Privacy Policy

Full transparency on every byte. Thinko is built with privacy-first architecture — here's exactly what we collect, why, and your complete rights under global law.

Last Updated: May 30, 2026

Controller: AroraLabs, contact@aroralabs.org

01

Definitions and Interpretive Framework

Plain English: This section defines the key words used throughout this policy so everything stays unambiguous. "Personal Data" means any info that can identify you. "Processing" means anything we do with that info — storing it, reading it, deleting it. "Data Controller" is us (AroraLabs). "Data Processor" is a company we use to handle data on our behalf (like Google Firebase).

  • "Personal Data" — any information relating to an identified or identifiable natural person ("Data Subject"), including identifiers, online identifiers, location data, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • "Processing" — any operation or set of operations performed on Personal Data, whether or not by automated means, including: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Controller" — AroraLabs, the natural or legal person that determines the purposes and means of Processing of Personal Data.
  • "Data Processor" — any natural or legal person that Processes Personal Data on behalf of the Data Controller, including Google LLC (Firebase), Anthropic PBC, and associated infrastructure providers.
  • "Application" — the Thinko mobile software application, including all versions, updates, features, and ancillary services.
  • "User" — any individual who installs, accesses, or uses the Application, including registered users, guest users, and unauthenticated visitors.

02

Data Controller Identity and Contact Information

Plain English: AroraLabs is the company responsible for your data. If you have any questions or want to exercise your privacy rights, email us at contact@aroralabs.org — we'll get back to you within 30 days.

AroraLabs ("we", "us", "our") is the Data Controller responsible for your Personal Data collected and Processed through the Application.

We endeavour to respond to all substantive privacy enquiries within 30 calendar days of receipt. Where a request is complex or involves a high volume of data, we may extend this period by a further 60 days, subject to providing notification within the initial 30-day period.

03

Categories of Personal Data Collected

Plain English: Here's everything Thinko collects about you, grouped by type. We only collect what's genuinely needed to run the app. We do not collect your precise location, contacts, camera, microphone, or any health data.

3.1 — Identity and Authentication Data

The Application supports multiple sign-in methods. The following data is received depending on the method chosen:

Google Sign-In: Full legal name or display name, primary email address, profile photograph URL, and unique Google account identifier. Transmitted pursuant to OAuth 2.0 authorisation flows and subject to Google's own privacy documentation.

Sign In with Apple: Name (provided on first sign-in only — Apple does not re-transmit on subsequent sign-ins), email address or an Apple-generated private relay address, and a unique Apple account identifier. Authentication is verified using a SHA-256 nonce via the Sign In with Apple framework.

Email and Password: When registering with an email address and password, we collect your email address, first name, last name, and a chosen public username. Your password is never stored or visible to AroraLabs — it is processed exclusively by Firebase Authentication, which stores only a secure cryptographic hash (bcrypt). We cannot retrieve, view, or recover your password under any circumstances.

Profile Photo (Email and Password users): To personalise your experience, we derive a one-way cryptographic hash (MD5) of your email address and transmit it to the Gravatar service operated by Automattic Inc. solely to check whether you have an associated public profile photograph. The email address itself is never transmitted — only the irreversible hash. If a photograph is found, the URL is stored exclusively on your device in local application preferences; it is not uploaded to or stored on AroraLabs servers. If no photograph is found, nothing is stored. Gravatar queries are performed using HTTPS and are governed by Automattic's own privacy documentation.

Username: Users registering via email choose a unique public username (minimum 6 characters, letters, numbers and underscores only). Usernames are stored in lowercase in our database, are visible to you within the Application, and serve as a unique account identifier. Usernames are checked for availability in real time against our database prior to account creation. If you change your username, your previous username is released and may be claimed by another user.

3.2 — Cognitive Performance and Gameplay Data

The Application records detailed cognitive performance data, including:

  • Individual game scores and completion times
  • Personal best scores per cognitive task
  • Session-level composite brain scores (calculated via proprietary algorithm)
  • Daily challenge participation and outcomes
  • Quiz performance metrics (accuracy, language selection, difficulty tier, response latency per item)
  • Longitudinal streak data and daily session history
  • Individual quiz session records — including topic, questions answered, score, duration, and estimated API cost — stored in your account and accessible to Thinko's internal analytics tools for product improvement purposes. This data is not shared with third parties.

3.3 — Behavioural and Interaction Analytics

Subject to applicable law and your consent where required, we collect anonymised or pseudonymised behavioural telemetry via Firebase Analytics, including:

  • Screen view events and navigation flow data
  • Feature engagement patterns and session duration metrics
  • In-app event data (game starts, completions, subscription interactions)
  • Device characteristics (OS version, hardware model, screen resolution tier)
  • Application version identifiers
  • Country and country code inferred from your device locale at launch and cross-referenced with a server-side IP geolocation lookup (using your public IP address at login time). Both signals are stored in your account to provide localised pricing and aggregate usage analytics. This is not precise location data (no GPS or fine location is accessed) and is not used for tracking.

3.4 — Notification Infrastructure Data

Where you grant notification permissions, Firebase Cloud Messaging generates and stores a device-specific registration token ("FCM Token"). This token facilitates push notification delivery; while the token itself does not contain Personal Data, it is correlated with your account identifier and used to deliver targeted push notifications, including operationally important messages such as subscription updates and the engagement reminders described in Section 3.7. You may revoke notification permissions at any time in your device settings.

3.5 — Guest User Data

Guest Users are not required to provide a name or email address. However, when a User selects "Continue as Guest", the Application creates an anonymous account via Firebase Authentication, assigning a randomly generated identifier to enable data sync and crash reporting. This anonymous identifier is stored on Firebase servers. If a Guest User later signs in with Google or Apple, their anonymous account is merged into their authenticated account and the guest record is deleted. Anonymous analytics events may still be collected per Section 3.3.

3.6 — Purchase and Subscription Data

Where you purchase a subscription or game pack via the App Store or Google Play, we store your subscription tier, product identifier, subscription status, and transaction identifiers in your account record. Payment processing is handled entirely by Apple or Google — we do not receive or store payment card details.

Transaction verification. When you make a purchase, restore an existing purchase, or cancel a subscription, our backend verifies the transaction with the originating app store (Apple or Google) and records the verified status. We may also process automated subscription notifications received from the app stores about renewals, refunds, and cancellations to keep your subscription state accurate.

3.7 — Engagement Reminder Notifications

Where you grant notification permissions, the Application delivers engagement reminders — for example, your daily quiz reminder, a streak-at-risk poke, or a comeback nudge after a period of inactivity — via Firebase Cloud Messaging from our backend. To deliver these at the right time in your local timezone, the Application synchronises a small set of notification preferences to your user record: your IANA timezone identifier, your preferred hour and minute for the daily reminder, and whether you have reminders enabled. The Application also mirrors your current streak count and the timestamp of your last play so the backend scheduler can decide whether a streak-at-risk push is warranted on a given day.

We retain a per-user delivery log for up to 90 days, recording for each notification: the template identifier, the rendered title and body, the count of devices the push was sent to, the count of successful and failed deliveries reported by Firebase Cloud Messaging, any error codes returned, and the timestamp. This log is used solely for diagnostic and operational purposes and is not shared with any third party.

3.8 — Device-Integrity and Anti-Abuse Signals

To prevent fraud, abuse, and unauthorised access, the Application and our backend collect a small set of device-integrity signals derived from platform-provided APIs. These signals confirm that the running build is a genuine, store-installed copy of the Application on a real device, and are used solely for abuse prevention and security. We also store a per-install anonymous identifier and a per-session device identifier used to enforce one active session per account (see Section 3.9) and to detect compromised or duplicate sessions. These identifiers do not include the contents of your messages, quizzes, or personal communications, and are not used for advertising or profiling.

3.9 — Single-Session Enforcement Data

To protect your account, the Application allows only one active session per account at any time. To enforce this, we store a randomly generated per-install device identifier in your account record and compare it against the device currently signing in. Signing in on a new device will cause the previous device to be signed out. The device identifier is local to the install and is cleared automatically when the Application is uninstalled.

3.10 — Service and Operational Emails

From time to time we may email you about operational matters that affect your use of the Application — for example, a required app update, a security advisory, a hiccup with your subscription, an account-recovery confirmation, or the occasional honest "we shipped a bug, please update the app". These are transactional service messages, not marketing. They come from an @aroralabs.org address. You cannot unsubscribe from them while you have an active account — they are how we keep the service working for you — but they are sent sparingly and only when it actually matters. To stop receiving them entirely, you can delete your account at any time.

04

Legal Bases for Processing

Plain English: Under GDPR we need a legal reason to use your data. The main ones are: (1) it's necessary to run the service you signed up for, (2) we have a legitimate business interest (like preventing fraud), (3) you gave us permission (like allowing push notifications), or (4) the law requires it.

4.1 — Performance of Contract (Art. 6(1)(b) GDPR)

Processing is necessary to perform the service agreement constituted by your acceptance of our Terms of Service, including providing account functionality, synchronising game data across devices, and delivering core Application features.

4.2 — Legitimate Interests (Art. 6(1)(f) GDPR)

We Process certain data on the basis of our legitimate interests in operating, maintaining, securing, and improving the Application — provided such interests are not overridden by your fundamental rights and freedoms. This includes fraud prevention, security monitoring, analytics for product improvement, and system stability.

4.3 — Consent (Art. 6(1)(a) GDPR)

Where Processing is not justified under the above bases, we rely on your freely given, specific, informed, and unambiguous consent. This applies to:

  • Push notification delivery
  • Certain advanced analytics features
  • Marketing communications where applicable

You retain the right to withdraw consent at any time without detriment.

4.4 — Legal Obligation (Art. 6(1)(c) GDPR)

We may Process Personal Data to comply with applicable legal obligations, including in response to lawful demands from governmental or regulatory authorities with competent jurisdiction.

05

Third-Party Data Processors and Sub-Processors

Plain English: These are the companies that handle data on our behalf to make Thinko work. We don't sell your data to any of them — they only process it to deliver specific features (e.g. Google runs our database and push notifications; Anthropic generates quiz questions). None of them receive more data than strictly necessary.

Google LLC — Firebase Platform (United States)

  • Firebase Authentication — Manages credential verification for Google Sign-In, Sign In with Apple, and Email & Password flows, including anonymous authentication for Guest Users. Passwords are stored as secure cryptographic hashes and are never accessible to AroraLabs
  • Firebase Crashlytics — Crash reporting and stability diagnostics. Data includes device model, OS version, app version, and stack traces. No Personal Data is intentionally included in crash reports
  • Firebase Cloud Firestore — Encrypted NoSQL document storage with per-user data isolation via server-side security rules
  • Firebase Analytics — Aggregated behavioural telemetry, subject to data minimisation by default
  • Firebase Cloud Messaging — Push notification infrastructure

Anthropic PBC (United States)

Quiz question generation is performed via the Anthropic Claude API, accessed through a Firebase Cloud Function server-side proxy. Data transmitted to Anthropic comprises only:

  • Quiz topic and language selection
  • Difficulty parameters and formatting instructions

No Personal Data, account identifiers, or gameplay statistics are transmitted. Anthropic's usage policies prohibit use of API inputs for model training.

Open Trivia Database (opentdb.com) — Quiz Fallback

When primary AI quiz generation is unavailable, the Application retrieves general-knowledge questions via anonymous HTTP queries containing only topic category and difficulty level. No Personal Data is transmitted. No cookies or session identifiers are used.

Wikimedia Foundation — Wikipedia REST API

The Application retrieves random Wikipedia article summaries for the "Discover" section. Requests contain a standard User-Agent header identifying the Application. No Personal Data is transmitted. Content is licensed under Creative Commons Attribution-ShareAlike.

Numbers API (numbersapi.com)

Retrieves daily number and date trivia facts via anonymous requests containing no Personal Data.

Quotable.io / ZenQuotes — Daily Motivational Quotes

Retrieves daily motivational quotes via anonymous requests containing no Personal Data. Quotes are cached locally for 24 hours to minimise network requests.

Automattic Inc. — Gravatar (United States)

For Email and Password authenticated users, the Application transmits an MD5 hash of your normalised email address to gravatar.com via HTTPS to check for an associated public profile photograph. The hash is a one-way function — your email address cannot be reconstructed from it. No Personal Data beyond the hash is transmitted. If a photograph exists, only the photograph URL (not the image file itself) is cached locally on your device. No Gravatar data is stored on AroraLabs servers. Automattic's processing is governed by its own privacy policy at automattic.com/privacy.

Google LLC — Google AdMob (United States)

Free-tier users are shown advertisements served by Google AdMob. AdMob may use the advertising identifier (IDFA on iOS, GAID on Android) for ad personalisation, subject to your App Tracking Transparency consent (iOS) and device advertising settings (Android). Paid subscribers do not receive AdMob advertisements.

Apple Inc. — iOS Distribution & Sign In with Apple (United States)

Distribution via the Apple App Store and the Sign In with Apple authentication framework are subject to Apple's standard developer agreements. Apple may collect certain device and transactional data pursuant to its own privacy policy.

Google LLC — Google Play Distribution

Distribution via Google Play Store is subject to applicable Google Play developer policies. Google may independently collect device and installation data.

We do not sell, license, rent, or otherwise commercially transfer Personal Data to any third party for independent marketing or advertising purposes.

06

International Data Transfers

Plain English: Because we use services like Firebase (Google, USA) and Anthropic (USA), your data may be stored on servers outside your home country. We make sure appropriate legal protections are in place — such as EU Standard Contractual Clauses — before doing so.

Given the geographic distribution of our sub-processors, Personal Data may be transferred to, stored in, and Processed in jurisdictions outside your country of residence, including the United States of America, where data protection laws may differ from those in your jurisdiction.

Where transfers occur to countries not recognised as providing an adequate level of protection, we implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA-originating transfers)
  • Google's participation in applicable cross-border data transfer frameworks for Firebase services

By using the Application, you acknowledge the international nature of our operations and the associated data transfers described herein.

07

Data Retention and Deletion

Plain English: We keep your data for as long as your account is active. When you delete your account, your personal data is removed within 30 days. We keep an anonymised backup for up to 90 days in case you change your mind, then it's gone permanently. Analytics data (which doesn't identify you personally) is kept for up to 26 months.

7.1 — Authenticated User Data

Personal Data associated with authenticated accounts is retained for the duration of the active account relationship and for 90 days following account deletion, to facilitate account recovery and satisfy residual legal obligations.

7.2 — Analytics Data

Behavioural analytics data is retained in aggregated or pseudonymised form for a maximum of 26 months from the date of collection, consistent with Firebase Analytics default retention parameters.

7.3 — Guest User Data

Guest Users are assigned an anonymous Firebase Authentication identifier which is stored server-side (see Section 3.5). If a Guest User uninstalls the app without upgrading to a full account, their anonymous account data will be automatically purged by Firebase after 180 days of inactivity. Local device data (preferences, cached scores) is removed upon uninstallation.

7.4 — Account Deletion

To request deletion of your account and all associated Personal Data:

  1. Use the account deletion function in the Application's Profile section, or
  2. Contact us at contact@aroralabs.org

Upon verification, we will initiate deletion procedures within 30 days, subject to legal retention obligations.

08

Security Architecture and Technical Safeguards

Plain English: Your data is encrypted both when it travels over the internet (TLS) and when it's stored (AES-256). Only you can access your own data — our security rules prevent any other user from seeing it. If there's ever a breach that puts your data at risk, we'll notify you within 72 hours.

8.1 — Data in Transit

All communications between the Application and backend infrastructure are encrypted via Transport Layer Security (TLS) version 1.2 or higher.

8.2 — Data at Rest

Personal Data stored in Firebase Cloud Firestore is encrypted at rest using AES-256 encryption, consistent with Google's infrastructure security standards. On-device data is stored using platform-native encrypted shared preferences.

8.3 — Access Controls and Operator Actions

Firestore Security Rules enforce strict per-user data isolation — authenticated users can only access their own Personal Data. Administrative access is restricted on a least-privilege basis and requires multi-factor authentication.

Our operations team may, from time to time, make limited account-state adjustments (for example, resolving a payment dispute, restoring access after an erroneous revocation, applying compensatory access, or actioning a support ticket). All such adjustments are recorded with an immutable timestamp, the identity of the actioning operator, and the prior and new state. Users may request a copy of any operator-initiated action on their account by writing to contact@aroralabs.org.

8.4 — Incident Response

In the event of a Personal Data breach presenting risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, where technically feasible and legally required.

No information security framework can guarantee absolute protection against all threats. We cannot warrant the absolute security of any transmission or storage.

09

Your Rights as a Data Subject

Plain English: You have real, enforceable rights over your data. You can ask us what we have, correct it, delete it, get a copy of it, or ask us to stop using it — just email contact@aroralabs.org. We'll respond within the timeframe required by law (typically 30 days).

Right of Access (Art. 15)

Request a copy of all Personal Data we hold about you, including purposes, categories, and retention periods.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete Personal Data without undue delay.

Right to Erasure (Art. 17)

"Right to be Forgotten" — request deletion where data is no longer necessary or Processing is unlawful.

Data Portability (Art. 20)

Receive your data in a structured, machine-readable format and request transfer to another controller.

Right to Restriction (Art. 18)

Request restricted Processing in specified circumstances, including while accuracy is contested.

Right to Object (Art. 21)

Object to Processing based on legitimate interests on grounds relating to your particular situation.

Automated Decision-Making: The Application does not subject Users to solely automated decision-making producing legal or similarly significant effects without human review.

To exercise any right, submit a written request to contact@aroralabs.org. We will respond within the statutory timeframe applicable in your jurisdiction.

10

GDPR — Specific Provisions for EEA and UK Residents

Plain English: If you're in the EU or UK, you have additional protections under GDPR. You can file a complaint with your local data protection authority (e.g. the ICO in the UK, or your national equivalent) if you think we've mishandled your data.

10.1 — Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority in your member state (e.g., the UK ICO, the Irish DPC, or your national equivalent) if you consider that our Processing infringes applicable data protection law.

10.2 — Data Protection Officer

Given the scale and nature of our Processing activities, we are not currently required to designate a Data Protection Officer (DPO). Privacy enquiries should be directed to contact@aroralabs.org.

10.3 — Legal Basis Transparency

In accordance with Article 13 GDPR, all lawful bases for Processing are set forth in Section 4 of this Policy. Supplementary information is available upon written request.

11

CCPA — Specific Provisions for California Residents

Plain English: If you're in California, you have the right to know what data we have, delete it, correct it, and opt out of any sale of your data. We do not sell your data — full stop. Email us with subject "CCPA Request" to exercise any of these rights.

11.1 — Right to Know

You have the right to request disclosure of:

  1. The categories and specific pieces of Personal Information collected
  2. The categories of sources from which Personal Information is collected
  3. The business or commercial purpose for collecting Personal Information
  4. The categories of third parties with whom Personal Information is disclosed

11.2 — Right to Delete

You have the right to request deletion of Personal Information collected from you, subject to certain exceptions under Cal. Civ. Code § 1798.105.

11.3 — Right to Correct

You have the right to request correction of inaccurate Personal Information maintained about you.

11.4 — Non-Discrimination

We shall not discriminate against you for exercising any CCPA rights, including by denying services, charging different prices, or providing a different quality of service.

We do not sell Personal Information as defined under Cal. Civ. Code § 1798.140(t)(1), nor do we share Personal Information for cross-context behavioural advertising purposes. We have not sold or shared Personal Information within the preceding 12 months.

To submit a verifiable consumer request, contact contact@aroralabs.org with the subject line "CCPA Request".

12

Children's Privacy and COPPA Compliance

Plain English: Thinko is not for children under 13 (or under 16 in the EU). We don't knowingly collect data from children. If you're a parent and believe your child has created an account, email us and we'll delete it promptly. Kids can still play in Guest Mode without creating an account.

The Application is not directed to children under:

  • 13 years in the United States (COPPA)
  • 16 years in the European Economic Area (Article 8 GDPR)

We do not knowingly solicit, collect, or Process Personal Data from children within the above age thresholds. The Google Sign-In pathway requires users to affirm compliance with Google's minimum age requirements as a prerequisite to account creation.

If you are a parent or legal guardian and believe your minor child has provided Personal Data to us without appropriate parental consent, contact us immediately at contact@aroralabs.org. We will take all commercially reasonable steps to promptly delete the relevant Personal Data.

Minors below applicable age thresholds may experience the cognitive training content of the Application in Guest Mode, which does not involve collection of Personal Data.

13

Cookies, Tracking Technologies, and Analytics Opt-Out

Plain English: Thinko is a native mobile app — it doesn't use browser cookies. However, your device may have an advertising ID (similar to a cookie) that Firebase Analytics uses to understand how the app is used. You can reset or delete this ID in your device settings, or contact us to opt out of analytics entirely.

The native mobile Application does not employ cookies in the traditional browser-based sense. However, certain functionally analogous tracking mechanisms are utilised:

13.1 — Advertising Identifier (IDFA / GAID)

Firebase Analytics may utilise platform advertising identifiers for analytics attribution. To disable:

  • Android: Device Settings → Google → Ads → Reset advertising ID / Delete advertising ID
  • iOS 14+: Device Settings → Privacy & Security → Tracking → disable "Allow Apps to Request to Track"

13.2 — Firebase Analytics Opt-Out

To opt out of Firebase Analytics data collection, contact us at contact@aroralabs.org to request programmatic opt-out, or reset and delete your advertising identifier via your device settings (see Section 13.1 above).

13.3 — Instance ID

Firebase assigns an Instance ID to each Application installation for service-delivery purposes (messaging, crash reporting). This identifier is reset upon reinstallation and does not constitute persistent cross-application tracking.

13.4 — Device-Integrity and Anti-Abuse Identifiers

For fraud prevention, the Application generates anonymous identifiers used solely to confirm app authenticity and to enforce one active session per account (see Sections 3.8 and 3.9). These identifiers are not used for advertising or cross-application tracking and are cleared on reinstallation.

14

Third-Party Links and Embedded Content

Plain English: If the app links to an external website (like a support page or social media), that site has its own privacy rules — this policy doesn't cover them. We recommend checking their privacy policy before sharing any personal information with them.

The Application may contain hyperlinks to third-party websites, external support portals, or social media platforms. This Privacy Policy does not govern the data practices of any third-party resource to which we link. We expressly disclaim any responsibility for the privacy practices, security measures, or content of such third-party resources.

We strongly encourage you to review the applicable privacy policy of any third-party service prior to providing Personal Data thereto.

15

Modifications to This Privacy Policy

Plain English: We may update this policy when the app changes or the law changes. If it's a significant update (like collecting a new type of data), we'll tell you in the app or by email. Minor updates (like fixing typos) won't need a notification. The "Last Updated" date at the top always shows the latest revision.

We reserve the right to amend, update, or revise this Privacy Policy at any time in our sole discretion, including in response to changes in applicable law, technological developments, or modifications to our data Processing activities.

Material changes — defined as modifications that substantively alter the categories of data collected, the purposes of Processing, or your rights — will be communicated via:

  • In-application notification
  • Email to authenticated users, where technically feasible

The "Last Updated" date at the head of this Policy reflects the most recent revision. Continued use of the Application following the effective date of any modification constitutes acceptance of the revised Policy.

We maintain a version history of this Policy; prior versions are available upon written request to contact@aroralabs.org.

16

Governing Law and Dispute Resolution

Plain English: This policy is governed by whichever privacy laws apply to you based on where you live — GDPR (EU/UK), CCPA (California), Australian Privacy Act, or others. If you have a dispute, please contact us first and we'll try to resolve it directly before anything formal is needed.

This Privacy Policy shall be governed by applicable international data protection law, including:

  • EU General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA / CPRA)
  • Australian Privacy Act 1988
  • All other applicable regional data protection statutes

Nothing herein limits your right to pursue remedies before the competent data protection supervisory authority in your jurisdiction of residence.

Prior to initiating formal dispute resolution proceedings, we encourage you to contact us at contact@aroralabs.org to seek an amicable resolution.

17

Contact Information and Data Subject Requests

Plain English: Want to access, correct, or delete your data? Just email us at contact@aroralabs.org. Include your name and what you'd like us to do. We'll reply within 30 days.

All privacy-related enquiries, data subject access requests, complaints, and correspondence should be directed to:

Please include in your correspondence:

  1. Your full name (for account verification)
  2. The nature of your request or enquiry
  3. Your preferred contact method for our response
  4. Where relevant, the specific Personal Data or Processing activity to which your request pertains

We are committed to responding to all substantive privacy enquiries within the timeframes prescribed by applicable data protection law, and in no case later than 30 calendar days from the date of receipt of a verifiable request.