Privacy Policy

Effective Date: 2026-02-24 | Two Pop

Notice: This privacy policy was auto-generated by privacy-gen based on a scan of the Two Pop codebase. It is not a substitute for legal counsel. We recommend having this document reviewed by a qualified attorney before publishing.

Data We Collect
Legal Basis for Processing
Third-Party Services and Data Sharing
How Long We Keep Your Data
Your Privacy Rights
International Data Transfers
Children's Privacy
Automated Decision-Making and AI
How to Exercise Your Rights
Contact Information
Effective Date and Changes
Do Not Track and Global Privacy Control

1. Data We Collect

Two Pop collects and processes the following categories of personal data, each for a specific purpose described below. We only collect data that is necessary for the app to function as described.

Data Category	Specific Data	Purpose	Legal Basis
Account Information	Email address, hashed password, user ID, session tokens	To create and manage your account, authenticate your identity, and maintain your login session	Contract performance (GDPR Art. 6(1)(b)); necessary for service delivery (CCPA); consent (LGPD Art. 7(I))
Locally Stored Data	App preferences, cached data, and settings stored on your device	To remember your preferences and provide a consistent experience	Legitimate interest (GDPR Art. 6(1)(f)); necessary for service (CCPA); legitimate interest (LGPD Art. 7(IX))
Server-Stored Data	User-generated content and app data stored in our database (tables: table)	To persist your data across devices and sessions	Contract performance (GDPR Art. 6(1)(b)); necessary for service (CCPA); consent (LGPD Art. 7(I))
Uploaded Files	Files, images, or documents you upload to the app	To store and serve your uploaded content	Contract performance (GDPR Art. 6(1)(b)); necessary for service (CCPA); consent (LGPD Art. 7(I))
Network & Technical Data	IP address, device type, operating system version, app version (collected during network requests)	To deliver app content, maintain security, and diagnose technical issues	Legitimate interest (GDPR Art. 6(1)(f)); necessary for service (CCPA); legitimate interest (LGPD Art. 7(IX))

2. Legal Basis for Processing Your Data

We process your personal data only when we have a valid legal basis to do so. Depending on the specific data and how it is used, we rely on the following legal grounds:

Your Consent (GDPR Art. 6(1)(a); LGPD Art. 7(I)): For data that requires your explicit permission — such as and push notifications — we ask for your consent through Apple's system permission prompts before collecting any data. You can withdraw consent at any time through your device Settings, and we will stop collecting that data going forward.
Contract Performance (GDPR Art. 6(1)(b); LGPD Art. 7(V)): For data necessary to provide the service you signed up for — such as your account credentials, your stored app data — processing is necessary to fulfill our agreement with you (the Terms of Use).
Legitimate Interest (GDPR Art. 6(1)(f); LGPD Art. 7(IX)): For data collected to maintain app security, prevent fraud, and ensure technical functionality — such as IP addresses and device information transmitted during network requests, locally cached preferences, and basic diagnostic data — we have a legitimate interest in keeping the app functional and secure. We have balanced this interest against your rights and determined that this processing does not override your fundamental rights and freedoms.

For users in the United States: Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar state privacy laws, we collect and process your personal information for the business and commercial purposes described in the "Data We Collect" section above. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising unless you have opted in through the App Tracking Transparency prompt.

3. Third-Party Services and Data Sharing

Two Pop uses the following third-party services that may receive or process your personal data. Each service acts as a data processor on our behalf and is contractually required to process your data only as instructed by us and in accordance with applicable privacy laws.

Supabase Inc.

What they provide: Backend infrastructure including user authentication, database hosting, file storage, and API services.

Data they receive: Account credentials (email, hashed password), session tokens, and authentication events. User-generated data stored in the application database. Files and media you upload through the app.

Why: Supabase provides the server infrastructure that Two Pop relies on to store your data, authenticate your identity, and deliver app functionality. Without Supabase, the app cannot operate.

Data location: Your data is hosted on Amazon Web Services (AWS) infrastructure managed by Supabase Inc. Row Level Security (RLS) is enabled, meaning your data is access-controlled at the database level — other users cannot query your data.

Privacy policy: https://supabase.com/privacy

Data Processing Agreement: https://supabase.com/legal/dpa

Data Sharing Summary

In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:

Identifiers (email, user ID) — disclosed to Supabase Inc. for authentication services
User-generated content — disclosed to Supabase Inc. for data storage services
Internet/network activity (IP address, device info) — disclosed to service providers during normal app operation

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising unless you have explicitly opted in.

4. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. Below are the specific retention periods for each category of data we collect:

Data Category	Retention Period	Rationale
Account data (email, user ID)	Until you delete your account	Necessary to maintain your account and provide the service
Session tokens	30 days, or until sign-out	To keep you logged in and secure your sessions
Server-stored user data	Until you delete your account or request deletion	Necessary to provide the service; deleted within 30 days of account deletion request
Uploaded files	Until you delete them or delete your account	You control the lifecycle of your uploaded content
Local device data (preferences, cache)	Until you uninstall the app or clear app data	Stored locally on your device; we have no server-side copy
Technical/network data (IP, device info)	365 days	Retained for security monitoring, fraud prevention, and technical diagnostics

When the retention period expires, or when you request deletion, we delete or anonymize your data within 30 days. Backups may retain data for up to an additional 30 days before being overwritten, after which the data is irrecoverable.

We may retain certain data beyond these periods where required by law (for example, to comply with tax, legal reporting, or auditing obligations).

5. Your Privacy Rights

You have specific rights regarding your personal data under applicable privacy laws. We are committed to honoring these rights and making it easy for you to exercise them.

If You Are in the European Economic Area (EEA) or United Kingdom

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data, or completion of incomplete data.
Right to Erasure ("Right to be Forgotten") (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to transmit that data to another controller.
Right to Restrict Processing (Art. 18): You have the right to request that we limit how we process your data in certain circumstances — for example, while we verify the accuracy of your data following a dispute.
Right to Object (Art. 21): You have the right to object to processing based on legitimate interest or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds.
Right Not to be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

You also have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have not handled your data in accordance with GDPR.

If You Are a California or US Resident

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar state privacy laws in Colorado, Connecticut, Virginia, Utah, and other states, you have the following rights:

Right to Know (§1798.100): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the third parties with whom we share it.
Right to Delete (§1798.105): You have the right to request deletion of your personal information, subject to certain exceptions (such as data needed to complete a transaction or comply with legal obligations).
Right to Correct (§1798.106): You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing (§1798.120): You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information (§1798.121): Where applicable, you have the right to limit our use and disclosure of your sensitive personal information to only what is necessary to provide the service.
Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising any of these rights. You will not receive a different level of service or be charged different prices for exercising your privacy rights.

If You Are in Brazil

Under the Lei Geral de Proteção de Dados (LGPD), you have the following rights:

Right to Confirmation and Access (Art. 18(I)-(II)): You have the right to confirm whether we process your data and to access it.
Right to Correction (Art. 18(III)): You have the right to request correction of incomplete, inaccurate, or outdated data.
Right to Anonymization, Blocking, or Deletion (Art. 18(IV)): You have the right to request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
Right to Data Portability (Art. 18(V)): You have the right to request portability of your data to another service provider.
Right to Deletion (Art. 18(VI)): You have the right to request deletion of personal data processed with your consent.
Right to Information about Sharing (Art. 18(VII)): You have the right to know which public and private entities your data has been shared with.
Right to Withdraw Consent (Art. 18(IX)): You may withdraw consent at any time through a simple, free process.
Right to Challenge Automated Decisions (Art. 20): You have the right to request review of decisions made solely on the basis of automated processing that affect your interests.

You may exercise these rights by contacting the Autoridade Nacional de Proteção de Dados (ANPD) or by contacting us directly using the information provided below.

6. International Data Transfers

Two Pop uses service providers that may store and process your data in countries outside your own, including the United States. When your data is transferred internationally, we ensure appropriate safeguards are in place:

Supabase infrastructure: Your data is stored on Amazon Web Services (AWS) servers managed by Supabase Inc., which is headquartered in the United States. Supabase maintains a Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring GDPR-compliant data transfers from the EEA to the US.

For EEA users: Where we transfer your personal data outside the European Economic Area, we rely on one or more of the following transfer mechanisms as required by GDPR Art. 46:

Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
Data Processing Agreements with our service providers that incorporate GDPR-compliant protections
Where applicable, adequacy decisions by the European Commission recognizing that the recipient country provides adequate data protection

For Brazilian users: International transfers of your data comply with LGPD Art. 33 through contractual clauses with our service providers that ensure an adequate level of protection for your personal data.

7. Children's Privacy

Two Pop is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13.

United States (COPPA): In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from children under 13 years of age. If we discover that we have inadvertently collected data from a child under 13, we will delete that data promptly.

European Economic Area (GDPR): Under GDPR Art. 8, the processing of personal data of children below the age of 16 (or such lower age as specified by the member state, not below 13) requires consent from the holder of parental responsibility. Two Pop does not target users below this age and does not knowingly process their data.

Brazil (LGPD): Under LGPD Art. 14, the processing of children's and adolescents' personal data must be carried out in their best interest. We do not knowingly collect data from children or adolescents without the consent of at least one parent or legal guardian.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at twopopapp@gmail.com. We will take steps to delete the information from our systems within 30 days.

8. Automated Decision-Making and AI

Two Pop does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on you, as defined by GDPR Art. 22.

If we introduce any form of automated decision-making, AI-based processing, or algorithmic profiling that could significantly affect you, we will:

Update this privacy policy to describe the logic involved, its significance, and the envisaged consequences for you (GDPR Art. 13(2)(f))
Provide you with the right to obtain human intervention, express your point of view, and contest any such decision (GDPR Art. 22(3))
Disclose the use of automated decision-making technology as required by the CCPA's 2026 AI provisions
Allow you to request a review of automated decisions that affect your interests (LGPD Art. 20)

9. How to Exercise Your Rights

To exercise any of the rights described in this privacy policy, you may submit a Data Subject Access Request (DSAR) by contacting us at:

Email: twopopapp@gmail.com
Website: twopopapp.com

When submitting a request, please include sufficient information for us to verify your identity and locate your data (for example, the email address associated with your account). We will not require you to create an account solely for the purpose of submitting a request.

Response Times

We will respond to your request within the timeframes required by applicable law:

GDPR (EEA/UK): Within 30 days of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days, and we will notify you of the extension with an explanation.
CCPA/CPRA (California/US): Within 45 days of receipt. If reasonably necessary, we may extend this period by an additional 45 days (90 days total), and we will notify you of the extension.
LGPD (Brazil): Within 15 days of receipt for simplified requests. Complex requests will be addressed within a reasonable timeframe with an explanation of the factors involved.

All requests are free of charge unless manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request, as permitted by law.

Account Deletion

You may delete your account and all associated data by contacting us at twopopapp@gmail.com. Upon account deletion:

Your account credentials and profile data will be permanently deleted
Your stored data will be removed from our active databases within 30 days
Your uploaded files will be permanently deleted
Backup copies will be overwritten within 30 additional days
Locally stored data on your device will remain until you uninstall the app

10. Contact Information

If you have any questions about this privacy policy, your personal data, or wish to exercise your privacy rights, please contact us:

Data Controller / Developer	Spirit Forward, LLC
Email	twopopapp@gmail.com
Postal Address	2108 N St. Ste. N, Sacramento, CA 95816
Website	twopopapp.com

Data Protection: As an independent developer, Spirit Forward, LLC serves as the data controller for your personal data. If you have concerns about data protection practices, you may also contact your local supervisory authority (Data Protection Authority).

11. Effective Date and Changes to This Policy

This privacy policy is effective as of 2026-02-24.

We may update this privacy policy from time to time to reflect changes in our data practices, the app's features, or applicable laws. When we make material changes, we will:

Update the "Effective Date" at the top of this policy
Provide notice through the app or via email where required by law
Obtain your consent for material changes to processing where consent is the legal basis (GDPR Art. 6(1)(a))

We encourage you to review this policy periodically to stay informed about how we protect your data.

12. Do Not Track and Global Privacy Control

Global Privacy Control (GPC): We honor Global Privacy Control (GPC) signals as required by the California Consumer Privacy Act (CCPA §1798.135(e)), the Colorado Privacy Act, the Connecticut Data Privacy Act, and similar state privacy laws. When we detect a GPC signal from your browser or device, we treat it as a valid opt-out request for the sale or sharing of personal information.

Do Not Track (DNT): Some web browsers transmit "Do Not Track" (DNT) signals. As Two Pop is a mobile application and not a website, standard DNT browser headers do not apply to our data collection practices. However, we respect the equivalent Apple platform privacy controls — specifically, if you have enabled "Limit Ad Tracking" or declined the App Tracking Transparency prompt, we honor those preferences and do not track you for advertising purposes.