| Google Vertex AI (Gemini) | Automated moderation + translation of "Decide" text | [CONFIRM REGION — us-central1 (US) / europe-west1] |
| SMS provider (via Firebase Phone Auth) | Delivering your verification code | Routed to your mobile network |
| Google Play (Play Integrity) | App distribution + app-authenticity attestation | |
| RevenueCat (future) | Subscription management — only if/when paid features launch | — |
Other recipients & disclosures:
- Law enforcement / authorities — where legally required or to prevent serious harm or crime; see Law Enforcement Guidelines.
- Child-safety reporting — we report suspected CSAM to the relevant authorities (e.g. NCMEC / the NCA), and preserve/disclose the necessary evidence.
- Professional advisers / a buyer — to lawyers, auditors, insurers, or in a sale/restructuring of POY (under confidentiality and the same protections; we'll tell you about a transfer first).
We do not permit our providers to use your data for their own purposes.
10. Sending data outside the UK/EEA (international transfers)
Our data is hosted primarily in the UK/EEA (Google's London region). Some processing happens on Google's global infrastructure, our "Decide" AI moderation may run in the United States [CONFIRM], and push notifications rely on US-based infrastructure.
Where data leaves the UK/EEA, it is protected by appropriate safeguards required by GDPR — primarily Google's Standard Contractual Clauses and the UK International Data Transfer Addendum, plus adequacy decisions where applicable. You can request a copy of the relevant safeguards via §18.
11. How long we keep your data
| Data | Retention |
|---|---|
| Posts (photos & decisions) + images | Public for their lifetime (24h photos; 5 min–24h decisions). Visible to you in your private archive up to 15 days, then hard-deleted (document, images, and votes) by an automated job. |
| Votes you cast | Deleted with the related post; all deleted if you delete your account. |
| Account record (UID, phone, DOB, counters, blocks, consent) | Kept while your account exists; deleted on account deletion. |
| Reports & support threads | While needed to handle the issue + a reasonable safety/audit period [define]; deleted on account deletion. |
| Moderation records (strikes, warnings, suspensions, audit log) | While needed for safety, rule enforcement, and to defend legal claims [define] — may outlive a single post. |
| Verification SMS / phone-auth logs | Held briefly by the auth/SMS layer for fraud prevention, then expire. |
| CSAM evidence | Preserved per legal/NCMEC/NCA guidance — not auto-deleted. |
| Backups | Rotate out on [confirm cycle]. |
When you delete your account, we immediately remove your posts (and images), the votes you cast, the reports you filed, your support tickets, your account record, and your sign-in account. Some records may persist briefly in backups, or where the law requires retention, after which they are deleted.
12. Your rights (UK/EU GDPR)
You have the right to: access a copy of your data; rectify inaccurate data; erase your data ("right to be forgotten" — do most of this instantly via Profile → Delete my account); restrict processing in certain cases; object to processing based on legitimate interests (and to any direct marketing — we don't do marketing); data portability; withdraw consent (e.g. turn off notifications); and not to be subject to solely automated decisions that significantly affect you (§15).
To exercise any right, contact us (§18). We respond within one month (extendable by two further months for complex requests, with notice). It's free unless a request is manifestly unfounded or excessive. How we handle requests: Data Subject Rights.
13. Region-specific rights
UK & EEA. The rights in §12 apply, and you can complain to the ICO or your local data-protection authority (§18).
Outside the UK/EEA. Other countries may give you similar rights (e.g. to access or delete your data). We extend the core controls — self-service deletion and the contact in §18 — to all users regardless of location.
United States (if/when offered there). If we make POY available in the US, applicable US state privacy laws (e.g. California's CCPA/CPRA) may give you rights to know, delete, correct, and opt out of "sale"/"sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising. [Add a US/state addendum before any US launch.]
14. Children
POY is for users aged 16 and over. We apply a date-of-birth age check at sign-up and design for the safety of younger users in line with the ICO's Age-Appropriate Design ("Children's") Code and the UK Online Safety Act. We may strengthen age-assurance where the law requires. If we learn someone under 16 has an account, we delete it. Please don't post photos of children, or of anyone without their clear permission. Tell us at [privacy@heypoy.app] if you believe a child is using POY.
15. Automated moderation & decision-making
To keep POY safe at speed, we use automated tools: Google Vision SafeSearch screens photos for unsafe content, and Google Gemini plus rule-based filters screen "Decide" text (blocking links, emails, and phone numbers). These can reject or hold a post automatically.
Where an automated outcome significantly affects you (for example your account is suspended or banned), you have the right to request human review — contact in-app Support or [privacy@heypoy.app] and a person will look at it. If our systems are uncertain or fail, a post is held for human review rather than published. We don't use automated decision-making for advertising or profiling. See Moderation & Escalation.
16. Security
We protect your data with: encryption in transit and at rest (Google Cloud); a server-authoritative access model (clients can't write privileged data); least-privilege, version-controlled security rules; App Check device attestation; rate-limits and anti-abuse controls; fail-closed moderation; and a short data lifetime that limits exposure. No system is perfectly secure, but we work to protect your data and operate a breach-response procedure (including notifying the ICO and you where the law requires).
17. Changes to this policy
If we change this policy materially, we'll update the effective date and, where the change affects how we use your data, ask you to re-accept the updated terms in the app before you continue. The current version always lives at heypoy.app/privacy.
18. Contact & complaints
- Email: [privacy@heypoy.app] or hello@heypoy.app
- Post: [CONTROLLER LEGAL NAME], [CONTROLLER ADDRESS]
To protect your account we may verify your request comes from you — usually by confirming control of the phone number on the account. We won't ask for more than necessary.
You can complain to the Information Commissioner's Office (ico.org.uk; 0303 123 1113; Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF), or to your local EEA authority — though we'd appreciate the chance to put things right first.
POY is operated by [CONTROLLER LEGAL NAME]. This policy is provided in good faith and is not legal advice to you.
Questions about this policy? Contact privacy@heypoy.app or visit our contact page.