# PolaPop Privacy Policy

Effective date: May 29, 2026
Last updated: June 3, 2026

PolaPop is a mobile instant-photo camera app that lets users create film-style photos and manage Film Sheets, in-app purchases, subscriptions, rewarded ads, and account recovery features.

This Privacy Policy explains how JoCoding, Inc. ("PolaPop", "we", "us", or "our") collects, uses, discloses, transfers, and protects personal information when you use PolaPop (the "App" or "Service").

## 1. Controller Information

- Legal name: JoCoding, Inc.
- Business form: Delaware corporation
- Registered address: 1111B S Governors Ave, STE 80543, Dover, DE 19904, United States
- Contact email: mu07010@jocoding.net
- Phone: +1 (231) 450-5622
- Website: https://jocoding.io
- App bundle identifier: com.jocoding.polapop

## 2. Summary

| Topic | Summary |
| --- | --- |
| Main data we process | Supabase user ID, Apple account-linking identifiers, Film Sheet balance and ledger records, purchase and subscription status, rewarded-ad events, support information |
| Main purposes | Account and session operation, Film Sheet grants and spending, purchase and subscription validation, fraud prevention, support, legal compliance |
| Photos | Photos are processed primarily on your device and are not automatically uploaded to our servers by default. |
| Key service providers | Apple, RevenueCat, Supabase, Google AdMob |
| International transfers | We are a U.S. company and use global infrastructure and service providers. |
| Contact | mu07010@jocoding.net |

## 3. Personal Information We Collect

We collect or process the following categories of information, depending on how you use the App.

| Area | Required or optional | Examples |
| --- | --- | --- |
| App account and session | Required | Supabase anonymous user ID, authentication token, session information, account creation and access timestamps |
| Sign in with Apple account protection | Optional, or required before some commerce/reward actions | Apple user identifier, Apple identity token, Apple account-linking status. The App does not request the Sign in with Apple email scope. |
| Film Sheet ledger | Required | User ID, Film Sheet balance, starter grant, capture spend, rewarded-ad grant, Plus monthly grant, refund reversal, ledger event ID, timestamps |
| In-app purchases and subscriptions | Required for purchases | RevenueCat user ID, Apple transaction ID, product ID, purchase status, refund status, cancellation status, renewal status, subscription entitlement, RevenueCat webhook event ID |
| Rewarded ads | Optional | Ad event ID, whether an ad was completed, reward status, daily reward limit, and device or advertising information processed by the ad network. The current App does not request App Tracking Transparency permission or access IDFA. |
| Camera and photos | Permission-based | Camera input, photos created in the App, local in-app storage, and share/export actions you choose. Photos are not automatically sent to our servers by default. |
| Support | Optional | Email address, message content, app version, device model, iOS version, purchase order ID, screenshots or photos you choose to attach |
| Automatically collected technical information | Required for service operation | IP address, request time, app and OS version, network errors, server request logs, security and abuse-prevention logs |

We do not intentionally collect government identifiers, payment card numbers, bank account credentials, health information, biometric identifiers for unique identification, political or religious beliefs, or other sensitive personal information. Please do not include sensitive information in support requests or photos you send us.

## 4. Sources of Personal Information

We collect personal information from:

- you, when you use the App, contact support, or choose to attach information;
- your device and App session;
- Apple, for App Store transactions, subscription status, refunds, and Sign in with Apple;
- RevenueCat, for purchase and subscription validation;
- Supabase, for authentication, database records, and server function processing;
- Google AdMob or other ad networks, for rewarded-ad delivery and verification.

## 5. How We Use Personal Information

We use personal information to:

1. create and operate App sessions and backend account identifiers;
2. create, display, grant, spend, restore, and audit Film Sheet balances;
3. validate App Store purchases, consumable Film Sheet packs, and PolaPop Plus subscriptions;
4. process refunds, cancellations, subscription changes, and unused Film Sheet reversals;
5. protect accounts through Sign in with Apple and support recovery after reinstalling or switching devices;
6. verify rewarded-ad completion, enforce daily limits, and prevent duplicate rewards;
7. respond to support requests and troubleshoot purchase, subscription, or App issues;
8. detect, prevent, and investigate fraud, abuse, security incidents, and policy violations;
9. comply with legal obligations and enforce our Terms;
10. maintain and improve the App.

## 6. Retention

We keep personal information only as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

| Information | Retention period or criteria |
| --- | --- |
| Supabase account, Film Sheet balance, and ledger | Until account deletion, service termination, or when no longer needed, except transaction, dispute, security, and legal records may be retained longer. |
| App Store purchase and subscription validation records | Generally up to 5 years after the transaction or as needed for tax, accounting, dispute, fraud-prevention, and legal purposes. |
| Refund, cancellation, and dispute records | As needed to resolve the issue and comply with applicable law. |
| Rewarded-ad events and abuse-prevention logs | Generally up to 1 year, unless longer retention is needed for fraud, dispute, security, or legal reasons. |
| Support requests | Generally up to 3 years after resolution, unless longer retention is needed for legal or dispute reasons. |
| Server access and security logs | Generally up to 3 months, unless longer retention is needed for security, fraud, or legal reasons. |
| Photos stored on your device | Until you delete them from the App or your device. We do not store these photos on our servers by default. |

## 7. How We Disclose Personal Information

We may disclose personal information to:

- service providers and processors that operate the App, payment validation, backend services, advertising rewards, customer support, and security features;
- Apple, RevenueCat, Supabase, Google AdMob, and similar platform providers when needed to provide the requested service;
- legal, regulatory, law enforcement, or government authorities if required by law or valid legal process;
- professional advisors, such as lawyers, accountants, auditors, and insurers;
- parties involved in a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards;
- other parties with your direction or consent.

We do not sell personal information for money. The current App does not request App Tracking Transparency permission and does not access IDFA. Rewarded ads may still require ad request data, device information, diagnostics, and fraud-prevention signals for ad delivery and reward verification. If we later configure advertising features that use data for cross-app tracking or other tracking that requires Apple's App Tracking Transparency permission, we will update this Privacy Policy and request permission before using those features.

## 8. Service Providers

| Provider | Purpose | Information processed |
| --- | --- | --- |
| Apple Inc. and affiliates | App Store distribution, StoreKit in-app purchases, subscription management, refunds, Sign in with Apple | Apple account identifier, transaction ID, purchase and subscription status, Apple identity token |
| RevenueCat, Inc. | Purchase and subscription status management, entitlement validation, webhook delivery | RevenueCat user ID, product ID, purchase, refund, subscription, and event data |
| Supabase, Inc. | Authentication, database, Edge Functions, Film Sheet ledger storage | User ID, authentication session, Film Sheet balance and ledger, server request logs |
| Google LLC | Google AdMob rewarded ads and reward verification | Ad event data, ad completion status, ad request data, and device information |

These providers process information according to their own terms and privacy policies when they act as independent controllers, and according to our instructions where they act as processors or service providers.

## 9. International Transfers

We are based in the United States and use service providers with global infrastructure. Your information may be transferred to, stored in, or processed in the United States and other countries where we or our service providers operate.

If you are located in the EEA, UK, Switzerland, or another region with cross-border transfer rules, we rely on appropriate safeguards where required, such as standard contractual clauses, adequacy decisions, platform terms, or other lawful transfer mechanisms.

## 10. Photos and On-Device Processing

PolaPop processes camera input, filters, and instant-photo effects primarily on your device. Photos you create are stored in the App's local storage on your device. We do not automatically upload your personal photos to our servers by default.

The current App uses local in-app storage and the iOS share sheet for photos you choose to export or share. It does not currently request photo-library permission or automatically save photos to your device photo library. If we add optional photo-library saving, cloud sync, backup, or server sharing later, we will update this Privacy Policy and request any required permission before using those features.

If you choose to send screenshots or photos to support, the information you choose to submit may be transmitted to us or to relevant service providers.

## 11. Advertising Identifiers and Rewarded Ads

PolaPop does not use always-on banner ads. The App may offer rewarded ads that you choose to watch to receive free Film Sheets.

Rewarded-ad providers may process ad request data, completion status, device information, and advertising-related information needed to deliver and verify rewarded ads. The current App does not request App Tracking Transparency permission and does not access IDFA. If we later add IDFA-based tracking or cross-app tracking that requires Apple's App Tracking Transparency permission, we will update this Privacy Policy and request permission where required before using it.

You can limit advertising tracking through your device settings:

- iOS: Settings > Privacy & Security > Apple Advertising > Personalized Ads
- App permissions: Settings > PolaPop, where you can manage camera permission and other permissions shown by iOS

Changing device advertising settings should not prevent core camera features from working, but it may affect ad availability, ad personalization, or reward verification.

## 12. Automated Processing

PolaPop does not use automated decision-making to make decisions that have legal or similarly significant effects, such as credit, employment, insurance, housing, healthcare, or education decisions.

We do use rule-based automated processing for service operations, such as Film Sheet grants, duplicate reward checks, purchase validation, refund reversals, fraud prevention, and abuse limits. If you believe an automated operational result is incorrect, contact us at mu07010@jocoding.net and we will review it.

## 13. Your Privacy Rights

Depending on where you live, you may have rights to:

- request access to personal information we hold about you;
- request correction of inaccurate personal information;
- request deletion of personal information;
- request a copy of personal information in a portable format;
- object to or restrict certain processing;
- opt out of sale, sharing, targeted advertising, or certain profiling where applicable;
- limit the use or disclosure of sensitive personal information where applicable;
- appeal a denied privacy request where applicable;
- withdraw consent where processing is based on consent.

To exercise rights, contact us at mu07010@jocoding.net. We may need to verify your identity before fulfilling a request. We will respond within the time required by applicable law.

## 14. U.S. State Privacy Notice

This section applies to residents of U.S. states with comprehensive privacy laws when those laws apply to us, including California.

In the last 12 months, we may have collected the following categories of personal information:

| Category | Examples | Sources | Purposes |
| --- | --- | --- | --- |
| Identifiers | User ID, Apple identifier, RevenueCat user ID, IP address, email address if you contact support | You, your device, Apple, RevenueCat, Supabase | Account operation, purchase validation, support, security |
| Commercial information | Product IDs, purchase status, subscription status, refund status, Film Sheet ledger | Apple, RevenueCat, Supabase, App activity | Purchase and subscription validation, Film Sheet grants, refunds, support |
| Internet or network activity | App requests, server logs, ad reward events, device or network metadata | Your device, Supabase, Google AdMob | Service operation, security, rewarded ads, troubleshooting |
| Audio, electronic, visual, or similar information | Photos or screenshots you choose to send to support | You | Support and troubleshooting |
| Inferences | Limited operational flags, such as suspected duplicate reward or abuse indicators | App activity, server logs | Fraud prevention and service integrity |

We do not knowingly sell personal information. The current App does not request App Tracking Transparency permission or access IDFA. Rewarded-ad providers may process ad request, device, diagnostic, and fraud-prevention information for ad delivery and reward verification. If future advertising features qualify as "sharing" or targeted advertising under applicable U.S. state privacy laws, we will provide any required opt-out method or honor applicable platform signals.

We do not knowingly sell or share personal information of consumers under 16 years of age.

We do not intentionally collect sensitive personal information as defined by California law. If you send us sensitive information in a support message or photo, we will use it only as needed to respond to your request, protect safety or security, comply with law, or delete it.

We will not discriminate against you for exercising privacy rights. This means we will not deny service, charge a different price, or provide a different level of service solely because you exercised a privacy right, except where permitted by law.

You may designate an authorized agent to submit a privacy request where allowed by law. We may require proof of authorization and verification of your identity.

## 15. Children

The App is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If local law requires a higher age for parental consent, users below that age may use the App only with the required permission.

If you believe a child has provided us personal information without the required consent, contact us at mu07010@jocoding.net and we will take appropriate action.

## 16. Security

We use administrative, technical, and organizational measures designed to protect personal information, including:

- access controls and Supabase Row Level Security for ledger data;
- keeping service-role keys, RevenueCat webhook secrets, and similar server secrets out of the iOS client;
- duplicate-event checks for purchase and reward grants;
- authenticated server requests;
- limiting access to information based on operational need;
- logging and monitoring relevant server events;
- HTTPS for data in transit.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

## 17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the App, App Store metadata, our website, or another appropriate method. Where required by law, we will ask for your consent.

The "Last updated" date above shows when this Privacy Policy was last revised.

## 18. Contact

Questions, privacy requests, complaints, and support requests should be sent to:

JoCoding, Inc.
1111B S Governors Ave, STE 80543
Dover, DE 19904
United States
mu07010@jocoding.net
+1 (231) 450-5622