Reunite - Privacy Policy

1. Definitions and Interpretation

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below:

"Personal Data" or "Personal Information"

Any information relating to an identified or identifiable natural person (data subject), including but not limited to name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

"Sensitive Personal Data" or "Special Categories of Data"

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, data concerning health, sex life, or sexual orientation, and financial information.

"Processing"

Any operation or set of operations performed on personal data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Controller" or "Data Fiduciary"

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Reunite acts as the Data Controller/Fiduciary for personal information collected through our Services.

"Data Processor"

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

"Data Subject" or "Data Principal"

The identified or identifiable natural person to whom personal data relates; the user of our Services.

"Consent"

Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data relating to them.

"Cross-Border Data Transfer"

The transfer of personal data from one jurisdiction to another, subject to specific legal requirements and safeguards.

"Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

"Supervisory Authority" or "Regulatory Authority"

An independent public authority established by a jurisdiction to oversee the application of data protection law and ensure compliance.

2. Data Controller/Fiduciary Information

Reunite acts as the Data Controller (under GDPR), Data Fiduciary (under DPDP Act), or equivalent designation under applicable laws for all personal information processed through our Services.

3. Information We Collect

We collect various categories of personal information to provide, maintain, improve, and protect our Services. The information collected includes:

3.1 Account and Profile Information

• Identification Data: Full legal name, username, date of birth, age, gender, nationality
• Contact Information: Email address, phone number, postal address
• Authentication Data: Password (encrypted), security questions and answers, two-factor authentication credentials
• Profile Details: Profile photograph, bio, language preferences, timezone
• Verification Documents: Government-issued ID (passport, driver's license, national ID card), proof of address, verification selfies

3.2 Missing Person Report Information

• Subject Information: Full name, age, date of birth, gender, physical description (height, weight, eye color, hair color, distinguishing marks), photographs, last known location, date and time last seen, clothing description, medical conditions, mental health status
• Reporter Information: Relationship to missing person, contact details, address
• Case Details: Circumstances of disappearance, police report number, investigating agency details, case status
• Supporting Documentation: Police reports, missing person posters, witness statements

3.3 Communications and Interactions

• Tips and Sightings: User-submitted tips, sighting reports, location information, timestamps, supporting photos/videos
• Messages: In-app messages, customer support communications, emails
• Social Interactions: Comments, shares, likes, follows, user-generated content
• Feedback: Surveys, reviews, ratings, feature requests

3.4 Device and Technical Information

• Device Identifiers: Device type, model, manufacturer, operating system and version, unique device identifiers (UDID, IMEI, Android ID, Advertising ID/IDFA)
• Network Information: IP address, MAC address, mobile network carrier, connection type (Wi-Fi, cellular)
• Browser and App Data: Browser type and version, app version, screen resolution, language settings, installed fonts
• Technical Logs: Access logs, error logs, crash reports, diagnostic data, performance metrics

3.5 Location Information

• Precise Location: GPS coordinates, latitude/longitude (with explicit permission)
• Approximate Location: City, state, country, postal code (derived from IP address)
• Location History: Historical location data associated with reports and sightings

3.6 Usage and Behavioral Data

• App Usage: Features accessed, pages viewed, time spent on pages, navigation paths, search queries
• Engagement Metrics: Session duration, frequency of use, interaction patterns
• Content Preferences: Saved searches, favorites, notification preferences, alert settings
• Analytics Data: User flows, conversion funnels, A/B test participation

3.7 Financial and Transaction Information

• Payment Data: Payment method details (credit/debit card last 4 digits, bank account information), billing address, transaction history
• Reward Information: Reward claims, payout methods, tax identification numbers (if required)
• Note: Full payment card details are processed by PCI-DSS compliant third-party payment processors and are not stored on our servers

3.8 Biometric and Sensitive Information

• Facial Recognition Data: Facial geometry, biometric templates derived from photographs for identification purposes
• Health Information: Medical conditions, disabilities, mental health status (only when relevant to missing person cases)
• Genetic Data: DNA information (only if voluntarily provided for identification purposes)

3.9 Information from Third-Party Sources

• Social Media: Profile information from Facebook, Google, Apple Sign-In (name, email, profile picture)
• Law Enforcement: Official missing person reports, case files, investigation updates
• Public Records: Publicly available missing person databases, news articles, public social media posts
• Third-Party Services: Identity verification services, fraud detection services, analytics providers

3.10 Cookies and Tracking Technologies

• Cookies: Session cookies, persistent cookies, preference cookies
• Pixels and Beacons: Web beacons, tracking pixels in emails
• SDKs and APIs: Third-party software development kits, application programming interfaces
• Local Storage: HTML5 local storage, cache data

4. How We Collect Information

We collect personal information through various methods:

4.1 Direct Collection

Information you voluntarily provide when:

• Creating an account and setting up your profile
• Submitting missing person reports
• Providing tips, sightings, or updates
• Communicating with us via email, phone, chat, or in-app messaging
• Completing surveys or providing feedback
• Participating in promotions, contests, or events
• Verifying your identity
• Requesting customer support

4.2 Automatic Collection

Information automatically collected when you use our Services:

• Device information, IP address, and usage data collected via cookies and similar technologies
• Location data collected through GPS, Wi-Fi, Bluetooth, and cellular triangulation (with permission)
• App analytics and performance monitoring
• Error and crash reports
• Log files and server logs

4.3 Third-Party Sources

Information received from external sources:

• Social media platforms (when you connect your social accounts)
• Law enforcement agencies and government authorities
• Public databases and records
• Identity verification services
• Analytics and advertising partners
• Other users (when they mention or tag you in content)

4.4 Inferred Information

Information we derive from other data:

• Approximate location derived from IP address
• User preferences inferred from behavior patterns
• Risk assessments for fraud prevention
• Device fingerprints for security purposes

5. Purposes of Processing

We process your personal information for the following specific, explicit, and legitimate purposes:

5.1 Service Provision and Core Functionality

• Creating, maintaining, and authenticating user accounts
• Publishing and broadcasting missing person information to maximize reach
• Facilitating tips, sightings, and information sharing
• Sending real-time alerts and notifications based on location and preferences
• Enabling communication between users, families, and authorities
• Matching reported sightings with missing person profiles
• Providing location-based services and alerts

5.2 Safety, Security, and Verification

• Verifying the identity and credibility of users
• Authenticating missing person reports to prevent false reports
• Detecting, preventing, and investigating fraud, abuse, and illegal activities
• Protecting the safety and rights of users, missing persons, and third parties
• Securing our systems and preventing unauthorized access
• Monitoring for suspicious behavior and security threats
• Complying with age verification requirements

5.3 Communication and Customer Support

• Responding to inquiries, requests, and complaints
• Providing technical support and troubleshooting
• Sending service-related announcements and updates
• Notifying you of account activity and case updates
• Conducting user surveys and collecting feedback

5.4 Analytics and Service Improvement

• Analyzing usage patterns to understand user behavior
• Improving app functionality, features, and user experience
• Conducting research and development
• Testing new features and conducting A/B testing
• Measuring app performance and identifying technical issues
• Generating aggregated, anonymized statistical data

5.5 Marketing and Promotional Activities

• Sending promotional communications about new features and services (with consent)
• Personalizing content and recommendations
• Conducting marketing campaigns and measuring effectiveness
• Managing contests, sweepstakes, and promotional events
• Remarketing and retargeting (with consent where required)

5.6 Legal Compliance and Law Enforcement

• Complying with legal obligations, court orders, and regulatory requirements
• Cooperating with law enforcement investigations
• Responding to lawful requests from government authorities
• Establishing, exercising, or defending legal claims
• Maintaining records as required by law
• Reporting to regulatory authorities as mandated

5.7 Financial and Transaction Processing

• Processing payments for premium services (if applicable)
• Distributing rewards to users who assist in locating missing persons
• Preventing payment fraud and chargebacks
• Maintaining financial records and tax compliance

5.8 Public Interest and Vital Interests

• Protecting the life, health, and safety of missing persons (vital interests)
• Assisting in emergency response situations
• Contributing to public safety and crime prevention
• Collaborating with non-profit organizations and NGOs focused on missing persons

6. Legal Basis for Processing

Our processing of your personal data is based on the following legal grounds, as applicable under various jurisdictions:

6.1 Consent (Article 6(1)(a) GDPR and Equivalent)

You have given explicit, informed, and freely given consent for specific processing activities, including:

• Location tracking for real-time alerts
• Processing of sensitive personal data (health information, biometric data)
• Marketing communications
• Cookies and tracking technologies (non-essential)
• Sharing information with third parties for specific purposes

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6.2 Contract Performance (Article 6(1)(b) GDPR)

Processing is necessary to perform our contract with you (Terms of Service), including:

• Creating and managing your account
• Providing core app features and services
• Processing transactions and payments
• Delivering customer support

6.3 Legal Obligation (Article 6(1)(c) GDPR)

Processing is required to comply with legal obligations, such as:

• Cooperating with law enforcement and judicial authorities
• Complying with court orders and legal process
• Meeting tax and financial reporting requirements
• Adhering to data breach notification laws
• Maintaining records as required by applicable laws

6.4 Vital Interests (Article 6(1)(d) GDPR)

Processing is necessary to protect the vital interests of an individual, particularly:

• Protecting the life, health, and safety of missing persons
• Emergency response situations
• Preventing immediate harm or danger

6.5 Public Interest (Article 6(1)(e) GDPR)

Processing is necessary for the performance of a task carried out in the public interest:

• Assisting in locating missing persons
• Contributing to public safety and crime prevention
• Collaborating with authorities on humanitarian efforts

6.6 Legitimate Interests (Article 6(1)(f) GDPR)

Processing is necessary for our legitimate interests or those of a third party, provided they do not override your fundamental rights and freedoms:

• Fraud prevention and security
• Network and information security
• Analytics and service improvement
• Direct marketing (where consent is not required)
• Business operations and administration

Right to Object: You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

6.7 Special Categories of Personal Data

For sensitive personal data (biometric, health, racial/ethnic information), we rely on:

• Explicit Consent: You have provided explicit consent (Article 9(2)(a) GDPR)
• Vital Interests: Processing is necessary to protect vital interests when you are incapable of giving consent (Article 9(2)(c))
• Manifestly Made Public: Data has been manifestly made public by you (Article 9(2)(e))
• Legal Claims: Processing is necessary for the establishment, exercise, or defense of legal claims (Article 9(2)(f))
• Substantial Public Interest: Processing is necessary for reasons of substantial public interest (Article 9(2)(g))

7. Information Sharing and Disclosure

We may share your personal information with the following categories of recipients under specific circumstances:

7.1 Public Sharing (Missing Person Cases)

Nature of Sharing: Missing person reports you submit are publicly shared within the app, on our website, and potentially on social media platforms to maximize visibility and assist in locating missing individuals.

Information Shared: Name, age, physical description, photographs, last known location, date last seen, case details.

Purpose: Increasing public awareness and facilitating community assistance in locating missing persons.

Control: By submitting a report, you explicitly consent to this public sharing. You may request removal or modification by contacting us.

7.2 Law Enforcement and Government Authorities

We cooperate with law enforcement agencies, government authorities, and regulatory bodies:

• When: Required by law, court order, subpoena, or legal process
• When: Requested for missing person investigations
• When: Necessary to protect rights, property, and safety
• When: To prevent or investigate fraud, abuse, or illegal activities
• When: To comply with national security or law enforcement requirements

Information Shared: Any information relevant to the investigation, including account details, communications, location data, and usage logs.

7.3 Service Providers and Business Partners

We engage trusted third-party service providers to perform functions on our behalf:

Categories of Service Providers:

• Cloud Hosting and Storage: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure
• Analytics: Google Analytics, Firebase Analytics, Mixpanel
• Push Notifications: Firebase Cloud Messaging (FCM), Apple Push Notification Service (APNs)
• Payment Processing: Stripe, PayPal, Razorpay (PCI-DSS compliant)
• Email Services: SendGrid, Amazon SES
• SMS Services: Twilio, AWS SNS
• Customer Support: Zendesk, Intercom
• Identity Verification: Onfido, Jumio
• Mapping and Location: Google Maps API, Mapbox
• Crash Reporting: Crashlytics, Sentry
• Content Delivery Network (CDN): Cloudflare, Fastly

Legal Safeguards: All service providers are contractually obligated to:

• Process data only as instructed by us (Data Processing Agreements)
• Implement appropriate technical and organizational security measures
• Maintain confidentiality
• Comply with applicable data protection laws
• Delete or return data upon termination of services

7.4 Business Transfers and Corporate Transactions

In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or other corporate transaction, your personal information may be transferred to the successor entity. We will notify you via email and/or prominent notice within the app before your information is transferred and becomes subject to a different privacy policy.

7.5 Affiliates and Subsidiaries

We may share information with our corporate affiliates, parent companies, and subsidiaries for business operations, analytics, and service improvement, subject to this Privacy Policy.

7.6 Non-Profit Organizations and NGOs

We may share information with verified non-profit organizations and NGOs focused on missing persons, human trafficking prevention, and humanitarian efforts, with appropriate safeguards and consent where required.

7.7 Social Media Platforms

When you choose to share missing person cases on social media (Facebook, Twitter, Instagram, WhatsApp), information is shared according to your social media privacy settings and the respective platform's privacy policy.

7.8 Aggregated and Anonymized Data

We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you with third parties for research, analytics, benchmarking, and reporting purposes. Such data is not considered personal information.

7.9 With Your Consent

We may share your information for purposes not described in this Policy with your explicit consent or at your direction.

7.10 Information We Do NOT Sell

We do not sell your personal information to third parties for monetary consideration. However, under certain privacy laws (e.g., CCPA), "sharing" for targeted advertising purposes may be considered a "sale." We may share certain information (identifiers, usage data) with advertising and analytics partners. You have the right to opt out of such sharing.

8. International Data Transfers

Reunite operates globally, and your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including but not limited to:

• United States (cloud hosting, analytics)
• India (development and operations)
• European Union (EU users' data storage)
• Singapore (Asia-Pacific operations)

These countries may have data protection laws that differ from those in your jurisdiction. We ensure that all international data transfers comply with applicable laws through the following mechanisms:

8.1 Adequacy Decisions

We transfer data to countries recognized by the European Commission (or equivalent authorities) as providing an adequate level of data protection.

8.2 Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we implement Standard Contractual Clauses (SCCs) approved by the European Commission, UK Information Commissioner's Office (ICO), or other competent authorities. SCCs are legally binding contractual commitments between data exporters and importers to protect personal data.

8.3 Binding Corporate Rules (BCRs)

For intra-group transfers, we may rely on Binding Corporate Rules approved by relevant supervisory authorities.

8.4 Consent

Where required, we obtain your explicit consent for data transfers to countries without adequate protection.

8.5 Necessary for Contract Performance

Transfers may be necessary to perform our contract with you or implement pre-contractual measures at your request.

8.6 Necessary for Vital Interests or Public Interest

Transfers may occur to protect vital interests (e.g., life-threatening emergencies) or for reasons of substantial public interest.

8.7 Supplementary Measures

In accordance with the Schrems II decision, we implement supplementary technical and organizational measures for data transfers, including:

• End-to-end encryption
• Pseudonymization and anonymization
• Data minimization
• Access controls and authentication
• Contractual restrictions on government access

8.8 Right to Information

You have the right to obtain information about the safeguards we use for international data transfers. Please contact our DPO at support.reunite@mail.com.

9. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

9.1 Retention Periods by Data Category

We retain personal information only as long as necessary for the purposes outlined in this Privacy Policy or as required by applicable law. Specific retention periods may vary based on:

• The nature and sensitivity of the information
• Legal and regulatory requirements
• Operational needs and service provision
• User requests for deletion (subject to legal exceptions)

General Retention Policy: We typically retain data for the shorter of: (a) the period necessary to fulfill the stated purpose, or (b) as required by applicable law. We reserve the right to modify retention periods as our business needs evolve and legal requirements change.

9.2 Criteria for Determining Retention Periods

• Purpose Fulfillment: Whether the purpose for which data was collected has been achieved
• Legal Requirements: Statutory retention obligations under tax, employment, and commercial laws
• Contractual Obligations: Terms of contracts with users and third parties
• Limitation Periods: Time limits for bringing legal claims (varies by jurisdiction, typically 3-6 years)
• User Requests: Your exercise of deletion rights (subject to legal exceptions)
• Public Interest: Ongoing public interest in missing person cases
• Vital Interests: Potential need to protect life and safety

9.3 Secure Deletion

Upon expiration of retention periods, we securely delete or anonymize personal information using industry-standard methods:

• Secure overwriting of storage media
• Cryptographic erasure (destroying encryption keys)
• Physical destruction of hardware
• Irreversible anonymization and aggregation

9.4 Archived Data

For historical, statistical, or scientific purposes, we may retain anonymized or pseudonymized data beyond standard retention periods, subject to appropriate safeguards and legal compliance.

9.5 Backup Data

Personal information may persist in backup systems for disaster recovery purposes for up to 90 days after deletion from production systems. Backup data is subject to the same security controls and is not used for operational purposes.

10. Security Measures

We implement comprehensive technical, administrative, and physical security measures to protect your personal information against unauthorized access, alteration, disclosure, loss, misuse, or destruction.

10.1 Technical Security Measures

• Encryption:
  • Data in transit: TLS 1.2+ (Transport Layer Security) / SSL encryption for all data transmission
  • Data at rest: AES-256 encryption for database storage
  • End-to-end encryption for sensitive communications
• Access Controls:
  • Role-based access control (RBAC) and principle of least privilege
  • Multi-factor authentication (MFA) for employee access
  • Unique user credentials and strong password policies
  • Regular access reviews and deprovisioning
• Network Security:
  • Firewalls and intrusion detection/prevention systems (IDS/IPS)
  • Virtual Private Networks (VPNs) for remote access
  • Network segmentation and isolation
  • DDoS protection and rate limiting
• Application Security:
  • Secure software development lifecycle (SDLC)
  • Regular security code reviews and penetration testing
  • Input validation and output encoding (protection against injection attacks)
  • Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) protection
  • API security (authentication, rate limiting, monitoring)
• Vulnerability Management:
  • Regular vulnerability assessments and patch management
  • Automated security scanning tools
  • Bug bounty program for responsible disclosure
  • Security incident response plan
• Data Loss Prevention (DLP):
  • Automated backups and disaster recovery procedures
  • Redundant data storage across multiple geographic locations
  • Business continuity planning

10.2 Administrative Security Measures

• Privacy and Security Policies: Comprehensive internal policies and procedures
• Employee Training: Regular mandatory training on data protection, privacy laws, and security best practices
• Background Checks: Pre-employment screening for employees with access to personal data
• Confidentiality Agreements: All employees and contractors sign non-disclosure agreements (NDAs)
• Vendor Management: Due diligence and ongoing monitoring of third-party service providers
• Incident Response Team: Dedicated team for handling security incidents and data breaches
• Privacy Impact Assessments (PIAs): Conducted for new features and processing activities

10.3 Monitoring and Auditing

• 24/7 security monitoring and logging
• Anomaly detection and behavioral analysis
• Regular internal and external security audits
• Compliance audits (GDPR, ISO 27001, SOC 2)
• Continuous improvement based on threat intelligence

10.4 Certifications and Compliance

We are committed to implementing appropriate security measures and compliance frameworks as our business grows. We may pursue relevant certifications and compliance standards including:

• ISO/IEC 27001 (Information Security Management)
• SOC 2 Type II (Service Organization Control)
• PCI-DSS compliance (via certified payment processors)
• GDPR, CCPA, and other applicable privacy law compliance

Note: Specific certifications may be obtained as our service scales and business requirements evolve.

10.5 Limitations of Security

Important Notice: While we implement reasonable security measures appropriate for a service of our size and nature, no system is 100% secure. Internet transmission and electronic storage carry inherent risks, and we cannot guarantee absolute security. By using our Services, you acknowledge and accept these inherent risks. We disclaim any liability for security breaches beyond our reasonable control, including but not limited to acts of third parties, natural disasters, or system failures.

10.6 Your Security Responsibilities

You play a critical role in protecting your personal information:

• Use a strong, unique password for your Reunite account
• Enable two-factor authentication (2FA) if available
• Keep your login credentials confidential; never share your password
• Log out after using shared or public devices
• Keep your devices and apps updated with the latest security patches
• Be cautious of phishing attempts; verify the authenticity of communications
• Report suspicious activity or unauthorized access immediately to support.reunite@mail.com

11. Your Rights and How to Exercise Them

Depending on your jurisdiction, you have comprehensive rights regarding your personal information. We respect and facilitate the exercise of these rights.

11.1 Right to Access (Right to Know)

What it means: You have the right to request confirmation of whether we process your personal data and obtain a copy of your personal information.

Information you can request:

• Categories of personal data we collect
• Specific pieces of personal data we hold about you
• Sources from which data was collected
• Purposes of processing
• Recipients or categories of recipients
• Retention periods
• Your rights and how to exercise them

How to exercise: Submit a request via email to support.reunite@mail.com with subject line "Data Access Request"

Response time: 30 days (may be extended by 60 days for complex requests)

Cost: Free for the first request in a 12-month period; subsequent requests may incur a reasonable fee

11.2 Right to Rectification (Correction)

What it means: You have the right to request correction of inaccurate or incomplete personal data.

How to exercise: Update information directly in your account settings or contact support.reunite@mail.com

Our obligation: We will correct verified inaccuracies and notify third parties to whom data was disclosed (where feasible)

11.3 Right to Erasure (Right to be Forgotten / Deletion)

What it means: You have the right to request deletion of your personal data under certain circumstances.

When you can request deletion:

• Data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Deletion is required to comply with a legal obligation

Exceptions (we may retain data when):

• Required to comply with legal obligations
• Necessary for the establishment, exercise, or defense of legal claims
• Required for public interest or archiving purposes
• Necessary to protect vital interests
• Related to active missing person investigations

How to request account deletion: Send an email to support.reunite@mail.com with subject line "Account Deletion Request" and include:

• Your full name
• Registered email address
• Phone number
• Reason for deletion (optional)

What happens: We will verify your identity and delete your account and associated personal data within 30 days, except for data subject to legal retention requirements.

11.4 Right to Data Portability

What it means: You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Applies to: Data you provided to us and processed based on consent or contract

How to exercise: Contact support.reunite@mail.com with subject "Data Portability Request"

Format: We will provide data in JSON or CSV format

11.5 Right to Object

What it means: You have the right to object to processing of your personal data in certain circumstances.

Processing based on legitimate interests: You may object at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Direct marketing: You have an absolute right to object to processing for direct marketing purposes. We will cease immediately upon receipt of objection.

Profiling and automated decisions: You may object to automated decision-making and profiling (see Section 16)

11.6 Right to Restriction of Processing

What it means: You have the right to request that we limit how we use your data in specific situations:

• You contest the accuracy of data (restriction during verification)
• Processing is unlawful, but you oppose erasure
• We no longer need data, but you need it for legal claims
• You object to processing (restriction pending verification of legitimate grounds)

Effect: We will store restricted data but not process it further without your consent (except for legal claims, protection of rights, or public interest)

11.7 Right to Withdraw Consent

What it means: Where processing is based on consent, you have the right to withdraw consent at any time.

How to exercise: Adjust settings in the app or contact support.reunite@mail.com

Effect: Withdrawal does not affect the lawfulness of processing prior to withdrawal. We may continue processing if another legal basis applies.

11.8 Right Not to be Subject to Automated Decision-Making

What it means: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

Exceptions: Automated decisions may be made if necessary for contract performance, authorized by law, or based on explicit consent.

Your rights: Request human intervention, express your point of view, contest the decision

11.9 Right to Lodge a Complaint

What it means: You have the right to lodge a complaint with a supervisory authority (data protection authority) in your jurisdiction.

When: If you believe your data protection rights have been violated

Where: In the EU member state of your habitual residence, place of work, or place of alleged infringement (see Section 22 for authority contacts)

11.10 Right to Non-Discrimination

What it means: You have the right to non-discriminatory treatment for exercising your privacy rights.

We will not:

• Deny goods or services
• Charge different prices or rates
• Provide a different level or quality of service
• Suggest you will receive different pricing or services

Exception: We may offer financial incentives or different prices/services if reasonably related to the value of your data

11.11 Verification Process

To protect your privacy and security, we verify your identity before processing rights requests:

• For account holders: Login to your account to verify identity
• For non-account holders or high-risk requests: Provide government-issued ID, answer security questions, or complete a verification challenge
• For authorized agents: Provide written authorization or power of attorney

11.12 Response Times and Fees

• Response time: We will respond to valid requests within timeframes required by applicable law, typically within 30-45 days (may extend as permitted by law for complex requests)
• Verification: We reserve the right to verify your identity and the validity of requests before processing
• Fees: We may charge reasonable fees for excessive, repetitive, or manifestly unfounded requests as permitted by law
• Limitations: We may decline requests that are technically infeasible, would compromise others' privacy, or are not required by applicable law
• Legal exceptions: Certain rights may be limited by legal obligations, legitimate interests, or technical constraints

Important: The availability and scope of these rights may vary depending on your jurisdiction and applicable laws. We will comply with rights as required by the laws that apply to our processing of your information.

12. Children's Privacy

Age Restrictions: Our Services are not intended for children under the age of:

• 13 years (United States - COPPA)
• 16 years (European Union/EEA - GDPR)
• The minimum age required by law in your jurisdiction

We do not knowingly collect, use, or share personal information from children below these age thresholds without verifiable parental consent.

If you are a parent/guardian: If you believe your child has provided personal information to us without consent, contact us immediately at support.reunite@mail.com with subject "Child Privacy Concern" and we will promptly investigate and delete such information.

Parental Rights: Parents may request access, correction, or deletion of their child's information.

13. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, SDKs, and similar tracking technologies to enhance your experience, analyze usage, and provide personalized content.

Types of Cookies

• Strictly Necessary: Essential for app functionality (session management, security)
• Functional: Remember your preferences and settings
• Analytics: Help us understand usage patterns (Google Analytics, Firebase Analytics)
• Advertising: Deliver relevant ads (currently not used; will notify if implemented)

Your Choices: Manage cookie preferences through device settings or browser settings. Disabling cookies may limit app functionality.

Do Not Track: We respond to Do Not Track (DNT) signals by not tracking users who enable DNT.

14. Data Breach Notification

In the unlikely event of a data breach that may affect your personal information, we will take appropriate steps to investigate and respond to the incident. Our response may include:

• Investigation: Promptly assess the nature and scope of the incident
• Containment: Take reasonable steps to contain and remediate the breach
• Notification: Notify affected users and relevant authorities as required by applicable law and within timeframes specified by law
• Information provided: Share relevant information about the incident as appropriate and legally required

Notification methods: We may notify you via email, in-app notification, or website notice, depending on the circumstances and legal requirements.

Disclaimer: Our notification obligations are limited to what is required by applicable law. We reserve the right to determine the appropriate response based on the specific circumstances of any incident.

15. Complaints and Grievances

If you have concerns about our privacy practices, we encourage you to contact us first so we can address your concerns:

1. Contact us directly: support.reunite@mail.com
2. Regulatory authorities: You may also have the right to lodge a complaint with applicable data protection authorities in your jurisdiction, subject to their procedures and requirements

Resolution Process: We will make reasonable efforts to address valid privacy concerns. However, our ability to resolve complaints may be limited by technical, legal, or business constraints. Any resolution is subject to applicable law and our Terms of Service.

No Guarantee: While we strive to address concerns, we cannot guarantee specific outcomes or remedies beyond what is required by applicable law.

16. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or business operations.

How we notify you of changes:

• Update the "Last Updated" date at the top of this Policy
• Post the updated Policy on our website and in our app
• For material changes, we may provide additional notice via email or in-app notification

Effective date: Changes become effective immediately upon posting unless otherwise specified. Your continued use of our Services after changes are posted constitutes acceptance of the updated Policy.

Review responsibility: It is your responsibility to review this Policy periodically. We encourage you to check for updates regularly.

Material changes: What constitutes a "material change" is determined at our sole discretion. We will provide notice of material changes as required by applicable law.

17. Contact Information