RABBIT HOLE PRIVACY POLICY:
Effective Date: [Insert Full Date in MM/DD/YYYY Format]
Last Updated: [Insert Last Revised Date]
This Privacy Policy ("Policy") governs the collection, use, disclosure, and protection of personal information by Rabbit Hole (the “App”), a proprietary mobile application and digital platform owned and operated by Jordan Kennedy-Smith, d/b/a Rabbit Hole Labs, LLC, an Arizona limited liability company (hereinafter, "Rabbit Hole", "we", "us", or "our").
We are committed to maintaining the confidentiality, integrity, and security of your Personal Information (as defined below) in accordance with applicable U.S. and international data protection laws, including but not limited to the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) (if applicable), the Children’s Online Privacy Protection Act (COPPA), and other relevant privacy regulations.
By accessing or using the App, or by otherwise submitting your personal information to us, you acknowledge that you have read, understood, and agreed to the terms and practices described in this Privacy Policy. If you do not agree with the practices described herein, do not access or use the App.
2. Scope of this Privacy Policy
This Policy applies to:
- All users of the Rabbit Hole App (including both registered and unregistered users);
- Any personal, device, or usage-related information collected, processed, or stored by Rabbit Hole in the course of delivering its services;
- Interactions with our App across all platforms, APIs, and associated third-party services used to support the functionality, personalization, or analytics of the App.
This Policy does not apply to any third-party websites, applications, or services that may be linked to or integrated with Rabbit Hole. We are not responsible for the privacy practices of such third parties, and users are encouraged to review the privacy policies of any external platforms they engage with through the App.
3. Definitions
For purposes of this Privacy Policy, the following definitions shall apply:
“Personal Information” means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a specific individual, including but not limited to names, contact information, location data, unique identifiers, online activity, or behavioral profiles.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
“Data Controller” refers to Rabbit Hole, which determines the purposes and means of processing personal data.
“User” or “Data Subject” refers to any individual who accesses or uses the App and whose Personal Information is collected by Rabbit Hole.
“Device Data” means technical information automatically collected from a user’s mobile device, including IP address, device ID, operating system version, screen resolution, app version, system performance data, and diagnostic logs.
“Usage Data” means anonymized or pseudonymized data collected about how users interact with the App, including but not limited to search queries, filter settings, content viewed, and time spent per session.
1. INFORMATION WE COLLECT
Rabbit Hole ("we," "us," or "our") collects, uses, stores, and processes various categories of personal and non-personal data from users ("you," "your") of the Rabbit Hole application ("App"). The categories and scope of data collected are outlined below and are essential for the proper functioning, customization, analytics, and security of the App and its related services.
1.1 Personal Identification Information
We may collect personally identifiable information ("PII") that you voluntarily provide when registering an account, updating your profile, or interacting with certain features within the App. This includes, but is not limited to:
- Full legal name
- Username and display name
- Email address
- Mobile phone number
- Date of birth (for age verification and legal compliance, e.g., COPPA, GDPR age limits)
- Gender identity and/or pronouns (optional, for personalization)
- Personal preferences, such as content preferences, communication settings, and visibility settings.
Legal Basis: Consent (GDPR Art. 6(1)(a)), Contract performance (Art. 6(1)(b)), and Legitimate interests (Art. 6(1)(f)).
1.2 Profile & User-Generated Content
You may choose to provide or create additional content within the App that becomes associated with your account or visible to other users:
- Uploaded profile photographs, gallery images, and video snippets
- Biography or descriptive text
- Hashtags, filters, interest tags, or personality badges
- Direct messages, comments, likes, matches, and engagement history
- In-app posts, reactions, or story-like features.
This content may be stored on our servers and may be processed using automated systems for moderation, personalization, or recommendation algorithms.
Note: You control what content you upload. However, we reserve the right to remove content that violates our Community Guidelines or Terms of Use.
1.3 Device, System & Usage Information
To optimize platform functionality, security, and user experience, we automatically collect information about the devices and technology you use to access the App:
- Unique Device Identifiers (e.g., UUID, IMEI, advertising ID)
- Device hardware and operating system (iOS, Android, version number)
- Browser type and settings (if applicable)
- App version, language preferences, and screen resolution
- Log data including session durations, app open/close times, crash reports
- IP address, network carrier, connection type (Wi-Fi/cellular)
- Cookies, pixel tags, and similar tracking technologies (subject to consent where required)
Usage Analytics: We may use tools such as Firebase Analytics, Mixpanel, or similar SDKs to generate aggregate insights and metrics.
1.4 Location Data
If and only if you grant express permission via your device settings or in-app prompts, we may collect, store, and process your location information for the following purposes:
- Matching or discovery features based on proximity
- Location-based filtering (e.g., show users within a 10-mile radius)
- City-level data for market research and demographic reporting
- Geofencing features (e.g., local events, regional content moderation)
Location data may be collected using GPS, Wi-Fi triangulation, Bluetooth beacons, or IP address approximation.
Note: You may revoke location access at any time via device-level settings.
1.5 Payment & Transaction Data
For users who purchase subscriptions, credits, or other premium features, we collect transactional data as follows:
- Transaction amount, currency, timestamp, and status
- Billing identifiers or subscription receipts
- Payment method (e.g., credit card, Apple Pay, Google Pay)
- Third-party payment processor references (e.g., Stripe, Paddle)
Important: We do not store full credit card or debit card numbers. All payment data is securely transmitted to and processed by our integrated third-party payment gateways, each of which is PCI-DSS compliant.
1.6 Inferred and Derived Data
We may use machine learning models, analytics tools, and behavioral patterns to infer preferences, engagement levels, or potential matches. These may include:
- Personality traits based on interaction behavior
- Predicted preferences based on swipe patterns or dwell time
- Content performance metrics (e.g., engagement per photo)
Such data helps us improve user experience and provide relevant content recommendations.
1.7 Communication Data
When you interact with us directly — for example, by contacting support, reporting a user, or submitting feedback — we may collect:
- Communication content and metadata
- Contact information (email, phone, app ID)
- Support tickets, resolution notes, and timestamps
These communications may be recorded for quality assurance, dispute resolution, and legal compliance.
1.8 Legal and Compliance Data
We may retain information that is required under applicable laws or regulations, including:
- Data necessary for verifying age and legal eligibility
- Audit logs for compliance with GDPR, CCPA, and COPPA
- Records of user consent for data processing activities
- Law enforcement or legal process requests (retained as required)
⚠️ Sensitive Data Disclosure
We do not intentionally collect or process sensitive data (e.g., health information, biometric data, political opinions, religious beliefs) unless required by law or explicitly provided by the user with their express consent.
If you voluntarily include sensitive data in your profile or communications, you acknowledge that you have no reasonable expectation of privacy regarding that specific data as it pertains to other users’ viewing permissions.
2. HOW WE USE YOUR INFORMATION
Rabbit Hole (“we”, “our”, or “us”) may use, process, and retain the personal data and other information we collect about you, as outlined in Section 1, for the following legally permissible and commercially justified purposes:
2.1 Account Registration and Identity Verification
We use Personal Identification Information (as defined in Section 1.1) to:
- Register and authenticate your user account;
- Verify your age and eligibility for lawful use under applicable jurisdictional laws, including age-related access restrictions (e.g., COPPA, GDPR Art. 8);
- Enforce our Terms of Service, Community Guidelines, and other applicable agreements.
2.2 Provision and Enhancement of Core Services
We use your data to:
- Operate the Rabbit Hole mobile application and provide core matchmaking functionality based on your stated preferences and interactions;
- Deliver personalized content, features, and recommendations derived from your behavioral data, profile inputs, geolocation, and hashtags;
- Improve algorithmic matchmaking using behavioral analytics and machine learning models;
- Maintain continuity of service, including secure authentication and session retention across devices.
2.3 Communication and Notifications
We may use your contact and interaction data to:
- Send service-related messages, such as account changes, password resets, transaction confirmations, or customer support replies;
- Deliver marketing communications and promotional offers, where permitted by law and with opt-in consent as required under GDPR/CCPA;
- Notify you of updates to the App, features, terms, or this Policy.
2.4 Security, Fraud Prevention, and Integrity Enforcement
We process usage and technical information (as defined in Section 1.3) to:
- Detect, investigate, and mitigate fraudulent, abusive, or unauthorized activity;
- Protect the rights, safety, and property of Rabbit Hole users, staff, partners, and the general public;
- Enforce the integrity of our platform, including user report investigations and moderation systems;
- Comply with app store policies (Apple/Google) and security frameworks such as OWASP Mobile Top 10.
2.5 Analytics, Performance Monitoring, and Product Development
We use non-identifiable aggregated data and anonymized metadata to:
- Analyze user behavior, platform performance, and feature engagement to inform product strategy;
- Perform A/B testing and usability assessments;
- Evaluate marketing effectiveness and optimize campaign targeting;
- Develop new services, features, or integrations.
2.6 Legal Compliance and Regulatory Cooperation
We may process your personal data where required to:
- Respond to subpoenas, court orders, legal processes, or regulatory requests;
- Comply with statutory obligations under the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and other relevant privacy laws;
- Enforce our rights under this Policy or other agreements.
2.7 Data Retention and Business Continuity
Your information may be retained:
- For the duration of your use of the App and for a reasonable period thereafter in accordance with our Data Retention Policy;
- As necessary to fulfill legal, contractual, or operational requirements including audit, dispute resolution, or system backup and recovery purposes.
3. LEGAL BASES FOR PROCESSING PERSONAL DATA (Applicable to Users Located in the European Union and European Economic Area)
For users who are natural persons located within the European Union (EU) or European Economic Area (EEA), Rabbit Hole processes personal data in compliance with Regulation (EU) 2016/679, commonly referred to as the General Data Protection Regulation (“GDPR”). In accordance with Articles 6 and 7 of the GDPR, Rabbit Hole shall collect, store, and otherwise process personal data solely where a lawful basis exists, as described below:
3.1 Consent (Article 6(1)(a) GDPR)
We may process personal data where you have freely given explicit, informed, and unambiguous consent for one or more specific purposes. This includes, but is not limited to:
- Enabling location-based functionalities, proximity-matching, or discovery features;
- Utilizing tracking technologies (e.g., cookies, pixels, SDKs) for analytics, advertising, or personalization;
- Distributing marketing communications including newsletters, offers, event announcements, or promotional alerts;
- Permitting user-generated content such as photos, bios, hashtags, and social engagement to be displayed, shared, or curated on the platform;
- Any biometric or sensitive data processing, where applicable.
You may withdraw your consent at any time by modifying your preferences in the App’s Privacy Settings or by contacting us directly at [Insert Contact Email], without affecting the lawfulness of processing based on consent before its withdrawal.
3.2 Contractual Necessity (Article 6(1)(b) GDPR)
We process your personal data when it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. Examples include:
- Creation and management of your user account;
- Provision of the core Rabbit Hole services, including algorithmic matching, content curation, and interaction facilitation;
- Enabling in-app purchases or subscription features via authorized payment processors;
- Delivery of technical support, product updates, and user-requested communications.
Refusal to provide certain data may limit our ability to offer the full functionality of the App.
3.3 Compliance with a Legal Obligation (Article 6(1)(c) GDPR)
We may process your personal data where it is required for compliance with a legal obligation to which Rabbit Hole is subject, including:
- Maintenance of transactional records and data logs as required by applicable tax, financial, or telecommunications laws;
- Responding to lawful requests by public authorities, including courts or data protection agencies;
- Ensuring compliance with age verification, COPPA, or data localization requirements, where legally mandated;
- Documenting data subject requests (e.g., access, erasure, rectification) under GDPR Articles 15–22.
3.4 Legitimate Interests (Article 6(1)(f) GDPR)
We may process personal data where it is necessary for the purposes of our legitimate interests or those of a third party, provided such interests are not overridden by your fundamental rights or freedoms. These interests include:
- Enhancing platform security, fraud prevention, and abuse detection;
- Conducting analytics and algorithmic optimization to improve performance and personalization;
- Enforcing our contractual rights, Terms of Use, and community guidelines;
- Facilitating business operations, such as mergers, acquisitions, funding, or internal reorganizations;
- Exercising or defending legal claims or regulatory compliance obligations.
In all such cases, we perform a documented legitimate interest assessment (LIA) to ensure proportionality and necessity.
3.5 Special Categories of Data (Article 9 GDPR)
Where we process data that qualifies as a “special category of personal data” (e.g., data revealing racial or ethnic origin, political opinions, biometric data, or health status), we will only do so where:
- Explicit consent has been obtained (Article 9(2)(a)); or
- The processing is otherwise specifically authorized under one of the lawful exceptions in Article 9(2) GDPR.
4. SHARING OF YOUR INFORMATION
4.1 User-Directed Sharing and Visibility Settings
Subject to your selected privacy and visibility preferences configured within the App, we may make certain categories of your information—including your profile data, activity content, or interaction history—available to other registered users of Rabbit Hole for the purposes of enabling core functionalities such as social matching, content discovery, or user engagement. The degree of such information disclosure is governed strictly by your express in-app selections and consent mechanisms.
4.2 Disclosure to Authorized Third-Party Service Providers
We may share your Personal Data and Technical Data with vetted third-party service providers, contractors, and subprocessors solely to the extent necessary for them to provide operational, infrastructural, or analytical support to Rabbit Hole. These may include, but are not limited to:
- Cloud hosting providers (e.g., AWS, Google Cloud) for data storage and computational infrastructure;
- Payment processors (e.g., Stripe, Apple Pay, Google Pay) for subscription and transaction management;
- Analytics services (e.g., Mixpanel, Firebase) for behavioral analysis and usage insights;
- Security providers for fraud detection, anti-abuse monitoring, and platform integrity enforcement.
All such third parties are contractually bound via Data Processing Agreements (DPAs) to maintain strict confidentiality, implement industry-standard security safeguards, and use your data solely in accordance with our instructions and applicable data protection laws (including, where applicable, Article 28 GDPR and equivalent CCPA requirements).
4.3 Legal and Regulatory Disclosures
We may disclose your information (including Personal Data, Usage Data, or Communication Logs) without prior notice if we are legally required to do so, or if such disclosure is reasonably necessary to:
- Comply with a valid legal obligation, subpoena, warrant, or court order;
- Respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
- Assert, enforce, or defend legal rights, contractual claims, or protect the safety, property, or rights of Rabbit Hole, its users, or the public, consistent with applicable law.
4.4 Corporate Transactions
In the event of an actual or contemplated merger, acquisition, reorganization, bankruptcy, financing, due diligence process, or sale of all or substantially all of our business assets, your information (including user account data and system logs) may be transferred as part of such transaction, subject to customary confidentiality restrictions and compliance with applicable data protection standards. You will be notified via prominent notice on the App or via email (where feasible) before your information becomes subject to a materially different privacy policy.
4.5 Cross-Border Data Transfers
Where information is shared with entities located outside of your country of residence, including jurisdictions that may not offer the same level of data protection as your home jurisdiction (e.g., transfers from the EU to the United States), such transfers shall be governed by appropriate legal safeguards, including the use of Standard Contractual Clauses (SCCs) or other GDPR-compliant mechanisms, as applicable.
4.6 No Sale of Personal Data
We do not sell, rent, lease, or otherwise provide your personal data to third parties for their direct marketing or commercial use, as defined under applicable law, including the California Consumer Privacy Act (CCPA), without your explicit consent. We affirmatively opt out of any arrangements involving the monetization of user data profiles or behavioral segments.
4.7 Anonymized and Aggregated Data
We reserve the right to process and share de-identified, anonymized, or aggregated information that does not directly or indirectly identify you, for purposes including but not limited to: market research, product development, performance benchmarking, or academic research. Such data shall not be considered "Personal Data" for the purposes of this Agreement.
5. YOUR RIGHTS AND CHOICES
Subject to applicable data protection laws, including but not limited to the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act, and other regional regulations, you, as a data subject or user (“User”), are afforded specific rights regarding your Personal Information (as defined under applicable law). Rabbit Hole is committed to facilitating the exercise of these rights in a timely and transparent manner.
5.1 Right of Access
You have the right to request confirmation as to whether or not we process your Personal Information and, where that is the case, access to the following:
- The categories and specific pieces of Personal Information we have collected about you;
- The purposes for which your data is processed;
- The categories of sources from which the Personal Information is collected;
- The categories of third parties with whom we share Personal Information; and
- The anticipated period for which the data will be stored or the criteria used to determine that period.
5.2 Right to Rectification
You may request correction or rectification of any inaccurate, outdated, incomplete, or otherwise incorrect Personal Information we hold about you. This right may also include supplementing incomplete data with a supplementary statement, where appropriate.
5.3 Right to Erasure (“Right to Be Forgotten”)
You may request the deletion or removal of your Personal Information under any of the following grounds:
- The data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- You withdraw consent (where processing was based on consent) and there is no other legal basis for the processing;
- You object to the processing and there are no overriding legitimate grounds;
- The data has been unlawfully processed;
- The data must be erased to comply with a legal obligation.
Rabbit Hole reserves the right to retain Personal Information where permitted by law (e.g., for compliance, dispute resolution, enforcement of agreements).
5.4 Right to Restrict Processing
You may request a restriction on processing of your data if:
- You contest the accuracy of the Personal Information;
- Processing is unlawful, but you oppose erasure;
- We no longer need the data for processing, but it is required by you for the establishment, exercise, or defense of legal claims; or
- You have objected to processing pending the verification of our legitimate grounds.
In such cases, we will ensure that the data is marked appropriately and processed only with your consent or for limited lawful purposes.
5.5 Right to Object to Processing
You have the right to object, on grounds relating to your particular situation, to the processing of your Personal Information where the legal basis for processing is our legitimate interest. We shall no longer process the Personal Information unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
Additionally, you may object to the use of your Personal Information for direct marketing purposes, including profiling related to such marketing, at any time. Upon objection, we will cease such processing immediately.
5.6 Right to Data Portability
Where technically feasible, and when processing is based on your consent or performance of a contract, you have the right to request and receive your Personal Information in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from us.
5.7 Right to Withdraw Consent
Where we rely on your consent to process Personal Information (e.g., for marketing communications, geolocation data, or cookies), you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5.8 Right to Non-Discrimination (CCPA-Specific)
We will not discriminate against you for exercising your rights under the CCPA or any other applicable data protection law, including by:
- Denying you goods or services;
- Charging you different prices or rates;
- Providing a different level or quality of services;
- Suggesting that you may receive a different price or rate for goods or services or a different level of quality.
5.9 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority (DPA) if you believe that our processing of your Personal Information violates applicable law. For EU/EEA users, a list of competent supervisory authorities is available at https://edpb.europa.eu. For UK users, the competent authority is the Information Commissioner's Office (ICO).
6. DATA RETENTION
6.1 Retention Period and Purpose
We retain your Personal Data only for as long as is reasonably necessary to fulfill the purposes for which it was collected, including but not limited to:
a. The administration and operation of your user account;
b. The delivery, enhancement, and maintenance of the services and features provided via the Rabbit Hole App;
c. The resolution of technical or user support queries;
d. The enforcement of our legal rights, including in connection with any potential or actual legal disputes;
e. Compliance with our contractual obligations under this Agreement and applicable law, including statutory retention periods.
6.2 Retention Criteria
The specific duration for which we retain Personal Data may vary depending on:
a. The category and sensitivity of the data;
b. The risk of harm from unauthorized use or disclosure;
c. The purposes for which the data was collected;
d. Applicable regulatory, tax, accounting, and legal requirements;
e. Whether continued retention is reasonably necessary for our legitimate business interests (such as fraud prevention, internal analytics, or maintaining service continuity).
6.3 Data Deletion and Account Termination Requests
You may, at any time, request the deactivation or permanent deletion of your account and associated Personal Data by submitting a verifiable request through the in-app account settings or by contacting us at [insert designated contact email or portal].
Upon receipt of such a request, and subject to identity verification and any applicable statutory obligations, we will:
a. Delete or anonymize all Personal Data associated with your account within a commercially reasonable period;
b. Retain a limited subset of data as necessary to comply with legal retention obligations, enforce our Terms, or resolve disputes;
c. Notify you of the completion of the deletion process or provide justification for any data that must be retained under applicable laws.
6.4 Archival and Backup Policy
Notwithstanding the above, your data may persist in encrypted backup archives or disaster recovery systems for a limited retention cycle, after which it will be automatically purged or overwritten in accordance with our internal data lifecycle management policy.
6.5 Survival
Any data retained after account deletion will continue to be governed by this Agreement and our Privacy Policy, and will not be used for any purpose other than those expressly outlined herein or as required by law.
6.6 Jurisdiction-Specific Retention Rights
If you are a resident of a jurisdiction that provides specific rights or timelines related to data retention (e.g., under the EU General Data Protection Regulation or California Consumer Privacy Act), we will comply with such requirements as applicable.
7. CHILDREN’S PRIVACY (COPPA DISCLAIMER)
7.1 Intended Audience and Age Restriction
The Rabbit Hole platform, including all associated software, mobile applications, websites, and digital services (collectively, the “Services”), is intended solely for individuals who are at least thirteen (13) years of age. By accessing or using the Services, the user represents and warrants that they are thirteen (13) years of age or older. We do not knowingly or intentionally collect, solicit, or process Personal Information (as defined under applicable law) from individuals under the age of thirteen (13).
7.2 Prohibition on Use by Children Under 13
Use of the Services by individuals under the age of thirteen (13) is expressly prohibited. If you are a parent or legal guardian and believe that your child under the age of thirteen (13) has provided Personal Information to us without your consent, you must contact us immediately at [insert privacy contact email or designated communication channel]. Upon verification of the claim and confirmation of the user’s age, we will take commercially reasonable steps to:
a. Immediately terminate the associated account, if applicable;
b. Permanently delete any Personal Information collected from the minor from our active databases;
c. Notify the parent or legal guardian of such action, where appropriate and feasible;
d. Log and retain non-identifiable metadata regarding the event solely for legal compliance purposes.
7.3 Compliance with COPPA and Related Regulations
We operate in full compliance with the Children’s Online Privacy Protection Act of 1998 (“COPPA”), as amended, and applicable state and international privacy laws addressing the collection of data from minors. In jurisdictions that set a higher minimum age threshold for valid consent (e.g., 16 under the EU General Data Protection Regulation), we will treat any user under such age threshold in accordance with that jurisdiction’s applicable requirements and apply the same protections as described in this clause.
7.4 Use of Age-Gating and Parental Control Features
To ensure compliance with age-related restrictions, Rabbit Hole may employ age-gating measures during account creation, login, or feature access, including but not limited to:
a. Affirmative age verification prompts;
b. Session-based age validation tokens;
c. Blocking or restriction of access to age-sensitive features or content.
We are not liable for false representations made by users during the age verification process; however, we maintain the right to investigate and suspend or terminate access to any account that is suspected of violating these provisions.
7.5 No Profiling or Behavioral Targeting of Minors
To the extent any Personal Information is inadvertently collected from individuals under thirteen (13), such information will not be used for profiling, behavioral targeting, or any form of automated decision-making processes.
7.6 Ongoing Monitoring and Review
Rabbit Hole maintains internal auditing and content moderation procedures designed to prevent the registration, use, or data submission by minors under the age of thirteen (13). We reserve the right to implement additional monitoring tools or automated filters to ensure continued compliance.
7.7 Policy Changes and Parental Rights
In the event of any material changes to this policy affecting how we handle children’s data, we will provide notice in a manner consistent with applicable laws, including direct notification to parents or guardians where such data is held and contact information is available.
8. SECURITY
8.1 Commitment to Security
The Licensor (hereinafter “Rabbit Hole”, “we”, “us”, or “our”) is committed to protecting the confidentiality, integrity, and availability of all data processed, transmitted, or stored in connection with the use of the Rabbit Hole platform and its affiliated services (the “Services”). To that end, we maintain a comprehensive information security program that incorporates industry-recognized best practices and is designed to prevent unauthorized access to, or use or disclosure of, Personal Data and System Data (each as defined below).
8.2 Definitions
For purposes of this Agreement:
a. “Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, contact details, unique identifiers, IP addresses, usage data, or any other information regulated under applicable data protection laws such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other relevant U.S. state and federal privacy statutes.
b. “System Data” means operational, diagnostic, or aggregate data related to the performance, configuration, or usage of the Services, which may be generated automatically or manually.
8.3 Security Safeguards
Rabbit Hole shall implement and maintain appropriate administrative, technical, organizational, and physical safeguards consistent with industry standards and applicable law. These safeguards include, but are not limited to:
a. Access Controls: Role-based access restrictions, authentication protocols (e.g., 2FA), and least-privilege principles for internal personnel and service providers.
b. Data Encryption: All Personal Data transmitted over public networks is encrypted using secure transport protocols (e.g., TLS 1.2 or higher). At-rest data within our systems is encrypted using AES-256 or an equivalent encryption standard.
c. Monitoring & Logging: Continuous monitoring of systems and infrastructure, including real-time threat detection, security information and event management (SIEM), and audit logging for all access to sensitive data.
d. Vulnerability Management: Regular vulnerability assessments and penetration testing, as well as patch management processes to promptly remediate identified security flaws.
e. Physical Security: Controlled access to physical environments hosting Rabbit Hole infrastructure, including biometric authentication, surveillance, and security personnel (if applicable, such as in third-party data center environments).
f. Personnel Training & Confidentiality: All employees and contractors with access to Personal Data undergo annual data security training and are bound by confidentiality obligations consistent with the sensitivity of the information handled.
8.4 Third-Party Subprocessors
Where Rabbit Hole utilizes third-party service providers or subprocessors to support the Services (e.g., hosting, analytics, communication services), such parties are contractually bound to adhere to data protection and security obligations that are no less protective than those set forth in this Agreement. A list of current subprocessors is available upon written request.
8.5 Security Incidents & Notification
In the event Rabbit Hole becomes aware of a confirmed Security Incident — defined as unauthorized access to or acquisition of unencrypted Personal Data that compromises the confidentiality, integrity, or availability of such data — we shall:
a. Notify the affected licensee(s) without undue delay and in accordance with applicable law;
b. Provide a detailed description of the nature of the incident, affected data categories, mitigation steps taken, and future remediation measures;
c. Cooperate in good faith with the licensee and, if applicable, regulators to address and resolve the incident, including any legally required notifications to individuals or authorities.
8.6 Limitations
While Rabbit Hole takes commercially reasonable steps to safeguard the data it processes, no system can be guaranteed to be 100% secure. Therefore, we disclaim liability for any unauthorized access, breach, or other exposure of Personal Data resulting from events outside of our reasonable control, including but not limited to zero-day exploits, advanced persistent threats, or third-party criminal activity.
8.7 Customer Responsibilities
Users and licensees are responsible for maintaining the security of their own devices, credentials, and account access. You agree not to share access credentials and to promptly notify Rabbit Hole of any suspected or known unauthorized use of your account or access credentials.
8.8 Security Program Review
Rabbit Hole shall regularly review and update its security policies and practices to account for evolving threats, legal developments, and technological advancements. Material changes will be reflected in an updated version of this Agreement or our privacy/security documentation.
9. INTERNATIONAL DATA TRANSFERS
9.1 Jurisdictional Notice. By accessing or using the Rabbit Hole platform (“App”) from outside the United States, you expressly acknowledge and consent that your Personal Information, as defined under applicable data protection laws, may be collected, transferred to, stored, processed, and utilized in the United States and/or other jurisdictions in which Rabbit Hole Labs, LLC, its affiliates, partners, contractors, infrastructure providers, or data processors maintain facilities or operations (collectively, “Permitted Processing Locations”).
9.2 Legal Basis for Transfer. We shall only transfer Personal Information internationally in accordance with applicable legal requirements and industry best practices, including but not limited to:
- (a) Adequacy Decisions under Article 45 of the General Data Protection Regulation (GDPR), if the destination country has been deemed to provide an adequate level of data protection;
- (b) Standard Contractual Clauses (SCCs) approved by the European Commission or other equivalent data transfer mechanisms such as Binding Corporate Rules (BCRs);
- (c) Data Subject Consent, where expressly required by applicable law;
- (d) Any legally recognized derogation for specific situations as defined under Article 49 of the GDPR or equivalent statutes under other applicable regimes (e.g., UK GDPR, Swiss FADP, CCPA).
9.3 Safeguards and Risk Mitigation Measures. We implement and maintain a commercially reasonable combination of technical, organizational, and contractual safeguards designed to ensure that transferred data enjoys a level of protection essentially equivalent to that under the originating jurisdiction’s data protection framework. Such measures may include:
- (a) End-to-end encryption during transmission and storage using industry-standard protocols (e.g., TLS 1.3, AES-256);
- (b) Data minimization and pseudonymization practices;
- (c) Vendor risk assessments and due diligence;
- (d) Ongoing monitoring and audit rights with subprocessors;
- (e) Execution of data processing addenda (DPAs) with all third-party processors;
- (f) Limitation of access on a need-to-know and least-privilege basis.
9.4 Third-Country Risk Disclosure. You understand and agree that data protection laws in jurisdictions outside your home country may not afford the same level of protection as those in your jurisdiction. By continuing to use the App, you acknowledge that such transfers are necessary for the performance of the services provided under our agreement with you and you accept the associated risks.
9.5 User Rights and Remedies. Users whose data is transferred internationally may have additional rights under applicable data protection laws, including the right to request a copy of the applicable safeguards (e.g., executed SCCs) and to lodge a complaint with a supervisory authority in the user’s country of residence, habitual domicile, or place of work.
9.6 Changes in Transfer Mechanisms. Rabbit Hole reserves the right to modify or update its cross-border transfer mechanisms in response to changes in applicable law, regulatory guidance, or judicial rulings (e.g., Schrems II). In the event of such changes, we shall implement supplementary measures where necessary and notify affected users where legally required.
10. CALIFORNIA PRIVACY RIGHTS (CCPA)
10.1 Scope of Applicability. This Section applies solely to individuals who are residents of the State of California (“Consumers” or “California Residents”) as defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), and any subsequent implementing regulations promulgated by the California Privacy Protection Agency.
10.2 Defined Terms. For purposes of this Section:
- (a) “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked—directly or indirectly—with a particular consumer or household, as further defined under Cal. Civ. Code § 1798.140(v).
- (b) “Sensitive Personal Information” includes government ID numbers, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, and other categories as defined in Cal. Civ. Code § 1798.140(ae).
- (c) “Sell,” “Share,” and “Business Purpose” shall have the meanings ascribed under Cal. Civ. Code § 1798.140.
10.3 Consumer Rights Under the CCPA. Subject to verification of your identity and applicable legal exceptions, Rabbit Hole Labs, LLC (“Company,” “we,” “us,” or “our”) grants California residents the following rights regarding their Personal Information collected through use of the Rabbit Hole platform (“App”):
- (a) Right to Know: You have the right to request disclosure of the following:
- The categories of Personal Information we have collected about you;
- The categories of sources from which the Personal Information is collected;
- The business or commercial purposes for collecting, using, or disclosing the Personal Information;
- The categories of third parties with whom we share Personal Information;
- The specific pieces of Personal Information we have collected about you.
- (b) Right to Access and Data Portability: You have the right to request a portable, readily usable copy of your Personal Information collected over the past 12 months.
- (c) Right to Delete: You have the right to request that we delete Personal Information that we have collected from you, subject to exceptions authorized by law (e.g., to complete transactions, detect security incidents, comply with legal obligations, etc.).
- (d) Right to Correct Inaccurate Personal Information: You have the right to request correction of inaccurate Personal Information we maintain about you.
- (e) Right to Limit Use and Disclosure of Sensitive Personal Information: You may request that we limit the use and disclosure of Sensitive Personal Information to that which is necessary to perform services or provide goods reasonably expected by an average consumer.
- (f) Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your Personal Information. However, we do not sell or share your Personal Information as defined under the CCPA. If this policy changes in the future, we will provide the required notice and opt-out mechanisms.
- (g) Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights, including by denying services, charging different prices, or providing a different level or quality of services.
10.4 Exercising Your Rights. To exercise any of your rights under this Section, you may submit a verifiable Consumer request by contacting us via one of the following methods:
- Email: [Insert designated email address]
- Postal Mail: [Insert company mailing address]
- Online Request Form: [Insert URL or hyperlink to request portal, if applicable]
We may require that you provide sufficient information to verify your identity (or that of your authorized agent) before processing your request. Verification methods may include, but are not limited to, authentication via email, phone, account login, or submission of a government-issued identification number.
10.5 Authorized Agents. You may designate an authorized agent to submit requests on your behalf, provided that the agent furnishes proof of authorization (e.g., signed written permission or power of attorney). We reserve the right to require verification of your identity directly from you.
10.6 Response Timeline. We will confirm receipt of your request within 10 business days and endeavor to respond substantively within 45 calendar days. Where necessary, we may extend the response period by an additional 45 days, in which case we will notify you of the extension and provide an explanation.
10.7 Recordkeeping and Audits. In accordance with 11 CCR § 7102, we will maintain records of consumer rights requests and our responses for at least 24 months and make such records available to the California Privacy Protection Agency upon lawful request.
11. CHANGES TO THIS PRIVACY POLICY
11.1 Right to Amend. Rabbit Hole Labs, LLC (“Rabbit Hole”, “we”, “us”, or “our”) reserves the sole and absolute right, in its discretion and without prior notice to you, to revise, update, modify, amend, or replace this Privacy Policy, in whole or in part, at any time to reflect changes in applicable laws, regulatory guidance, industry standards, our data processing practices, or product features and services.
11.2 Notification of Material Changes. In the event of any material modification to the Policy that meaningfully impacts your rights, obligations, or our data handling practices, we shall make reasonable efforts to provide advance notice by one or more of the following means:
- Posting a prominent notice within the App;
- Sending you a direct communication through the contact information associated with your account (e.g., email or in-app alert); or
- Requiring affirmative acceptance (e.g., click-through or checkbox acknowledgment) where legally required.
11.3 Effective Date and Version Control. Each revised version of this Privacy Policy will be identified by an “Effective Date” at the top of the document. It is your responsibility to review this Policy periodically for any changes. Continued use of the App, Platform, or Services after the updated Policy becomes effective constitutes your binding acceptance of the modified terms, except where such acceptance is restricted or modified by applicable law.
11.4 Retroactivity and Legal Constraints. No changes to this Privacy Policy will apply retroactively unless (i) permitted under applicable law, or (ii) necessary to comply with a legal obligation or governmental directive. Where prior consent is required by applicable data protection laws (e.g., the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA)), we shall obtain your express consent before implementing any change affecting your rights.
11.5 Archival and Recordkeeping. For transparency and regulatory compliance purposes, previous versions of this Privacy Policy will be archived and made available upon reasonable request to the extent required by law.
12. CONTACTING US REGARDING THIS PRIVACY POLICY
12.1 Privacy Inquiries. If you have any questions, concerns, requests, complaints, or require clarification regarding this Privacy Policy, our data handling practices, or your rights under applicable data protection laws, you may contact us through any of the methods below. We are committed to responding to verifiable user inquiries in a timely and legally compliant manner.
12.2 Authorized Communication Channels. You may reach our Privacy Compliance Team using any of the following secure channels:
- Email (Preferred for CCPA/GDPR Inquiries):
[email protected]
Please include the subject line: “Privacy Inquiry – [Your Full Name] – [Jurisdiction]” and provide sufficient detail to allow us to verify your identity and understand the nature of your concern.
- Mailing Address:
Rabbit Hole Labs, LLC
Attn: Data Privacy Officer
[Insert Physical Address: Street, Suite #, City, State, ZIP, Country]
Note: For mailed requests, please allow 10–15 business days for acknowledgment.
- In-App Support Submission (Mobile App Users):
Navigate to:
App Settings → Support → Privacy Inquiry
You will be prompted to complete a secure web form, after which our Privacy Compliance Team will follow up via your registered email address.
12.3 Verification of Identity. For security, regulatory, and fraud-prevention purposes, we may require additional information to verify your identity before processing any requests related to access, correction, deletion, or restriction of your personal information. This is especially applicable for requests under the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), and other jurisdiction-specific privacy regimes.
12.4 Response Timeline. We aim to respond to all verifiable data privacy requests:
- Within 10 calendar days of acknowledgment for inquiries under U.S. state laws (e.g., CCPA, CPA, VCDPA).
- Within 30 calendar days for GDPR-related requests, subject to lawful extensions when necessary.
12.5 Escalation and Appeals. If you are dissatisfied with the response received or believe your rights have been violated, you may escalate your concern by submitting a written request for supervisory review to our Data Protection Officer (DPO) at the above mailing address. Additionally, EU/EEA users have the right to lodge a complaint with their local Data Protection Authority.
12.6 No Unauthorized Use of Contact Channels. The contact methods outlined in this Section are solely for user privacy and data protection-related communications. Unsolicited legal service offers, marketing inquiries, or abuse of these contact channels may result in your communications being ignored or flagged as non-compliant under our Acceptable Use Policy.