Kuwboo Privacy Policy

Effective date: 15 April 2026 · Last updated: 15 April 2026

1. Who we are

Kuwboo is operated by Guess This Ltd, a company registered in the United Kingdom. In this policy, "Kuwboo", "we", "us", or "our" refers to Guess This Ltd.

Guess This Ltd is the data controller for personal data processed through the Kuwboo mobile app and website. Contact details are in Section 13.

2. What we collect

We collect only what we need to run Kuwboo. The categories below reflect the features enabled in your account.

Category	Examples	When collected
Account identifiers	Phone number, email address, Apple/Google sign-in ID, username, date of birth	At sign-up and when you sign in
Profile content	Display name, bio, photos, interests, module preferences (video, marketplace, dating, social)	When you complete your profile
User-generated content	Videos, images, posts, marketplace listings, comments, reviews	When you post
Communications	Chat messages, group conversations, voice notes, reports you file against other users	When you use chat or moderation tools
Location data	Approximate city (IP-derived) always; precise GPS only with your explicit permission (used for nearby discovery and event proximity)	While the app is in use
Transaction data	Purchase history, listing prices, payment timestamps. We do not store card numbers — payments are processed by our payment provider	At checkout
Device and log data	Device model, OS version, app version, crash logs, IP address, session timestamps, language	Automatically, for security and reliability
Age assurance signals	Self-declared age, optional age-estimation signals (if you opt in to photo-based verification)	Per UK and US child-safety law (see Section 9)
Biometric-derived data	Face-match templates, if you opt in to photo verification. Raw photos are not retained after template generation.	Only if you enable photo verification
Cookies and similar	Session cookies on our website. The mobile app does not use web cookies.	When you visit our website

We do not sell personal data, and we do not collect sensitive categories of data (race, religion, political opinions, health) unless you voluntarily post them as profile content.

3. How we use your data

Run your account and the service — authenticate you, show your profile to others you've allowed to see it, match you with content and people based on your preferences.
Messaging — deliver chats, notifications, and push alerts to your devices.
Safety and moderation — detect illegal content, fraud, spam, harassment, and ban-evasion. We scan uploads with automated tooling (image moderation, hash matching against known illegal-content databases) and respond to user reports.
Marketplace — process transactions, generate receipts, resolve disputes, comply with anti-money-laundering and consumer-protection law.
Improve the product — aggregate, anonymised analytics to understand which features are used and where the app is slow or crashing.
Comply with the law — respond to legal requests, court orders, and regulator enquiries (ICO, Ofcom, FTC, state attorneys general).

4. Legal basis (UK/EU users)

Under UK GDPR, each processing activity needs a lawful basis:

Contract — operating your account, delivering messages, processing transactions.
Legal obligation — illegal-content scanning (Online Safety Act), transaction-record retention (tax law), age assurance, law-enforcement cooperation.
Legitimate interests — fraud prevention, service security, product analytics (in anonymised form). You can object to processing based on legitimate interests; see Section 7.
Consent — precise GPS location, marketing email, photo-based age verification, biometric face-match. You can withdraw consent at any time in the app settings.

Infrastructure providers — Amazon Web Services (data hosting, eu-west-2 London region), Cloudflare (CDN and edge caching).
Authentication providers — if you sign in with Apple or Google, we receive identity tokens from them and send them tokens to verify you. We never receive your Apple or Google password.
Push notifications — Firebase Cloud Messaging (Google) for cross-platform push delivery.
Crash and performance analytics — anonymised crash reports and performance telemetry.
Moderation tooling — automated image and text moderation services that scan content on upload.
Payment processors — card-handling is delegated to a PCI-compliant processor; we never see raw card numbers.
Law enforcement and regulators — when legally required, or when necessary to prevent imminent harm.

We require all processors to meet UK GDPR / EU GDPR standards via data-processing agreements. We do not sell or rent personal data to advertisers, data brokers, or any third party.

6. How long we keep data

Data type	Retention
Active account data	For as long as your account exists
Deactivated account (partial deletion)	Up to 30 days, then moves to full deletion unless you reactivate
Deleted account — personal identifiers	Purged within 30 days of full-deletion request
Deleted account — legal/financial records	6 years (UK Companies Act / HMRC requirement for transaction records)
Deleted account — messages sent to others	Remain in the recipient's inbox, attributed to "Deleted user". Your identifier is removed.
Content under active moderation or legal hold	Until the investigation closes, then per the row it belongs in
Aggregated, anonymised analytics	Indefinitely — no longer personal data
Device and log data	90 days, then purged or anonymised
Crash reports	90 days

7. Your rights (UK GDPR / EU GDPR)

You have the right to:

Access — request a copy of your personal data.
Rectification — correct inaccurate data. Most profile data can be edited directly in the app.
Erasure — delete your account (see Section 8).
Restriction — ask us to pause processing while we investigate a complaint.
Portability — receive your data in a machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — for any processing based on your consent, at any time.
Lodge a complaint — with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

To exercise any of these rights, email us at neildouglas33@hotmail.co.uk. We respond within 30 days; complex requests may take up to 90 days with notice.

8. Deleting your account

You can delete your Kuwboo account at any time. We offer two options:

Deactivate (partial deletion) — your profile is hidden, messaging and notifications stop, your identity is removed from search and discovery. Your data is retained for up to 30 days so you can reactivate by signing back in. After 30 days, if you haven't signed back in, we proceed to full deletion.
Delete my account (full deletion) — removes your personal data per the retention rules in Section 6. This is not reversible after the 30-day grace period.

Full instructions and the in-app path are on our Delete Account page.

9. Children and age verification

Kuwboo is not for children under 13 (USA, COPPA) or under 16 for certain features in the UK and EU. We apply age assurance per the UK Online Safety Act and the ICO Age Appropriate Design Code:

We ask for date of birth at sign-up.
We may request additional age-estimation signals (e.g., photo-based age estimation) before enabling higher-risk features such as dating, direct messaging with adults, or marketplace transactions.
If we believe a user is under 13, we close the account and delete the data.
Parents or guardians who believe their child has an account can email neildouglas33@hotmail.co.uk and we will delete it within 14 days.

10. US state privacy rights

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or other US states with comprehensive privacy laws, you have rights similar to those in Section 7: to know what we collect, to delete it, to correct it, to receive a copy, and to opt out of any sale or sharing for targeted advertising. We do not sell personal data and do not share it for cross-context behavioural advertising.

If you are a resident of Illinois and you opt in to photo-based verification, you are consenting to the collection and use of biometric-derived data under the Illinois Biometric Information Privacy Act (BIPA). Biometric templates are deleted within 3 years of your last login or when you delete your account, whichever is sooner. You may revoke this consent at any time in the app settings or by emailing us.

To exercise US rights, email neildouglas33@hotmail.co.uk. We verify your identity before acting on the request.

11. Security

We protect your data with TLS in transit, encryption at rest (AES-256), scoped-access credentials managed in AWS Secrets Manager, and least-privilege access controls. Chat messages are transport-encrypted; they are not end-to-end encrypted at this time. No system is perfectly secure — if we ever have a breach that affects you, we will notify you and the ICO as required by UK GDPR (within 72 hours).

12. International transfers

Our primary data residency is the United Kingdom (AWS eu-west-2, London). Some processors (e.g., Apple, Google, Firebase) may process data in the United States. We rely on UK International Data Transfer Agreements and EU Standard Contractual Clauses for these transfers, together with the provider's own safeguards.

13. Contact

Guess This Ltd
Email: neildouglas33@hotmail.co.uk
Data Protection Officer enquiries: same email, subject line "DPO".

For complaints you can also contact the UK Information Commissioner's Office: ico.org.uk/make-a-complaint.

14. Changes to this policy

We may update this policy from time to time. If we make a change that materially affects your rights, we will notify you in the app and by email. The "Last updated" date at the top of this page always shows the current version. Previous versions are available on request.