Introduction
Welcome to Donny Wonny ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you understand how we collect, use, and safeguard your personal information.
This Privacy Policy applies to the Donny Wonny mobile application, website, and all related services (collectively, the "Services"). By using our Services, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
Account Information:
- Email address
- Username/display name
- Password (hashed with Firebase Authentication's scrypt; we never see or store the plaintext)
- Age attestation: at first launch you enter your age (for example, 16) to confirm you meet the minimum age for your region. We do not require your full date of birth for global signup. If you optionally provide a date of birth during registration, we use it only for age eligibility and minor protections.
- Profile picture (optional)
User-Generated Content:
- Journal entries (encrypted)
- Mood tracking data
- Goals and achievements
- Donny AI conversation history
- Creative works (art, stories, scrapbooks)
- Community posts and comments
- Voice journal audio recordings (processed for transcription, then immediately deleted; not stored)
Engagement Features Data:
- Challenge participation progress and completion data
- Badge/title awards and display preferences
- Community comment threads and emoji reactions
- Notification frequency preferences (per-category: instant, daily digest, weekly digest, or off; managed in Settings > Notifications)
- Pending digest notifications queued for delivery (title, body, category, channel, dispatched flag); auto-deleted within 30 days of send
- Rewards marketplace redemption history
- User matching interests and bio (opt-in "Find Your Tribe" feature β you choose what to share)
- AI-generated journal prompts (based on mood tags, time of day, and goal titles; no raw journal text sent to AI)
- Bug reports (title, description, reproduction steps, severity, and automatically detected device/platform information submitted with the report)
Social Features Content:
- Journey data: When you set a Journey to public, your progress score breakdown (consistency, volume, completion, streak momentum, milestones) and activity statistics are visible to all users. Private Journeys are not shared. You control this setting per Journey.
- Blueprint data: When you publish a Blueprint, the personality type, traits, greeting style, appearance settings, description, and your display name are shared publicly. No journal content, conversation history, or private account data is included.
- Spark Series data: When you create a Spark Series, the title, description, daily spark challenges, category, difficulty, and your display name are visible publicly. Your subscribers' individual day-by-day progress is private.
Family/Group Information:
- Group connections (with consent)
- Group membership information
- Family dashboard settings
- Parental control preferences
Social & Collaboration Data:
- Friend connections and friend request history
- @Mentions in posts and comments (who you tagged and who tagged you)
- Collaborative project membership, roles, and content contributions
- Project invitations sent and received
Cloud-Synced Wellness Data:
- Journal entries, mood check-ins, streaks, and habit tracking data are synced to our servers to enable cross-device access and prevent data loss
- XP, levels, coins, and progression data are synced to our servers (server is the source of truth for progression)
- Habit definitions, completion logs, and statistics
- This data is encrypted in transit and at rest; only you can access your own wellness data
Let It Out (Venting / Scream Section) Data:
- When you use the "Let It Out" feature, your venting text and selected emotions are processed by our AI to assess emotional intensity and provide supportive responses
- We store session history (emotion, type, duration, timestamp, and crisis level) to track your wellbeing over time
- Venting content is encrypted at rest and is never shared with other users
- If a crisis-level session is detected for a minor user, a safety alert (containing only the crisis level, not the venting content) is sent to the linked parent or guardian
- Emergency resources (such as the 988 Suicide & Crisis Lifeline) may be surfaced automatically based on detected crisis levels
Phone Verification Data:
- If you choose to verify your phone number, we collect your phone number and send a one-time verification code via SMS
- Your phone number is stored in hashed form and is used only for account verification and security purposes
- We do not use your phone number for marketing or share it with third parties
Offline Cache & Background Sync Data:
- When your device is offline, we temporarily store pending actions (spark completions, achievements, chat messages) on your device using encrypted local storage
- When connectivity is restored, a background sync service automatically uploads pending data to our servers. This may occur while the app is not in the foreground
- Offline cached data is cleared upon successful sync or upon logout
- Background sync does not collect any new data; it only transmits previously queued actions
Language & Locale Preferences:
- Your selected language preference is stored locally on your device (encrypted)
- We support 8 languages: English, Spanish, French, German, Japanese, Arabic, Korean, and Chinese
- Your device locale may be automatically detected to suggest a default language; this detection happens locally and is not transmitted to our servers
Payment Information:
- Web payments are processed by Stripe; mobile in-app purchases are processed by Apple App Store (iOS) and Google Play Store (Android) via RevenueCat
- We store only: subscription tier, status, and transaction IDs
- We do NOT store credit card numbers or banking details
- Apple and Google handle all payment method data for in-app purchases; we never receive your card details for those transactions
Product Catalog & Virtual Currency Data:
- Purchase history for customization packs (outfits, personalities, animations, rooms), content packs (wellness toolkits, meditation programs), and virtual currency (Donny Coins and Gems)
- Virtual currency balances (coins and gems) and transaction history (credits, debits, purchase source)
- We store: product ID, category, price paid, purchase timestamp, and Stripe session ID
- Virtual currency transactions are recorded for balance accuracy and dispute resolution
Refund Request Data:
- Refund requests store: user ID, requested amount, eligible amount, reason, status, and timestamps
- Refund data is retained for 90 days after processing for dispute resolution and accounting purposes
- After 90 days, refund records are anonymized but retained for aggregate reporting
Donny Den (Private Spaces) Data:
- When you create or join a Donny Den, we collect the Den name, description, rules, and your membership role (owner, moderator, or member)
- Chat messages, shared media, and reactions within a Den are stored on our servers and encrypted at rest
- Den membership lists are visible to other Den members. Public Dens display their name, description, and member count to all users
- Den moderation actions (warnings, mutes, bans) are logged for abuse prevention
- Den invitation codes are stored temporarily and expire after use or after 7 days
- If you are a minor (under 18), Dens with age-restricted content are not accessible to you
Merchandise Store Data:
- When you browse or purchase physical or digital merchandise, we collect: items viewed, items added to cart, purchase history, shipping address (for physical items), and order status
- Shipping addresses are stored only for the duration needed to fulfill and deliver your order, plus 90 days for returns/disputes, and are then permanently deleted
- Payment for merchandise is processed through Stripe (see Payment Information above); we never store your card details
Print-on-Demand Vendors (Data Processors):
- Physical merchandise is fulfilled by third-party print-on-demand providers, currently Printful, Inc. (apparel, accessories, posters) and Lulu Press, Inc. / Lulu Direct (books, journals, printed paper goods).
- For each physical order, we transmit the following minimum data to the relevant vendor: your name, shipping address, email address (for shipping notifications), the SKU of the item ordered, and a unique order reference. We do not share your Donny Wonny account ID, in-app activity, journal entries, or any companion-related personal data with these vendors.
- The vendors send signed webhook events back to us reporting fulfillment status, tracking numbers, and any cancellations or returns. We retain a separate fulfillment audit log (not linked to your journal or companion data) for fraud prevention and refund processing, with each vendor event de-duplicated by event ID.
- Each vendor processes your data under its own privacy policy: Printful: https://www.printful.com/policies/privacy; Lulu: https://www.lulu.com/about/privacy.
- You may request that we delete your shipping address from our systems after the 90-day returns window by contacting privacy@donnywonny.com.
Games & Mini-Games Data:
- When you play games or mini-games within the app, we collect: game scores, completion status, time played, and any virtual rewards earned
- Game data is used to award XP, coins, and badges and to track your progress
- Leaderboard participation is optional; if you opt in, your display name and score are visible to other players
- Game performance data may be used in anonymized aggregate form to improve game balance and design
1.2 Information Automatically Collected
Device Information:
- Device type and model
- Operating system version
- Unique device identifiers
- Mobile network information
- Device fingerprint (used solely for ban evasion prevention; see Section 2.5)
Usage Data:
- Features used and interaction patterns
- Session duration and frequency
- App performance and crash reports
- Clickstream data
Location Data:
- General location (city/region) based on IP address
- Precise location only if explicitly granted (for location-based features)
Network Information (for platform integrity):
- IP address at time of login and registration (used solely for ban evasion prevention; see Section 2.5)
1.3 Information from Third Parties
- Social media profile information (if you choose to connect accounts)
- Authentication data from Firebase Authentication
- Payment confirmation from Stripe
2. How We Use Your Information
2.1 To Provide and Improve Services
- Create and manage your account
- Deliver personalized AI companion experiences
- Generate mood insights and analytics
- Provide journaling and wellness features
- Enable family/group features (Connections, Groups)
- Enable Donny Den private spaces (creation, moderation, messaging)
- Fulfill merchandise orders and manage shipping/returns
- Provide in-app games, track scores, and award virtual rewards
- Process payments and manage subscriptions
2.2 For Safety and Security
- Detect and prevent fraud or abuse
- Enforce our Terms of Service
- Protect against security threats
- Monitor for crisis language (for safety interventions)
- Verify user age for COPPA compliance
- Enforce permanent bans and timed suspensions (see Section 2.5)
- Prevent ban evasion via IP address and device fingerprint matching
2.5 Ban Evasion Prevention
When a user is permanently banned for violating our Terms of Service, we record their IP address and device fingerprint at the time of the ban. These identifiers are stored in a separate "banned identifiers" collection and are checked during registration and login to prevent the banned user from creating new accounts.
What we store:
- IP address (hashed document ID) linked to the banned user ID
- Device fingerprint (hashed document ID) linked to the banned user ID
- Timestamp and reason for the ban
What we do NOT do:
- We do NOT use device fingerprinting for advertising, tracking, or analytics
- We do NOT share banned identifier data with third parties
- We do NOT fingerprint users who are in good standing
Retention: Banned identifier records are retained for as long as the associated ban is active. If a ban is lifted by an admin, the corresponding identifier records are removed. Appeals can be submitted through the platform (see our Terms of Service for the appeals process).
2.3 For Communication
- Send important service updates
- Respond to customer support requests
- Notify you of new features or changes
- Send promotional communications (with your consent)
2.4 For Analytics and Research
- Understand usage patterns
- Improve AI models and recommendations
- Conduct anonymized research
- Generate aggregate statistics (never personally identifiable)
2.4.1 AI Training Data & Your Control
We may use anonymized conversation data and interaction patterns to fine-tune our custom Donny model. You have full control over whether your future conversations are eligible:
- Opt-Out by Default (Affirmative Opt-In Required): New users are opted out of AI training. The onboarding flow shows a dedicated AI Training Consent modal where you must affirmatively toggle ON to participate. This matches GDPR's "freely given, specific, informed" consent standard and the CCPA / CPRA opt-in expectation for sensitive uses.
- Easy Opt-Out: If you previously opted in, go to Settings > Privacy > AI Training Preferences to opt out anytime with one tap.
- What Happens When You Opt Out:
  - Your future conversations and journal entries will NOT be added to the training dataset.
  - Only anonymized aggregate statistics (e.g., "users in age group 25-34 prefer evening journaling") may be used.
  - Your personalized experience continues normally.
  - You can change your preference anytime.
- How We Protect Training Data:
  - Every record passes through a multi-stage redaction pipeline before storage: regex sweeps for emails / US + international phone numbers / SSNs / credit cards / ZIPs / street addresses / authentication tokens, plus offline NER (named-entity recognition) for people and organizations, plus a per-user allow-list of names you've explicitly asked Donny to remember.
  - The saved record contains no user ID, no IP, no granular timestamp; only the redacted text plus date-only metadata. The result is anonymized: it cannot be linked back to your account.
  - Encrypted in transit (TLS 1.2+) and at rest (Firestore field-level AES-256).
  - OpenAI is our fine-tuning provider; per OpenAI's org-level Data Controls dashboard (verified 2026-05-15) all "Share inputs/outputs", "Share evaluation and fine-tuning data", and "Share feedback" toggles are Disabled, so OpenAI does NOT use our prompts/outputs to train their own foundation models.
  - Training datasets are stored in a segregated, anonymized dataset that is never linked or joined back to your account or profile.
- Retention: Anonymized training records are retained for as long as they remain useful for ongoing model improvement. This is the standard approach used by every major AI lab (OpenAI, Anthropic, Google) for fine-tuning corpora. Because the records contain no identifiers, individual records cannot be located or deleted on request once they enter the corpus; they are not linked to any user account. This is permitted under GDPR Recital 26 (which excludes truly anonymous information from the scope of personal-data deletion rights) and the CCPA de-identification carve-out. You can still delete your underlying Donny conversations or your whole account at any time; doing so removes the personal-data source records before the next redaction pass, so no further redacted excerpts are produced from your account.
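To make the redaction stage concrete, here is an added illustration (not Donny Wonny's own code) of the regex sweep, the allow-list step and the shape of the anonymized record described above. The patterns, the sample text and the identifiers in it are constructed for the example; the offline NER model is outside its scope, so the names it would find are passed in as a set.

```python
import re
from datetime import datetime

# Constructed sample record (not real user data). The raw record carries the
# identifiers the policy says are dropped: user ID, IP and a full timestamp.
SAMPLE = {
    "user_id": "u_12345",
    "ip": "203.0.113.7",
    "timestamp": "2026-05-15T14:32:11Z",
    "text": (
        "Talked to Alice about my card 4111 1111 1111 1111 today. "
        "Mail me at alice@example.com or call +1 (415) 555-0123. "
        "SSN 123-45-6789, token sk-abcdefghijklmnopqrstuvwxyz0123, "
        "ZIP 94105, 221B Baker Street."
    ),
}

# Illustrative sweep patterns (assumed, not the production regexes). Order
# matters: long digit runs (cards) go before phones and ZIPs so a card is
# never half-eaten by a shorter pattern.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("TOKEN", re.compile(r"\b(?:sk|pk|ghp)-[A-Za-z0-9]{20,}\b")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(
        r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")),
    ("ADDRESS", re.compile(
        r"\b\d{1,5}[A-Za-z]?\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln|Blvd|Drive|Dr)\b")),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def redact_pii(text):
    """Replace every regex hit with a typed placeholder; return text and hit counts."""
    counts = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def redact_names(text, detected_names, allow_list):
    """Mask person names found by the NER stage unless the user allow-listed them.

    The NER model itself is outside this example; detected_names stands in
    for its output."""
    for name in detected_names:
        if name in allow_list:
            continue
        text = re.sub(rf"\b{re.escape(name)}\b", "[PERSON]", text)
    return text


def to_training_record(raw, detected_names=frozenset(), allow_list=frozenset()):
    """Build the anonymized record: redacted text plus date-only metadata.

    user_id, ip and the time of day are deliberately not copied over."""
    text, _ = redact_pii(raw["text"])
    text = redact_names(text, detected_names, allow_list)
    day = datetime.fromisoformat(raw["timestamp"].replace("Z", "+00:00")).date()
    return {"text": text, "date": day.isoformat()}


if __name__ == "__main__":
    print(to_training_record(SAMPLE, detected_names={"Alice"}))
```

Running it on the sample yields a record holding only the placeholder-laden text and the date; passing `{"Alice"}` as both the detected names and the allow-list keeps that one name while every other identifier is still masked.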
2.4.2 Photo Transcription (Handwriting OCR) for the Donny Wonny Guided Journal
When you photograph a handwritten journal page using the in-app "Transcribe handwritten page" button, the image is uploaded over TLS to our backend and sent to OpenAI's vision-capable model for handwriting recognition. The transcribed text is returned to you so you can review and edit it before saving.
- Image storage: By default, the raw photo bytes are NOT retained after transcription completes. Only a non-reversible image hash is logged for abuse prevention.
- Vision learning (opt-in only): If you have opted in via Settings > Privacy > AI Training Preferences > Help improve handwriting recognition, we may store the image, the AI's draft transcription, and your final corrected text together as a private training pair. This is used solely to improve OCR accuracy and is excluded by default for new users.
- Revocation: You can disable this at any time in the same settings panel. Pre-existing training pairs can be deleted on request via privacy@donnywonny.com.
2.4.3 Voice Transcription (Whisper) for Journal Entries
When you tap the microphone button to dictate a journal entry, the audio clip is uploaded over TLS to our backend and sent to OpenAI's Whisper model for speech-to-text. The transcript is returned to you so you can review and edit before saving.
- Audio storage: By default, audio is NOT retained after transcription. Only the transcript text and an audio length value are kept (the transcript is part of your journal entry; the length is used for analytics and abuse prevention).
- Voice learning (opt-in only): If you have opted in to Help improve voice transcription, we may store the audio + corrected transcript pair to improve our models. Off by default.
- Revocation: Disable any time in Settings > Privacy > AI Training Preferences.
3. How We Share Your Information
3.1 We Do NOT Sell Your Personal Data
We do not and will never sell your personal information to third parties.
3.2 Service Providers
We share data with trusted service providers who assist us:
- Firebase/Google Cloud: Authentication, database, hosting
- Stripe: Web payment processing
- SendGrid (Twilio Inc.): Transactional email delivery (e.g., welcome emails, receipts, security alerts, purchase confirmations)
- Apple App Store / Google Play Store: Mobile in-app purchase processing (iOS and Android subscriptions)
- RevenueCat: Mobile subscription management and lifecycle events (does not store payment method data)
- OpenAI: AI conversation generation (encrypted in transit; per OpenAI's API data usage policy, API inputs and outputs are not used to train OpenAI models)
- Google Cloud Translation API: Language translation when the user has enabled auto-translate (and, for end-to-end encrypted content, separately enabled the explicit Translate end-to-end encrypted messages opt-in). Per Google's terms, translation request content is not used to train Google's models.
- Cloud infrastructure providers: Google Cloud Platform
- Analytics services: Anonymized usage analytics
All service providers are contractually required to protect your data in accordance with applicable privacy laws.
3.3 Legal Requirements
We may disclose information if required by law, such as:
- In response to valid legal requests (court orders, subpoenas)
- To protect rights, safety, or property
- To prevent fraud or security threats
- To comply with regulatory obligations
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and ensure continued protection.
3.5 With Your Consent
We may share information for other purposes with your explicit consent.
3.6 Public Features (Journeys, Blueprints, Spark Series)
Certain features are opt-in public:
- Journeys (public): When you set a Journey to public in Journey settings, your progress score, milestone badges, and activity statistics (entry count, streak length, and similar aggregates) are visible to other Donny Wonny users who view or follow that Journey. Journal entries and private notes are never included; only the aggregate stats shown on your Journey page.
- Blueprints: Your published Blueprint (Donny personality settings and description) is visible to all users. Subscribers receive a separate Donny copy; they have no access to your account or conversation data.
- Spark Series: Your created series and its daily challenges are publicly visible. Individual subscriber progress is private.
You control public/private settings for Journeys in the Journey settings. Blueprints and Spark Series can be unpublished at any time.
3.7 Donny Dens (Family Plan)
If you join or create a Donny Dens (family) plan, two distinct chat surfaces exist:
- Family Donny (private, per-user thread): Each member of the den has their own 1-to-1 conversation with the shared Family Donny. Your messages in your private thread are NOT visible to other den members. The Family Donny is aware of high-level family context (member moods, shared activities) for personalization but does not surface another member's private messages to you.
- Family Chat (shared thread): A den-wide group room where every member of the den + the Family Donny appear in a single feed. Every message you post here is visible to every other den member, including parents and children. This is opt-in: before you can post for the first time, you must explicitly accept a consent notice that explains this visibility. We record the date you accepted and the version of the notice. You can stop posting at any time by leaving the screen, but messages you previously posted remain visible until soft-deleted.
- Den admin actions: a parent in the den can soft-delete any Family Chat message. A member can soft-delete their own messages. Soft-deletion removes the text and marks the message as removed; it is not recoverable.
- Children and shared visibility: parents and legal guardians of children in the den can read everything the child posts in Family Chat by default; this is the same visibility model as any group text thread the family already participates in elsewhere. If you do not want a child's messages visible to other family members, do not enable them in Family Chat; the per-user private Family Donny thread remains available to them.
- Automated moderation: every Family Chat message is screened for harm indicators (self-harm content, harassment, sexually explicit content) before delivery. Messages flagged as high-severity are hidden from other members pending review and may generate a safety alert to the den's parent guardians.
You can find both surfaces under "My Donny Den" on the mobile app.
4. Data Security
4.1 Encryption
- In Transit: All data transmitted using HTTPS/TLS 1.3 encryption
- At Rest: All databases encrypted at rest (AES-256) via Google Cloud Platform
- Local Storage: Sensitive on-device data (journal entries, mood logs, gratitude entries) is encrypted using AES-256 with key derivation before it is written to device storage. Non-sensitive caching (usage counters, UI preferences) uses an in-memory store.
- Passwords: One-way hashed using bcrypt (14 rounds)
- AI Processing: Journal content is processed in-memory for AI analysis and is not stored outside of your encrypted database
4.1.1 Direct Messages and End-to-End Encryption
- Supported clients: For purposes of this policy and in-app disclosures, a supported client means the current Donny Wonny mobile application for Android or iOS from official app stores, on a build that includes our end-to-end encryption (E2E) feature, for a conversation where E2E is enabled. Web-only access, legacy builds without E2E, and conversation types that are server-readable by design (see below) are not described as E2E on device.
- End-to-end encryption (live): Direct messages and circle (group) chat are end-to-end encrypted on your device before they leave it, using the Olm and Megolm protocols, the open, audited, Apache-2.0 implementation of the Double Ratchet maintained by The Matrix.org Foundation and used in production by Element. 1:1 chats use Olm; circles use Megolm group sessions whose session keys are wrapped per-recipient with Olm. Only the intended recipient device (and any required parental supervisor device; see below) can decrypt. Our servers store and relay only ciphertext; we cannot read your messages, and a database breach or compelled legal process against us cannot expose plaintext.
- Family pods and couples spaces default to E2E: Group chats created with the family type, and shared spaces created via Couples Mode, are end-to-end encrypted by default at creation time using the same Megolm protocol as circles. The choice is immutable for the life of the group/space β toggling it later would orphan the existing key chain and is therefore not permitted. Other group types (general, friends, support) remain server-readable by default; the group creator can enable end-to-end encryption when the group is created. Therapist-supervised couples spaces may be created without end-to-end encryption when server access is required for clinical record-keeping.
- Forward secrecy and post-compromise security: Every message rotates symmetric keys via the Double Ratchet, so compromise of a long-term identity key does not retroactively decrypt past traffic, and a compromised session self-heals after one round-trip. When a member leaves a circle, the sender's group session is rotated before the next message so the departed member cannot read future messages. Identity keys are TOFU (trust-on-first-use) on first contact; the Safety Number screen surfaces an Ed25519 fingerprint for out-of-band verification.
- Family escrow for supervised minors: When a parent enables supervision for a child (default for users under 13, opt-in for ages 13 to 17), every message in or out of that child's conversations is sealed in a separate ciphertext envelope to each parent's E2E identity key, in addition to the recipient's. For circles, the parent's device is added to the Megolm session-key distribution so the parent can decrypt every group message the child can read. The server still cannot decrypt any of these; only the parent's device can open the parent's envelope. The supervised child sees a visible "Your parent can read these messages" badge in every supervised chat. Parents see only their own child's messages, never another family's. This is a deliberate, disclosed trade-off that prioritizes child safety over message secrecy.
4.1.2 Fraud & Safety Signals (Cross-Account Abuse Detection)
To stop one person from harassing users by spinning up many throwaway accounts, we collect a small set of safety signals on direct-message attempts:
- Hashed IP: We HMAC-SHA256 your IP address with a server-side secret (pepper). The plaintext IP is never written to the abuse database, and the hash cannot be reversed without the pepper.
- Device fingerprint: A platform-provided per-installation identifier (Android application ID or iOS vendor identifier). This is per app install, not a hardware serial, and is reset when the app is uninstalled or the device is factory-reset.
- Behavioural: Send timing and a 16-character hash of the message preview. We do not store the plaintext.
These signals are kept for 30 days and then automatically deleted. They are stored separately from your profile, messages, and advertising data, and are used exclusively to:
- Match a sending account against other accounts that share the same fingerprint cluster in the same time window.
- Decide a tier: log only (low confidence), silent shadowban (medium: requests dropped without telling the sender), or suspend + notify victim (high: 5+ distinct victims in 24 h sharing one cluster).
We do not use these signals for advertising, profiling, or any non-safety purpose. The 30-day retention is the legitimate-interest minimum for catching abuse patterns; the legal basis is GDPR Art. 6(1)(f).
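The peppered hashing that both Section 2.5 (banned identifiers checked at registration and login) and Section 4.1.2 (30-day abuse signals and tiering) rely on is shown below as an added example; it is not Donny Wonny's own code. The pepper value is a constructed stand-in for a secret held server-side, the 30-day retention and the "5+ distinct victims in 24 h" threshold come from the text above, and the medium-tier rule (two or more accounts on one install cluster) is an assumption the policy does not state.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: in production the pepper lives in the server's secret store and
# never reaches the database; this constant is a constructed stand-in.
PEPPER = b"constructed-pepper-not-a-real-secret"
RETENTION = timedelta(days=30)   # Section 4.1.2: signals kept 30 days
HIGH_TIER_VICTIMS = 5            # Section 4.1.2: 5+ distinct victims in 24 h
MEDIUM_TIER_SENDERS = 2          # assumed threshold; the policy gives none


def hash_identifier(value, pepper=PEPPER):
    """HMAC-SHA256 of a normalized identifier (IP or install ID) under the pepper.

    The same input always maps to the same hash, so lookups work, but without
    the pepper the hash cannot be turned back into the identifier."""
    return hmac.new(pepper, value.strip().lower().encode(), hashlib.sha256).hexdigest()


class BannedIdentifiers:
    """Section 2.5: hashed IP / fingerprint records linked to a banned user ID."""

    def __init__(self):
        self.records = {}   # hashed identifier -> {user_id, reason, at}

    def record_ban(self, user_id, ip, fingerprint, reason, at):
        for value in (ip, fingerprint):
            self.records[hash_identifier(value)] = {
                "user_id": user_id, "reason": reason, "at": at}

    def is_blocked(self, ip, fingerprint):
        """Registration/login check: block if either identifier matches a ban."""
        return any(hash_identifier(v) in self.records for v in (ip, fingerprint))

    def lift_ban(self, user_id):
        """An admin lifting the ban removes every identifier tied to that user."""
        self.records = {h: r for h, r in self.records.items()
                        if r["user_id"] != user_id}


class AbuseSignals:
    """Section 4.1.2: per-install fingerprint clusters on DM attempts."""

    def __init__(self):
        self.events = []    # (fingerprint hash, sender account, victim, time)

    def record_dm_attempt(self, fingerprint, sender, victim, at):
        self.events.append((hash_identifier(fingerprint), sender, victim, at))

    def purge_expired(self, now):
        """Drop signals older than the 30-day retention window."""
        self.events = [e for e in self.events if now - e[3] < RETENTION]

    def tier(self, fingerprint, now):
        """Decide log / shadowban / suspend from the last 24 h of one cluster."""
        fp = hash_identifier(fingerprint)
        since = now - timedelta(hours=24)
        senders, victims = set(), set()
        for h, sender, victim, at in self.events:
            if h == fp and at >= since:
                senders.add(sender)
                victims.add(victim)
        if len(victims) >= HIGH_TIER_VICTIMS:
            return "suspend"
        if len(senders) >= MEDIUM_TIER_SENDERS:
            return "shadowban"
        return "log"


def demo(now=None):
    """Walk both mechanisms over constructed events and return the outcomes."""
    now = now or datetime(2026, 5, 15, tzinfo=timezone.utc)
    bans = BannedIdentifiers()
    bans.record_ban("user-banned", "203.0.113.7", "install-aaa", "harassment", now)
    out = {
        "banned_ip_blocked": bans.is_blocked("203.0.113.7", "install-new"),
        "clean_user_blocked": bans.is_blocked("198.51.100.9", "install-new"),
    }
    bans.lift_ban("user-banned")
    out["blocked_after_lift"] = bans.is_blocked("203.0.113.7", "install-aaa")

    signals = AbuseSignals()
    signals.record_dm_attempt("install-solo", "alice", "bob", now)
    out["single_dm_tier"] = signals.tier("install-solo", now)
    for i in range(2):      # two accounts on one install, one victim
        signals.record_dm_attempt("install-two", f"alt{i}", "carol", now)
    out["two_accounts_tier"] = signals.tier("install-two", now)
    for i in range(5):      # five throwaway accounts, one install, five victims
        signals.record_dm_attempt("install-five", f"alt{i}", f"victim{i}", now)
    out["five_victims_tier"] = signals.tier("install-five", now)
    signals.purge_expired(now + timedelta(days=31))
    out["events_after_retention"] = len(signals.events)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the hash is keyed, two deployments with different peppers produce unrelated values for the same IP, and a leaked table of hashes alone does not reveal addresses; the cost is that every lookup must go through the same server-side function.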
4.2 Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication for admin access
- Employee access limited to need-to-know basis
- Periodic internal security reviews
4.3 Security Monitoring
- Application error monitoring via Sentry
- Rate limiting and abuse detection on all API endpoints
- Firebase infrastructure security managed by Google Cloud Platform
- Our infrastructure providers (Google Firebase, Stripe, SendGrid/Twilio, Apple, Google Play, RevenueCat, OpenAI) maintain their own independent security audit programs
No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security.
5. Your Privacy Rights
5.1 Access and Portability
- Access: Request a copy of your personal data
- Portability: Download your data in machine-readable format
- Rectification: Correct inaccurate information
5.2 Deletion and Restriction
- Right to Delete: Request deletion of your data
- Restrict Processing: Limit how we use your data
- Object: Object to certain types of processing
5.3 How to Exercise Your Rights
Email: privacy@donnywonny.com
In-App: Settings > Privacy > Data Rights
Response time: Within 30 days (GDPR) or 45 days (CCPA)
All data-rights requests are tracked in our compliance system with unique request IDs. You can check the status of any pending request in-app or by contacting us. We maintain a full audit log of compliance actions and consent changes for accountability.
5.4 California Privacy Rights (CPRA / CCPA)
California residents have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CPRA"). Specifically, you have the right to:
- Know what categories of personal information ("PI") and sensitive personal information ("SPI") we have collected, the sources, the business or commercial purpose, and the categories of third parties with whom we share it.
- Access the specific pieces of PI we hold about you.
- Delete PI we have collected from you, subject to limited exceptions (e.g. where retention is required by law, for security, or to complete a transaction).
- Correct inaccurate PI we hold about you.
- Portability: receive your PI in a structured, commonly used format (JSON, Markdown, and PDF are supported via Settings > Privacy > Export My Data).
- Opt out of the sale or sharing of your PI for cross-context behavioral advertising. We do not sell your PI and we do not share PI for cross-context behavioral advertising. Because we do not engage in either activity, there is nothing to opt out of, but the statutory right is preserved and a "Do Not Sell or Share My Personal Information" link is provided in the website footer and in the Settings > Privacy screen of the mobile app.
- Limit the use and disclosure of your Sensitive Personal Information to purposes necessary to provide the service. Sensitive PI we collect includes your precise geolocation (only if you grant the permission), account credentials, and the contents of your communications (DMs, journal entries, "Let It Out" recordings; the latter two are end-to-end encrypted and not readable by us). A "Limit the Use of My Sensitive Personal Information" link is provided in the same locations as the "Do Not Sell or Share My Personal Information" link above. Selecting it will disable any non-essential SPI use.
- Non-discrimination: we will not deny you service, charge you a different price, or provide a lower quality service because you exercised any of the rights above.
- Authorized agent: you may designate an authorized agent (such as a family member or attorney) to make a request on your behalf. Verification of your identity and the agent's authority is required.
We do not knowingly collect or sell the personal information of consumers under 16 years of age without affirmative authorization. For users under 13, see Section 6 (COPPA).
To exercise any CPRA right, email privacy@donnywonny.com or use Settings > Privacy in the mobile or web app. We will respond within 45 days as required by statute, with a one-time 45-day extension if the request is complex.
5.5 European Privacy Rights (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR), the UK GDPR and the UK Data Protection Act 2018; if you are in Switzerland, the Federal Act on Data Protection (FADP) gives you equivalent rights:
- Access (Article 15): confirm whether we process your personal data and obtain a copy.
- Rectification (Article 16): correct inaccurate data.
- Erasure / "Right to be Forgotten" (Article 17): delete your personal data, subject to limited exceptions.
- Restriction of processing (Article 18): limit how we use your data while a dispute is pending.
- Data portability (Article 20): receive your data in a structured, commonly used, machine-readable format.
- Objection (Article 21): object to processing based on our legitimate interests, including profiling for safety detection.
- Withdraw consent (Article 7(3)) at any time, where we rely on consent as the lawful basis (Article 6(1)(a)). Withdrawal does not affect the lawfulness of processing carried out before you withdrew.
- Lodge a complaint with your national supervisory authority (Article 77). A list is published by the European Data Protection Board; UK residents may complain to the Information Commissioner's Office (ICO).
5.5.1 Automated Decision-Making and Profiling (GDPR Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects concerning you. The following describes the automated processing we perform and your rights with respect to each:
- Crisis detection in "Let It Out" recordings. Voice recordings classified as expressing high-severity self-harm intent or imminent danger trigger an automated parental notification (for minors) and surface a "Reach out for help" prompt to the user. The classifier is a third-party AI service. A human reviewer is involved in any follow-up by our trust & safety team. You may opt out of automated crisis classification by disabling the "Let It Out" feature in Settings > Privacy. If you are a minor, your parent/guardian controls this setting.
- Safety / abuse detection on direct messages and circle posts. Automated content moderation flags posts that match defined patterns (CSAM, violent threats, doxxing, harassment). Flagging may temporarily hide the post pending human review by our trust & safety team. The decision to permanently remove or apply an account action is taken by a human reviewer, not the automated system.
- Ban-evasion detection. Cross-account fraud and abuse signals (described in §4.1.2) feed an automated risk score. We do not auto-ban on score alone. A human reviewer makes the final decision on any account suspension. You have the right to contest a suspension via the appeals process described in our Terms of Service §3.5.
- Personalized recommendations (Spark Series suggestions, mentor matches, content discovery). These are based on your declared preferences and on-platform activity. They do not produce legal or similarly significant effects. You can opt out via Settings > Privacy > Personalization.
To exercise any of the rights above, email privacy@donnywonny.com. For users in the EU/UK, you may also email dpo@donnywonny.com (subject line: "GDPR request"). Where GDPR Article 27 requires an EU/UK representative, use the Euverify contact path shown on our Privacy summary page. If we are required to appoint a Data Protection Officer under GDPR Article 37, dpo@donnywonny.com is the contact point for that role.
5.5.2 AI Training and Your Personal Data
We do not use the contents of your direct messages, journal entries, or "Let It Out" recordings to train our AI models or any third-party AI provider's models. Specifically:
- DM and journal contents are end-to-end encrypted; we do not have the decryption keys and cannot read them.
- "Let It Out" voice recordings are processed in-memory for crisis classification only and are deleted immediately after classification. We retain only the classification label and timestamp.
- Conversations with our Donny Wonny AI companion are processed by our third-party AI provider under a data-processing agreement that prohibits the provider from using your conversation contents to train its models. Our current AI and infrastructure sub-processors (including OpenAI), the categories of data each receives, and their locations are listed in Section 2 (Sub-processors) of our Data Processing Agreement. OpenAI processes API requests under its API data-use terms (inputs/outputs are not used to train OpenAI's foundation models when our organization-level data controls are enabled, as described in §2.4.1 above).
- You may opt out of AI companion processing of your data by disabling the AI companion in Settings > Privacy > AI Features. Doing so disables the conversational features but does not affect your access to other parts of the service. Automated crisis classification of "Let It Out" recordings is controlled separately, by disabling the "Let It Out" feature as described in Section 5.5.1.
6. Children's Privacy (COPPA Compliance)
6.1 Age Verification
- Users must be 13+ to create an account in the United States and other regions where 13 is the applicable minimum.
- Higher regional minimums apply where required by law (for example, 16+ in Australia and Malaysia for account creation from those countries' IP addresses; 18+ in India for signup from India IP addresses, since verified parental consent for under-18s is not offered in-app today; 14+ in South Korea under PIPA). We derive region from network signals at signup and enforce the applicable minimum.
- We do not knowingly create accounts for users below the applicable minimum age.
- Default age signal: numeric age attestation at first launch (not full date of birth). Where law requires stronger assurance for social or community features, we may require third-party age verification that confirms you are in an eligible age band (for example, 16+) without us storing your ID or date of birth β only a verification result and audit token.
6.1.1 Australia (pre-launch note)
Australia's Online Safety Amendment (Social Media Minimum Age) Act may apply to services classified as age-restricted social media platforms (ARSMP). We treat our community and messaging features as potentially in scope and enforce 16+ signup from Australia. Before marketing in Australia we plan third-party age assurance (see legal/AGE_ASSURANCE_APPROACH.md) in addition to age attestation. Counsel review is required before AU campaigns.
6.1.2 Malaysia (pre-launch note)
Malaysia's Online Safety Act 2025 Child Protection Code (effective 1 June 2026) requires licensed large social media platforms to block under-16 accounts and verify age with official ID. We enforce 16+ signup from Malaysia regardless of scale and will implement vendor age verification if counsel confirms we are in scope. We do not retain government ID images or numbers on our servers when using a verification provider.
6.2 Parental Controls
Parents can:
- Review their child's information
- Request deletion of their child's data
- Refuse further collection of information
- Monitor activity through Family Dashboard
- Receive automated safety alerts if their child uses the "Let It Out" feature at a medium or high crisis level (alerts include the crisis level only, not the venting content)
- Restrict or allow their child's access to specific features (including conversations and the "Let It Out" feature) via Family Content Settings
6.3 Limited Data Collection for Minors
For users between the applicable regional minimum age and 18:
- We collect only necessary information
- No targeted advertising
- Enhanced content moderation
- Limited community features
Contact for parental requests: parents@donnywonny.com
7. Data Retention
7.1 Active Accounts
- Account data: Retained while account is active
- Journal entries: Retained indefinitely (unless deleted by user)
- Mood, habit, and progression data: Retained while account is active
- Friend connections and project data: Retained while account is active
- Analytics data: Aggregated and anonymized after 90 days; raw analytics data automatically purged after 2 years
- Temporary/session data: Automatically purged after 90 days
- Compliance request records: Retained for 7 years for regulatory purposes
- Consent change history: Retained indefinitely for audit trail
- Logs: Retained for 90 days
7.2 Deleted Accounts
- Account deletion is processed within 30 days
- Backups may retain data for up to 90 additional days
- Some data may be retained for legal/compliance purposes
- Anonymized analytics may be retained indefinitely
7.3 Legal Holds
Data subject to legal obligations may be retained beyond standard periods.
8. International Data Transfers
8.1 Where Your Data Lives
Donny Wonny LLC is based in the United States and our entire production infrastructure runs in US-region Google Cloud Platform:
- Cloud database β United States multi-region (Iowa, South Carolina, Oklahoma)
- Cloud storage (uploads, backups) β United States (Iowa)
- Application servers β United States (Iowa)
If you use Donny Wonny from the EU, EEA, UK, or any other country outside the United States, your personal data is transferred to the United States for processing and storage. We do not operate separate regional data centers.
8.2 Lawful Transfer Mechanisms
We rely on the following lawful transfer mechanisms (layered for defense in depth):
- EU-US Data Privacy Framework (DPF), adopted by the European Commission in July 2023. Provides an adequacy decision under GDPR Article 45. Used by our US-based sub-processors that are DPF-certified (Google Cloud, Stripe, Vercel; verify at https://www.dataprivacyframework.gov).
- UK Extension to the EU-US Data Privacy Framework (the "UK Data Bridge"), active since 12 October 2023. Provides the equivalent adequacy basis for UK residents under UK GDPR. The UK Government recognises participating US organisations as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs), the 2021 EU Commission-approved modules (Implementing Decision (EU) 2021/914), incorporated into our data-processing agreements with sub-processors that are NOT DPF-certified (currently OpenAI, SendGrid/Twilio, RevenueCat, Sentry). Each of these sub-processors has executed SCCs with us, either through its own standard data-processing addendum or through vendor-specific terms.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs β applied alongside SCCs for UK-origin data transfers to sub-processors that have not separately certified under the UK Extension to the DPF.
8.3 Transfer Impact Assessment
For each non-adequacy-decision sub-processor, we maintain an internal Transfer Impact Assessment ("TIA") that evaluates:
- The legal regime of the destination country (US)
- The category of personal data transferred
- The supplementary measures in place (encryption at rest, encryption in transit, access controls, sub-processor audit reports)
Our TIA is part of our internal Record of Processing Activities (Article 30 record) and is available to EU/UK supervisory authorities on request via our Article 27 representatives.
8.4 Your Rights Regardless of Location
EU, EEA, UK, and Swiss data subjects retain all rights under their applicable data-protection law (right of access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to supervisory authority) regardless of where the data is processed. Exercise those rights via:
- Your account Settings > Privacy in the mobile app
- Our Article 27 representatives, Euverify Ltd (EU and UK); see Section 5 above
- privacy@donnywonny.com
9. Cookies and Tracking Technologies
9.1 Types of Cookies
- Essential: Required for service functionality
- Analytics: Understand usage patterns (anonymized)
- Preferences: Remember your settings
- Marketing: Deliver relevant content (with consent)
9.2 Cookie Management
- Manage cookies in your browser settings
- Opt out of analytics cookies
- Use Do Not Track (DNT) signals
Note: Opting out of analytics cookies is separate from opting out of AI training. To control AI training, see Section 2.4.1 or go to Settings > Privacy > AI Training Preferences.
See our Cookie Policy for details.
10. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to read their privacy policies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- In-app notifications
- Email to your registered address
- Prominent notice on our website
Continued use after changes constitutes acceptance.
12. Contact Us
Privacy Questions
Email: privacy@donnywonny.com
Mail:
Donny Wonny LLC
Privacy Department
539 W. Commerce St #5827
Dallas, TX 75208
Data Protection Officer
Email: dpo@donnywonny.com
Complaints
EU/EEA residents can lodge complaints with their local supervisory authority.
13. State-Specific Disclosures
13.1 California
- We do not sell personal information
- Categories of data collected: See Section 1
- Purposes: See Section 2
- Categories shared: See Section 3
13.2 Nevada
Nevada residents may opt out of the sale of personal information (we don't sell data).
13.3 Virginia, Colorado, Connecticut, Utah
Residents have rights similar to CCPA. Contact privacy@donnywonny.com to exercise rights.
14. Additional Information
14.1 De-Identified Data
We may create de-identified or aggregated data that cannot reasonably identify you. This data is not subject to this Privacy Policy.
14.2 AI and Automated Decision-Making
- AI is used for content recommendations and insights, and for the safety-related automated processing (crisis, abuse and ban-evasion detection) described in Section 5.5.1
- You can request human review of automated decisions
- Recommendation and insight decisions do not have legal or similarly significant effects; for the safety-related processing, the final decision on any account action is taken by a human reviewer (see Section 5.5.1)
14.3 Marketing Communications
- You can opt out of marketing emails anytime
- You will still receive transactional/service emails
- SMS marketing requires explicit consent (where offered)
By using Donny Wonny, you acknowledge that you have read and understood this Privacy Policy.
Last Updated: May 19, 2026
Effective Date: February 28, 2026