Privacy Policy

1. Data Controller

The data controller responsible for your personal data is thejudgy.app, operated from Amsterdam, the Netherlands. Contact: hello@thejudgy.app

2. Data We Collect

We collect the following categories of personal data:

• Account data: Email address and name provided via Google Authentication (OAuth 2.0).
• Profile data: Your chosen username, bio, and avatar (randomly generated for anonymity by default).
• User-generated content: Disputes, comments, votes, and evidence images you submit.
• Direct messages: Content of private messages exchanged between mutually-following users. To initiate or receive a direct message, both users must follow each other — this requirement is enforced at the technical level and cannot be circumvented. Messages are stored in our database and are only accessible to the two participants of a conversation. Message content is never transmitted to AI systems or third parties. You may delete a conversation at any time, which permanently and irreversibly removes all messages in it for both participants.
• Social graph data: Follow and unfollow relationships between user accounts (i.e., which accounts you follow and which accounts follow you). Follower and following counts are publicly visible on user profiles. When you follow a user, they receive a notification. Mutual follow status determines eligibility to send and receive direct messages.
• Notification data: Records of in-app notification events triggered by platform activity (e.g., new messages, votes, comments). These are stored per-user and deleted upon being marked as read or upon account deletion.
• Payment data: Token purchase records. Payment card data is processed exclusively by our payment provider (DodoPayments) and is never stored on our servers.
• Usage data: Basic session activity (pages visited, actions taken) for security and performance purposes. We do not use third-party analytics trackers.
• Technical data: IP address (for abuse prevention), browser type, and session cookies (essential only).

3. Legal Basis for Processing (GDPR Art. 6)

We process your data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing your account, content submissions, and votes is necessary to provide the service you signed up for.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, platform abuse detection, and improving the service.
• Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by Dutch fiscal and accounting regulations.
• Consent (Art. 6(1)(a)): Processing your content through AI systems (OpenAI) to generate verdicts. You consent to this when submitting a dispute.

4. How We Use Your Data

• Providing and maintaining user accounts and platform functionality
• Generating AI-powered verdicts for submitted disputes
• Processing token purchases and maintaining payment records
• Delivering direct messages between mutually-following users
• Maintaining follow/follower relationships to enable social features (DMs, profile discovery)
• Generating and delivering in-app notifications for relevant platform activity
• Enforcing community guidelines and preventing abuse (including misuse of the messaging system)
• Communicating essential service updates
• Complying with legal and regulatory obligations

5. Third-Party Data Processors

We share data with the following trusted third-party processors, each bound by data processing agreements and GDPR-compliant safeguards:

• Supabase (Supabase Inc., EU region servers): Our database and authentication provider. Stores your account data, content, and votes. Data is stored in EU data centers.
  Supabase Privacy Policy →
• OpenAI (OpenAI, L.L.C., USA): Used to generate AI verdicts. Dispute content and descriptions are transmitted to OpenAI's API. OpenAI is a third-country recipient (USA). Transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46.
  OpenAI Privacy Policy →
• DodoPayments (payment processor): Handles all token purchase transactions. We never process or store payment card data directly.
  DodoPayments Privacy Policy →
• Google LLC (Google Auth / OAuth 2.0): Used for account authentication. Your Google account email and name are shared with us upon login.
  Google Privacy Policy →

International transfers: OpenAI is based in the USA. Data transfers to OpenAI are governed by Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c), ensuring an adequate level of protection.

6. Data Retention

• Account data: Retained for the duration of your account and up to 30 days after deletion request.
• User content (disputes, comments, votes): Retained while the platform is active. Anonymized or deleted upon verified account deletion request.
• Direct messages: Retained until either participant deletes the conversation, or upon account deletion. Deleting a conversation permanently removes all its messages for both participants.
• Follow relationships: Retained until the user unfollows the other account, or upon account deletion.
• Notifications: Retained until marked as read or upon account deletion, whichever comes first.
• Payment records: Retained for 7 years in accordance with Dutch accounting law (Burgerlijk Wetboek, Boek 2, Art. 10).
• Session & security logs: Retained for up to 90 days for abuse prevention purposes.

7. Cookies

We use only essential cookies required for authentication (Supabase session tokens) and security. We do not use marketing, tracking, or third-party advertising cookies. No cookie consent banner is required under the Dutch Telecommunications Act (Telecommunicatiewet) for essential-only cookies.

8. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure / "Right to be forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to restriction of processing (Art. 18): Request we limit how we use your data while a dispute is resolved.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): Withdraw consent for AI processing at any time (note: this will prevent verdict generation on future disputes).

To exercise any of these rights, email hello@thejudgy.app. We will respond within 30 days as required by GDPR Art. 12.

You also have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens (AP) at autoriteitpersoonsgegevens.nl.

9. Data Security

We implement appropriate technical and organizational security measures including TLS encryption in transit, row-level security (RLS) in our database, hashed authentication tokens, and access control policies. No system is 100% secure; in the event of a personal data breach that poses a risk to your rights, we will notify you and the Autoriteit Persoonsgegevens within 72 hours as required by GDPR Art. 33.

10. Children's Privacy

Judgyapp is not directed at individuals under the age of 16. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us immediately at hello@thejudgy.app and we will promptly delete it.

11. Changes to This Policy

We may update this policy to reflect changes in law or our practices. Material changes will be communicated via email or prominent in-app notice at least 14 days before taking effect. The "Last updated" date at the top will always reflect the most recent revision.

12. Contact

Data protection inquiries, access requests, or complaints:
hello@thejudgy.app
thejudgy.app, Amsterdam, Netherlands, European Union