Privacy Policy
Last updated: June 5, 2026
Privacy is a fundamental right. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our mobile application and website (collectively, the "Service").
1. Information we collect
Account information: When you register, we collect your username, email address, and phone number. Your password is securely hashed and never stored in plain text.
Profile data: Your optional profile photo, bio, and display name.
Content: Photos you capture and post through the app, voice comments, and text descriptions. All photos are captured in-app and cannot be uploaded from your device gallery.
Usage data: We collect anonymized analytics including app interactions, feature usage, and crash reports to improve the Service.
Website analytics: Our website uses Umami, a privacy-friendly, self-hosted analytics tool. It is cookieless, does not track you across sites, and does not build a personal profile or identify you. Because no personal data is stored and no cookies are set, no consent banner is required.
Device information: Device type, operating system version, and app version for compatibility and security purposes.
Location data: We collect location only when you explicitly grant permission, for bounty challenges and location-tagged posts. You can revoke this permission at any time.
Payment and withdrawal information: When you buy Token, the purchase is processed by the Apple App Store or Google Play, and we receive only a confirmation that a purchase completed (we never see your card details). When you withdraw earned Jeton to your bank account, we collect your bank account number (IBAN), the account holder name, and the bank country. To meet anti-money-laundering and tax obligations, our payment partner Stripe performs identity verification (KYC), which may require an identity document and a selfie. We receive verification status, not the underlying documents.
2. How we use your information
- To create and manage your account
- To display your content on the feed and in challenges
- To facilitate the Jeton economy (earning, spending, gifting)
- To match you with bounty challenges based on location
- To send push notifications you've opted into
- To detect and prevent abuse, spam, and fraudulent activity
- Automated content moderation: Every photo you post is scanned for nudity, graphic violence, and illegal content using Google Cloud Vision (SafeSearch). Challenge submissions are additionally scanned for object recognition to verify the challenge target. This scan happens at upload time; the image is not stored by Google. The legal basis is our legitimate interest in keeping the platform safe and lawful (Art. 6(1)(f)).
- To improve and develop new features
3. End-to-end encrypted messaging
Direct messages on Rawly are encrypted end-to-end using X25519 key exchange and AES-256-GCM encryption. This means:
- Only the sender and recipient can read message content
- Rawly cannot access, read, or decrypt your messages
- Messages are stored as encrypted ciphertext on our servers
- Encryption keys are generated and stored only on your device
4. Data sharing
We do not sell your personal information. We may share limited data with:
- Payment partner: Stripe processes Jeton withdrawals to your bank account and performs identity verification (KYC). We share your bank details, account holder name, and the withdrawal amount with Stripe to complete a payout. Stripe acts as an independent controller for the identity checks it is legally required to run.
- App stores: Token purchases are processed by the Apple App Store and Google Play under their own terms.
- Google Cloud Vision (content moderation): When you upload a photo, the image is sent to Google Cloud Vision API to scan for nudity, graphic violence, and illegal content before it is published. Challenge submissions are also scanned for object recognition to verify the challenge subject. Google processes the image solely to return a classification result and does not retain the image or use it to train models. Google acts as a data processor under a Data Processing Addendum (DPA). Transfer to Google's US infrastructure is covered by Standard Contractual Clauses (SCCs).
- Push notifications: Firebase Cloud Messaging (Google) delivers push notifications to your device. Only your device's FCM token is shared, not any personal content.
- Legal requirements: When required by law, court order, or to protect the safety of our users.
- With your consent: Any other sharing requires your explicit approval.
5. Data retention
We retain your account data as long as your account is active. You can request deletion of your account and all associated data at any time from the app settings (Settings > Delete Account).
Upon deletion, the following data is permanently and immediately removed: your profile, posts, voice comments, stories, messages, follows, likes, notifications, device keys, feed personalisation signals, and security event logs.
What remains after deletion: Jeton transaction records (purchases, earnings, withdrawals, and gifts) are retained for 7 years from the date of each transaction to meet EU anti-money-laundering and tax record-keeping obligations (legal basis: GDPR Art. 6(1)(c)). These records are stored without any link to your username or profile once your account is deleted, and are not used for any commercial purpose.
6. Data security
We implement industry-standard security measures including encrypted data transmission (TLS), secure password hashing, device attestation (iOS App Attest), rate limiting, and regular security audits. However, no system is 100% secure, and we cannot guarantee absolute security.
7. Legal basis for processing (GDPR Art. 6)
For users in the European Economic Area, we process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Account creation, delivering core features (feed, challenges, messaging, Jeton transactions).
- Legitimate interest (Art. 6(1)(f)): Fraud prevention, platform security, abuse detection, and aggregate analytics.
- Legal obligation (Art. 6(1)(c)): Financial record-keeping (Jeton transaction logs, 7-year retention), and anti-money-laundering identity verification (KYC) before a withdrawal is paid out.
- Consent (Art. 6(1)(a)): Push notifications and location access. You may withdraw consent at any time through device Settings or in-app Notification Preferences.
8. International data transfers
Rawly is based in Estonia (EU) and our servers are self-hosted within the European Economic Area. We do not use third-party cloud hosting for user data. Limited data is processed by service providers outside the EEA:
- Google Cloud Vision (US): Content moderation at upload time. Image bytes are sent and a classification result is returned. Google does not retain the image. Transfer protected by Google Cloud's SCCs and DPA.
- Firebase Cloud Messaging / Google (US): Push notification delivery. Only your FCM device token is shared. Transfer protected by Google's SCCs.
- Stripe (US/EU): Processes Jeton withdrawals and KYC identity verification. Stripe maintains EU-region processing for EEA users where possible, and uses SCCs for any US-side processing.
9. Feed ranking and personalization
Rawly does not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Content moderation flags are always reviewed by our team before any action is taken.
By default the feed is chronological. To improve relevance, we record which posts are shown to you (impressions) and your interactions (likes, comments, votes) and derive an interaction-strength signal between you and other accounts. This is used only to order content you see, never to set prices, restrict your account, or make decisions with legal effect. This signal is kept for a limited period and is removed when you delete your account.
10. Your rights (GDPR)
Under GDPR and other applicable laws, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Correct inaccurate data in Settings or by contacting us.
- Erasure (Art. 17): Delete your account through Settings > Delete Account.
- Portability (Art. 20): Request a copy of your personal data in a machine-readable format by emailing hello@rawly.app. We will provide your profile data, post metadata, and transaction history within 30 days.
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Object (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for push notifications or location at any time through device Settings.
- Lodge a complaint: You have the right to lodge a complaint with your national supervisory authority. For users in Estonia: Andmekaitse Inspektsioon (aki.ee).
To exercise your rights, contact us at hello@rawly.app. We will respond within 30 days.
11. Children's privacy
Rawly is not intended for users under the age of 16. Under GDPR, we require users to be at least 16 years old. We do not knowingly collect personal information from children. If we discover that a user under 16 has created an account, we will delete the account and all associated data immediately.
12. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
If the breach is likely to result in a high risk to your rights and freedoms (for example, exposure of financial data or private messages), we will also notify you directly without undue delay, as required by GDPR Art. 34. Notification will be sent to the email address registered on your account and, where possible, via in-app notification.
We maintain an internal record of all data breaches, including those not required to be reported, in accordance with Art. 33(5).
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
14. Data controller
The data controller responsible for your personal information is:
Rawly OÜ
Registry code: 17484887
Narva mnt 5, 10117 Tallinn, Harju maakond, Estonia
Email: hello@rawly.app
15. Contact us
If you have questions about this Privacy Policy or your data, contact us at:
Email: hello@rawly.app
Rawly OÜ · Narva mnt 5, 10117 Tallinn, Estonia
We aim to respond to all privacy inquiries within 5 business days.