This policy supplements our Privacy Policy by explaining in detail how we process your data, the legal basis for each processing activity, and your rights under applicable data protection laws (including GDPR and India's Digital Personal Data Protection Act 2023).
1. Data We Collect and Why
Identity Data
Name, profile photo, phone number, and date of birth - collected to create your account, personalise your experience, and comply with age verification requirements.
Verification Data (Creators Only)
Government-issued ID and selfie photos - collected solely for KYC verification. Stored encrypted, accessible only to our verification team, and not used for any other purpose.
Interaction Data
Call history, gift transactions, stream participation, message metadata (not content), and follow/block relationships - collected to operate platform features, generate earnings reports, and detect abuse.
Technical Data
Device identifiers, IP address, app version, operating system - collected for fraud prevention, security monitoring, and to ensure compatibility.
Financial Data
Coin wallet balance, transaction history, and withdrawal records - retained for financial compliance, dispute resolution, and creator payroll. Payment card/bank details are handled solely by our certified payment partners.
2. Legal Basis for Processing
- Contract performance: Processing required to deliver the services you have agreed to
- Legitimate interests: Fraud detection, security, product improvement, and analytics
- Consent: Marketing communications, optional personalisation features
- Legal obligation: Financial record-keeping, KYC, law enforcement cooperation
3. Data Retention
- Active account data: retained while your account is active
- Call metadata: retained for 12 months after the call
- Financial records: retained for 7 years per applicable tax/accounting regulations
- KYC documents: retained for the duration required by applicable law (typically 5 years)
- Deleted account data: purged within 30 days except where legal retention applies
4. Your Data Rights
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Correct inaccurate information in your profile
- Right to erasure: Request account and data deletion (subject to legal retention obligations)
- Right to data portability: Receive your data in a machine-readable format
- Right to restrict processing: Limit certain uses of your data while a complaint is investigated
- Right to object: Object to processing based on legitimate interests
Submit data rights requests to privacy@peppyfriends.com or via the in-app support channel. We respond within 30 days.
5. Cross-Border Data Transfers
PeppyFriends operates globally. Your data may be processed in countries with different data protection laws. We ensure transfers are protected by Standard Contractual Clauses or other approved mechanisms where required.
6. Data Security
We apply encryption at rest and in transit, role-based access controls, regular penetration testing, and incident response procedures. All staff with data access receive regular privacy and security training.
7. Contact & Supervisory Authority
For data concerns: privacy@peppyfriends.com. If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.