Privacy Policy

Shyne is operated by Kube Ecosystem SL ("Company," "we," "us," or "our"), a company registered in Spain. We act as the data controller for the personal data processed through the Shyne mobile application and related services (the "Service").

Data Protection Officer: privacy@shynesocial.com General enquiries: support@shynesocial.com Website: https://shynesocial.com

This Privacy Policy applies to all personal data we collect and process when you use the Shyne mobile application, visit our website, or interact with our services.

This policy is drafted in compliance with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, the Spanish Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD), and the ePrivacy Directive (2002/58/EC).

Account data: When you register, we collect your phone number (for verification), display name, profile photo, date of birth, and intent tag. We do not collect your full legal name unless you choose to use it as your display name.

Venue check-in data: When you check into a venue, we record the venue ID, check-in time, and checkout time. Check-in is always explicit and opt-in — we never check you in automatically.

Signal and response data: We log all approach signals and their responses, including sender ID, recipient ID, response type, and timestamp. This data is used for moderation, safety enforcement, and service operation.

Chat data: If a recipient selects "Message first," we process the text messages exchanged during the in-session chat. Chat messages are ephemeral and are deleted when the venue session ends.

Location data: We process your approximate location only during venue check-in to verify you are at the venue (geofence verification). We do not track your location continuously or within the venue.

Device and technical data: We collect device type, operating system version, app version, IP address, and crash logs for service operation and troubleshooting.

Moderation data: Reports, blocks, and "I feel unsafe" alerts are logged with relevant context for safety review. This includes the reporter ID, reported user ID, category, optional note, and timestamp.

We process your personal data for the following purposes and on the following legal bases under GDPR Article 6(1):

Service operation (contract performance, Art. 6(1)(b)): To create and maintain your account, facilitate venue check-ins, process approach signals and responses, enable in-session chat, and deliver the core functionality of the Service.

Safety and moderation (legitimate interest, Art. 6(1)(f)): To review reports, enforce community guidelines, prevent abuse, investigate misconduct, and maintain a safe environment for all users. Our legitimate interest is balanced against your rights through data minimisation, access controls, and retention limits.

Legal compliance (legal obligation, Art. 6(1)(c)): To comply with applicable laws, respond to lawful requests from authorities, enforce our Terms of Use, and protect our legal rights.

Service improvement (legitimate interest, Art. 6(1)(f)): To analyse aggregated, anonymised usage patterns to improve the Service. We do not use individual user data for profiling or algorithmic matching.

Communications (consent, Art. 6(1)(a)): To send you optional marketing communications, only if you have explicitly opted in. You can withdraw consent at any time.

With other users: Your display name, profile photo, intent tag, and approximate age range are visible to users checked into the same venue. When you send or receive a signal, the other party sees your profile information.

With venue operators: Venue operators receive anonymised, aggregated check-in counts only. They do not have access to individual user profiles, signal data, or chat content.

With service providers: We use third-party service providers for hosting (Hetzner), authentication (Keycloak, self-hosted), push notifications (Firebase Cloud Messaging), and email delivery. These providers process data on our behalf under data processing agreements that ensure GDPR compliance.

With law enforcement: We may disclose personal data to law enforcement or regulatory authorities when required by law, in response to a valid legal process, or when we believe disclosure is necessary to protect the safety of our users or the public.

We do not sell your personal data. We do not share your data with advertisers. We do not use your data for algorithmic matching or profiling.

Your data is primarily stored and processed within the European Economic Area (EEA) on servers located in Germany (Hetzner).

Where data is transferred outside the EEA (for example, to Firebase Cloud Messaging operated by Google), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions.

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): You can request a copy of the personal data we hold about you.

Right to rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.

Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations.

Right to restriction (Art. 18): You can request that we restrict the processing of your data in certain circumstances.

Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21): You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

Rights related to automated decision-making (Art. 22): Shyne does not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

To exercise any of these rights, contact us at privacy@shynesocial.com. We will respond within 30 days. If we need more time, we will inform you of the extension and the reasons within the initial 30-day period.

You also have the right to lodge a complaint with a supervisory authority. In Spain, the relevant authority is the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es.

Account data: Retained for as long as your account is active. Upon account deletion, we delete or anonymise your data within 30 days, except where retention is required by law.

Venue check-in data: Retained for 90 days for safety and moderation purposes, then anonymised.

Signal and response data: Retained for 90 days for moderation audit trail, then anonymised.

Chat data: Deleted when the venue session ends. Chat messages are not retained after session expiry.

Moderation data (reports, blocks): Retained for 2 years to support ongoing safety enforcement and pattern detection.

Technical and device data: Retained for 12 months for troubleshooting, then deleted.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@shynesocial.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service.

We will notify you of material changes by posting the updated policy within the app, by email, or by a prominent notice on our website. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Kube Ecosystem SL Data Protection Officer: privacy@shynesocial.com General enquiries: support@shynesocial.com Website: https://shynesocial.com

You may also lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es.