Privacy Policy

1. Interpretation and Definitions

Interpretation

Words with initial capital letters have defined meanings under the following conditions. These definitions apply whether they appear in singular or plural form.

Definitions

For the purposes of this Privacy Policy:

• Account means a unique account created for you to access our Service or parts of our Service.

• Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.

• Application means the Therr mobile application, available on Apple App Store and Google Play Store.

• Company (referred to as "the Company," "we," "us," or "our") refers to Therr, Inc., 5900 Balcones Drive STE 100, Austin, TX 78731, United States.

• Data Controller (for purposes of GDPR) refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.

• Data Processor (for purposes of GDPR) means any natural or legal person who processes Personal Data on behalf of the Data Controller.

• Device means any device that can access the Service, such as a computer, smartphone, or tablet.

• Personal Data means any information that relates to an identified or identifiable individual. For purposes of GDPR, this includes any information relating to you such as a name, identification number, location data, online identifier, or factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity. For purposes of CCPA/CPRA, this includes any information that identifies, relates to, describes, or could reasonably be linked with you.

• Service refers to the Application, the Therr websites (therr.app and therr.com), and any related services provided by the Company.

• Service Provider means any natural or legal person who processes data on behalf of the Company to facilitate the Service, provide the Service on behalf of the Company, perform services related to the Service, or assist in analyzing how the Service is used. For purposes of GDPR, Service Providers are considered Data Processors.

• Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

• You (also referred to as "user") means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service.

2. Data We Collect

2.1 Personal Data

When you use our Service, we may ask you to provide certain personally identifiable information, including but not limited to:

• Email address
• First name and last name
• Phone number
• Date of birth (for age verification)
• Profile information (bio, profile photo, interests)
• Payment information (processed by third-party payment processors; we do not store payment card details)

2.2 Usage Data

Usage Data is collected automatically when using the Service and may include:

• Your device's Internet Protocol (IP) address
• Browser type and version
• Pages of our Service that you visit, time and date of your visit, and time spent on pages
• Unique device identifiers and diagnostic data
• Mobile device type, unique device ID, mobile operating system, and mobile browser type

2.3 Location Data

Therr is a geo-social platform. Location data is central to how the Service works. With your permission, we collect:

• Precise location data — Your GPS coordinates, used to show you nearby content, enable proximity-activated posts, and power location-based features such as geofenced content discovery.
• Approximate location data — Derived from your IP address or network signals, used when precise location is not available.
• Background location data — If you enable background location access, we may collect your location while the app is not in active use, solely to deliver location-triggered notifications and proximity-activated content. You can disable background location access at any time through your device settings.

Location data is used to:

• Display content relevant to your current location
• Activate proximity-based posts and discoveries
• Provide local business and event recommendations
• Enable check-ins and location tagging

You can enable or disable location access at any time through your device settings. Disabling location access will limit your ability to use certain core features of the Service.

2.4 Camera and Photo Library

With your permission, we may access your device's camera and photo library to allow you to create posts, upload profile photos, and share visual content. This data is uploaded to our servers to provide the Service. You can revoke this permission at any time through your device settings.

2.5 Push Notifications

With your consent, we may send push notifications to your device for alerts about nearby content, messages, and Service updates. You can manage notification preferences in your device settings or within the Application.

3. How We Use Your Data

We use your Personal Data for the following purposes:

• To provide and maintain the Service, including monitoring usage, managing your account, and delivering location-based features.
• To manage your Account, including registration, authentication (MFA-verified accounts), and access to Service features.
• To perform contractual obligations, including processing purchases, delivering products or services, and facilitating transactions.
• To contact you via email, push notifications, SMS, or other electronic communication regarding updates, security notices, and information related to the Service.
• To provide marketing communications (with your opt-in consent) about goods, services, and events similar to those you have used or expressed interest in. You may opt out at any time.
• To manage your requests and support inquiries.
• For business transfers, such as evaluating or conducting a merger, acquisition, or asset sale where user data is among the transferred assets.
• For analytics and improvement, including data analysis, identifying usage trends, evaluating promotional campaigns, and improving the Service.
• To ensure safety and security, including fraud detection, content moderation, and enforcement of our Terms and Conditions.

3.1 Lawful Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data under the following lawful bases:

Processing Activity	Lawful Basis
Account creation and management	Performance of a contract (Art. 6(1)(b))
Providing core Service features (location-based content, messaging)	Performance of a contract (Art. 6(1)(b))
Processing payments	Performance of a contract (Art. 6(1)(b))
Analytics and Service improvement	Legitimate interest (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))
Safety, fraud prevention, and security	Legitimate interest (Art. 6(1)(f))
Legal compliance	Legal obligation (Art. 6(1)(c))
Precise location data collection	Consent (Art. 6(1)(a))
Push notifications	Consent (Art. 6(1)(a))

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

4. How We Share Your Data

We may share your information in the following situations:

• With Service Providers: We share data with third-party vendors who help us operate, analyze, and improve the Service (e.g., hosting, analytics, payment processing, customer support). These providers are contractually required to protect your data and use it only for the purposes we specify.
• With other users: When you share content or interact in public areas of the Service, that information may be visible to other users. Your profile information and public posts may be visible based on your privacy settings.
• For business transfers: In connection with a merger, acquisition, financing, or sale of assets, your data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.
• With Affiliates: We may share data with our affiliates, who are required to honor this Privacy Policy.
• With business partners: We may share data with business partners to offer you products, services, or promotions (e.g., local business rewards).
• With your consent: We may disclose your data for any other purpose with your explicit consent.
• For legal reasons: We may disclose data if required by law, court order, or governmental regulation, or to protect the rights, property, or safety of the Company, our users, or the public.

We do not sell your Personal Data. Therr does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

5. Data Retention

We retain your Personal Data only for as long as necessary for the purposes described in this Privacy Policy. Specific retention periods are as follows:

Data Type	Retention Period
Account information (name, email, profile)	Duration of your account, plus 30 days after account deletion request
User-generated content (posts, photos, comments)	Duration of your account, deleted upon account deletion unless required by law
Location data	Up to 12 months for Service features; aggregated/anonymized data may be retained longer for analytics
Usage data and analytics	Up to 26 months
Payment transaction records	7 years (legal/tax compliance)
Support correspondence	Up to 3 years after resolution
Marketing consent records	Duration of consent plus 3 years

After the applicable retention period, data is securely deleted or anonymized. We may retain data for longer periods where required by law or to resolve disputes.

6. International Data Transfers

Your information, including Personal Data, is processed at the Company's operating offices in the United States and may be transferred to and maintained on servers located outside your state, province, country, or other governmental jurisdiction where data protection laws may differ.

If you are located in the EEA, United Kingdom, or Switzerland, we ensure that any transfer of your Personal Data to countries outside the EEA is protected by appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries that have received an adequacy decision from the European Commission
• The EU-U.S. Data Privacy Framework, where applicable

You may request a copy of the applicable safeguards by contacting us at info@therr.com.

7. Data Security

We implement appropriate technical and organizational measures to protect your Personal Data, including encryption in transit (TLS/SSL), encryption at rest, access controls, and regular security assessments. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
• Comply with all applicable U.S. state data breach notification laws

9. Third-Party Services

Our Service uses the following third-party services that may collect and process your data:

9.1 Analytics

• Google Analytics — Web analytics service by Google that tracks and reports website traffic. Google Privacy Policy

• Firebase — Analytics and app development platform by Google. Google Privacy Policy. See also: Safeguarding your data

9.2 Payment Processing

We do not store or collect your payment card details. Payment information is provided directly to our third-party payment processors, who adhere to PCI-DSS standards:

• Apple App Store In-App Payments — Apple Privacy Policy

• Google Play In-App Payments — Google Privacy Policy

• PayPal — PayPal Privacy Policy

• Braintree — Braintree Privacy Policy

9.3 Other Services

• Google Places — Used to provide location information and place data. Google Privacy Policy

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience, analyze usage, and deliver relevant content. Types of cookies we use:

• Essential cookies: Necessary for the website to function properly (e.g., session management, security).
• Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics).
• Preference cookies: Remember your settings and preferences.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect website functionality. For users in the EEA, we obtain consent before placing non-essential cookies.

11. Your Rights Under GDPR

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights:

• Right of access (Art. 15) — Request a copy of the Personal Data we hold about you.
• Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17) — Request deletion of your Personal Data ("right to be forgotten").
• Right to restrict processing (Art. 18) — Request that we limit how we use your data.
• Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV). This right applies to data you provided to us where processing is based on consent or contract performance.
• Right to object (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent (Art. 7) — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — You may file a complaint with your local Data Protection Authority. A list of EEA authorities is available at edpb.europa.eu.

To exercise any of these rights, contact us at info@therr.com. We will respond within 30 days (extendable by 60 days for complex requests, with prior notice).

12. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with the following rights:

12.1 Categories of Personal Information Collected

We may collect the following categories of personal information:

• Identifiers (name, email, IP address, account name) — Collected: Yes
• Personal information per Cal. Civ. Code § 1798.80(e) (name, address, phone number, financial information) — Collected: Yes
• Protected classification characteristics — Collected: No
• Commercial information (purchase history) — Collected: Yes
• Biometric information — Collected: No
• Internet or network activity (browsing history, Service interaction) — Collected: Yes
• Geolocation data (precise and approximate location) — Collected: Yes
• Sensory data (photos, audio) — Collected: Yes (user-uploaded content)
• Professional or employment information — Collected: No
• Education information — Collected: No
• Inferences from personal information — Collected: No
• Sensitive personal information (precise geolocation) — Collected: Yes

12.2 Your CCPA/CPRA Rights

• Right to know — You can request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete — You can request deletion of your personal information, subject to legal exceptions.
• Right to correct — You can request correction of inaccurate personal information.
• Right to opt out of sale/sharing — We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — You may limit our use of sensitive personal information (such as precise geolocation) to purposes necessary to provide the Service.
• Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at info@therr.com. We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days with notice).

13. Do Not Track

Our Service does not currently respond to "Do Not Track" browser signals. However, you can manage tracking preferences through your browser settings and device advertising settings.

14. Children's Privacy

The Service is not intended for children under the age of 13 (or under 16 in the EEA). We do not knowingly collect Personal Data from children under these ages. If we become aware that we have collected Personal Data from a child under the applicable age without verified parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at info@therr.com so we can take appropriate action.

We may limit certain features for users between 13 and 18 years old to provide additional protections in accordance with applicable laws.

15. Account Deletion

You may request deletion of your account and associated Personal Data at any time by:

• Using the account deletion option within the Application (Settings > Account > Delete Account)
• Emailing us at info@therr.com with the subject line "Account Deletion Request"

Upon receiving your request, we will delete your account and Personal Data within 30 days, except for data we are legally required to retain (e.g., payment transaction records for tax compliance). We will confirm deletion via email.

16. Automated Decision-Making

Our Service uses algorithms to determine which content is displayed to you based on your location, interests, and interactions. This algorithmic content curation is driven by proximity and interest relevance, not by profiling for automated decisions that produce legal or similarly significant effects. You are not subject to decisions based solely on automated processing that significantly affect you.

17. Data Processing, Purposes, and Data Deletion (Facebook/Meta Platform Compliance)

In compliance with Meta Platform Terms and Developer Policies:

Data Processing: We collect and process personal data (identity, usage, location, and media data) as described in Sections 2-4 of this Privacy Policy.

Purposes: Data is processed for service provision, contractual obligations, communications, analytics, safety, and improvement as described in Section 3.

Data Deletion: To request deletion of data associated with your use of our Service via Facebook/Meta login:

1. Contact us at info@therr.com with the subject "Facebook Data Deletion Request"
2. Provide the email address associated with your Facebook account
3. We will process your request within 30 days and confirm via email

18. Links to Other Websites

Our Service may contain links to third-party websites or services not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policy of every site you visit.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated Privacy Policy on this page with a new "Last updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice within the Application

We will provide at least 30 days' notice before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

20. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:

• By email: info@therr.com
• By mail: Therr, Inc., 5900 Balcones Drive STE 100, Austin, TX 78731, United States

For GDPR-related inquiries, you may also contact our Data Protection team at info@therr.com.