Privacy Policy

1. Introduction

Chuppah LLC ("we," "our," "us," or "Company") is committed to protecting your privacy and ensuring transparency in our data practices. This Privacy Policy explains in detail how we collect, use, disclose, retain, and safeguard your personal information when you:

• Visit our website at chuppah.app
• Use any mobile applications we develop or publish
• Engage with our services, including app development and consulting
• Communicate with us via email, phone, or contact forms

Data Controller: Chuppah LLC is the data controller responsible for your personal information. For any privacy-related inquiries, please contact our Data Protection Officer at: support@chuppah.app

By accessing or using our services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

2. Categories of Personal Information We Collect

We collect the following categories of personal information, as defined under California law:

A. Identifiers

Information that identifies you personally, including:

• Full name
• Email address
• Phone number
• IP address
• Device identifiers (mobile device ID, advertising ID)
• Account credentials (if you create an account)
• Company or business name

B. Commercial Information

Records of services purchased, obtained, or considered, including:

• Project inquiries and proposals
• Service agreements and contracts
• Transaction history and payment information
• Customer preferences and requirements

C. Internet or Network Activity

Information about your interaction with our website and mobile applications, including:

• Browser type and version
• Operating system
• Pages visited, time spent on pages, and navigation paths
• Referring website addresses and exit pages
• Date and time stamps of visits
• Clickstream data and search queries

D. Geolocation Data

General location information derived from your IP address (city and state level, not precise location).

E. Professional or Employment Information

Information you provide about your business or professional context, such as job title, company size, industry, and business needs.

Sources of Personal Information

We collect personal information from the following sources:

• Directly from you: When you fill out contact forms, request services, or communicate with us
• Automatically: Through cookies and similar tracking technologies when you use our website or apps
• Third-party services: Analytics providers, advertising networks, and service providers

3. Business and Commercial Purposes for Collecting Personal Information

We use your personal information for the following specific business and commercial purposes. For each purpose, we identify the lawful basis under GDPR:

• Service Delivery: To provide mobile app development services, respond to inquiries, process transactions, and deliver project deliverables. (Lawful Basis: Performance of a Contract)
• Customer Support: To respond to your questions, provide technical assistance, and resolve issues. (Lawful Basis: Performance of a Contract)
• Communication: To send you service-related announcements, project updates, newsletters (with consent), and marketing communications about our services. (Lawful Basis: Performance of a Contract for service-related communications; Consent for marketing)
• Website and App Improvement: To analyze usage patterns, test features, conduct research, and optimize user experience across our platforms. (Lawful Basis: Legitimate Interest)
• Security and Fraud Prevention: To detect, prevent, and investigate security incidents, fraudulent activity, and violations of our terms. (Lawful Basis: Legitimate Interest)
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests. (Lawful Basis: Legal Obligation)
• Business Operations: To maintain our systems, conduct internal auditing, data analysis, and maintain business records. (Lawful Basis: Legitimate Interest)
• Marketing and Analytics: To understand user preferences, personalize content, conduct market research, and improve our marketing efforts. (Lawful Basis: Legitimate Interest, with your right to object)

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice and obtaining your consent where required by law.

4. Disclosure of Personal Information

Sale and Sharing of Personal Information

We do not sell your personal information. In the preceding 12 months, we have not sold personal information of consumers as defined under the CCPA/CPRA.

Important Notice About Third-Party Advertising: If we use third-party advertising networks or analytics services that collect information via cookies or similar tracking technologies, this may constitute "sharing" under CCPA/CPRA for cross-context behavioral advertising purposes. California residents have the right to opt out of such sharing. See Section 8 for more information on exercising this right.

We may share personal information with third parties for business purposes. In the preceding 12 months, we have disclosed the following categories of personal information for business purposes:

• Identifiers (name, email, IP address)
• Commercial information (project inquiries, service preferences)
• Internet or network activity information
• Professional or employment information

Categories of Third-Party Recipients

We disclose your personal information to the following categories of third parties:

• Service Providers: Cloud hosting providers, email service providers, analytics services, payment processors, and customer relationship management (CRM) platforms that assist us in operating our business
• Professional Advisors: Attorneys, accountants, auditors, and consultants who provide professional services to us
• Government Entities and Law Enforcement: When required by law, subpoena, court order, or other legal process, or when necessary to protect our rights, property, or safety
• Business Transaction Parties: In connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction, or proceeding involving sale, transfer, or disposal of all or a portion of our business or assets

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Contact Form Submissions: Retained for up to 3 years from the date of submission or until you request deletion
• Client Project Data: Retained for the duration of the project plus 7 years for legal and accounting purposes
• Website Analytics Data: Anonymized and aggregated data retained for up to 26 months
• Marketing Communications: Until you unsubscribe or request deletion
• Legal and Compliance Records: As required by applicable laws and regulations

When we no longer need your personal information for the purposes described in this policy, we will securely delete or anonymize it in accordance with applicable law.

6. Data Security

We implement and maintain reasonable administrative, technical, and physical security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using SSL/TLS protocols
• Encryption of sensitive data at rest
• Regular security assessments and penetration testing
• Access controls and authentication requirements for our systems
• Employee training on data protection and security best practices
• Incident response procedures and monitoring systems
• Regular backups to ensure data recovery in case of disaster or attack
• Firewalls to protect our network from unauthorized access
• Regular updates and patches to our software to address security vulnerabilities
• Security audits to identify vulnerabilities and improve security measures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

7. Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities and to provide functionality and improve our services. The types of cookies we use include:

• Essential Cookies: Necessary for the website to function properly (e.g., security, network management)
• Analytics Cookies: Help us understand how visitors interact with our website by collecting and reporting information anonymously
• Functional Cookies: Enable enhanced functionality and personalization (e.g., remembering your preferences)
• Marketing Cookies: Used to track visitors across websites to display relevant advertisements

Do Not Track Signals and Global Privacy Control

Some web browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. Currently, there is no universal standard for how DNT signals should be interpreted. At present, our website does not respond to DNT signals.

Global Privacy Control (GPC): We recognize and honor the Global Privacy Control (GPC) signal as a valid request to opt out of the "sale" or "sharing" of personal information under CCPA/CPRA. If you enable GPC in your browser or browser extension, we will treat this as a valid opt-out request for your browser on our services.

Third-Party Tracking: Third parties, including advertising networks and analytics providers, may collect personally identifiable information about your online activities over time and across different websites when you use our website or mobile applications. These third parties may use cookies, web beacons, and similar tracking technologies to collect this information for purposes including serving you targeted advertisements.

Your Cookie Choices

You can control cookies through your browser settings and other tools. Most browsers allow you to refuse or accept cookies, delete cookies, or be notified when a cookie is set. Please note that if you disable or refuse cookies, some parts of our website may become inaccessible or not function properly.

To manage your cookie settings, you can find instructions for commonly used browsers:

• Cookie settings in Chrome
• Cookie settings in Firefox
• Cookie settings in Microsoft Edge
• Cookie settings in Safari (web and iOS)

Google Analytics

We may use Google Analytics to help us understand how visitors use our website. We use the information we get from Google Analytics only to improve our services. We do not combine the information collected through the use of Google Analytics with personally identifiable information. Please refer to Google's Privacy Policy for more information. You may also choose to download the Google Analytics opt-out browser add-on.

Personalized Advertising

We may use targeted advertising cookies to deliver tailored advertising on our services and other websites that you may visit. You can learn more about how to control advertising cookies by visiting:

• Network Advertising Initiative's Consumer Opt-Out
• Digital Advertising Alliance's Consumer Opt-Out (for browsers)
• Digital Advertising Alliance's opt-out (for mobile devices)

Please note that electing to opt-out will not stop advertising from appearing in your browser or applications and may make the ads you see less relevant to your interests.

8. Your Privacy Rights Under California Law

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:

Right to Know

You have the right to request that we disclose to you:

• The categories of personal information we have collected about you
• The categories of sources from which the personal information is collected
• Our business or commercial purpose for collecting, selling, or sharing personal information
• The categories of third parties to whom we disclose personal information
• The specific pieces of personal information we have collected about you

Right to Delete

You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions under California law.

Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you.

Right to Data Portability

You have the right to request, in certain circumstances, a portable copy of your personal information in a format that allows you to transmit the data to another entity.

Right to Opt-Out of Sale or Sharing

You have the right to opt out of the "sale" or "sharing" of your personal information as those terms are defined under California law. To exercise this right, you may:

• Click on the "Do Not Sell or Share My Personal Information" link available on our website and in our mobile applications
• Enable the Global Privacy Control (GPC) signal in your browser
• Contact us at support@chuppah.app with your request

Right to Limit Use of Sensitive Personal Information

If we use or disclose sensitive personal information for purposes other than those permitted by the CPRA, you have the right to limit such use or disclosure.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your privacy rights. We will not:

• Deny you goods or services
• Charge you different prices or rates for goods or services
• Provide you a different level or quality of goods or services
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services

How to Exercise Your Rights

To exercise your rights described above, please submit a verifiable consumer request to us by:

• Emailing us at: support@chuppah.app
• Contacting us through our website contact form

Only you, or an authorized agent registered with the California Secretary of State, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

We will respond to verifiable consumer requests within 45 days of receipt. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing.

Verification Process

To protect your privacy and security, we will verify your identity before processing your request. We may ask you to provide identifying information that matches information we have on file about you. The information required for verification may vary depending on your relationship with us and the sensitivity of the request.

Authorized Agents

If you use an authorized agent to submit a request on your behalf, we may require: (1) a signed permission demonstrating the agent's authority to act on your behalf, or (2) proof that the agent has power of attorney. We may also require you to verify your identity directly with us.

Appeal Process

If we decline to take action in response to your request to exercise a privacy right, we will provide a timely response detailing the reasons for not taking the action. Depending on your jurisdiction, you may have the right to appeal our decision. To appeal, please contact us at support@chuppah.app within 30 days of receiving our decision, and we will review your appeal and respond within a reasonable timeframe as required by applicable law.

9. Your Privacy Rights Under GDPR (European Union/EEA)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access

You have the right to obtain confirmation as to whether we process your personal data, and where that is the case, to request access to your personal data along with information about the purposes of processing, categories of data, recipients, and retention periods.

Right to Rectification

You have the right to have inaccurate personal data concerning you rectified without undue delay.

Right to Erasure ("Right to be Forgotten")

You have the right to obtain the erasure of personal data concerning you in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when you object to processing based on legitimate interests.

Important: If we have made your personal data public and are obligated to erase it, we will take reasonable steps, including technical measures, to inform other controllers processing the data that you have requested erasure of any links to, copies of, or replication of that data.

Right to Restriction of Processing

You have the right to restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from us, where processing is based on consent or contract and is carried out by automated means.

Right to Object

You have the right to object at any time to processing of your personal data based on legitimate interests or for the performance of a task carried out in the public interest. You have an absolute right to object to the processing of your personal data for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes GDPR.

Automated Decision-Making and Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in automated decision-making or profiling that produces legal or similarly significant effects.

How to Exercise Your GDPR Rights

To exercise any of your GDPR rights, please contact us at:

• Email: support@chuppah.app
• Or through our website contact form

We will respond to your request within one month of receipt. In certain cases, we may extend this period by an additional two months where necessary, taking into account the complexity and number of requests, and will inform you of any such extension.

10. Children's Privacy (COPPA Compliance)

Age Restriction

Our website and mobile applications are not directed to children under the age of 13 (or 16 for residents of California and the European Union). We do not knowingly collect, use, or disclose personal information from children under these ages without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA), CCPA/CPRA, and GDPR.

Our Compliance Procedures

If we obtain actual knowledge that we have collected personal information from a child under 13 (or the applicable age in other jurisdictions), we will:

• Immediately suspend the account
• Delete all personal information associated with that account as quickly as possible
• Notify the parent or guardian if contact information is available
• Take reasonable steps to prevent future access by that user

Reporting Underage Users

If you believe that a child under the applicable age has provided us with personal information or is using our services, please contact us immediately at:

• Email: support@chuppah.app
• Subject Line: "Underage User Report"

We will investigate all reports promptly and take appropriate action in accordance with COPPA and other applicable laws.

Parental Rights

If we discover that we have inadvertently collected information from a child under 13, parents have the right to:

• Review the personal information collected from their child
• Request that we delete their child's personal information
• Refuse to permit further collection or use of their child's information

11. Third-Party Links and Services

Our website and mobile applications may contain links to third-party websites, services, or applications that are not owned or controlled by us. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you use.

When you leave our website or use a third-party service integrated into our applications, this Privacy Policy no longer applies, and you should review the applicable third-party privacy policy.

12. International Data Transfers

Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those of your country of residence.

Transfers from the EU/EEA

If you are located in the European Union or European Economic Area, please note that we transfer your personal data to the United States and potentially other countries outside the EU/EEA. We ensure that such transfers comply with applicable data protection laws by implementing appropriate safeguards, including:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for transfers of personal data to third countries, which provide appropriate safeguards for your personal information.
• Adequacy Decisions: Where applicable, we may rely on adequacy decisions issued by the European Commission recognizing that certain countries provide an adequate level of data protection.
• Additional Safeguards: We implement supplementary measures, including technical and organizational security measures, to ensure that your data receives a level of protection substantially equivalent to that guaranteed within the EU/EEA.

You may obtain a copy of the safeguards we have in place for international transfers by contacting us at support@chuppah.app.

Data Security During Transfer

All data transfers are encrypted in transit using industry-standard protocols (TLS/SSL). We take appropriate technical and organizational measures to protect your personal information during international transfers and ensure it remains protected in accordance with this Privacy Policy.

13. Change of Control

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of our assets or stock, financing, public offering of securities, or acquisition of all or a portion of our business by another company, or in the event of a similar transaction or proceeding, your personal information may be transferred to the successor entity or acquiring company.

If we sell, merge, or transfer any part of our business, part of the sale may include your personal information. You will be notified via email and/or a prominent notice on our website of any change in ownership, as well as any choices you may have regarding your personal information.

14. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make material changes to this Privacy Policy, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you by posting a prominent notice on our website
• Email you at the address you have provided (if applicable)
• Provide any other notification required by law

We encourage you to review this Privacy Policy periodically. Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of such changes.

Material changes to this Privacy Policy will be effective 30 days after notice is provided, unless otherwise required by applicable law.

15. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities as required by applicable law, including GDPR and CCPA/CPRA.

For GDPR compliance, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to your rights and freedoms. For high-risk breaches, we will notify affected individuals without undue delay.

For CCPA/CPRA compliance, in the event of a data breach, California residents may have a private right of action if we fail to implement and maintain reasonable security procedures and practices.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For California Residents

If you have a complaint regarding our privacy practices or wish to exercise your California privacy rights, you may contact us at support@chuppah.app. You also have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General.

For EU/EEA Residents

If you are located in the European Union or European Economic Area and you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Methods for Submitting Rights Requests

To exercise your privacy rights under CCPA/CPRA or GDPR, you may contact us through the following methods:

• Email: support@chuppah.app

We will respond to verifiable consumer requests within the timeframes required by applicable law (45 days for CCPA/CPRA, 30 days for GDPR).