Privacy Policy

1.1 Information You Provide to Us

Account Information

• Email address
• Name
• Password (stored as a cryptographic hash, never in plain text)
• Payment information (processed through our payment provider)
• Profile settings and preferences

Photos and Videos

• Digital media files you upload or sync to RollApp
• Metadata associated with your media (EXIF data, timestamps, location data if embedded)
• Albums, tags, and organizational information you create

Communications

• Support requests and correspondence
• Feedback and survey responses
• Communications preferences

1.2 Information We Collect Automatically

Usage Data

• Pages visited and features used
• Time spent on the service
• Device information (type, operating system, browser)
• IP address and general location data
• Referring URLs and search terms

Technical Data

• Log files and error reports
• Performance metrics
• Session information
• Cookies and similar tracking technologies

1.3 Information from Third-Party Sources

When you connect external services (Google Photos, iCloud, Dropbox, etc.), we collect:

• Access tokens to sync your media
• Basic profile information from connected services
• Media files and metadata from connected accounts

2.1 Provide and Improve Our Service

• Store and sync your photos and videos
• Enable search, organization, and sharing features
• Process your uploads and downloads
• Maintain and improve service performance
• Develop new features and functionality

2.2 Security and Protection

• Verify your identity and authenticate access
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Enforce our Terms of Service

2.3 Communications

• Send service-related notifications
• Respond to your requests and support inquiries
• Send marketing communications (with your consent)
• Conduct surveys and gather feedback

2.4 AI and Machine Learning Features

• Facial recognition for photo organization (processed locally on your device or in encrypted form)
• Content recognition for search functionality
• Automatic categorization and memory creation
• Duplicate detection

3.1 Service Providers

We work with third-party companies to provide:

• Cloud storage infrastructure
• Payment processing
• Customer support tools
• Analytics and performance monitoring
• Email delivery services

These providers are contractually obligated to protect your data and use it only for the services they provide to us.

3.2 Legal Requirements

We may disclose information if required to:

• Comply with applicable laws, regulations, or legal processes
• Respond to government requests or court orders
• Protect our rights, property, or safety
• Prevent fraud or security threats

3.3 Business Transfers

If RollApp is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

3.4 With Your Consent

We may share information for other purposes with your explicit consent.

4.1 Encryption

End-to-End Encryption

• All photos and videos are encrypted on your device using AES-256 encryption
• Encryption keys are derived from your password and never leave your device
• We cannot access your unencrypted photos or videos

In Transit

All data transmitted between your device and our servers uses TLS 1.3 encryption

At Rest

• Encrypted data is stored on secure servers
• Database encryption for account information
• Regular security audits and penetration testing

4.2 Access Controls

• Multi-factor authentication available
• Role-based access controls for our team
• Regular access reviews and credential rotation
• Employee background checks and security training

4.3 Monitoring and Incident Response

• 24/7 security monitoring
• Automated threat detection
• Incident response procedures
• Regular security assessments by third-party auditors

5.1 Federal Act on Data Protection (FADP)

We comply with Switzerland's Federal Act on Data Protection (FADP), which provides comprehensive data protection rights including:

• Strong consent requirements for data processing
• Strict limitations on automated decision-making
• Enhanced transparency obligations
• Robust rights for data subjects
• Severe penalties for non-compliance

5.2 Swiss Data Centers

Your data is stored exclusively in Switzerland:

• Primary data center: Zurich, Switzerland
• Backup facility: Geneva, Switzerland
• All data remains within Swiss borders unless you explicitly authorize otherwise
• Protected by Swiss banking-level physical security standards
• Powered by renewable Swiss hydroelectric energy

5.3 Jurisdictional Advantages

Switzerland offers unique privacy protections:

• Not part of the EU: While we comply with GDPR for EU users, we're not subject to all EU data sharing directives
• Not in the "14 Eyes" alliance: Switzerland is not part of the mass surveillance intelligence-sharing agreements
• Strong legal protections: Swiss courts require high standards of proof before compelling data disclosure
• No mandatory data retention laws: Unlike many countries, Switzerland doesn't require blanket data retention

5.4 Government Requests

Under Swiss law, government requests for user data must meet strict requirements:

Additionally, due to our zero-knowledge encryption architecture, we cannot provide access to the content of your photos and videos—only encrypted data and account metadata.

5.5 Federal Data Protection and Information Commissioner (FDPIC)

We are subject to oversight by Switzerland's Federal Data Protection and Information Commissioner (FDPIC), an independent authority that:

• Monitors compliance with Swiss data protection laws
• Investigates data protection complaints
• Has the power to impose binding orders
• Provides guidance on data protection best practices

5.6 Cross-Border Data Transfers

When transferring data outside Switzerland (e.g., to EU users or when connecting to third-party services), we ensure:

• Data is only transferred to countries with adequate data protection (as recognized by Switzerland)
• Use of Standard Contractual Clauses (SCCs) where required
• Additional security measures including encryption
• Your explicit consent for any data transfers

6.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide services.

6.2 Deleted Data

When you delete photos or videos:

• They are immediately removed from your account
• Encrypted files are deleted from our storage within 30 days
• Backups are purged within 90 days

When you delete your account:

• All your data is permanently deleted within 90 days
• Backups are purged within 180 days
• Some metadata may be retained for legal or operational purposes

6.3 Legal Obligations

We may retain certain data longer if required by law or to resolve disputes.

7.1 Access and Portability

• Request a copy of your personal data
• Download all your photos and videos in original quality
• Receive your data in a structured, machine-readable format

7.2 Correction and Deletion

• Update or correct your account information
• Delete specific photos, videos, or your entire account
• Request deletion of your personal data (subject to legal requirements)

7.3 Control and Objection

• Control marketing communications preferences
• Object to certain data processing activities
• Withdraw consent where processing is based on consent
• Opt out of cookies (except essential ones)

7.4 Restrict Processing

• Request restriction of processing in certain circumstances
• Opt out of automated decision-making and profiling

7.5 Lodge a Complaint

File a complaint with your local data protection authority if you believe your rights have been violated

10.1 Types of Cookies We Use

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may limit functionality.

Third-Party Cookies

We use analytics services that may set their own cookies. See their privacy policies:

• Google Analytics
• Stripe (payment processing)

11.1 European Economic Area (EEA)

Legal Basis for Processing

• Performance of contract (to provide our services)
• Legitimate interests (improve services, prevent fraud)
• Consent (marketing communications, certain cookies)
• Legal obligations (compliance with laws)

11.2 California Residents (CCPA/CPRA)

California residents have additional rights:

• Know what personal information we collect and how it's used
• Request deletion of personal information
• Opt out of sale of personal information (we don't sell your data)
• Non-discrimination for exercising your rights

California Contact: california-privacy@rollapp.com

11.3 United Kingdom

RollApp complies with UK GDPR. UK-specific inquiries:

Email: uk-privacy@rollapp.com