Privacy Policy

To help explain things as clearly as possible in this Privacy Policy, the following terms have these meanings:

• Company: when this policy mentions “Company,” “we,” “us,” or “our,” it refers to Gud Token Inc., 2nd Floor, Ellen L. Skelton Building, Fishers Lane, Road Town, Tortola, British Virgin Islands, VG 1110, which is responsible for your information under this Privacy Policy.
• Country: where Spicy or the owners/founders of Spicy are based, in this case the British Virgin Islands.
• User: a person who accesses or uses Spicy, whether signed in or using the app as a guest.
• Device: any internet-connected device such as a phone, tablet, computer, or other device that can be used to access Spicy.
• IP address: a number assigned to a device connected to the internet. An IP address may be used to estimate the general location from which a device connects to the internet.
• Personal Data: information that directly or indirectly identifies, relates to, describes, or could reasonably be linked with an identifiable person.
• Service: the Spicy app, websites, and related services.
• Third-party service: a service provider that helps us operate Spicy, such as authentication, hosting, analytics, notification delivery, support, moderation, and infrastructure providers.
• App/Application: the Spicy mobile application.
• You: a person who accesses or uses Spicy.

We collect information from you when you use our app, create or sign in to an account, continue as a guest, create or interact with content, enable notifications, submit a report, or contact support.

• Name / Username - including your display name and profile information that you choose to provide, such as avatar type and bio.
• Email Addresses - collected when you sign in, create an account, or contact support.
• Authentication Information - authentication state and secure session tokens managed by Clerk to enable account creation, sign-in, and session management. We do not store your password or authentication credentials in plain text.
• Push Notification Token - collected with your explicit permission to send you app notifications. Stored on our servers and linked to your account.
• Pseudonymous Device Identifier - a randomly generated ID created on your device when you first open the app, used to associate your activity before you sign in. This identifier may be linked to your account if you later sign in and is stored securely on your device.
• User-Generated Content and App Activity - including polls created, votes cast, comments and replies posted, likes, profile activity, blocked users, in-app points or rewards activity, notification activity, and reports submitted within the app.
• AI-Assisted Poll Draft Information - if you use AI-assisted poll detail generation, we process the draft poll question and options you provide, generated details returned by the service, and related generation usage information.
• Search Information - including in-app search queries and related search parameters used to return poll search results.
• Analytics Information - including screen views, app lifecycle events, sign-in events, poll creation, voting, comments, reports, sharing, onboarding actions, and similar product usage events. For signed-in users, analytics may be linked to your user ID, name, and email address. For guest users, analytics may be associated with a pseudonymous analytics identifier.
• Device, Log, and Diagnostic Information - including IP address, device information, app lifecycle events, performance information, and diagnostic information used to operate, secure, troubleshoot, and improve the Service.
• Support and Contact Information - including your email address, reason for contacting us, subject, message, and any information you choose to include in support or feedback requests.
• Moderation and Safety Information - including report type, report reason, explanation, content or user being reported, and whether you choose to block another user.
• Local Device Storage - including secure session tokens, a pseudonymous device identifier, notification prompt preferences, and limited cached app data such as recent polls, profile information, and current user state to improve app performance.

Spicy may receive information from third-party services that you choose to use with the app, such as authentication providers used through Clerk, including Google Sign-In or Apple Sign-In where available. The information we receive may include your email address, authentication identifiers, and basic profile information provided by those services, depending on your settings and the sign-in method you choose.

We may also receive information from third-party service providers that help us operate the Service, such as authentication, hosting, analytics, customer support, and abuse prevention providers. We use this information only to provide, secure, maintain, and improve Spicy.

We do not sell your personal information. We do not currently use third-party advertising SDKs for ad personalization.

We may share information with service providers that process data on our behalf, such as authentication, hosting, database, analytics, notification delivery, customer support, moderation, e-mail or support tooling, and infrastructure providers. We may share personal information and non-personal information with these providers only as needed for them to perform services for us and for you.

We may process analytics and log information, which may include IP address, device information, app lifecycle events, screen views, and interaction events. This information is used to understand app performance, troubleshoot issues, prevent abuse, and improve the Service. We do not use this information for third-party advertising or ad personalization unless we update this Privacy Policy and our Google Play disclosures accordingly.

We may also share or transfer information to our current or future affiliated companies, transaction counterparties, or successors if we are involved in a merger, asset sale, financing, acquisition, reorganization, bankruptcy, or similar transaction, with legally appropriate notice where required.

We may disclose personal and non-personal information about you to government or law enforcement officials or private parties if we believe it is necessary or appropriate to respond to claims, legal process, court orders, laws, rules, regulations, government requests, protect rights and safety, prevent abuse, or stop illegal, unethical, or legally actionable activity.

Spicy collects personal information when you use the app, sign in or continue as a guest, interact with polls or comments, submit reports, enable notifications, update your profile, or contact us. We may also receive personal information about you from third-party services as described above.

We use information for the following purposes:

• To create, authenticate, and manage your account or guest session
• To provide core app features, including polls, votes, comments, replies, likes, profiles, AI-assisted poll detail generation, notifications, blocking, reports, and account deletion
• To personalize and improve your app experience, including returning relevant search results
• To send push notifications if you grant permission
• To respond to support, contact, feedback, or data rights requests
• To monitor app performance, diagnose issues, understand product usage, and improve the Service
• To detect, prevent, and respond to spam, abuse, security incidents, policy violations, and other harmful activity
• To comply with legal obligations and enforce our Terms of Service

We use your email address to create and manage your account, authenticate you through supported sign-in methods, communicate important account or service information, respond to support requests, process data rights or account deletion requests, and help protect the Service from abuse. If we send marketing emails in the future, we will provide an unsubscribe option where required by law.

We keep your information only for as long as reasonably necessary to provide Spicy, fulfill the purposes described in this policy, maintain security, prevent abuse, comply with legal obligations, and resolve disputes. Account, profile, activity, moderation, and analytics data may be retained while your account remains active.

When you delete your account, we will delete or de-identify personal information from active systems within 30 days, subject to legal, security, fraud prevention, and abuse-prevention retention needs. Backup copies may persist for up to 60 days before permanent removal.

Some information may be retained in a de-identified or aggregated form that no longer identifies you. Public or user-generated content may be removed, de-identified, or retained where necessary to protect other users, enforce our Terms, or comply with legal obligations.

We implement reasonable administrative, technical, and organizational measures designed to protect personal information. We transmit personal information using modern cryptography such as HTTPS/TLS where applicable.

We cannot, however, ensure or warrant the absolute security of any information you transmit to Spicy or guarantee that your information on the Service may not be accessed, disclosed, altered, or destroyed by a breach of our physical, technical, or managerial safeguards.

Spicy is incorporated in the British Virgin Islands. Information collected via our app, through direct interactions with you, or from support requests may be transferred to and processed by us, our service providers, or other parties described in this Privacy Policy in countries other than your country of residence. These countries may have data protection laws different from those in your country. Where required, we use appropriate safeguards for such transfers.

You may contact us to (1) update or correct your personal information, (2) change your preferences with respect to communications and other information you receive from us, or (3) delete personal information maintained about you on our systems, subject to the account deletion and retention terms described in this Privacy Policy. You may also update certain profile information directly in the app. To protect your privacy and security, we may take reasonable steps to verify your identity before granting access, making corrections, or processing deletion requests.

If you wish to update, delete, or receive information we have about you, you may do so through available in-app controls or by contacting us at [email protected].

You have the right to delete your Spicy account and associated personal data at any time. You may request deletion of your account and associated personal data through any of the following methods:

• Within the app: Go to Settings - Delete account
• Web portal: https://spicy.market/account - this web page is intended to let users request account deletion outside of the app.
• Email: [email protected]

Upon receiving your verified request, we will delete or de-identify your personal information from active systems within 30 days, subject to applicable legal, security, fraud prevention, and abuse-prevention retention needs. Backup copies may persist for up to 60 days before permanent removal.

Spicy does not use traditional browser cookies in the mobile app. Instead, we use local device storage, secure session tokens, and limited cached app data to maintain your authenticated session, support guest usage, remember app preferences, improve performance, and reduce loading time. This may include session tokens, a pseudonymous device identifier, notification prompt preferences, and limited cached user/profile/poll data. We do not store passwords or authentication credentials in plain text on your device.

You can control notifications through your device settings. You can also sign out, delete your account, or uninstall the app to remove locally stored app data from your device, subject to your operating system's storage behavior. Some secure tokens or cached data may remain until the app is deleted, the account is deleted, or the app clears its local storage.

The following third-party service providers are used in our app and may collect or process personal data on our behalf:

• Clerk (clerk.com) - Authentication and user identity management. Clerk processes your email address and authentication credentials to enable account creation and sign-in. See Clerk's privacy policy at clerk.com/privacy.
• PostHog (posthog.com) - Product analytics and event tracking. For signed-in users, PostHog may link analytics data to your user ID, name, and email address. For guest users, analytics may be associated with a pseudonymous analytics identifier. PostHog captures in-app events such as screen views, votes cast, polls created, comments submitted, reports submitted, onboarding actions, and app lifecycle events. See PostHog's privacy policy at posthog.com/privacy.
• Expo Push Notifications / Apple Push Notification service / Firebase Cloud Messaging - Push notification delivery. If you grant notification permission, your device push token may be processed by notification infrastructure providers to deliver notifications.
• Hosting and backend infrastructure providers - Server hosting, database storage, API delivery, monitoring, and related infrastructure used to operate the Service.

• Session Tokens: We store secure session tokens locally on your device to maintain your authenticated state and avoid requiring repeated sign-ins. These tokens are invalidated, deleted, or deactivated according to the retention and deletion periods described above.
• Authentication Data (Clerk): Authentication state is managed by Clerk, which uses secure tokens to verify your identity. No authentication credentials are stored in plain text on your device.
• Analytics (PostHog): PostHog captures in-app events such as screen views, votes cast, polls created, comments submitted, reports submitted, onboarding actions, and app lifecycle events. For signed-in users, events may be linked to your user ID, name, and email. For guest users, events may be associated with a pseudonymous analytics identifier.
• Push Notification Token: When you grant notification permission, we collect and store your device's push token to deliver app notifications. This token is linked to your account and deleted or deactivated according to the retention and deletion periods described above.
• Pseudonymous Device Identifier: A randomly generated UUID is created and stored securely on your device upon first launch. This identifier is used to support guest usage and associate your activity before sign-in, and it may be migrated to your account upon authentication.
• Local Cache: We may store limited cached app data, such as recent polls, current user state, and profile information, on your device for a limited time to improve performance and reduce loading time.

The Service is not directed to anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have certain rights under applicable data protection laws, including the right to access, correct, delete, restrict, object to processing of, or request portability of your personal data.

We retain personal data only as long as reasonably necessary for the purposes described in this Privacy Policy, including providing the Service, maintaining security, preventing abuse, complying with legal obligations, and resolving disputes. If your account is deleted, we delete or de-identify personal information from active systems within 30 days, subject to applicable legal, security, fraud prevention, and abuse-prevention retention needs. Backup copies may persist for up to 60 days before permanent removal.

To exercise your rights, please refer to the “How to Delete Your Account” section above or contact us at [email protected].

California privacy laws may require us to disclose categories of Personal Information we collect, how we use it, categories of sources from whom we collect it, and third parties with whom we disclose it. These categories are described in the sections above.

California residents may have the following rights, subject to applicable law:

• Right to Know and Access. You may request information about the categories and specific pieces of Personal Information we have collected about you, the purposes for which we use it, the categories of sources from which we collect it, and the categories of third parties to whom we disclose it.
• Right to Delete. You may request that we delete Personal Information about you that we have collected, subject to applicable exceptions. You can also request deletion of your account and associated personal data by visiting https://spicy.market/account, using the Settings menu within the app, or contacting [email protected].
• Right to Correct. You may request correction of inaccurate Personal Information.
• Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.
• Right to Opt Out of Sale or Sharing. We do not sell your Personal Information. We do not currently use third-party advertising SDKs for cross-context behavioral advertising. If we later engage in activities that qualify as a “sale” or “sharing” under applicable California privacy law, we will update this Privacy Policy and provide legally required choices.

If you make a request, we will respond within the time required by applicable law. To exercise these rights, contact us at [email protected].

This Privacy Policy applies only to the Service. The Service may contain links to websites or services not operated or controlled by Spicy. We are not responsible for the content, privacy policies, or practices of third-party websites or services. Your use of third-party websites or services is subject to their own rules and privacy policies.

We may update this Privacy Policy from time to time so that it accurately reflects our Service and practices. Unless otherwise required by law, we will notify you of material changes through the Service or another reasonable method. If you do not want to agree to an updated Privacy Policy, you can stop using the Service and delete your account.

This Privacy Policy is governed by the laws of the British Virgin Islands without regard to its conflict of laws provisions, except where applicable local law provides otherwise. Your use of the Service may also be subject to other local, state, national, or international laws.

Do not hesitate to contact us if you have any questions about this Privacy Policy or our privacy practices.

• Via Email: [email protected]