Privacy Policy

Effective date: 19 May 2026 · Last Updated: 19 May 2026 · Applies to: The Lounge iOS & Android apps and lounge.k22hub.com

1. Who We Are

Lounge is operated by Kayan22 FZ LLC, incorporated in the Fujairah Free Zone / Creativity City, Dubai, UAE. References to "we", "us", or "our" mean Kayan22 FZ LLC

Contact: privacy@k22hub.com

2. Data We Collect

2.1 Account Data

• Email address, username, display name, profile photo
• Phone number (optional, for two-factor authentication)
• Date of birth (age verification only — not stored after verification)
• OAuth tokens (Apple Sign-In, Google Sign-In) — we store only the provider ID, not your password

2.2 Content You Create

• Posts, comments, voice notes, images you upload
• Messages sent in private chats and lounges
• Live session recordings (only if you enable recording)
• Live stream content (video, audio, chat) is routed through AWS IVS in Mumbai before being delivered to viewers. We do not retain stream recordings beyond 90 days unless explicitly saved by the broadcaster.

2.3 Usage Data

• App interactions (screens viewed, features used, session duration)
• Device type, OS version, app version, language setting
• IP address (used for fraud detection and geo-compliance — not sold)
• Crash logs and performance diagnostics

2.4 Payment Data

• Subscription and purchase history (amounts, dates, plan names)
• Stripe Connect identity verification data (for creators only — processed by Stripe, not stored by us)
• We do not store card numbers, CVVs, or bank account details

2.5 Data We Do Not Collect

• Advertising identifiers (IDFA, GAID) — we do not run ads
• Contacts (unless you explicitly grant permission for "People You May Know")
• Precise GPS location

3. How We Use Your Data

• Service delivery: to provide, personalise, and improve the Lounge app
• Safety & moderation: to detect abuse, spam, and policy violations
• Payments: to process subscriptions, one-time purchases, and creator payouts
• Communications: to send transactional emails (receipts, security alerts) — no marketing without consent
• Legal compliance: to meet obligations under UAE, DIFC, and applicable GCC laws

4. Legal Basis for Processing

Under DIFC Data Protection Law 2020 and applicable UAE regulations, we process your data on the following bases:

• Contract performance: to deliver the service you signed up for
• Legitimate interests: fraud prevention, security, service improvement
• Legal obligation: compliance with UAE/UAE law
• Consent: optional features (contacts access, marketing emails)

5. Data Sharing

We do not sell your personal data. We share data only with:

• Supabase (Asia Pacific — Mumbai region, ap-south-1) — database, storage, authentication, and serverless functions
• AWS (Asia Pacific — Mumbai region, ap-south-1) — live streaming infrastructure and content delivery. We selected Mumbai for proximity to UAE/GCC users, regulatory compatibility under DIFC standards, and operational stability. We monitor AWS Middle East (me-central-1, Bahrain/UAE) availability and may migrate to it when regional service maturity meets our reliability requirements.
• Expo / EAS — push notification delivery
• Legal authorities — when required by valid legal process under UAE/UAE law

All third-party processors are bound by data processing agreements consistent with DIFC standards.

6. Data Retention

• Active account data: retained while your account is active
• Deleted account data: purged within 30 days of deletion request (except where legally required to retain)
• Financial records: retained for 7 years per UAE commercial law
• Moderation logs: retained for 2 years to support appeals

7. Your Rights

Under DIFC Data Protection Law 2020, you have the right to:

• Access a copy of your personal data — email privacy@k22hub.com
• Rectify inaccurate data — update in-app under Settings → Profile
• Delete your account and data — see Delete Account or Delete My Data
• Restrict processing in certain circumstances
• Object to processing based on legitimate interests
• Portability — request a machine-readable export of your data

Respond time: within 30 days of receiving your request.

8. Children's Privacy

Lounge is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact privacy@k22hub.com and we will delete it promptly.

9. Security

• All data in transit is encrypted via TLS 1.2+
• Data at rest is encrypted (AES-256)
• Voice notes are transmitted over TLS and stored encrypted at rest (AES-256) on our infrastructure. Like all message content, they may be accessed by our moderation team in response to user reports or legal requests. We are evaluating end-to-end encryption for future releases.
• Access to production systems is restricted to authorised personnel with MFA

10. Cross-Border Transfers

Data is primarily processed in India (Mumbai region) for both database (Supabase) and content delivery (AWS). Payment processing occurs through Apple's and Google's app store infrastructure (geographically distributed) and RevenueCat (US-based aggregator). Cross-border transfers from the UAE rely on DIFC Data Protection Law adequacy mechanisms and our processors' Standard Contractual Clauses. We do not transfer data to jurisdictions without adequate data protection frameworks.

11. Changes to This Policy

We will notify you of material changes via in-app notification at least 14 days before the effective date. Continued use after the effective date constitutes acceptance.

12. Contact

Kayan22 FZ LLC · Fujairah Free Zone, UAE
privacy@k22hub.com · legal@k22hub.com