# Shelfd Privacy Policy This Privacy Policy explains how **Shelfd** collects, uses, stores, shares, and protects information when you use the Shelfd app, website, and related services (collectively, the "Service"). By using Shelfd, you agree to this Privacy Policy. This Policy applies to all users worldwide, regardless of country, state, province, or territory of residence. Where local law grants you additional non-waivable rights, those rights continue to apply. --- ## 1. Information We Collect Shelfd collects the following categories of information. ### Account Information When you sign in with email and password, Sign in with Apple, or Sign in with Google, we may receive or store: - Email address (or Apple-provided private relay email) - Display name - Profile photo (when provided by you or your sign-in provider) - Authentication identifier (Firebase UID) - Sign-in provider type (email, Apple, Google) - Account creation date and last-sign-in timestamps ### Profile Information You may choose to provide: - Display name and nickname - Profile picture - Bio - Linked social profiles (Instagram, X, Letterboxd, IMDb, Spotify, Apple Music, YouTube, Steam, etc.) - Display preferences (theme, rating scale, anime title language) - Profile showcase favorites - Custom Top 3 character cards - Public profile visibility settings ### Media Tracking Information Shelfd stores information you create about media, including: - Movies, TV shows, anime, manga, books, video games, and music in your shelves - Ratings (0.5–5 stars, half-step) - Watch / play / read / listen status (watching, watched, paused, planned, dropped, etc.) - Episode and season progress - Track ratings, favorite tracks, and album reviews - Personal reviews and review text - Comments on titles - Tier list placements - Imported titles or progress data from Steam, Letterboxd, IMDb, MyAnimeList, AniList, Backloggd, and similar services - Tags, notes, and list organization ### Social and Community Information Shelfd stores: - Friend requests, friends, and mutual connections - Public reviews, comments, and replies - Direct messages and message requests - Activity feed events (added to shelf, rated, watched, completed, etc.) - Watch Together / shared session data - Reports you submit about other users or content - Users you have blocked - Push notification tokens (for activity and message alerts) ### Technical and Usage Information We may collect: - Device type and model - Operating system and version - Browser type and version (web users) - App version - IP address (used transiently for security and routing) - Login and session timestamps - Error logs and crash reports - Performance and load timing - Basic usage activity (which pages opened, which sections used) - Service worker / cache state - Capacitor / native platform identifiers (iOS / Android) ### Cookies, Local Storage, and Device Storage Shelfd uses cookies, `localStorage`, `IndexedDB`, and similar technologies to: - Keep you signed in - Save preferences (theme, rating scale, terms agreement) - Cache app shell for fast loading and offline support (service worker / PWA) - Improve performance - Prevent fraud, spam, and abuse - Maintain security You can clear cookies and local storage through your browser or device settings, but some features may stop working correctly. --- ## 2. How We Use Information Shelfd uses information to: - Create and manage your account - Authenticate you (email/password, Apple, Google) - Let you track media, games, books, ratings, and progress - Display your profile, lists, comments, ratings, and activity - Power friend, social, activity feed, and direct messaging features - Save preferences and app settings - Process imports and match titles to media metadata - Display posters, covers, trailers, descriptions, and third-party metadata - Send push notifications (when you have opted in) for friend activity, replies, comments, and direct messages - Debug errors and improve performance - Prevent spam, abuse, fraud, and security threats - Moderate content (including reports submitted by users) - Enforce these Terms of Service - Respond to support, privacy, and deletion requests - Comply with legal obligations --- ## 3. Legal Bases for Processing (EU/UK/EEA) Where required by law, Shelfd processes personal information based on one or more of the following legal bases: - Your consent - Performance of a contract with you (providing the Service you signed up for) - Legitimate interests, such as operating, improving, securing, and protecting Shelfd - Legal compliance - Protection of users, Shelfd, or the public --- ## 4. Public and Social Visibility Shelfd is social by design. Depending on your settings and the feature used, other users may see: - Your display name and profile picture - Your bio and linked social profiles - Your ratings, reviews, comments, and tier lists - Your shelves and progress (when visible) - Activity feed items (added to shelf, rated, completed, etc.) - Friend-related activity Some features are private or restricted by default (direct messages, blocked users, account settings). However, no online privacy setting is guaranteed perfect. Do not post or share anything you would not want others to see. --- ## 5. Direct Messages Direct messages are stored on our servers so the messaging feature can function across your devices. Shelfd may access, review, restrict, or remove messages when necessary for safety, abuse prevention, moderation, technical support, legal compliance, or enforcement of these Terms. --- ## 6. Reports, Blocks, and Content Moderation When you submit a report about another user or piece of content, we store: - Your user ID (the reporter) - The reported user's ID and the content type (review, message, etc.) - The content identifier - The reason you selected (Spam, Offensive content, Harassment, Other) - A timestamp When you block another user, we store the blocked user's UID in your account record so the activity feed and DM system can filter accordingly. We use this information to review reports within 24 hours, take action on confirmed violations, and protect users from abuse. --- ## 7. Third-Party Services Shelfd uses third-party services to operate, including: - **Firebase (Google)** — authentication, Firestore database, storage, push notifications - **Cloudflare** — hosting, Workers, edge security, image and asset delivery - **Apple** — Sign in with Apple, App Store distribution, push notifications (APNs) - **Google** — Sign in with Google, Google Identity Services - **TMDB, OMDb, IMDb (via OMDb)** — movie and TV metadata, posters, ratings - **IGDB / Twitch** — video game metadata, covers, screenshots - **RAWG** — supplementary game data - **Trakt** — TV show progress and import support - **AniList / Jikan (MyAnimeList)** — anime and manga metadata - **Deezer** — music metadata and previews - **Steam (via OpenID)** — Steam library import (optional) - **Tavily** — image search for character cards - **YouTube** — trailer embeds These services may process information according to their own privacy policies and terms. Shelfd does not control third-party services, websites, APIs, or platforms. --- ## 8. Apple User Data If you sign in with Apple, Shelfd uses Apple account information only to: - Authenticate your account - Identify you in the app - Display your name (if shared) on your profile - Operate Shelfd features If you use Apple's private email relay, we never see your real email. We comply with Apple's Sign in with Apple guidelines and do not use Apple user data for advertising. --- ## 9. Google User Data If you sign in with Google, Shelfd uses Google account information only to: - Authenticate your account - Identify you in the app - Display your profile information - Operate Shelfd features Shelfd does not sell Google user data, does not use it for unrelated advertising, and does not transfer it except as necessary to operate the app, comply with law, protect users, or with your consent. --- ## 10. How We Share Information Shelfd does not sell your personal information. Shelfd may share information only when needed to: - Operate the app through service providers (Firebase, Cloudflare, Apple APNs) - Display public, social, friend, or messaging features (e.g., your username appears in another user's activity feed) - Comply with laws, legal requests, court orders, or subpoenas - Protect Shelfd, users, or the public - Investigate abuse, spam, fraud, security incidents, or Terms violations - Complete a business transfer, merger, restructuring, or similar event, if applicable --- ## 11. Sale, Sharing, and Targeted Advertising Shelfd does not currently sell personal information. Shelfd does not currently share personal information for cross-context behavioral advertising or targeted advertising. Shelfd does not engage in profiling or automated decision-making that produces legal or similarly significant effects. If Shelfd ever adds advertising, analytics partners, or data-sharing practices that legally require opt-out rights, this Privacy Policy will be updated and applicable opt-out tools will be provided. --- ## 12. Push Notifications If you enable push notifications, Shelfd stores your Apple Push Notification service (APNs) device token so we can send you: - Activity notifications (friend activity, completed titles, etc.) - Comment replies - Direct messages and message requests - Friend requests You can disable push notifications at any time in your device's system settings. --- ## 13. Data Retention Shelfd keeps information for as long as needed to: - Provide the Service - Maintain your account - Operate social and tracking features - Resolve disputes - Enforce Terms - Prevent abuse - Maintain security - Comply with legal obligations When you delete your account via **Profile → Settings → Account → Delete Account**, your Shelfd profile document and associated personal data are removed from our active systems. Some information may remain for a limited time in encrypted backups, security logs, moderation records, legal records, cached data, or where another user's content or activity already includes it (for example, a direct message you sent to another user remains in their inbox). --- ## 14. Security Shelfd uses reasonable technical and organizational safeguards to help protect user information, including: - HTTPS / TLS encryption in transit - Encrypted storage at rest via Firebase and Cloudflare - Firebase Authentication for password security - Firestore security rules to enforce per-user data access - Server-side validation for sensitive operations However, no website, app, database, or internet transmission is completely secure. You use Shelfd at your own risk. --- ## 15. International Data Transfers Shelfd may be accessed from any country. Your information may be processed in the United States and other countries where Shelfd's service providers operate (Firebase data centers, Cloudflare global edge network, Apple APNs servers). By using Shelfd, you understand that your information may be transferred to and processed in countries that may have different privacy laws than your country. Where required for users in the European Union, United Kingdom, or European Economic Area, we rely on Standard Contractual Clauses or equivalent legal mechanisms approved by relevant data protection authorities for international transfers. --- ## 16. Your Privacy Rights Depending on where you live, you may have rights to: - Access the personal information we have about you - Request correction of inaccurate information - Request deletion of your information (you can also do this yourself in-app) - Request a copy of your information (data portability) - Object to or restrict certain processing - Withdraw consent where processing is based on consent - Opt out of sale, sharing, targeted advertising, or certain profiling where applicable - Appeal a denied privacy request where required by law - Not be discriminated against for exercising privacy rights To make a privacy request, contact: **Shelfd@proton.me** We may need to verify your identity before completing a request. --- ## 17. California Privacy Notice (CCPA/CPRA) If you are a California resident, you have rights under California privacy law, including: - Right to know what personal information we collect and how it is used - Right to access your personal information - Right to delete your personal information - Right to correct inaccurate personal information - Right to opt out of the sale or sharing of personal information - Right to limit the use of sensitive personal information - Right to not be discriminated against for exercising your rights Shelfd does not currently sell personal information. Shelfd does not currently share personal information for cross-context behavioral advertising. To exercise California privacy rights, contact **Shelfd@proton.me**. --- ## 18. U.S. State Privacy Rights Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Nebraska, Rhode Island, and other U.S. states with comprehensive privacy laws may have additional rights, including: - Right to access, delete, correct, and obtain a copy of personal information - Right to opt out of targeted advertising - Right to opt out of sale of personal information - Right to opt out of certain profiling - Right to appeal a privacy decision To exercise these rights, contact **Shelfd@proton.me**. --- ## 19. European Union, United Kingdom, and EEA Rights (GDPR / UK GDPR) If you are in the EU, UK, EEA, Switzerland, or another region with similar privacy laws, you have rights to: - Access your personal data - Rectify inaccurate personal data - Erase personal data ("right to be forgotten") - Restrict processing - Object to processing (including direct marketing) - Data portability - Withdraw consent at any time where processing is based on consent - Lodge a complaint with a supervisory authority (e.g., your national Data Protection Authority) The data controller for the purposes of GDPR is the creator of Shelfd. To exercise these rights, contact **Shelfd@proton.me**. --- ## 20. Brazil Privacy Rights (LGPD) Residents of Brazil have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to confirmation of processing, access, correction, anonymization, blocking, deletion, portability, information about data sharing, and revocation of consent. Contact **Shelfd@proton.me** to exercise these rights. --- ## 21. Canada, Australia, and Other International Rights Residents of Canada (PIPEDA), Australia (Privacy Act), Japan (APPI), South Korea (PIPA), and other jurisdictions with national privacy laws may exercise applicable rights by contacting **Shelfd@proton.me**. --- ## 22. Children's Privacy Shelfd is not intended for children under 13 (or the higher minimum age set by your local law, such as 16 in parts of the European Economic Area). Shelfd does not knowingly collect personal information from children below the applicable minimum age. If we learn that a child below that age has provided personal information, we will take reasonable steps to delete it. Users under 18 (or the age of majority in their jurisdiction) should use Shelfd only with permission from a parent or legal guardian. --- ## 23. Sensitive Information Do not submit sensitive personal information through Shelfd, including government ID numbers, financial account numbers, payment card information, medical information, biometric data, precise geolocation, passwords, or other private personal details. Shelfd is not designed to store sensitive personal information. --- ## 24. Account Deletion You can delete your account at any time directly inside the app: **Profile → Settings → Account → Delete Account** Deletion is one tap and does not require contacting support or sending an email. If you would prefer to delete via email, you can also contact **Shelfd@proton.me**. After deletion, some information may remain where legally allowed or technically necessary, including encrypted backups, security logs, fraud-prevention records, legal records, moderation records, cached data, or content already shared with or visible to other users. --- ## 25. Do Not Track and Global Privacy Controls Some browsers send "Do Not Track" or Global Privacy Control (GPC) signals. Shelfd does not currently sell personal information or share personal information for cross-context behavioral advertising, so these signals have no effect on our current practices. If Shelfd begins using practices that require honoring opt-out signals, this Privacy Policy will be updated and applicable opt-out tools will be provided. --- ## 26. Automated Decision-Making and Profiling Shelfd does not use automated decision-making or profiling that produces legal or similarly significant effects on users. Activity feed ranking, recommendations, and content sorting use simple algorithmic rules (recency, friends list, ratings) and do not involve sensitive automated decision-making. --- ## 27. Apple-Specific Disclosures (App Store) If you use Shelfd on an Apple device: - Shelfd's App Privacy disclosures on the App Store list the categories of data we collect, link those categories to their purposes, and indicate whether the data is linked to your identity. - We do not use App Tracking Transparency for cross-app tracking and do not track you across other apps and websites. - Apple devices may collect anonymous crash and diagnostic reports unless you have opted out in iOS Settings. --- ## 28. Changes to This Privacy Policy Shelfd may update this Privacy Policy from time to time. If changes are material, we will notify users through the app or website. Continuing to use Shelfd after changes means you accept the updated Privacy Policy. --- ## 29. Contact For privacy questions, account deletion, data requests, copyright complaints, or any other concern, contact: **Shelfd@proton.me**