PRIVACY POLICY — TCHAO

PRIVACY POLICY — TCHAO Last updated: May 18, 2026 Tchao ("we", "our application") is committed to protecting the privacy of its users. This policy describes the data we collect, the purposes for which we use it, and your rights, in accordance with the GDPR. ────────────────────────────────────────────── 1. DATA WE COLLECT ────────────────────────────────────────────── 1.1 Identification data • Email address (authentication via Google, Apple, Facebook, or OTP) • Username chosen by the user • Firebase User ID (UID) 1.2 User-generated content • Events you create (title, description, date, location name and address entered freely) • Messages posted in event chats • Guestbook entries (text + up to 5 photos per entry) • Conversations with the AI assistant (Visionnaire subscribers only) 1.3 Payment data • No banking data is collected or stored by Tchao. • Contributions to gift pools are processed by Stripe Checkout (hosted by Stripe). We transmit the following to Stripe: first name/username, email address, and contribution amount. • Subscriptions are handled exclusively through Apple In-App Purchase (iOS) or Google Play Billing (Android). We only receive a validated transaction receipt. 1.4 Technical data • Push notification token (FCM) to send you alerts related to your events. • Purchase history and subscription tier (Free, Pro, Visionnaire). We do NOT collect: your GPS location, your contacts, your health data, your advertising identifier (IDFA), your browsing history, or any behavioral analytics data. ────────────────────────────────────────────── 2. PURPOSES OF PROCESSING ────────────────────────────────────────────── Your data is used exclusively to: • Authenticate your account and secure access • Allow you to create and manage events, gift pools, and guestbooks • Process payments through our providers (Stripe, Apple, Google) • Send you transactional notifications related to your events • Provide AI assistant responses (Visionnaire subscription) • Prevent fraud and ensure the security of the service We do not use your data for any advertising, marketing, or behavioral analytics purposes. ────────────────────────────────────────────── 3. SHARING WITH THIRD PARTIES ────────────────────────────────────────────── • Google Firebase (Google LLC) — hosting, authentication, database, file storage, push notifications. Data hosted in the European Union (europe-west1). • Stripe Inc. — processing of gift-pool payments. • Apple Inc. / Google LLC — processing of In-App Purchase subscriptions. • Amazon Web Services (AWS Bedrock) — for Visionnaire users only: your queries to the AI assistant and the related event context are transmitted to AWS Bedrock to generate a response. No data is used to train models. No data is sold to third parties. ────────────────────────────────────────────── 4. HOSTING ────────────────────────────────────────────── Your data is hosted on Google Cloud Platform (Firebase), in the europe-west1 region (Belgium). Some technical operations may involve transfers outside the EU, governed by the Standard Contractual Clauses of the European Commission. ────────────────────────────────────────────── 5. DATA RETENTION ────────────────────────────────────────────── • Account data: as long as your account is active. • Events, guestbooks, chats: duration of the event + 12 months after its closure. • Payment history: 10 years (legal accounting requirement). • Notification token: until the application is uninstalled. ────────────────────────────────────────────── 6. YOUR RIGHTS (GDPR) ────────────────────────────────────────────── In accordance with the General Data Protection Regulation, you have the following rights: • Right of access to your data • Right of rectification • Right to erasure ("right to be forgotten") • Right to data portability • Right to object to and restrict processing • Right to lodge a complaint with the CNIL (www.cnil.fr) or your local data protection authority To exercise these rights, contact us at: support@tchao.app You can also delete your account directly from the application (Settings → Account → Delete my account). ────────────────────────────────────────────── 7. SECURITY ────────────────────────────────────────────── Your data is protected by encryption in transit (HTTPS/TLS) and at rest on Google servers. Authentication uses Firebase Auth standards (OAuth 2.0, OTP). ────────────────────────────────────────────── 8. MINORS ────────────────────────────────────────────── Tchao is not intended for children under 13. We do not knowingly collect data from minors without parental consent. ────────────────────────────────────────────── 9. CHANGES ────────────────────────────────────────────── This policy may be updated. Significant changes will be notified within the application. ────────────────────────────────────────────── 10. CONTACT ────────────────────────────────────────────── Data controller: Tchao Contact: support@tchao.app