Privacy Policy

1. Introduction

Welcome to Ignis, a comprehensive social media management platform operated by NovaMind Technologies FZE, a company registered in Ajman, United Arab Emirates ("we," "us," "our," or "Ignis"). We are committed to protecting your personal information and your right to privacy in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our platform at ignisapp.co ("Service," "Platform," or "Ignis"). This policy applies to all users of our service, including individuals who register for accounts, connect social media profiles, and interact with our platform.

By accessing or using Ignis, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not register for an account or use our services. We reserve the right to make changes to this Privacy Policy at any time and for any reason, with notice provided as described in Section 11.

Data Controller: NovaMind Technologies FZE (Ajman, UAE) acts as the data controller for the personal information processed through Ignis.

2. Information We Collect

2.1 Information You Provide to Us

We collect information that you voluntarily provide when registering for an account, using our services, or communicating with us:

• Account Registration Information: Full name, email address, password (encrypted), username, phone number (optional)
• Profile Information: Company/organization name, job title, profile picture, bio, website URL, timezone preferences
• Billing and Payment Information: Credit card details (processed securely via Stripe - we do not store full card numbers), billing address, VAT/tax identification numbers, payment history
• Communication Data: Customer support inquiries, feedback, survey responses, chat messages, email correspondence
• User-Generated Content: Social media posts (text, images, videos, links), captions, hashtags, scheduling preferences, content drafts, media uploads
• Team and Collaboration Data: Information about team members you invite, role assignments, permissions, workspace settings

2.2 Social Media Account Data

When you connect your social media accounts to Ignis using OAuth 2.0 authentication, we collect and process the following data from each connected platform:

• Meta Platforms (Facebook, Instagram): OAuth access tokens, page/profile IDs, page names, follower counts, post content, engagement metrics (likes, comments, shares), insights and analytics data, profile pictures, account status
• TikTok: OAuth access tokens, user IDs, username, display name, avatar URL, video content, engagement metrics (views, likes, comments, shares), follower statistics, video analytics
• Snapchat: OAuth access tokens, account IDs, display name, Bitmoji avatar, snap content, story views, engagement data, audience demographics
• LinkedIn: OAuth access tokens, organization/personal profile IDs, company pages, profile information, post content, engagement metrics (likes, comments, shares), follower demographics, connection data
• Reddit: OAuth access tokens, username, subreddit information, post and comment content, karma scores, upvotes/downvotes, submission history
• YouTube: OAuth access tokens, channel IDs, channel name, subscriber count, video content, video analytics (views, watch time, engagement), comments, playlists
• X (Twitter): OAuth access tokens, user IDs, username, display name, profile picture, tweet content, engagement metrics (likes, retweets, replies), follower/following counts, timeline data

We only request the minimum permissions necessary to provide our services. You can revoke access to any connected social media account at any time through your Ignis account settings or directly through the respective social media platform.

2.3 Automatically Collected Information

When you access and use Ignis, we automatically collect certain information about your device and usage:

• Log and Usage Data: IP address, browser type and version, operating system, device type, unique device identifiers, referring/exit pages, access times, pages viewed, clicks, navigation paths
• Device Information: Hardware model, screen resolution, device settings, mobile network information, geolocation data (with your consent)
• Performance and Diagnostic Data: Crash reports, error logs, API response times, feature usage statistics, system performance metrics
• Cookies and Tracking Technologies: Session cookies, authentication tokens, preference cookies, analytics cookies (see Section 7 for details)
• Security and Fraud Detection Data: Login attempts, security events, authentication logs, rate limiting data, suspicious activity indicators

3. How We Use Your Information

We use the information we collect for the following purposes, in accordance with applicable law and with your consent where required:

• Service Delivery and Functionality: To provide, operate, and maintain the Ignis platform; process and fulfill your requests; enable social media posting and scheduling; display analytics and insights
• Account Management: To create and manage your user account; authenticate your identity; process registrations and logins; manage subscriptions and billing
• Social Media Operations: To connect to and interact with social media platforms on your behalf; publish, schedule, and manage social media content; retrieve analytics and engagement data; maintain OAuth tokens and session management
• Analytics and Insights: To generate performance reports; analyze social media engagement trends; provide audience insights and demographics; track content performance
• Communication: To send transactional emails (account notifications, password resets, scheduling confirmations); provide customer support; send service announcements and updates; respond to inquiries and feedback (we will not send marketing emails without your explicit consent)
• Compliance and Legal Obligations: To comply with legal requirements, court orders, and regulatory obligations; enforce our Terms of Service; protect our legal rights and interests
• Security and Fraud Prevention: To detect, prevent, and respond to security incidents; monitor for fraudulent activity; implement rate limiting and abuse prevention; conduct security audits and testing
• Platform Improvement: To understand how users interact with Ignis; identify bugs, errors, and performance issues; develop new features and functionality; conduct research and analysis to improve user experience
• Business Operations: To process payments and manage billing; maintain backups and disaster recovery systems; facilitate business transfers (mergers, acquisitions, asset sales)

3A. Legal Basis for Data Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under GDPR:

• Consent (Article 6(1)(a) GDPR): When you explicitly consent to the processing of your personal data, such as connecting social media accounts, subscribing to optional communications, or using certain features
• Performance of Contract (Article 6(1)(b) GDPR): To fulfill our contractual obligations under the Terms of Service, including providing the Ignis platform, processing your social media operations, and managing your account
• Legitimate Interests (Article 6(1)(f) GDPR): To pursue our legitimate business interests, such as improving our services, conducting analytics, preventing fraud and abuse, ensuring platform security, and communicating service updates (balanced against your rights and interests)
• Legal Obligations (Article 6(1)(c) GDPR): To comply with legal and regulatory requirements, including tax obligations, financial regulations, and law enforcement requests

4. How We Protect Your Data

We implement comprehensive technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

4.1 Encryption and Data Security

• Encryption at Rest: All sensitive data stored in our databases is encrypted using AES-256 encryption, including passwords (bcrypt hashing with salt), OAuth tokens, payment information, and user-generated content
• Secrets Management: API keys, credentials, and sensitive configuration data are stored in HashiCorp Vault with encryption at rest and strict access policies
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security) with strong cipher suites
• Database Security: Self-hosted PostgreSQL databases with encrypted connections, regular security patches, and restricted network access

4.2 Access Controls and Authentication

• Role-Based Access Control (RBAC): Internal access to systems and data is restricted based on job function and the principle of least privilege
• Multi-Factor Authentication (2FA): Required for all administrative and sensitive operations, with support for TOTP and backup codes
• OAuth 2.0: Secure authentication protocol for social media integrations, ensuring we never store your social media passwords
• Session Management: Secure session handling with HTTP-only cookies, CSRF protection, and automatic session expiration
• Password Security: Strong password requirements, secure password reset flows, and protection against brute-force attacks through rate limiting

4.3 Security Monitoring and Incident Response

• Continuous Monitoring: Real-time security monitoring, intrusion detection systems, and automated alerts for suspicious activity
• Logging and Auditing: Comprehensive audit logs of system access, data modifications, and security events with retention for forensic analysis
• Breach Notification: In accordance with GDPR Article 33, we will notify relevant supervisory authorities within 72 hours of becoming aware of a personal data breach, and affected users without undue delay if the breach poses a high risk
• Incident Response Plan: Documented procedures for detecting, responding to, and recovering from security incidents
• Vulnerability Management: Regular security assessments, penetration testing, dependency scanning, and timely application of security patches

4.4 Infrastructure Security

• Self-Hosted Infrastructure: We maintain full control over our infrastructure, hosting critical components (databases, Redis cache, HashiCorp Vault) on our own secure servers
• Network Security: Firewalls, network segmentation, VPN access for remote administration, and DDoS protection
• Physical Security: Data centers with 24/7 surveillance, biometric access controls, and redundant power/cooling systems
• Backup and Disaster Recovery: Automated encrypted backups with off-site storage, tested recovery procedures, and business continuity planning

4.5 Compliance and Certifications

• SOC 2 Type II Compliance: Our security practices and controls are independently audited and certified to meet SOC 2 standards
• GDPR Compliance: Our data processing activities are designed to comply with GDPR requirements, including data minimization, purpose limitation, and user rights
• Regular Audits: Internal security audits, third-party penetration testing, and compliance reviews conducted at least annually

Important Note: While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security posture and promptly address any identified vulnerabilities.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following limited circumstances:

5.1 Infrastructure and Service Providers

• Self-Hosted Infrastructure: We maintain full control over core infrastructure components, including self-hosted PostgreSQL databases, Redis cache, and HashiCorp Vault for secrets management. This minimizes third-party data sharing.
• Payment Processing: Credit card and payment information is processed securely by Stripe, our PCI DSS compliant payment processor. We do not store full credit card numbers. See Stripe's privacy policy: https://stripe.com/privacy
• Email Communications: Transactional emails (account notifications, password resets, scheduling confirmations) are sent through our self-managed SMTP infrastructure. We do not use third-party marketing email services unless you explicitly opt-in.
• Hosting and Cloud Infrastructure: Our frontend application and API services may be hosted on cloud platforms (e.g., Vercel, AWS, or similar) with appropriate data processing agreements in place.

5.2 Social Media Platform APIs

To provide our core social media management services, we interact with the following third-party social media platforms via their official APIs. Data is shared only as necessary to perform actions you request (posting content, retrieving analytics, etc.):

• Meta Platforms (Facebook, Instagram): Privacy Policy
• TikTok: Privacy Policy
• Snapchat: Privacy Policy
• LinkedIn: Privacy Policy
• Reddit: Privacy Policy
• YouTube (Google): Privacy Policy
• X (Twitter): Privacy Policy

5.3 Frontend Dependencies and Analytics

• Next.js and React: Our platform is built with Next.js (open-source framework) and React. These libraries run in your browser and do not share data with third parties.
• Content Delivery Network (CDN): Static assets (CSS, JavaScript, images) may be served via CDN for performance optimization.
• Error Monitoring: We may use error tracking services (e.g., Sentry) to monitor application stability. Error reports may include anonymized diagnostic data but not personal content.
• Analytics: We use minimal, privacy-respecting analytics to understand platform usage. We do not use invasive tracking scripts like Google Analytics without explicit consent.

5.4 Legal Requirements and Business Transfers

• Legal Compliance: We may disclose your information if required by law, court order, subpoena, or governmental authority, including to law enforcement agencies, regulatory bodies, or in response to valid legal process.
• Protection of Rights: To enforce our Terms of Service, protect our rights, property, or safety, or that of our users or the public, including fraud prevention and security investigations.
• Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity, subject to the same privacy protections.

We do not sell your personal information. We have not sold personal information in the past 12 months and do not intend to do so in the future.

5A. Platform-Specific Data Handling

Each social media platform has its own data policies and terms of service. When you connect a social media account to Ignis, you are also subject to that platform's privacy policies and terms:

Meta Platforms (Facebook, Instagram)

We access Facebook and Instagram data via Meta's official APIs using OAuth 2.0. Data is processed in accordance with:

• Meta Platform Terms: https://www.facebook.com/terms.php
• Meta Privacy Policy: https://www.facebook.com/privacy/policy/

TikTok

We access TikTok data via the TikTok for Developers API. Data is processed in accordance with:

• TikTok Terms of Service: https://www.tiktok.com/legal/terms-of-service
• TikTok Privacy Policy: https://www.tiktok.com/legal/privacy-policy

Snapchat

We access Snapchat data via the Snap Kit API. Data is processed in accordance with:

• Snapchat Terms of Service: https://www.snap.com/en-US/terms
• Snapchat Privacy Policy: https://values.snap.com/privacy/privacy-policy

LinkedIn

We access LinkedIn data via the LinkedIn Marketing Developer Platform. Data is processed in accordance with:

• LinkedIn User Agreement: https://www.linkedin.com/legal/user-agreement
• LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Reddit

We access Reddit data via the Reddit API. Data is processed in accordance with:

• Reddit User Agreement: https://www.redditinc.com/policies/user-agreement
• Reddit Privacy Policy: https://www.reddit.com/policies/privacy-policy

YouTube (Google)

We access YouTube data via the YouTube Data API. Data is processed in accordance with:

• YouTube Terms of Service: https://www.youtube.com/t/terms
• Google Privacy Policy: https://policies.google.com/privacy

X (Twitter)

We access X (Twitter) data via the X API. Data is processed in accordance with:

• X Terms of Service: https://twitter.com/en/tos
• X Privacy Policy: https://twitter.com/en/privacy

You can revoke Ignis's access to any connected platform at any time through your account settings on Ignis or directly on the respective social media platform.

6. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information under data protection laws. We are committed to honoring these rights and providing transparent mechanisms for exercising them.

6.1 GDPR Rights (European Economic Area, United Kingdom, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access (Article 15): Request a copy of your personal data we hold, along with information about how we process it
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data
• Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your personal data under certain circumstances (e.g., data no longer necessary for original purpose, withdrawal of consent, unlawful processing)
• Right to Restriction of Processing (Article 18): Request limitation on how we use your data in certain circumstances (e.g., while verifying accuracy, during legal proceedings)
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller
• Right to Object (Article 21): Object to processing of your personal data based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
• Right Not to be Subject to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see Section 8B for details on our automated processing)
• Right to Lodge a Complaint (Article 77): Lodge a complaint with your local supervisory authority if you believe we have violated your rights under GDPR

6.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, the sources from which it is collected, the purposes for collection, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., completing transactions, security purposes, legal compliance)
• Right to Opt-Out of Sale: Opt-out of the "sale" of personal information (note: we do not sell personal information)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your CCPA rights (we will not deny services, charge different prices, or provide different quality of service)
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information (we use sensitive information only as necessary to provide services)

6.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

• Email: privacy@ignisapp.co
• Subject Line: "Data Subject Request" or "Privacy Rights Request"
• Include: Your full name, registered email address, description of your request, and proof of identity (if required)

Request Processing:

• We will acknowledge receipt of your request within 5 business days
• We will respond to your request within 30 days (GDPR) or 45 days (CCPA), with possible extensions if necessary
• We may require additional information to verify your identity before processing certain requests
• We will not charge a fee for processing requests unless they are manifestly unfounded, excessive, or repetitive
• If we deny your request, we will provide a written explanation and information about your right to appeal or lodge a complaint

Additional Options:

• You can update your account information directly through your Ignis account settings
• You can disconnect social media accounts at any time through the Connections page
• You can delete your account at any time through Account Settings (this will initiate data deletion as described in Section 8)

6.4 Supervisory Authority

If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

7. Cookie Policy

Ignis uses cookies and similar tracking technologies to enhance your experience, provide functionality, and analyze platform usage. This section explains what cookies we use and how you can manage them.

7.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently, remember your preferences, and provide information to website owners.

7.2 Types of Cookies We Use

• Essential Cookies (Strictly Necessary): Required for the platform to function. These include authentication cookies, session management, security tokens, and CSRF protection. You cannot opt-out of these cookies. Retention: Session duration or up to 30 days.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences (theme, timezone, language), saved filters, and UI settings. Retention: Up to 1 year.
• Analytics Cookies: Help us understand how users interact with Ignis by collecting anonymous usage statistics (pages visited, features used, time spent). We use minimal, privacy-respecting analytics. Retention: Up to 2 years.
• Performance Cookies: Monitor platform performance, page load times, error rates, and system stability to help us improve service quality. Retention: Up to 90 days.

7.3 How to Manage Cookies

You have several options to control or limit cookies:

• Browser Settings: Most browsers allow you to refuse or accept cookies, delete existing cookies, and set preferences for specific websites. Consult your browser's help documentation for instructions.
• Cookie Preferences: You can manage your cookie preferences through our cookie banner (if available) or account settings.
• Opt-Out of Analytics: You can opt-out of analytics cookies through your account settings or browser extensions like Privacy Badger or uBlock Origin.

Note: If you disable or refuse cookies, some features of Ignis may not function properly, and you may not be able to use certain services.

7.4 Third-Party Cookies

In limited cases, third-party services we use (such as payment processors, CDNs, or error monitoring tools) may set their own cookies. These cookies are subject to the respective third party's privacy policies:

• Stripe (Payment Processing): https://stripe.com/privacy
• CDN Providers: May set cookies for content delivery optimization
• Error Monitoring (e.g., Sentry): May set cookies for session tracking in error reports

7.5 Cookie Retention Periods

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Remain on your device for a specified period (see retention times above) or until you manually delete them
• Authentication Cookies: Expire after 30 days of inactivity or when you log out

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of data and the purpose for which it was collected.

8.1 Retention Schedule

• Account Information: Retained for the duration of your active account, plus 90 days after account deletion (to allow for recovery or dispute resolution)
• Social Media Content and Posts: Retained for the duration of your active account, plus 30 days after account deletion or disconnection of the respective social media account
• OAuth Tokens: Retained until you disconnect the respective social media account or revoke access. Tokens are automatically refreshed or expired per platform requirements.
• Billing and Payment Information: Retained for 7 years after the last transaction to comply with tax and financial regulations (credit card details stored by Stripe per their retention policy)
• Analytics and Usage Data: Anonymized and aggregated analytics data may be retained indefinitely for research and platform improvement. Identifiable usage logs are retained for 90 days.
• Customer Support Communications: Retained for 3 years after the last interaction to maintain support history and resolve future inquiries
• Security Logs and Audit Trails: Retained for 1 year for security investigations, fraud detection, and compliance audits
• Backup Data: Encrypted backups are retained for 90 days, after which they are permanently deleted. If your account is deleted, your data will be removed from backups at the next backup cycle.

8.2 Legal Retention Requirements

In some cases, we may be required to retain your data for longer periods due to legal, regulatory, tax, or accounting requirements. This includes:

• Financial records for tax compliance (7 years)
• Data subject to legal holds or ongoing litigation
• Data required to comply with law enforcement requests or regulatory investigations
• Data necessary to establish, exercise, or defend legal claims

8.3 Data Deletion Process

When you delete your account or request data deletion:

• Your account will be immediately deactivated and inaccessible
• Personal data will be permanently deleted from our production databases within 30 days
• Backup copies will be removed within 90 days (at the next backup rotation)
• OAuth tokens for connected social media accounts will be immediately revoked
• Some anonymized, aggregated data may be retained for analytics and research purposes (cannot be linked back to you)
• Data required for legal compliance will be retained per legal requirements and then securely deleted

To request account deletion, go to Account Settings or contact us at privacy@ignisapp.co. We will confirm deletion via email once the process is complete.

8A. Data Minimization Principle

In accordance with GDPR Article 5(1)(c), we adhere to the principle of data minimization, ensuring that we collect and process only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Our Data Minimization Practices:

• We only request social media permissions necessary to provide the specific features you use
• We do not collect personal information "just in case" it might be useful in the future
• We regularly review the data we collect and delete data that is no longer necessary
• We anonymize or pseudonymize data wherever possible while still maintaining functionality
• We design features to minimize data collection (e.g., processing data client-side when possible)
• We provide granular controls so you can choose which data to share and which features to enable

If you believe we are collecting data that is not necessary for our services, please contact us at privacy@ignisapp.co.

8B. Automated Decision-Making and Profiling

In accordance with GDPR Article 22, we want to be transparent about any automated decision-making or profiling activities that may affect you. We do not make decisions that produce legal effects or similarly significantly affect you based solely on automated processing without human intervention.

8B.1 Automated Processing We Use

Ignis uses limited automated processing for the following purposes:

• Content Scheduling Algorithm: Automated scheduling system that determines optimal posting times based on your audience engagement patterns and historical performance data. Impact: Suggests posting times; you retain full control over final scheduling decisions.
• Analytics and Insights: Automated analysis of social media performance metrics to generate reports, identify trends, and provide recommendations. Impact: Informational only; does not make decisions on your behalf.
• Fraud Detection and Security: Automated systems monitor for suspicious activity, unauthorized access attempts, and potential security threats. Impact: May temporarily restrict access or flag accounts for manual review; appeals are always available.
• Rate Limiting and Abuse Prevention: Automated rate limiting to prevent platform abuse and ensure fair usage. Impact: May temporarily throttle requests; does not permanently affect your account.

8B.2 Your Rights Regarding Automated Processing

Under GDPR Article 22, you have the right to:

• Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
• Obtain human intervention if an automated decision significantly affects you
• Express your point of view and contest automated decisions
• Request an explanation of the logic involved in automated decision-making

If you have concerns about automated processing or believe an automated decision has adversely affected you, please contact us at privacy@ignisapp.co for human review.

9. International Data Transfers

NovaMind Technologies FZE is based in Ajman, United Arab Emirates. As a global social media management platform, your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States, European Union member states, Singapore, and other jurisdictions where our service providers operate.

9.1 Data Transfer Locations

• United Arab Emirates: Primary data processing location (NovaMind Technologies FZE headquarters and infrastructure)
• United States: Some service providers (Stripe for payments, potential cloud infrastructure) are based in the US
• European Union: May process data in EU data centers for European users to minimize latency
• Singapore: Potential infrastructure location for Asia-Pacific users

9.2 Legal Safeguards for International Transfers

When we transfer personal data from the EEA, UK, or Switzerland to countries that do not provide an adequate level of data protection as determined by the European Commission, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) to govern data transfers to third countries
• International Data Transfer Agreement (IDTA): For UK transfers, we may use the UK IDTA approved by the UK Information Commissioner's Office (ICO)
• Adequacy Decisions: We rely on adequacy decisions issued by the European Commission where available (e.g., for transfers to countries recognized as providing adequate protection)
• Data Processing Agreements: All third-party service providers that process personal data on our behalf are contractually bound to implement appropriate technical and organizational measures to protect your data

9.3 Platform-Specific International Transfers

When you connect social media accounts, your data may be shared with platforms headquartered in different countries:

• Meta (Facebook, Instagram): Headquartered in the United States; operates globally with data centers worldwide
• TikTok: Owned by ByteDance (China); US operations managed by TikTok Inc. (United States); EU operations managed by TikTok Technology Limited (Ireland)
• Snapchat: Snap Inc., headquartered in the United States
• LinkedIn: Owned by Microsoft Corporation, headquartered in the United States
• Reddit: Headquartered in the United States
• YouTube: Owned by Google LLC (Alphabet Inc.), headquartered in the United States
• X (Twitter): X Corp., headquartered in the United States

Each platform has its own data transfer mechanisms and privacy policies (see Section 5A for links). By connecting these accounts, you acknowledge that your data will be processed according to those platforms' policies.

9.4 Your Rights Regarding International Transfers

You have the right to request information about the safeguards we have in place for international data transfers and to obtain a copy of the relevant transfer mechanisms (such as Standard Contractual Clauses). Please contact us at privacy@ignisapp.co for more information.

10. Children's Privacy

Ignis is not intended for use by children under the age of 13 (or 16 in the European Economic Area, United Kingdom, and Switzerland, where required by law). We do not knowingly collect, use, or disclose personal information from children under these ages.

Age Requirements:

• General Users: You must be at least 13 years old to create an Ignis account
• EEA/UK/Switzerland Users: You must be at least 16 years old (or the age of digital consent in your country) to create an account
• Business Use: If you are using Ignis on behalf of a business or organization, you must have the legal authority to bind that entity to our Terms of Service

If You Become Aware of Child Data: If you are a parent or guardian and become aware that your child has provided us with personal information without your consent, please contact us immediately at privacy@ignisapp.co. If we discover that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information as quickly as possible.

Social Media Platform Age Requirements: Please note that the social media platforms you connect to Ignis (Facebook, Instagram, TikTok, etc.) have their own age requirements, which may differ from ours. You are responsible for complying with those platforms' terms of service.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this policy and take appropriate steps to notify you in accordance with the significance of the changes.

11.1 Types of Changes and Notification

• Minor Changes: For minor updates (typos, clarifications, formatting), we will update the policy on this page. We encourage you to review this policy periodically.
• Material Changes: For material changes that significantly affect how we collect, use, or share your personal information, we will provide prominent notice through one or more of the following methods:
  • Email notification to the email address associated with your account (at least 30 days before changes take effect)
  • In-app notification or banner on the Ignis platform
  • Pop-up or modal requiring acknowledgment of changes before continued use
• Legal Requirement Changes: If changes are required by law or to comply with legal obligations, we may implement them immediately with notice provided as soon as reasonably possible.

11.2 Your Rights Upon Policy Changes

If you do not agree with the updated Privacy Policy, you have the right to:

• Object to the changes by contacting us at privacy@ignisapp.co
• Delete your account before the changes take effect (see Section 8 for data deletion procedures)
• Exercise your GDPR or CCPA rights (see Section 6)

Continued Use = Acceptance: By continuing to access or use Ignis after the updated Privacy Policy takes effect, you acknowledge that you have read, understood, and agree to be bound by the updated policy.

11.3 Version History

You may request previous versions of this Privacy Policy by contacting us at privacy@ignisapp.co. We will provide archived versions upon request.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We are committed to addressing your inquiries promptly and transparently.

Data Protection Officer: For GDPR-related inquiries, you may direct your communication to our privacy team at privacy@ignisapp.co with the subject line "Attn: Data Protection Officer."