Privacy Policy — Scorella
Last updated: 2026-05-06
Effective date: 2026-05-06
⚠️ Template notice. This document was drafted by the engineering team
as a starting point that reflects the data flows actually implemented in
the Scorella backend and mobile app. It is not legal advice. Before
publishing, have a privacy lawyer review it against the laws of every
jurisdiction you intend to operate in (in particular the EU GDPR, UK GDPR,
California CCPA/CPRA, Saudi PDPL, and the UAE PDPL).
This Privacy Policy explains how Scorella ("we", "us", "the App") collects, uses, shares, and protects information when you use the Scorella mobile application and related services.
1. Who we are
Scorella is operated by Ahmed Tolbh (the "Operator"). You can contact us at [email protected] for any privacy-related questions, requests, or complaints.
2. Information we collect
2.1 Information you provide
- Account information: email address, username, password (stored as a
bcrypt hash — we never see or store your plaintext password), date of birth, profile bio, profile photo.
- Authentication identifiers: Google ID or Apple ID if you sign in with
those providers.
- Content you create: videos you upload, video titles and descriptions,
comments, likes, follows, direct messages, account blocks, and reports.
- Support correspondence: anything you send us by email.
2.2 Information collected automatically
- Device push token (FCM): an opaque identifier issued by Firebase Cloud
Messaging that lets us deliver push notifications to your device.
- Usage signals: which videos you view (counted as views), follow/unfollow
events, daily app-open events used to maintain your activity streak.
- Diagnostic data: uncaught application errors, performance traces, and
crash reports sampled at ~10% in production. Authorization headers, cookies, and API keys are stripped before this data leaves your device.
- Request metadata: IP address, user-agent string, and a per-request UUID
used to correlate logs while debugging.
2.3 Information we do NOT collect
- We do not collect contacts, calendar, microphone, or location data unless
the corresponding feature is used (e.g., camera & microphone are accessed only while you record a video).
- We do not sell your information to third parties.
- We do not use your videos to train AI models.
3. How we use the information
We use the data above to:
1. Provide the core service: account creation, sign-in, video upload, playback, follows, messaging, notifications.
2. Keep the service safe and abuse-free: rate limiting, account moderation, content moderation (see §5), audit logging of sensitive actions (account deletion, blocking, data export, moderation rejection).
3. Deliver transactional email such as password resets and email verification.
4. Diagnose and fix problems via aggregated error tracking.
5. Comply with our legal obligations and respond to lawful requests.
We do not use your information for advertising or for automated profiling that produces legal or similarly significant effects.
4. Legal bases (EU/UK GDPR)
Where GDPR applies we rely on the following legal bases:
- Performance of a contract — providing you the service you signed up
for.
- Legitimate interests — securing the service, preventing fraud and
abuse, fixing bugs, and operating the platform efficiently.
- Consent — push notifications (you can revoke at any time from your
device settings) and any optional permissions you grant.
- Legal obligation — responding to lawful requests from public
authorities.
5. Content moderation
When you upload a video, a thumbnail is automatically scanned by Sightengine (a third-party image-classification service) for nudity, weapons, drugs, alcohol, gore, and offensive imagery before the video is published. Videos that fail this check are deleted and never reach the public feed. This is a fully automated decision; you can appeal a rejection by contacting us.
6. Sharing & sub-processors
We do not sell or rent your information. We share data only with the sub-processors needed to run the service:
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| DigitalOcean | Hosting (compute), object storage (Spaces), CDN | All service data at rest | Europe (Amsterdam) |
| Google Firebase (FCM) | Push notification delivery | FCM device token + notification payload | Multi-region |
| Google OAuth / Apple Sign in with Apple | Sign-in | Email + provider account ID (only if you choose this sign-in) | Multi-region |
| Resend | Transactional email (password reset, verification) | Email address + message body | Europe / US |
| Sightengine | Content moderation | Video thumbnail image (binary) | EU |
| Sentry (mureai org) | Error & performance monitoring | Anonymized stack traces, request IDs (auth/cookies stripped) | EU |
We do not transfer personal data to any other recipient unless required by law.
7. Retention
- Account data: kept until you delete your account.
- Videos & posts: kept until you delete the item or your account.
- Notifications history: last 50 per user.
- Audit logs: kept for at least 12 months for security/compliance.
- Error/diagnostic data: kept for 90 days.
- Email transactional logs (Resend): kept according to Resend's policy
(currently 30 days).
When you delete your account we permanently remove your profile and content from our database; backup copies are removed within 30 days during the next backup rotation.
8. Your rights
Wherever you live, you can:
- Access the personal data we hold about you — request via
GET /users/me/export from the app or by emailing us.
- Delete your account and all associated content — via
Settings → Delete account, or by emailing us.
- Correct inaccurate data — via Settings → Edit profile.
- Withdraw consent for push notifications — via Settings → Notifications,
or your device settings.
If you are in the EU/UK you additionally have the right to object to processing based on legitimate interests, the right to restrict processing, the right to portability of your data, and the right to lodge a complaint with your local data protection authority.
If you are in California you have the right to opt out of the sale or sharing of personal information (we don't sell or share for advertising) and the right to non-discrimination for exercising your rights.
We respond to verifiable rights requests within 30 days.
9. Children
Scorella is not directed at children under 13 (under 16 in some EU jurisdictions). We do not knowingly collect data from children under those ages. If you believe a child has created an account, please contact us and we will delete it.
10. Security
- Passwords are hashed with bcrypt at cost factor 10.
- Refresh tokens are hashed before storage and rotated on each refresh.
- Connections to the API are encrypted with TLS 1.2+.
- Push notification credentials and SMTP credentials are stored only as
environment variables, never in source control.
- Sensitive request headers (Authorization, Cookie, X-API-Key) are
stripped from error reports.
No system is perfectly secure. If you believe your account has been compromised, please contact us and change your password immediately.
11. International transfers
Our primary infrastructure is in Amsterdam (EU). Some sub-processors process data in the United States; in those cases we rely on the appropriate transfer mechanisms (Standard Contractual Clauses or equivalent).
12. Changes to this policy
We may update this Privacy Policy. The "Last updated" date at the top will change accordingly. Material changes will be announced in-app or by email at least 14 days before they take effect.
13. Contact
For privacy questions or to exercise your rights: [email protected]