Privacy Policy

Last updated: April 17, 2026

At Rawly, we believe privacy is a fundamental right, not a feature. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our mobile application and website (collectively, the "Service").

1. Information We Collect

Account Information: When you register, we collect your username, email address, and phone number. Your password is securely hashed and never stored in plain text.

Profile Data: Your optional profile photo, bio, and display name.

Content: Photos you capture and post through the app, voice comments, and text descriptions. All photos are captured in-app and cannot be uploaded from your device gallery.

Usage Data: We collect anonymized analytics including app interactions, feature usage, and crash reports to improve the Service.

Device Information: Device type, operating system version, and app version for compatibility and security purposes.

Location Data: Only when you explicitly grant permission, we collect location for bounty challenges and location-tagged posts. You can revoke this permission at any time.

2. How We Use Your Information

• To create and manage your account
• To display your content on the feed and in challenges
• To facilitate the Jeton economy (earning, spending, gifting)
• To match you with bounty challenges based on location
• To send push notifications you've opted into
• To detect and prevent abuse, spam, and fraudulent activity
• To improve and develop new features

3. End-to-End Encrypted Messaging

Direct messages on Rawly are encrypted end-to-end using the Signal protocol. This means:

• Only the sender and recipient can read message content
• Rawly cannot access, read, or decrypt your messages
• Messages are stored as encrypted ciphertext on our servers
• Encryption keys are generated and stored only on your device

4. Data Sharing

We do not sell your personal information. We may share limited data with:

• Service Providers: Cloud hosting, push notification services, and crash analytics — only the minimum necessary data
• Legal Requirements: When required by law, court order, or to protect the safety of our users
• With Your Consent: Any other sharing requires your explicit approval

5. Data Retention

We retain your account data as long as your account is active. You can request deletion of your account and all associated data at any time from the app settings. Upon deletion, your data is permanently removed within 30 days.

6. Data Security

We implement industry-standard security measures including encrypted data transmission (TLS), secure password hashing, device attestation (iOS App Attest), rate limiting, and regular security audits. However, no system is 100% secure, and we cannot guarantee absolute security.

7. Legal Basis for Processing (GDPR Art. 6)

For users in the European Economic Area, we process your personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Account creation, delivering core features (feed, challenges, messaging, Jeton transactions).
• Legitimate interest (Art. 6(1)(f)): Fraud prevention, platform security, abuse detection, and aggregate analytics.
• Legal obligation (Art. 6(1)(c)): Financial record-keeping (Jeton transaction logs, 7-year retention).
• Consent (Art. 6(1)(a)): Push notifications and location access. You may withdraw consent at any time through device Settings or in-app Notification Preferences.

8. International Data Transfers

Rawly is based in Estonia (EU) and our primary servers are located within the European Economic Area. If data is processed by service providers outside the EEA (e.g., Firebase/Google in the US), such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by adequacy decisions.

9. Automated Decision-Making

Rawly does not make decisions based solely on automated processing that produce significant effects on you. Content moderation flags are reviewed by our team before action is taken. Feed ranking uses non-personalized, engagement-based algorithms.

10. Your Rights (GDPR)

Under GDPR and other applicable laws, you have the following rights:

• Access (Art. 15): Request a copy of the personal data we hold about you.
• Rectification (Art. 16): Correct inaccurate data in Settings or by contacting us.
• Erasure (Art. 17): Delete your account through Settings > Delete Account.
• Portability (Art. 20): Request an export of your data in a machine-readable format.
• Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
• Object (Art. 21): Object to processing based on legitimate interests.
• Withdraw consent: Withdraw consent for push notifications or location at any time through device Settings.
• Lodge a complaint: You have the right to lodge a complaint with your national supervisory authority. For users in Estonia: Andmekaitse Inspektsioon (aki.ee).

To exercise your rights, contact us at hello@rawly.app. We will respond within 30 days.

11. Children's Privacy

Rawly is not intended for users under the age of 16. Under GDPR, we require users to be at least 16 years old. We do not knowingly collect personal information from children. If we discover that a user under 16 has created an account, we will delete the account and all associated data immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Data Controller

The data controller responsible for your personal information is:

Rawly OÜ
Registry code: 17484887
Narva mnt 5, 10117 Tallinn, Harju maakond, Estonia
Email: hello@rawly.app

14. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:
Email: hello@rawly.app
Rawly OÜ · Narva mnt 5, 10117 Tallinn, Estonia
We aim to respond to all privacy inquiries within 5 business days.