Privacy Policy

Effective: December 18, 2025 | Last updated: March 17, 2026

Welcome to Currot ("we," "our," or "us"), a service owned and operated by Eliary Inc. We respect your privacy and are committed to protecting your personal data. We only collect data that is necessary for the purposes described in this policy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "Service"). Currot is a mobile-only application and is not available as a web service or desktop application.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when using our Service:

• Account Information: Username, phone number (required for account creation), date of birth, email address (optional), and profile information
• Date of Birth: For age verification, safety measures for users under 18, and legal compliance
• User Content: Photos, messages, comments, and other content you create, upload, or share
• Communications: Direct messages and support communications
• Social Connections: Information about your friends, followers, and blocked users

1.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Device Information: Device type, model, OS version, unique device identifiers, mobile carrier, time zone, and language settings
• Usage Data: Features you use, actions you take, time and duration of activities, content you view, search queries
• Log Data: IP address, access times, pages viewed, app crashes, and system activity
• Clipboard Data: We may read your device clipboard to detect invitation codes when you interact with the invitation input field. Clipboard data is only accessed in user-initiated contexts and is not stored

1.3 Firebase and Google Cloud Services

We use Google Firebase and Google Cloud Platform services:

• Firebase Analytics: App usage events and user engagement metrics
• Firebase Crashlytics: Crash logs and error reports
• Firebase Cloud Messaging: Push notification delivery
• Google Cloud Spanner: All user data stored with encryption at rest

Firebase Analytics and Crashlytics are integrated in the mobile application client. These services collect data directly from your device — our backend servers do not access this data.

2. Your Social Profile and Public Information

2.1 Public Profile Information

The following is visible to other Currot users:

• Username: Your unique @username is always public
• Profile Picture: Visible to anyone who can see your profile
• Display Name and Bio: Your chosen name and description
• Follower/Following Counts
• Public Posts: Content you choose to share publicly

2.2 Private Profile Information

The following is NOT visible to other users:

• Your email address
• Your phone number
• Your date of birth
• Your device information

3. Content You Share

3.1 Content Visibility

• Public Content: Visible to all users and automatically reviewed by our admin team
• Direct Messages: Visible only to you and recipients

3.2 Admin Access to Public Content

All public content is automatically visible to administrators for moderation. Our admin team may review, delete, or take action on content that violates guidelines.

3.3 Content That Was Previously Public

If you delete content that was previously public, our moderation team retains the right to investigate and take action based on that content during the retention period (see Section 7).

4. Social Interactions and Connections

4.1 Engagement Data

We collect information about how you interact with others:

• Who you follow and who follows you
• Posts you like, comment on, or share
• Users you block
• Content and users you report

4.2 Message Security

• Encryption in Transit: All messages encrypted using TLS 1.3
• Encryption at Rest: Messages stored with Google Cloud encryption
• Not End-to-End Encrypted: Messages can be accessed on our servers when necessary

4.3 Admin Access to Messages

Authorized administrators can access message content only under specific circumstances:

• Legal Requirements: When required by law or valid legal process
• User Reports: When a message is reported for policy violations
• Protection of Minors: When reviewing communications to protect users under 18
• Safety Investigations: When investigating threats to user safety

Message review is conducted upon report, investigation, or legal request. Review may include messages between adults and minors, and messages between minors. Automated content scanning is not currently employed; review is initiated by user reports or safety investigations.

4.4 Anonymous Asks

When you send an anonymous Ask:

• Recipient View: The recipient cannot see your identity
• Data Retention: We retain your identity as the sender in our systems
• Admin Access: Administrators can identify anonymous Ask senders when required

5. How We Use Your Information

5.1 Providing and Improving the Service

• Create and manage your account
• Enable content creation and sharing
• Develop and test new features, which may include experiments (such as A/B tests) where different users receive different versions of features or content to help us improve the Service
• Apply age-appropriate safety measures

5.2 Safety and Security

• Verify your identity and prevent fraud
• Monitor for unauthorized access
• Enforce Terms of Service and community guidelines
• Apply enhanced safety measures for users under 18
• Analyze interaction patterns to identify potentially harmful behavior
• Review messages to protect minors

5.3 Legal Compliance

• Comply with applicable laws and regulations
• Respond to lawful requests from public authorities
• Establish, exercise, or defend legal claims

5.4 Academic and Safety Research

We may use anonymized and de-identified data for research purposes. All anonymized data has personally identifiable information removed — including names, phone numbers, email addresses, and user-generated content text — and user identifiers are replaced with irreversible cryptographic hashes. This data cannot be used to identify individual users.

5.4.1 General Academic Research

General academic research datasets are limited to data from users aged 18 and older at the time of data extraction. No behavioral, network, or engagement data from users under 18 is included in general academic research datasets.

General academic research use is limited to:

• Analysis of aggregate usage patterns, network structures, and engagement metrics
• Study of platform growth dynamics and community formation
• Analysis of anonymized experimental data, including treatment assignments and outcomes from service experiments (such as A/B tests)
• Publication of research findings in academic papers, conference proceedings, and dissertations
• Collaboration with academic institutions for peer-reviewed research

5.4.2 Child Safety Research

To evaluate and improve our safety measures for users under 18, we may analyze anonymized data that includes users under 18. Child safety research is conducted solely to enhance protections for younger users and is subject to additional safeguards:

• Purpose is strictly limited to evaluating and improving safety measures for users under 18
• Exact ages are replaced with age ranges
• No user-generated content text is included
• All analysis is conducted at the aggregate or pattern level — no individual-level behavioral profiles are created for users under 18
• Published findings contain only aggregate statistics that cannot be used to re-identify any individual
• Data is not shared with external parties except as aggregate, non-re-identifiable statistics in peer-reviewed publications focused on child safety

No individually identifiable information is included in any published research. All published datasets and findings contain only aggregate statistics or data that has been irreversibly anonymized so that no individual user can be re-identified.

5.5 Legal Basis for Processing (EEA/UK)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

• Contract Performance (Article 6(1)(b)): Account creation, login, content sharing, direct messaging, and core Service functionality
• Consent (Article 6(1)(a)): Push notifications
• Legitimate Interest (Article 6(1)(f)): Fraud prevention, spam detection, security monitoring, service improvement, academic research using anonymized data, child safety research using anonymized data, service experiments to improve features, and Firebase Analytics/Crashlytics for app stability and improvement
• Legal Obligation (Article 6(1)(c)): Age verification, minor protection measures, responding to lawful government requests, and data retention required by law
• Vital Interests (Article 6(1)(d)): Emergency situations involving threats to life or safety of users

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights. You have the right to object to processing based on legitimate interest at any time by contacting support@currot.com.

6. Who Can See Your Information

We do not sell your personal information.

6.1 Service Providers

We share information with third-party vendors who process data on our behalf:

• Cloud Hosting and Database: Google Cloud Platform (US)
• Object Storage: Cloudflare R2 (Global)
• Content Delivery: Bunny CDN (Global)
• Phone Verification: Twilio (US)
• Email Delivery: Mailgun (US)
• Analytics: Firebase Analytics (US)
• Push Notifications: Firebase Cloud Messaging (US)
• Crash Reporting: Firebase Crashlytics (US)

We have entered into Data Processing Agreements (DPAs) with all third-party processors to ensure they handle your data in compliance with applicable data protection laws, including GDPR. A full list of sub-processors is available upon request by contacting support@currot.com.

6.2 For Legal Reasons

We may disclose information when required to:

• Comply with law, legal process, or government requests
• Respond to valid subpoenas or court orders
• Enforce our Terms of Service
• Protect rights, property, or safety

We respond to legal requests from government authorities. We do not respond to private parties without valid legal process from a court.

6.3 Academic and Safety Research

Anonymized and de-identified data may be shared with academic researchers or used in published research (see Section 5.4). General academic research datasets are limited to users aged 18 and older. Child safety research data includes aggregate patterns from all users with additional safeguards (see Section 5.4.2). All shared research data:

• Contains no personally identifiable information (names, phone numbers, emails, content text are removed)
• Uses irreversible cryptographic hashing for all user identifiers
• Is limited to network structure, behavioral patterns, aggregate metrics, and anonymized experimental data
• Cannot be used to re-identify individual users

External researchers receiving data must agree to: (a) use data only for stated research purposes, (b) not attempt re-identification, (c) maintain security standards equivalent to ours, and (d) delete data upon completion of the research project.

Research findings may be published in academic journals, conference proceedings, and dissertations. Published results contain only aggregate statistics or irreversibly anonymized data.

7. Content Retention and Deletion

7.1 When You Delete Content

• Immediately removed from public view
• Processed versions retained for up to 90 days
• Backup copies may be retained longer for recovery and legal purposes

7.2 Extended Retention (365+ days)

We may retain data longer in these circumstances:

• Ongoing investigations
• Reported content or accounts
• Suspended or terminated accounts
• Legal preservation requests
• Minor protection matters

7.3 Ask Responses

You may request deletion of your Ask responses by contacting support@currot.com. If your response has already been viewed by others, we will anonymize it (remove your identity) rather than fully delete the content, to maintain conversation integrity. Upon account deletion, all Ask responses are anonymized.

7.4 Retention Schedule by Data Type

We retain different types of data for different periods based on the purpose of collection:

• Account Information (phone, username, email, profile): Duration of account + 30 days after deletion
• User Content (posts, pictures): Duration of account; 90 days after deletion from public view
• Direct Messages: Duration of account; deleted when both parties delete or 90 days after account deletion
• Device Information and Log Data: 90 days from collection
• IP Addresses: 90 days from collection
• Usage and Analytics Data: 12 months from collection
• Anonymous Ask Sender Records: 12 months from submission
• Reported Content and Safety Records: 365 days or longer as required for investigations
• Suspended or Terminated Account Data: 365 days or longer as required by law
• Anonymized Research Data: Retained for the duration of the research project and any required post-publication verification period, in accordance with academic data retention standards. Because this data is irreversibly anonymized, it is no longer personal data and is not subject to individual deletion requests

After the applicable retention period, data is permanently deleted or irreversibly anonymized. Legal obligations or ongoing investigations may require extended retention.

8. Data Security

8.1 Technical Safeguards

• All data encrypted in transit between your device and our servers (TLS 1.3), and at rest via Google Cloud Platform
• Database encryption via Google Cloud Spanner
• Regular security audits
• JWT token-based authentication

8.2 Organizational Safeguards

• Access controls limiting data access to authorized personnel

While we strive to protect your information, no method of transmission over the Internet is 100% secure.

8.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

9. Your Privacy Rights and Controls

9.1 Privacy Controls

• Blocking: Block users you don't want to interact with
• Download Your Data: Request a copy of your data by emailing support@currot.com
• Research Opt-Out: You may opt out of having your data included in future anonymized research datasets by contacting support@currot.com. Data already anonymized and included in published research cannot be retroactively removed, as it is no longer identifiable

9.2 Your Legal Rights

Depending on your location, you may have these rights:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to retention policies)
• Portability: Receive your data in a structured format
• Objection: Object to certain processing
• Withdraw Consent: Withdraw consent where processing is based on consent (for push notifications, use your device settings; for other matters, contact support@currot.com)

To exercise these rights, contact support@currot.com. We will respond within 30 days.

10-11. California (CCPA) and European (GDPR) Privacy Rights

California residents have rights under CCPA: right to know, delete, correct, opt-out of sale/sharing (we do not sell data), and non-discrimination.

European residents have rights under GDPR: access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making.

Automated Processing

We use rate limiting to protect the Service from abuse. This may temporarily restrict your ability to perform certain actions (e.g., sending messages, creating content) if usage thresholds are exceeded. Content moderation and account enforcement decisions are made by human administrators, not automated systems.

If we introduce automated decision-making that significantly affects you in the future, we will update this policy and notify you. You may contact support@currot.com with questions about how your data is processed.

Eliary Inc. is the data controller. Contact us at support@currot.com.

EU Representative: As our EU user base grows, we will designate a representative in the European Union in accordance with Article 27 of the GDPR. Until a representative is appointed, all data protection inquiries can be directed to support@currot.com.

You may lodge a complaint with a supervisory authority in your country if you believe we've violated applicable law.

12. Children's Privacy

Currot is not intended for children under the minimum age required by their jurisdiction. We do not knowingly collect information from underage children.

12.1 Minimum Age by Jurisdiction

• Default: 13 years old
• European Economic Area (EEA): 16 years old (varies by country, minimum 13)
• South Korea: 14 years old
• Other Jurisdictions: As required by local law

12.2 Enhanced Safety for Users Under 18

• Feature Restrictions: Certain features may be limited
• Enhanced Content Moderation
• Active Interaction Monitoring
• Message Review: Communications involving minors may be reviewed

12.3 Monitoring Adult-Minor Interactions

We may analyze interaction patterns between adults and users under 18. Adult accounts contacting multiple minors may be restricted, suspended, or terminated. Records may be retained for 365+ days and reported to authorities where permitted.

If you're a parent and believe your underage child has an account, contact safety@currot.com immediately.

12.4 Anonymized Data for Safety Research

To evaluate and improve our safety measures for users under 18, we may use anonymized aggregate data as described in Section 5.4.2. This research is conducted solely to enhance protections for younger users and is subject to additional safeguards, including the use of age ranges instead of exact ages and analysis at the aggregate level only.

13-17. Cookies, International Transfers, Third-Party Services, Changes, Contact

As a mobile app, we use mobile tracking technologies (device identifiers, SDKs) rather than cookies. You can control tracking through device settings.

Your data may be transferred to and processed in the United States and other countries where our service providers operate (see Section 6.1 for locations). For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, and other approved transfer mechanisms to ensure adequate protection of your data.

We use Google Cloud Platform, Firebase, Twilio, Mailgun, Cloudflare, and Bunny CDN as third-party services. Their privacy policies apply to their processing.

We may update this Privacy Policy. Material changes will be notified through the app.

Contact

Eliary Inc. (operating as Currot)

1111B S Governors Ave, STE 37260, Dover, DE 19904, US

• Support: support@currot.com

We aim to respond to all inquiries within 30 days.