PRIVACY POLICY

Last updated: 2 May 2026

1. DATA CONTROLLERS The data controllers are: Simone Copetti, Andrea Citton, Bernardo Andrea Cecchini, Matteo Bertini. Privacy email: privacy@spaceeapp.com

The controllers act as joint controllers pursuant to Art. 26 GDPR. No DPO has been appointed.

2. DATA WE COLLECT

Data you provide: • Email, username and login credentials. • Avatar, bio and profile privacy settings. • Photos, folder covers, comments, internal likes and favourite photos (reposts). • Friend requests, friendships, folder invitations and folder roles.

Data generated by your use: • Content metadata: identifiers, timestamps, file dimensions. • Folder data: members, roles, invite status, share links. • In-app notifications and per-category notification preferences. • Push notification tokens (APNs/FCM).

Data you provide for feedback and support: • App ratings (score, highlights, improvement suggestions). • Bug reports (title, steps to reproduce, expected behaviour, screen). • User reports (reason and optional description).

Technical and local data: • Technical logs and session tokens (SecureStore/Keychain/Keystore). • Local preferences, theme and cache (device-only, cleared on logout). • Photo library, media library, clipboard and share sheet access, if chosen. • Temporary E2E identity credential (password stored in hardware-encrypted secure storage between account creation and email confirmation; automatically deleted at first login).

3. END-TO-END ENCRYPTION (PRIVATE FOLDERS) "Private" folders apply end-to-end encryption (E2E) to photo content: each photo is encrypted on your device before being sent to the server, so the controllers and Supabase cannot access the visual content in plaintext. Only encrypted data and user-wrapped cryptographic keys are stored on the server.

Important: E2E encryption covers photo content only. Metadata (folder name, member list, roles, timestamps, photo titles) are not end-to-end encrypted and remain accessible to the controllers and Supabase for service management purposes.

Cover images: Only explicitly uploaded cover photos (the optional image set as a Space cover) are not end-to-end encrypted and are stored in plaintext on the server. When no explicit cover is set, the app displays recent encrypted photos from the folder as card previews on the home screen — those photos remain E2E-protected.

E2E identity setup and email confirmation: Cryptographic identity setup (keypair generation) is deferred to your first login after email confirmation, not performed at registration. Between account creation and email confirmation, the credentials required for key derivation are temporarily stored in the device's hardware-encrypted secure storage (SecureStore / Keychain / Keystore) and permanently deleted as soon as identity setup completes at first login. These credentials are never transmitted to the server in plaintext.

Password reset: Resetting your password generates an entirely new E2E keypair. The previous private key is irreversibly discarded — the controllers cannot recover it. All existing private folders become permanently inaccessible. To regain access, the folder owner or an admin must re-invite you so the folder encryption key can be re-wrapped for your new public key.

4. PURPOSES AND LEGAL BASIS • Provide and manage the service: performance of a contract (Art. 6.1.b GDPR). • Feedback, bug reports and moderation: legitimate interest (Art. 6.1.f) and, for explicit feedback, consent (Art. 6.1.a GDPR). • Security and abuse prevention: legitimate interest (Art. 6.1.f GDPR). • Legal obligations: compliance with law (Art. 6.1.c GDPR). • Device features (photo library, push notifications, sharing): consent (Art. 6.1.a GDPR).

5. CONTENT VISIBILITY BETWEEN USERS • Shared folders are visible only to collaborators. • Favourite photos (reposts / "Best Moments") are visible to accepted friends, even if they are not collaborators of the original folder. Internal likes are never visible outside the folder. • Folder share links are multi-use: anyone with the token can join within 7 days of creation.

6. RECIPIENTS AND PROVIDERS • Authorised staff of the controllers. • Supabase Inc. (database, authentication, storage) — servers in Ireland (EU). • Expo Inc. (app distribution, push notifications). • Public authorities where required by law. We do not sell personal data. Full processor list available at: privacy@spaceeapp.com

7. TRANSFERS OUTSIDE THE EEA Supabase servers are in Ireland (EU). Expo's push service may involve transfers to the USA; GDPR safeguards apply (Standard Contractual Clauses).

8. RETENTION • Account/profile: until account deletion. • Content in shared folders: on account deletion, author references are anonymised (not the content itself), to preserve the integrity of shared content. Content in folders where you are the sole member is permanently deleted. • Folders in the bin: up to 30 days. • Push tokens: for the duration of the active session. • Feedback and reports: for the time needed for review. • Technical logs: as long as strictly necessary.

9. SECURITY We apply: authentication and session management; secure device storage for tokens; Row Level Security; time-limited signed URLs; E2E encryption of photo content in private folders; temporary E2E identity credentials stored exclusively in hardware-encrypted device storage (SecureStore / Keychain / Keystore) and automatically deleted at first login after email confirmation. No system can guarantee absolute security; we apply risk-appropriate measures.

10. YOUR RIGHTS You may exercise your rights to: access, rectification, erasure, restriction, objection, portability and withdrawal of consent. You may also lodge a complaint with the competent data protection authority. Contact: privacy@spaceeapp.com

11. MINORS The service is not intended for users under 14 years of age. For users in countries with a higher age threshold, or for users under 14, processing is lawful only with parental consent.

12. CHANGES We may update this policy. Material changes will be notified via the app.

13. CONTACT Email: privacy@spaceeapp.com Controllers: Simone Copetti, Andrea Citton, Bernardo Andrea Cecchini, Matteo Bertini