Privacy Policy

Last Updated: May 2026

Effective Date: May 2026

Huzzah ("Huzzah," "we," "us," or "our") respects your privacy. This Privacy Policy explains in detail what information we collect when you use the Huzzah mobile application (the "App"), how that information is used, who it is shared with, how long it is kept, and the rights you have over it. Because Huzzah is a social photo-sharing app used by teens and adults, this policy includes specific sections describing the additional protections that apply to users under 18 and under 16, and the legal frameworks (COPPA, GDPR, CCPA/CPRA, AADC, DSA, and others) that govern how we handle your data.

Please read this policy in full. By creating a Huzzah account or using the App you confirm that you have read and understood this policy. If you do not agree with any part of it, do not use the App; if you have already signed up, you can delete your account at any time and we will erase your personal data as described in Section 10.

Huzzah is operated by an individual developer based in the United States. For any privacy inquiry you can reach us at huzzahapp@yahoo.com — please include "Privacy" in the subject line.

1. SUMMARY (PLAIN-LANGUAGE OVERVIEW)

This section is a non-binding summary. The detailed sections that follow override anything that may appear inconsistent here.

• You must be at least 13 years old to use Huzzah. We ask for your date of birth at signup and reject anyone under 13.

• We sign you in by sending a one-time code to your phone number. We use that phone number to authenticate you and (with your permission) to help friends from your contacts find you on Huzzah.

• We host all your data on Supabase servers in Ohio, United States. Every database table has Row-Level Security so other users can only see data we are explicitly designed to show them.

• Your shots, comments, likes, follows, profile information, and any optional details you add (bio, location, music, etc.) are stored on our servers and visible to other users according to your privacy settings.

• You can change your privacy settings at any time. Under-18 accounts have certain settings (no personalized ads, quiet hours 10pm–6am) locked on by law. Under-16 accounts additionally have streak-reminder push notifications locked off.

• For users who are not Huzzah Pro subscribers, we show ads through Google AdMob. For users under 18 (and any user who has turned on the "Do Not Sell or Share My Personal Information" toggle), every ad request goes out with the non-personalized ads flag ("npa=1"), so no behavioral profile is consulted.

• You can export every piece of your data once per day (Settings → Other → Export My Data) and you can permanently delete your account at any time (Settings → Other → Delete Account). Deletion is irreversible and cascades through every Huzzah system within seconds.

2. INFORMATION WE COLLECT

We collect three kinds of information: (a) information you give us directly, (b) information collected automatically when you use the App, and (c) information we receive from third-party platforms (Apple, your contacts, etc.) with your permission. The detailed list below covers every piece of personal information that we know about each user.

2.1 Information You Provide During Signup

Phone Number. To create an account we send a six-digit one-time password (OTP) to a phone number you provide. We store the full E.164 phone number (e.g. +15555550100) plus a normalized version consisting of the last 10 digits (for matching against your friends' contact books, see Section 3.3). The phone number cannot be changed once your account is created.

Date of Birth. We require your date of birth (year, month, day). It is used to (a) confirm you are at least 13 years old, (b) decide which teen-account protections apply to your account, (c) decide whether Google AdMob ads served in your session may use behavioral targeting, and (d) send you an optional birthday notification on your local birthday. The exact date of birth is never shown to other users. Once submitted, your date of birth is locked at the database level — it cannot be modified by anyone using the App, including you. If you need it corrected because you entered it wrong at signup, contact huzzahapp@yahoo.com.

Username. A unique handle 3–20 characters long, lowercase letters, numbers, underscores, and periods only. Searchable by any signed-in user. Username changes are rate-limited to once every 30 days.

Display Name (optional). Up to 50 characters. May be different from your username. Searchable. Change-limited to once every 7 days.

2.2 Information You Provide While Using the App

Profile Photo (Avatar) (optional). Uploaded to our `avatars` storage bucket. Stored at a public URL so it can be displayed across the App. Limited to 2 MB JPEG/PNG/WebP. Changeable once per 24 hours.

Profile Details (all optional, all editable): biography (max 150 characters), location text, education, work, school, personal website link (max 200 characters), astrological sign, and free-text "interests."

Submissions ("Shots"). The photos you submit to each daily prompt. Each submission is stored at an authenticated URL in the private `submissions` storage bucket as a JPEG (max 10 MB after on-device compression). Each submission may include: caption (max 500 chars), visibility setting (everyone / friends / followers / only me), location data (only if you opt in — see Section 2.4 and 6.16 for exactly what is stored), Apple Music song metadata (title, artist, song ID — only if you attach a song), and tagged user IDs (only if you tag friends).

Comments. Threaded comments on submissions. Up to 500 characters. Top-level or replies (one level deep).

Direct Messages. We store the content (≤1000 characters), sender, recipient, send time, and read time of every message. We also store conversation metadata (last message preview, last sender, conversation creation time).

Engagement Actions. We record every like, comment-like, share, save, repost, and tag you create, along with timestamps.

Reports. When you report another user, post, comment, or message, we record the reason category, optional free-text description (up to 500 chars), and the target.

Blocks. We record every user you block, along with the timestamp.

Invites. When you invite someone to Huzzah from your phone contacts, we record the normalized (last-10-digit) phone number you invited plus your user ID, so we can credit you a free retake when 3 of your invited friends join (see Section 6.5).

Settings & Preferences. Privacy toggles, notification toggles, ad-personalization toggle, DM permission setting (everyone/friends/nobody), feed preferences, and similar choices made in the in-app Settings.

Profile Edit Timestamps. We record when you last changed your username, display name, and avatar, to enforce the per-field cooldowns described in Section 2.1.

2.3 Information Collected Automatically

Device & Session Data. When you use the App, our servers log standard request metadata including your IP address, the time of each request, the App version, the iOS version, and similar diagnostic fields. This is needed to operate the service, fight abuse, and debug bugs.

APNs Device Token. To send push notifications we register your device with Apple's Push Notification Service and store the resulting 64-character hex device token on our servers (up to 5 tokens per account, oldest evicted when a 6th appears). Tokens are tied to your account and used only to address pushes to your devices.

Time Zone. Each time the App launches we read the device's IANA timezone identifier (e.g. "America/Los_Angeles") and, if it has changed since your last login, sync it to your profile. The server uses this to evaluate Quiet Hours (10pm–6am local) so push notifications and streak reminders can be silenced at appropriate local times.

Submission Views. Each time you view a submission, we record an entry in the `views` table containing your user ID, the submission ID, and a timestamp (one row per viewer per submission; subsequent views do not create new rows but do not produce a precise "last viewed" timestamp either). Views are deleted by an automatic cron job after 30 days.

Profile Views. Each time you visit another user's profile, we record an entry in the `profile_views` table with your user ID, the profile owner's user ID, a timestamp, and a count that increments on repeat visits. Profile views are deleted after 30 days. Profile owners may see which users viewed their profile — see Section 4.7 and 7.3.

Engagement Counts. We maintain counters for likes, comments, shares, reposts, saves, and views on each submission so they can be displayed in the feed without recomputing.

Streak Tracking. We compute and store your current daily-post streak and longest-ever streak, plus the date of your last submission. The streak figure is shown on your profile unless you have hidden it.

Crash & Error Logs. Standard server-side error logging captures stack traces and request metadata when the App or our backend encounters an error.

Local Security Telemetry. The App performs on-device checks for jailbreak indicators, debugger attachment, app tampering, and tampered local UserDefaults. These checks happen locally and are NOT transmitted to our servers unless an integrity violation is detected, in which case the App may call our `flag_compromised_device` RPC to record a generic category (e.g. "jailbreak_detected", "debugger_attached") in our internal `reports` table for fraud-mitigation purposes. The actual diagnostic data never leaves your device. This RPC is rate-limited to one report per device per day.

Server-Side Honeypots. The App contains decoy configuration strings and API URLs that are inert in normal use; they exist solely as bait for attackers who decompile the binary. They do not collect any user data.

2.4 Information We Collect From Third Parties

Phone Contacts (only if you grant permission). The App can read the phone numbers in your iOS contacts to help you find friends who are already on Huzzah. Phone numbers are normalized to the last 10 digits and sent to our server in 500-number batches for matching against other users' normalized phone numbers. We do NOT store your contacts on our servers; the matching is performed in-memory and we return only the user IDs that matched. Once per hour, while the App is open, we re-check whether any contacts have joined Huzzah since the last check; when a contact joins we notify you via an in-app banner and a notification-bell entry. You can revoke contacts access at any time via iOS Settings → Privacy → Contacts → Huzzah. The names of your contacts are read locally for display purposes only and are not sent to our servers.

Apple Music (only if you grant permission). When you choose to attach a song to a submission, the App accesses Apple's MusicKit catalog API to let you search for songs. We receive song metadata (title, artist name, artwork URL, song catalog identifier) but we do NOT receive your Apple Music account, listening history, playlists, library, or any other personal Apple Music data.

Location (only if you grant permission). If you tap "Add location" on a submission, the App requests a single location fix from CoreLocation (the device captures it at roughly 100 meter accuracy) and reverse-geocodes it to a locality name (e.g. "San Francisco, CA"). Before the data is stored on our servers, the latitude and longitude are rounded to a 0.1 degree grid — approximately 11 kilometers in either direction — so the precise device coordinates are NEVER persisted in our database. The 0.1 degree resolution is enough to identify your general metro area but cannot pinpoint a specific street, building, school, or home. The reverse-geocoded name is stored in full (e.g. "San Francisco, CA"). You can choose to attach the location to the submission or skip it. We do NOT track your location in the background, and we never request location for any purpose other than your explicit "add location to this shot" action.

Photo Library (only if you grant permission). To save a watermarked version of your own submission to your camera roll (the "Save to Photos" share action), the App requests write-only access to your Photo Library. We do not request, read, or scan any photo in your library.

Camera (only if you grant permission). The App uses the camera to capture submissions and to scan friend-add QR codes. Camera frames are processed locally on your device; we never transmit a camera feed to our servers.

Apple App Store. When you make a purchase or subscribe to Huzzah Pro, Apple transmits to us the transaction record needed to validate your entitlement (transaction ID, product ID, purchase date, expiration date for subscriptions). We do not see your Apple ID, payment method, or any other Apple account data.

APNs (Apple Push Notification service). Apple provides us with a device token (described above) so we can address push notifications to your devices.

2.5 What We Do Not Collect

For clarity, we do not collect any of the following:

• Email address (Huzzah is phone-OTP only — there is no email field).

• Real legal name (other than what you choose to display).

• Government-issued ID, payment card data, or banking information (handled entirely by Apple).

• Biometric data (fingerprint, FaceID — Apple handles these locally and we never receive them).

• Browsing history outside Huzzah, cross-site tracking data, or any data from other apps.

• Audio recordings or microphone data (the App does not request microphone access).

• Your Apple Music listening history, library, or playlists.

• Your phone contact list itself (we receive only matched user IDs back, not the contacts themselves).

• Background location.

• Any data from minors under 13 (we reject under-13 signups and immediately delete any signup we discover was made by a user under 13).

3. HOW WE USE YOUR INFORMATION

3.1 Operating the App

We use the information described above to operate the daily-prompt photo service: authenticate you at each launch, deliver the daily prompt to your device, accept your submission, deliver other users' submissions to your feed, store and deliver your messages, count and display engagement, and generally make every advertised feature work.

3.2 Personalizing Your Feed

Your feed is ranked using a combination of: who you follow (friends and one-way follows), mutual connections (people you and a poster both follow), recency, engagement signals (likes, comments, views), and whether a post is currently promoted. We do not use any cross-app data, advertising profile, or third-party behavioral data in feed ranking.

3.3 Friend Discovery

With your permission, we use your contacts' phone numbers (normalized to the last 10 digits) for one-time matching against other users on the platform. We also use phone numbers you have invited (and the reciprocal: phone numbers of new signups) to credit you free retakes when an invited friend joins, and to surface a "Contact Joined" notification.

The "People You May Know" / discovery feature ranks candidate accounts using multiple signals: mutual friends, shared interactions (you and they liked or commented on the same posts), people who have viewed your profile, accounts that follow you that you don't follow back, accounts that go to the same school (when you have set a school on your profile), and — if both you and a candidate have attached a location to a recent post — geographic proximity at metro-area resolution. The proximity signal is based on each user's most recent geotagged submission, which is stored at 0.1 degree (~11 km) precision as described in Section 2.4. The distance bonus is capped at 20 score points and falls to zero past about 50 kilometers. If you have never attached a location to a submission, you produce no proximity signal and receive no proximity bonus from anyone else's location either. The discovery feature also uses light random jitter so two users in identical positions don't see identical lists.

3.4 Notifications

We use your data to send three categories of notifications:

• Push notifications via APNs, originating from server-side logic. Triggered by social events (a like, comment, share, follow, mention, friend post, like-milestone, etc.) or scheduled cron jobs (daily prompt reminder at 12:00 UTC, streak-at-risk reminder at 21:00 UTC). The server checks your `notif_daily_prompt`, `notif_streak_reminder`, suspension status, quiet-hours setting and local timezone before sending.

• Local notifications scheduled by the App itself, including a 10-minute "prompt about to expire" reminder at 11:50 UTC daily and (optionally) a birthday greeting on your local birthday.

• In-app notifications (the bell icon) reflecting all social events that have occurred since your last visit, retained for up to 1 year, capped at 1000 per account.

Each notification category is independently controllable in Settings → Notifications, in iOS Settings → Notifications → Huzzah, and (for under-16 streak reminders and under-18 quiet hours) at the legally-enforced server level.

3.5 Safety, Trust, and Security

We use your data — including reports filed against you, your report history filing reports against others, your engagement patterns, your IP address, your account age, and your follower count — to detect and prevent fraud, abuse, harassment, spam, CSAM, and other policy violations. This includes automated rate limiting (see Section 13), automated content moderation (see Section 8), automated suspension when reports exceed engagement-scaled thresholds (see Section 8.3), and automated CSAM detection on every uploaded image (see Section 8.4).

3.6 Advertising

For users who are not Huzzah Pro subscribers, we display advertisements through Google AdMob. The data we provide to AdMob is limited to standard ad-request metadata (device, OS, App version, IP address). For users under 18, and for any user who has enabled the "Do Not Sell or Share My Personal Information" toggle, every ad request is sent with the `npa=1` (non-personalized ads) extras parameter, so AdMob will not consult any behavioral or interest-based profile when selecting an ad. The SDK is also configured at launch with `tagForUnderAgeOfConsent=true` (flipped to `false` only when an adult is confirmed), `maxAdContentRating=teen`, and we have not enabled the `tagForChildDirectedTreatment` flag because Huzzah is not directed at children under 13.

3.7 Pro Subscription Management

We use your purchase records from Apple to grant and revoke Pro entitlements (unlimited retakes, post analytics, profile-view insights, post promotion).

3.8 Communication With You

We may use your account contact channels (push, in-app banner) to communicate important service announcements such as security incidents, material legal-policy changes, and time-sensitive moderation outcomes. We do not send marketing email or SMS because we don't collect email and we use SMS only for authentication codes.

3.9 Aggregate Analytics

We may compute aggregate, non-identifying statistics (e.g. "X% of users posted today") for internal analytics and product improvement. Such aggregate data does not identify any individual user.

4. WHAT OTHER USERS CAN SEE

Your privacy depends on who can see what. This section describes exactly what other users can see about you, by default and after each privacy setting is applied.

4.1 Always Public to Other Signed-In Users (no setting changes this)

• Username

• Display name

• Avatar (profile photo) if you set one

• Account creation date

• Pro status (whether you are a Huzzah Pro subscriber)

• Whether you have submitted to today's prompt (a checkmark on the friend's grid; the actual photo follows your visibility setting)

4.2 Public Unless Hidden by a Privacy Setting

• Bio, location, education, work, school, link, astrological sign, interests — hidden from non-mutuals if Private Account is on.

• Friends, followers, following lists — hidden from everyone (except counts) if "Hide Friends & Followers" is on.

• Likes count on each of your posts — hidden if "Hide Likes" is on.

• Daily-post streak — hidden if "Hide Streak" is on (or if you are under 16, where it defaults to hidden).

• Follower/following counts — always visible.

4.3 Posts (Submissions)

Each submission carries a visibility setting that you choose at post time:

• Everyone — any signed-in Huzzah user who has not blocked or been blocked by you can see this post.

• Friends — only users with whom you have a mutual follow can see this post.

• Followers — only users who follow you (regardless of whether you follow them back) can see this post.

• Only Me — only you can see this post.

Visibility is enforced at the database level via Row-Level Security policies on the `submissions` table — even our own backend code cannot bypass it without an explicit elevation. A submission that has been hidden by automated moderation is hidden from everyone (including the poster's friends and followers) until and unless reinstated.

4.4 Comments and Likes

Comments are visible to anyone who can see the underlying submission. Likes are visible to anyone who can see the underlying submission, unless the post owner has enabled "Hide Likes."

4.5 Direct Messages

Messages are visible only to the two participants in the conversation. We can technically read messages on our servers if law enforcement compels us to (see Section 5.4) or to investigate a credible report of imminent harm, but we do not routinely access message content for any other purpose.

4.6 Profile View History

Other users can see that you have viewed their profile. The view list includes your username and avatar. Huzzah Pro subscribers see full viewer details (username, avatar, total view count, last-view time). Non-Pro subscribers see view-count milestone notifications ("Someone viewed your profile" — without revealing the viewer's identity) at 10, 25, 50, 100 views.

4.7 Activity (Likes, Comments, Reposts, Saves)

Your likes are visible to anyone who can see the underlying post. Your reposts appear as new feed items on your own profile and your followers' feeds. Saves are private (only you see what you've saved). Comments are public on the underlying post.

4.8 Tags

If another user tags you in a submission, your tag is publicly visible alongside the submission. The poster — not you — has the ability to add and remove tags on their own post (the tagged user cannot self-untag through the App; if you wish to be untagged, message the poster, block them, or report the post).

4.9 Read Receipts

A message is marked read when the recipient opens the conversation. The sender sees a "read" indicator. There is no per-message disable for read receipts.

4.10 Typing Indicators

While typing in a conversation, the App publishes a "typing" status that expires after a few seconds. Typing status is stored briefly in a `typing_status` table and pruned every minute.

5. WHO WE SHARE YOUR INFORMATION WITH

5.1 With Other Users

As described in Section 4 above.

5.2 With Our Service Providers

We use the following third-party providers to run Huzzah. We share with each provider only what they need to perform their function.

• Supabase (https://supabase.com). Our database, authentication, edge functions, storage, and realtime provider. Supabase stores all profile, content, message, engagement, notification, and operational data described in this policy. Servers are located in US-East-2 (Ohio, United States). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Supabase processes data on our behalf under its standard Data Processing Agreement and is bound by SOC 2 Type II controls.

• Google AdMob (https://policies.google.com/privacy). Our advertising provider for non-Pro users. AdMob receives standard ad-request metadata (device identifiers, IP, App version) and, only for confirmed adults who have not enabled "Do Not Sell," may use behavioral targeting signals. For users under 18 and any user with the opt-out enabled, the `npa=1` flag is included in every request so no behavioral profile is consulted.

• Apple Inc. (https://www.apple.com/legal/privacy/). Apple processes (i) SMS one-time passwords for sign-in (via Twilio/Vonage on Supabase's behalf — we never see your OTP), (ii) MusicKit search requests when you attach a song, (iii) APNs push notification delivery, (iv) App Store transaction processing for Pro and in-app purchases, (v) StoreKit subscription validation, (vi) operating-system services that the App calls (CoreLocation, Photo Library, Contacts, Camera).

• Amazon Web Services (Rekognition). Each image you submit is forwarded — by our server, not your device — to AWS Rekognition for nudity, violence, hate-symbol, weapon, drug, and graphic-imagery detection. If nudity is detected, the image is also sent through AWS Rekognition Face Detection to estimate the approximate age range of any face. Images are transmitted to AWS over TLS and AWS does not retain them after analysis. AWS receives no other personal information about you.

• Cloudflare. Front-line network protection for our Supabase-hosted endpoints. May receive standard request metadata (IP, headers) to provide DDoS mitigation and bot blocking.

5.3 With Other Users at Your Direction

When you share a submission via the in-App share menu, you choose whom to send it to. Sharing to another Huzzah user via DM creates a normal message. Sharing externally (Instagram Stories, Snapchat, TikTok, Messages, Mail, etc.) hands a watermarked copy of the image (or a deep link to your post) to the chosen third-party app, after which the receiving app's privacy practices apply.

5.4 For Legal Reasons

We may disclose information if we have a good-faith belief that disclosure is necessary to (a) comply with applicable law, regulation, legal process (such as a subpoena, court order, or search warrant), or governmental request; (b) enforce our Terms of Service or Community Guidelines; (c) detect, prevent, or address fraud, security, or technical issues; (d) protect the rights, property, or safety of Huzzah, our users, or the public, as required or permitted by law.

Where law permits, we will attempt to notify affected users before responding to legal requests.

5.5 Mandatory CSAM Reporting

If our automated moderation, manual review, or a user report identifies content that depicts suspected child sexual abuse material (CSAM), we are required by 18 U.S.C. § 2258A to report such content to the National Center for Missing & Exploited Children's CyberTipline. NCMEC may then forward reports to law enforcement. Reports include the offending content, account information, and IP/login metadata sufficient to identify the source. We retain CSAM-related records for the period required by 18 U.S.C. § 2258A(h) (90 days, extendable on request from law enforcement).

5.6 Business Transfers

If Huzzah is acquired by or merged with another company, or in the event of a bankruptcy or asset sale, your information may be transferred to the acquiring entity subject to the protections of this Privacy Policy. We will notify you (in-app or via push) before any such transfer takes effect, and you will have a reasonable period to delete your account before the transfer if you do not consent to the change.

5.7 We Do Not Sell Your Personal Information

We do not and have never sold your personal information to anyone. Under California's CCPA/CPRA and equivalent state laws, we also do not "share" your personal information for cross-context behavioral advertising — every ad served by Huzzah is either contextual (based on the App itself, not your behavior) or, for confirmed adults who have not opted out, served by Google AdMob with their own behavioral signals. You can disable the latter at any time via Settings → Privacy → "Do Not Sell or Share My Personal Information."

6. SPECIFIC FEATURES AND THEIR PRIVACY IMPLICATIONS

This section walks through every major feature of Huzzah and explains what data is collected, who sees it, and how long it is kept.

6.1 Daily Prompts

Each day at a fixed UTC time we publish a new creative prompt. You have until 12:00 UTC the next day to post to that prompt (the cutoff is enforced server-side; you cannot post to a previous day's prompt). You may submit only one shot per prompt, though Pro subscribers and users with redeemed retake credits may retake. Retaking deletes the prior submission and ALL its associated data — likes, comments, views, tags, shares — and replaces it with the new shot. Retakes are irreversible. The fact that you submitted is shown on your friends' grid view; the photo itself follows your visibility setting.

6.2 Camera and Image Capture

The camera operates entirely on-device. No camera frame is sent to our servers prior to your tapping "post." On post, the JPEG is compressed (max dimension 1440 px, quality 0.85) and uploaded.

6.3 Image Moderation

Every submission is moderated server-side immediately after upload by AWS Rekognition (see Section 5.2 and 8.4). The detection thresholds are: Explicit Nudity ≥40% confidence, Suggestive ≥70%, Violence ≥50%, Visually Disturbing ≥50%, Drugs & Tobacco ≥50–60%, Weapons ≥70%, Hate Symbols ≥40%, Self-Harm >50%, Gambling ≥70%. Violating posts are hidden and auto-reported. If nudity is detected AND a face is estimated to be under 18, the post is treated as suspected CSAM (Section 8.4 and 5.5): the image is deleted from storage, the account is permanently suspended, and the content is queued for NCMEC reporting.

6.4 Watermarking

When you export a shot via the in-app share menu to an external app, the App applies a watermark overlay to the exported copy: Huzzah logo, your username, and the prompt text. The watermark is applied on-device and only to the exported copy — your original submission stored on our servers is not modified.

6.5 Invite Program

You can invite phone-contact friends to download Huzzah. When you tap Invite, we send the recipient an SMS through your device (using iOS's standard SMS composer — we do not send SMS ourselves). We store the normalized phone number you invited plus your user ID in the `invites` table. For every 3 unique invited phone numbers that turn into actual Huzzah accounts, you earn 1 free retake. Invite records persist for the lifetime of your account (they are not deleted by the 30-day or 90-day cron jobs); when you delete your account, all `invites` rows you created remain — they are referenced as historical credit by users you invited.

6.6 QR Codes

Your profile contains a QR code encoding your username so others can scan it to follow you. QR codes are generated locally and not stored on our servers.

6.7 Direct Messaging

Messages live in our `messages` table. Read messages are automatically deleted by a daily cron job 90 days after they are marked read. Unread messages are retained indefinitely until read (then 90 days), until manually deleted by the sender, until the conversation is "hidden" by both participants, or until either participant deletes their account. The DM permission ladder is: "Friends" (default — only mutual followers; the recipient becomes reachable once they reply to you the first time, "unlocking" the conversation), "Everyone" (any user can DM you, capped at 5 new non-friend conversations per sender per day, and a banner warns when you receive a non-friend message), or "Nobody" (no DMs at all). Users under 16 are limited to "Friends" or "Nobody" — the "Everyone" option is not selectable in the Settings UI and the server trigger silently reverts any tampered attempt to set it. See Section 9.2 for the full description of the under-16 DM lock.

6.8 Profile Views & Analytics (Pro Feature)

Pro subscribers see exact view-counts and viewer identities on profile-view milestones (10/25/50/100 views) and have access to the Post Analytics screen (views, likes, comments, shares, saves, reposts, calculated engagement rate). Non-Pro users see a blurred version of analytics and see only generic milestone notifications without revealing viewer identity.

6.9 Post Promotion (Pro / In-App Purchase)

For an in-app purchase you may promote a single post (`com.huzzah.promote`). A promoted post is given higher ranking weight in the feed for 24 hours, after which the `is_promoted` flag is cleared by a cron job that runs hourly.

6.10 Reporting

You can report any user, post, comment, or message via the in-app flag icon. Report reasons are: spam, harassment, hate speech, nudity, violence, self-harm, false info, scam, underage, impersonation, other. Each (reporter, target) pair is unique — you can report the same target only once. False or frivolous reporting is itself a violation. You may file at most 5 reports per hour.

6.11 Blocking

You can block up to 1000 users. Blocking removes any existing friendship in either direction, prevents the blocked user from seeing your profile or content, prevents you from seeing theirs, prevents either of you from messaging the other, and prevents either of you from triggering notifications to the other. Blocks are bidirectional in effect but only the blocker controls the block (the blocked user is not notified). Blocks are rate-limited to 20 per hour.

6.12 Search

You can search profiles by username or display name. Queries are sanitized server-side: only letters, numbers, spaces, and underscores are allowed; queries are capped at 30 characters; minimum 2 characters. Search returns up to 50 results and excludes your own profile.

6.13 Friends, Follows, and Mutuals

"Following" is one-way (you choose to follow someone; they don't need to follow back). When two people both follow each other, they become "friends" (mutuals). Many features (Friends Only DMs, Friends Only post visibility) depend on mutuality. The friend cap is 1000 and follow actions are rate-limited to 20 per hour.

6.14 Streaks

Posting daily extends your streak. Missing a day resets your current streak (your longest streak is preserved indefinitely as a personal record). Streak data is shown on your profile unless you hide it. Streak data influences whether the server attempts to push a "streak at risk" reminder at 9pm UTC daily (if you are at risk of losing a streak ≥ 2 days and your account is over 16 and has not turned the reminder off and is not in quiet hours).

6.15 Music

Attaching a song stores: song title, artist name, and Apple Music catalog ID with your submission. The song metadata is displayed next to the post. No streaming licence is granted; tapping the song opens Apple Music (or another app capable of opening MusicKit URIs).

6.16 Location

Adding a location to a post stores three fields on the submission row: a latitude rounded to 0.1 degrees, a longitude rounded to 0.1 degrees, and the reverse-geocoded locality name (e.g. "San Francisco, CA"). The precise coordinates captured by your device (accuracy roughly 100 meters) are never persisted — only the coarsened ~11 km grid value is written to the database. This is enforced by a database-level trigger (`coarsen_submission_location`) that re-rounds the value on every insert and update, so a tampered client cannot smuggle in precise coordinates.

The locality name is displayed alongside the post to anyone who can see the post under your visibility setting. The coarsened latitude and longitude are not displayed in the App's user interface, but they are returned in the post payload over the network and can be read by anyone with API access (e.g. someone inspecting their own network traffic).

Location data is used in THREE places:

(a) Display — the reverse-geocoded locality name appears alongside the post.

(b) Friend discovery — your coarsened coordinates from your most recent geotagged submission are compared against other users' coarsened coordinates as ONE of several signals in the "People You May Know" ranking (see Section 3.3). If you have never attached a location to any submission, no proximity signal exists for you in either direction. The signal is capped and operates at metro-area resolution (~11 km grid), so it cannot reveal a specific street or building.

(c) Home feed ranking — within the home feed, posts are first ordered by social relationship (mutual friends, then one-way friends, then followers, then everyone else). Within each social tier, posts are ordered by geographic proximity to YOU, with posts physically nearer your last known location ranked above posts farther away. "Your last known location" is the latitude/longitude of your most recent geotagged submission within the last 30 days; older locations are ignored. The proximity tiebreaker does NOT apply to today's prompt — today's prompt stays ordered by social tier and recency only. The proximity tiebreaker does NOT cross social tiers — a mutual friend in another city ALWAYS ranks above a stranger in your neighborhood. If you have never attached a location to any post in the last 30 days, the proximity factor is dropped from your ranking entirely and your feed reverts to the previous social-tier-then-recency order with no behavioral change. Same 0.1 degree (~11 km) resolution applies — your feed personalization cannot reveal anything more precise than your metro area.

Location data is NOT used for: targeted advertising; cross-app tracking; analytics beyond the friend-discovery and feed-ranking uses described above; or any other purpose.

6.17 Profile Editing

You can edit any profile field except your phone number and date of birth, subject to the per-field cooldowns (username 30 days, display name 7 days, avatar 24 hours, others uncapped). All profile fields are length-validated and content-filtered server-side.

7. RETENTION AND DELETION

7.1 Account-Lifetime Data

The following are retained for as long as your account is active and erased on account deletion:

• Your `profiles` row (username, display name, avatar URL, bio, location, education, etc.) — erased on `delete_account` RPC execution.

• Your `submissions` (photos in the `submissions/` storage bucket and metadata rows) — erased.

• Your `comments`, `comment_likes`, `likes`, `views`, `shares`, `reposts`, `submission_tags`, `friendships` (both sides), `blocks` (both sides), `dismissed_suggestions`, `retake_redemptions` — erased.

• Messages you sent AND messages received in conversations you participate in — erased.

• `conversations` you participate in — erased.

• `notifications` to you and from you — erased.

• `profile_views` you generated and `profile_views` you received — erased.

• Reports you filed — erased; reports filed against you are NOT erased (Huzzah needs them to maintain moderation history; the report row retains your former user ID).

• `device_tokens` for your account — erased.

• `rate_limits` rows you generated — erased (also automatically purged daily).

• Your `auth.users` row containing your phone number — erased by the App's client SDK call following `delete_account`.

7.2 Time-Limited Data (Cron-Maintained Even Without Account Deletion)

The following data ages out automatically even if you keep your account active:

• Read messages: deleted 90 days after they were marked read. (Cron: 03:00 UTC daily.)

• Notifications: deleted 1 year after creation. (Cron: 04:00 UTC daily.) Also capped at 1000 most-recent per user (trimmed by trigger).

• Submission views: deleted 30 days after creation. (Cron: 05:10 UTC daily.)

• Profile views: deleted 30 days after creation. (Cron: 05:00 UTC daily.)

• Dismissed suggestions: deleted 30 days after creation. (Cron: 05:20 UTC daily.)

• Rate-limit counters: deleted 1 day after creation. (Cron: 03:00 UTC daily.)

• Typing-status rows: pruned every minute when stale.

• Promoted-post flags: cleared hourly when promotion period expires.

• Pro subscription state: revoked hourly when subscription expires.

7.3 Data Preserved Beyond Account Deletion

The following limited categories are preserved past account deletion:

• Aggregate analytics that have already been anonymized.

• Records required for legal or regulatory reasons (e.g. tax records, content we are legally required to preserve under 18 U.S.C. § 2258A for CSAM reporting).

• Backups: our database provider takes routine backups of the database for disaster recovery purposes. Account deletion takes effect immediately in the live database, but residual data in backups is overwritten through normal backup rotation (typically within 30 days). Backups are not used to restore deleted accounts.

• Invite records (`invites` rows where you were the inviter): your invite records persist after your account deletion because they are referenced as historical credit for users you invited (so a friend you invited keeps the "invited by you" linkage even after your account is gone).

• Reports filed against you remain in the moderation history.

• If your account was permanently suspended for severe violation (CSAM, terrorism, credible threats), we may retain account metadata as long as legally permitted to prevent re-registration and to support law-enforcement inquiries.

7.4 Deletion Mechanics

You can delete your account at any time via Settings → Other → Delete Account. The flow is: a confirmation alert ("This will permanently delete your account, posts, comments, messages, and all associated data. This cannot be undone."), then a single server-side RPC `delete_account` that runs as one atomic transaction wiping the rows enumerated in 7.1, then a follow-up call from the App that removes your `auth.users` record (the phone-number-holding row) from the Supabase Auth system. The App then locally clears: image cache, profile cache, message store, notification store, engagement cache, ad-config state, UserDefaults for the user, URL cache, and HTTP cookies. The whole process typically completes in seconds. Once `delete_account` has run, there is no way to restore your data.

7.5 Under-13 Account Cleanup (`delete_underage_signup`)

If at any point during onboarding it is determined that you are under 13, the App calls a separate RPC `delete_underage_signup` which is only callable when your account has not yet been marked as fully onboarded (`onboarding_completed = false`). This RPC deletes rate-limit rows, any device tokens, your placeholder profile row, AND your `auth.users` row (removing the phone number). The App then signs you out locally and resets the onboarding state. This is our standard COPPA cleanup path; we will not knowingly accept an under-13 account into the production user base.

7.6 Suspended Accounts

A temporarily suspended account retains its data throughout the suspension; on suspension expiry the account is automatically restored. Permanently suspended accounts retain data for at least 90 days to allow appeals. After 90 days, permanently suspended accounts may be deleted at our discretion (suspended-user data is not auto-deleted by any cron job).

7.7 Inactive Accounts

We do not currently auto-delete inactive accounts.

8. CONTENT MODERATION

8.1 Client-Side Content Filter

The App contains a client-side content filter (`ContentFilter`) that performs unicode/leetspeak normalization (Cyrillic → Latin homoglyph swap, 0→o, 3→e, etc., repeated-character collapse, separator removal) and matches against three lists: severe phrases (KYS, CSAM-related, terrorism, threats, doxxing, school shooting), moderate phrases (sexual solicitation, harassment, drug dealing), and contextual word lists with whitelist guards to avoid false positives ("assassin," "nighttime," etc.). The filter is applied to captions, comments, messages, and profile text fields before they are sent to the server.

8.2 Server-Side Content Filter

Independent of the client filter, the server applies its own content filter (`check_content_filter`) on submission captions, comment bodies, message bodies, and the concatenation of username + display name + bio. Its block list contains a strict subset of severe-only patterns including KYS, CSAM references, ISIS recruitment, Holocaust glorification, doxxing solicitation, swatting solicitation, mass-shooting threats. A violation raises a database exception that prevents the row from being inserted — so even a compromised or tampered client cannot bypass these rules.

8.3 Community Reporting and Auto-Moderation

When users report a post, comment, or account, our `handle_new_report` trigger runs. Reports filed by accounts younger than 24 hours (for post reports) or 7 days (for account reports) are not counted, which limits coordinated brigading by fresh accounts. When enough reports accumulate within a rolling 30-day window (14 days for comments), automated action follows:

• A submission is auto-hidden when its rolling-30-day report count exceeds `max(5, 0.5% of views)` AND `max(3, 10% of likes)` — the scaling prevents weaponized mass-reporting of popular posts.

• A comment is auto-deleted at 5 reports in 14 days.

• An account is auto-suspended at `max(10, 2% of followers)` reports in 30 days. The suspension duration escalates: 1 day for a first suspension, 7 days for a second, 30 days for a third, permanent for a fourth.

Severe automated detections (CSAM, terror content, credible threats) bypass the gradual ladder and result in an immediate permanent suspension.

8.4 CSAM-Specific Path

Because Huzzah is a photo app, every uploaded image is run through AWS Rekognition's nudity and face-age detection. If nudity is detected AND any detected face has an estimated age range with a lower bound below 18, the image is treated as suspected CSAM: the post is immediately hidden, the account is permanently suspended, the image is deleted from storage, a `reason: underage` auto-report is created, and the incident is queued for NCMEC CyberTipline reporting per 18 U.S.C. § 2258A. We retain records of CSAM-related reports for as long as required by law.

8.5 Appeals

If your content was removed or your account was suspended and you believe it was in error, contact us at huzzahapp@yahoo.com with your username and a description of the issue. We aim to respond to appeals within 7 business days. Permanently suspended accounts have 90 days to appeal before data is deleted.

9. CHILDREN AND TEEN PROTECTIONS

Huzzah implements layered, age-aware privacy and safety protections in line with the U.S. Children's Online Privacy Protection Act (COPPA), the California Age-Appropriate Design Code (AADC), New York's SAFE for Kids Act, Florida's HB 3, the Texas SCOPE Act, the Utah Social Media Regulation Act, the UK's Age Appropriate Design Code (Children's Code), the EU Digital Services Act Article 28, and the EU General Data Protection Regulation Article 8.

9.1 Minimum Age (13)

Huzzah is not directed at children under 13 and we do not knowingly collect personal information from children under 13. We ask for date of birth at signup and the `complete_profile` server-side RPC rejects any DOB that produces an age less than 13. If a user under 13 abandons signup partway through, the App calls `delete_underage_signup` to immediately purge their incomplete profile, phone number, and `auth.users` row.

If you become aware that a user under 13 has nonetheless created an account, please report them via the in-app "underage" report reason or email us at huzzahapp@yahoo.com. We will delete confirmed under-13 accounts upon receipt of such notice in accordance with our COPPA obligations.

9.2 Under-16 Defaults and Locks

At signup, accounts whose DOB makes them under 16 receive the following defaults:

• `hide_follow_lists = true` — friend/follower lists are hidden by default.

• `hide_streak = true` — streak count is hidden on profile by default.

• `notif_streak_reminder = false` — push notifications about losing a streak are turned off by default AND legally locked. The server trigger `validate_profile_update` reverts any attempt by an under-16 account to set this column back to true.

• `allow_dms = 'friends'` — direct-message permission is set to "Friends Only" by default AND legally locked against the "Anyone" setting. Under-16 accounts may choose between "Friends Only" (mutual followers only, the default) and "Nobody" (no DMs at all), but they cannot select "Anyone." The server trigger silently reverts any attempt to set `allow_dms = 'everyone'` back to `'friends'`. The Settings UI also hides the "Anyone" picker option for under-16 accounts and shows a "Teen Restricted Account" footer explaining the restriction. This aligns with the California Age-Appropriate Design Code, the New York SAFE for Kids Act, and the UK Children's Code requirement that minors not be exposed to unsolicited messaging from non-mutuals by default.

The defaults that are not legally locked (`hide_follow_lists`, `hide_streak`) can be turned off by the under-16 user in Settings if they choose; the streak-reminder lock and DM-Anyone lock cannot.

9.3 Under-18 Defaults and Locks

At signup, accounts whose DOB makes them under 18 receive the following defaults, which are LEGALLY LOCKED:

• `ads_personalized = false` — every AdMob request is sent with `npa=1` (non-personalized ads); the server trigger reverts any attempt to set this column to true.

• `quiet_hours_enabled = true` — push notifications are silenced between 10pm and 6am in the user's local timezone; the server trigger reverts any attempt to set this column to false.

• `location` is locked NULL — under-18 cannot attach a profile location (city/state). Any attempt to write a non-empty value is silently reverted by the `validate_profile_update` trigger. See Section 6.16 for the related per-post location coarsening rule (which applies to all users, not just minors).

• OTHER users' profile links are hidden — the `link` column on every OTHER user's profile is redacted to NULL when returned to an under-18 viewer. This is enforced at the database column level: SELECT on `link` is REVOKEd from the authenticated role, and the only path that yields a non-null value is the `get_safe_profile` SECURITY DEFINER RPC, which checks the viewer's date of birth on every call and returns NULL for the `link` field when the viewer is under 18 AND is not the target. The under-18 user's own `link` on their own profile is always visible to them (so they can manage it from Edit Profile). Adult users continue to see everyone's link.

The Settings UI disables the corresponding toggles for users under 18 and displays a "Teen Restricted Account" footer explaining that these settings are required by law until the user is 18.

9.4 Server-Side Enforcement

All teen-account protections are enforced at the database level by the `validate_profile_update` trigger, which silently reverts any client-side write that would weaken a legally-required minor protection. Silent revert (rather than raising an exception) means a tampered client cannot detect the lock by error message — the write succeeds, but the protected value is preserved. The trigger fires on every UPDATE regardless of the caller and regardless of whether the protected column appears in the update payload.

9.5 Teen Account Transparency View

Settings → Teen Account is a read-only view showing each user which (if any) age-based restrictions are active on their account. Adult users see "No age-based restrictions apply to your account." Users aged 16–17 see the four under-18 locks (Personalized ads off; Quiet hours 10pm–6am; Other users' profile links hidden; Profile location off). Users aged 13–15 see all six locks: the four under-18 locks plus the two under-16 locks (Streak reminders off, Direct messages limited to mutual friends or no one).

9.6 Image-Age Estimation

Independent of the user's self-reported DOB, the image moderation pipeline estimates the apparent age of faces in every uploaded image (Section 8.4). Images depicting suspected minors in nudity contexts are removed and reported regardless of who uploaded them.

9.7 No Profiling of Minors

For users under 18 we do not perform any behavioral profiling for advertising, recommendation tuning, or marketing. Feed ranking continues to use social-graph signals (who you follow, mutuals) and engagement signals (likes, comments on individual posts), but no advertising profile or interest model is constructed.

9.8 Parental Resources

If you are a parent or guardian and need to:

• Confirm that a minor user is using the App appropriately

• Request deletion of a minor's account

• Inquire about specific data we hold about a minor

contact us at huzzahapp@yahoo.com with "Parent Request" in the subject line. We will verify your relationship to the minor before responding.

10. YOUR RIGHTS

10.1 Right to Access (GDPR Art. 15, CCPA § 1798.110)

You can request a full export of your personal data via Settings → Other → Export My Data. The export contains: account data (username, display name, DOB, avatar URL, etc.), all privacy settings, all content you created (submissions, comments, messages), all actions you took (likes, comment-likes, reposts, shares, saves, follows, blocks, dismissed suggestions, invites with last-4 phone digits only, tags, reports filed), and all account-status data (moderation actions against you, hidden posts, retake redemptions). The export does not include interactions other users took on your content, because those are their personal data. Photos are referenced by storage path; download URLs are issued separately. Exports are rate-limited to one per day.

10.2 Right to Rectification (GDPR Art. 16)

You can edit your profile fields directly in the App. If you cannot edit a field that is incorrect (e.g. your date of birth, which is locked once set), contact huzzahapp@yahoo.com.

10.3 Right to Deletion / Erasure (GDPR Art. 17, CCPA § 1798.105)

You can permanently delete your account and all associated personal data via Settings → Other → Delete Account. See Section 7 for what is deleted and what is retained.

10.4 Right to Restriction (GDPR Art. 18)

You can restrict our processing of your data by changing your privacy settings (Private Account, Hide Friends & Followers, Hide Likes, Hide Streak, Allow DMs: Nobody, Do Not Sell or Share). For more granular restrictions, contact huzzahapp@yahoo.com.

10.5 Right to Data Portability (GDPR Art. 20)

The data export described in 10.1 is provided in structured machine-readable JSON form.

10.6 Right to Object (GDPR Art. 21)

For processing that uses your data on a "legitimate interests" basis (such as some safety/fraud-prevention activities), you may object via huzzahapp@yahoo.com.

10.7 Right to Withdraw Consent

For any feature that depends on permission (contacts, location, photo library, camera, notifications) you can withdraw consent at any time via iOS Settings → Privacy → [permission] → Huzzah. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.8 Right to Lodge a Complaint with a Supervisory Authority

EU/EEA residents may lodge a complaint with their member-state Data Protection Authority. UK residents may complain to the Information Commissioner's Office (ICO).

10.9 California-Specific Rights (CCPA / CPRA)

California residents have the right to (a) know what categories and specific pieces of personal information we collect, (b) know whether we sell or share personal information for cross-context behavioral advertising — we do not "sell" and we do not "share" except as you direct, (c) opt out of any such sale or sharing (Settings → Privacy → "Do Not Sell or Share My Personal Information"), (d) limit use of sensitive personal information — we do not use sensitive personal information for any secondary purpose, (e) request correction or deletion as above, (f) not be discriminated against for exercising any of these rights. You may also designate an authorized agent to make requests on your behalf — contact huzzahapp@yahoo.com.

10.10 Other U.S. State Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana, Iowa, Tennessee, Indiana, New Jersey, Delaware, New Hampshire, Maryland, Minnesota, Rhode Island, and other states with comprehensive consumer privacy laws have substantially the same access, correction, deletion, and opt-out rights described above. To exercise these rights, use the in-app tools or contact huzzahapp@yahoo.com.

10.11 No Discrimination

We will not deny you service, charge you a different price, or provide you a lower-quality experience because you exercised any privacy right.

10.12 Identity Verification

For deletion or export requests submitted by email rather than through the in-app tools, we may ask you to verify your identity (typically by sending you an OTP to the phone number on your account) to prevent unauthorized requests.

11. SECURITY

11.1 Encryption in Transit and at Rest

All data is transmitted between the App and our backend over TLS 1.2 or higher. All data stored on Supabase is encrypted at rest using AES-256.

11.2 Database-Level Authorization (Row-Level Security)

Every public-schema table has Row-Level Security ("RLS") policies enabled. RLS is enforced by the PostgreSQL database itself — application code cannot bypass it without obtaining a service-role key (which is held only by our backend, never exposed in the App, never sent to clients). Each table's policies are designed so that even if our App or backend code had a bug, the underlying database would still refuse to return data the user has no right to see.

11.3 Rate Limiting

Every user-triggered write operation is rate-limited (see Section 13 for the full list). Rate limits prevent enumeration attacks, content spamming, brigading, and resource-exhaustion attacks.

11.4 Input Validation

All user-supplied input is length-limited at the database level (e.g. caption ≤500, message ≤1000, bio ≤150, username ≤20). Search queries are sanitized to alphanumerics + space + underscore. Image uploads are size-limited (avatars 2 MB, submissions 10 MB) and MIME-limited. Phone numbers are normalized to digits only.

11.5 Authentication

We authenticate via Supabase Auth's phone-OTP system. We never store or see your OTP code (Supabase's auth provider — Twilio/Vonage — handles the SMS roundtrip). Session tokens are short-lived and refreshed automatically; signing out invalidates the local session and clears all caches.

11.6 Client Integrity Checks

The App performs on-device checks for jailbreak, debugger attachment, app tampering, and tampered UserDefaults state (Section 2.3). If a tamper is detected, the App may refuse to operate in certain features and/or report a generic incident category to our servers.

11.7 Push Notification Authentication

Our push notification sender authenticates to APNs using an ES256-signed JWT generated from a P8 key held only on our backend. The JWT is regenerated every 50 minutes. We send only to device tokens that we have validated as belonging to the receiving user's account. Tokens that APNs reports as invalid (400 or 410 responses) are removed from our database.

11.8 Incident Response

In the event of a security incident affecting your personal information, we will (a) investigate immediately, (b) contain the incident, (c) notify affected users without undue delay, and (d) notify supervisory authorities and other parties as required by law (e.g. GDPR Art. 33 requires notification to the lead supervisory authority within 72 hours of awareness for incidents involving personal data of EU residents; equivalent timing applies under state laws).

11.9 No Guarantees

No system is perfectly secure. While we implement reasonable and industry-standard security measures, we cannot guarantee absolute security. You also have responsibilities: keep your phone secure (use a passcode, biometric lock, and "Find My"); do not lend your phone with Huzzah logged in; if you lose your phone, sign out of Huzzah on the lost device by going to Settings → Other → Delete Account from another device (we do not currently offer remote logout).

12. INTERNATIONAL DATA TRANSFERS

Huzzah's data is stored in the United States (US-East-2, Ohio). If you access the App from outside the United States, your information will be transferred to, stored, and processed in the United States. By using Huzzah you consent to such transfer. For EU/EEA, UK, and Swiss residents, transfers are made under appropriate safeguards: where Supabase relies on Standard Contractual Clauses as a transfer mechanism, the SCCs are incorporated into our Data Processing Agreement with Supabase. You may request a copy of the SCCs by contacting huzzahapp@yahoo.com.

13. RATE LIMITS

The following rate limits are enforced server-side. Exceeding a limit results in a temporary rejection of the action; persistent abuse may result in account suspension.

• Submissions: 5 per hour

• Comments: 60 per hour

• Messages sent: 60 per hour

• New non-friend conversations (when recipient has "Allow DMs: Everyone"): 5 per 24 hours

• Likes: 500 per hour

• Comment likes: 200 per hour

• Reposts: 30 per hour

• Shares (global): 10 per minute

• Shares (per post): 5 per 10 seconds

• Submission views: 500 per hour

• Profile views: 300 per hour

• Friendships (follows): 20 per hour

• Blocks: 20 per hour

• Tags (per post): 30 per hour

• Invites: 30 per hour

• Dismissed suggestions: 100 per hour

• Reports: 5 per hour

• Notifications generated by one user: 50 per hour (silently dropped beyond limit)

• Device-token registrations: 10 per hour

• Typing-status updates: 1 per 2 seconds (silently dropped beyond limit)

• `complete_profile` attempts: 5 per hour

• Data export requests: 1 per 24 hours

• Device-compromised self-reports: 1 per 24 hours

Hard caps:

• 1000 friends (followed users)

• 1000 blocks

• 5 device tokens per account

• 1000 notifications per account

14. ADVERTISING IN DETAIL

14.1 When Ads Are Shown

Ads are shown to users who are not Huzzah Pro subscribers, in feed slots dedicated to ads. Pro subscribers see no ads.

14.2 What Information Goes to AdMob

Standard ad-request metadata: device model, OS version, App identifier, IP address, ad-unit ID, screen orientation, language/locale. For confirmed adults who have not opted out, AdMob may consult standard targeting signals available through its system (e.g. interests inferred from cross-app activity if the user has allowed Apple App Tracking Transparency permission). For users under 18, and for users who have opted out via Settings → Privacy → "Do Not Sell or Share My Personal Information," the request is tagged with `extras: {"npa": "1"}` and no behavioral profile is consulted.

14.3 Apple App Tracking Transparency (ATT)

Apple requires apps to request explicit user permission before tracking the user across apps and websites owned by other companies. Huzzah does not request ATT permission because we do not perform cross-app tracking. Google AdMob's SDK may request ATT permission of its own; if it does, you can deny it without affecting Huzzah's functionality. We do not use Apple's IDFA or any cross-app identifier in our own systems.

14.4 Apple SKAdNetwork

For measurement of advertising effectiveness, we participate in Apple's SKAdNetwork program, which provides privacy-preserving conversion attribution without exposing your identity to advertisers.

14.5 Ad Content Rating

The AdMob SDK is configured with `maxAdContentRating = .teen`, capping ad content at Teen-appropriate ratings across the entire user base (because 13 is the App's minimum age).

14.6 Opt-Out

Adults may opt out of personalized advertising at any time via Settings → Privacy → "Do Not Sell or Share My Personal Information." This change takes effect immediately for the next ad request (it does not wait for a profile refetch). Under-18 users are opted out automatically and the toggle is disabled with a "Teen Restricted Account" indicator.

15. THIRD-PARTY SERVICES

A complete list of third parties that receive data about you, in addition to those listed in Section 5.2:

• Supabase (database, auth, storage, edge functions, realtime). https://supabase.com/privacy

• Google AdMob (ads — non-Pro users only). https://policies.google.com/privacy

• Amazon Web Services (Rekognition for image moderation). https://aws.amazon.com/privacy/

• Apple (App Store, In-App Purchase, MusicKit, APNs, CoreLocation, Contacts, Photo Library, Camera). https://www.apple.com/legal/privacy/

• Cloudflare (DDoS protection on Supabase endpoints). https://www.cloudflare.com/privacypolicy/

• NCMEC CyberTipline (mandatory CSAM reporting when triggered). https://www.missingkids.org/

We do not use: Facebook, Twitter, TikTok, or any other social-network SDK. We do not use Firebase, Mixpanel, Amplitude, Segment, Branch, Adjust, AppsFlyer, Sentry, Crashlytics, or any third-party analytics or crash-reporting SDK.

16. COOKIES AND SIMILAR TECHNOLOGIES

The App is not a web browser and does not use HTTP cookies for its own functionality. The Google AdMob SDK may use device-side advertising identifiers and similar technologies for ad serving and measurement, subject to your ATT permission and to the personalization opt-out described in Sections 9 and 14. The App does not embed third-party web views, tracking pixels, or fingerprinting libraries.

17. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this policy indicates the most recent revision. For material changes — meaning changes that meaningfully reduce your privacy rights, that add new data collection categories, or that affect protections for minors — we will provide reasonable advance notice via in-app banner or push notification, and where law requires we will obtain your express consent before the change takes effect. Continued use of the App after the effective date of a non-material change constitutes acceptance of the revised policy.

We maintain a history of material revisions on request — email huzzahapp@yahoo.com.

18. JURISDICTION-SPECIFIC NOTICES

18.1 Notice for Nevada Residents

Nevada residents have the right to direct us not to sell their personal information. We do not sell personal information. If you have any questions about this, contact huzzahapp@yahoo.com.

18.2 Notice for Quebec Residents

Quebec's Law 25 grants additional rights including the right to information about decisions based exclusively on automated processing. Most decisions made by Huzzah's systems (feed ranking, auto-moderation, suspension) are partly automated; in cases of automated suspension you may request human review via the appeal process in Section 8.5.

18.3 Notice for Brazilian Residents

Brazil's LGPD grants substantially equivalent rights to GDPR. Brazilian residents may exercise their rights via huzzahapp@yahoo.com. Our Data Protection Officer for LGPD purposes may be reached at the same email.

18.4 Notice for U.S. Federal Government and Defense Personnel

Huzzah is a consumer social application and is not authorized under FedRAMP or DoD compliance regimes. We do not recommend Huzzah for use in the conduct of official duties.

19. ACCESSIBILITY

This policy is also available in plain-text format on request. If you have difficulty reading or accessing this policy, email huzzahapp@yahoo.com and we will provide it in an accessible format.

20. CONTACT

For any question, complaint, or request related to this Privacy Policy or our handling of your data:

Email: huzzahapp@yahoo.com

Subject line: "Privacy Inquiry" (for general questions), "Data Request" (for access/export/deletion/correction), "Parent Request" (parental/guardian inquiry), "Law Enforcement" (legal process — please use a verifiable agency email).

For account deletion you can also use the in-app tool (Settings → Other → Delete Account). For data export use Settings → Other → Export My Data. These are the fastest routes.