Privacy Policy

Effective Date: March 3, 2026 · Last Updated: March 3, 2026

Data Controller

The data controller responsible for your personal data is OhShie, contactable at hello@ohshie.app.

For all privacy-related inquiries, data protection requests, or to reach our Data Protection Officer (DPO), please contact us at hello@ohshie.app.

This Privacy Policy describes how OhShie ("OhShie," "we," "us," or "our") collects, uses, shares, and protects personal information when you access or use our website at ohshie.app and all related services, features, and content (collectively, the "Service").

OhShie is a social platform that permits users to upload and share content, including content that may contain nudity or adult material. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.

We encourage you to read this policy carefully. If you have questions, contact us at hello@ohshie.app.

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Legal Bases for Processing (EEA/UK Users)
  4. How We Share Your Information
  5. Third-Party Service Providers
  6. International Data Transfers
  7. Data Retention
  8. Data Security
  9. Your Privacy Rights
  10. Rights for EEA/UK Residents (GDPR)
  11. Rights for California Residents (CCPA/CPRA)
  12. Cookies and Tracking Technologies
  13. Age Restrictions and Minors
  14. Adult Content and Sensitive Data
  15. Content Moderation and Safety
  16. Google OAuth and API Services Disclosure
  17. Changes to This Privacy Policy
  18. Contact Us

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Email address, password, username, display name, date of birth, and the timestamp of your acceptance of our Terms of Service and Privacy Policy when you register for an account
  • Profile Information: Biography, profile picture, website URL, and content category preference (Personal or Meme)
  • User Content: Images, captions, and comments that you upload or post to the Service
  • Social Interactions: Follow relationships, likes on posts and comments, and mentions of other users
  • Communications: Messages you send to us, such as support requests, feedback, or reports of content or users
  • Referral Information: If you participate in our referral program, we collect your referral code and track referral conversions

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

  • Device Information: Browser type and version, operating system, and device type
  • Usage Data: Pages viewed, features used, interactions with content, and navigation patterns, collected through Vercel Analytics
  • IP Address: Collected for security purposes, fraud prevention, and referral tracking
  • User Agent: Your browser identification string, used for referral fraud detection
  • Security Verification Data: Interaction data collected by Cloudflare Turnstile during CAPTCHA challenges to distinguish human users from bots
  • Country: Your country of access, determined from your IP address at the time of registration. We store only the ISO country code (e.g., "US," "DE") — not your IP address, city, or precise location. This is used for aggregated demographic statistics and legal compliance

1.3 Information from Third-Party Sources

If you choose to register or log in using Google OAuth, we receive the following information from your Google account:

  • Your name
  • Your email address
  • Your Google profile picture

We only request basic profile scopes (email, profile, openid) from Google. We do not request access to your contacts, calendar, files, or any other Google services.

1.4 Information We Do Not Collect

We do not collect financial information (credit card numbers, bank accounts), government-issued identification, precise geolocation, or information from your contacts or address book.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service: Create and manage your account, display your profile and content, enable social features (following, liking, commenting, notifications), operate the leaderboard and rewards system, and process customization purchases
  • Communications and Notifications: Send you in-app notifications about likes, comments, follows, mentions, and leaderboard results
  • Safety and Security: Verify your identity during registration, prevent fraud and abuse, enforce our age restriction (18+), moderate content, respond to reports, and rate-limit requests to prevent misuse
  • Improve the Service: Analyze aggregated, anonymized usage patterns through Vercel Analytics to understand how users interact with the Service and identify areas for improvement
  • Referral Program: Track referral clicks and conversions using cookies and session identifiers to attribute referrals and prevent fraud
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes, including responding to lawful requests from public authorities
  • Demographic Statistics: We use your country information in aggregated, anonymized form to understand the geographic distribution of our user base. This data is never used to identify individual users

3. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Performance of a Contract (Article 6(1)(b)): To provide the Service to you, including account creation, content hosting, social features, and the leaderboard/rewards system
  • Consent (Article 6(1)(a)): For processing your date of birth for age verification, for setting non-essential cookies, and where you voluntarily provide information (such as your bio or profile picture)
  • Legitimate Interests (Article 6(1)(f)): For security measures (CAPTCHA, rate limiting, fraud prevention), analytics to improve the Service, and enforcing our Terms of Service
  • Legal Obligation (Article 6(1)(c)): To comply with applicable laws, including reporting obligations for child sexual abuse material (CSAM) and responding to lawful data requests

Where we process special categories of data (such as data revealing adult content preferences derived from your usage), we do so on the basis that such data has been manifestly made public by you (Article 9(2)(e) GDPR).

4. How We Share Your Information

We do not sell, rent, or trade your personal data to third parties for monetary consideration. We do not share your personal data for cross-context behavioral advertising.

Publicly Visible Information

When you create a profile and post content on OhShie, certain information is publicly visible to all users, including: your username, display name, profile picture, bio, posts and captions, like counts, follower/following lists, and leaderboard rankings. Please be mindful that content you share publicly cannot be restricted after publication except by deletion.

Service Providers

We share information with third-party service providers who perform services on our behalf, as described in Section 5 below. These providers are contractually obligated to use your information only for the purposes of providing services to us and in accordance with this Privacy Policy.

Legal and Safety Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or governmental request
  • Enforce our Terms of Service, including investigation of potential violations
  • Detect, prevent, or address fraud, security, or technical issues
  • Protect the rights, property, or safety of OhShie, our users, or the public, including reporting suspected child sexual abuse material (CSAM) to the National Center for Missing & Exploited Children (NCMEC) or relevant law enforcement

Business Transfers

If OhShie is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via a prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Third-Party Service Providers

We use the following third-party services to operate the Service. Each provider may process your data as described:

  • Supabase (database, authentication, file storage): Stores your account data, profile information, posts, images, and all social interaction data. Supabase hosts data on Amazon Web Services (AWS) infrastructure. See Supabase Privacy Policy
  • Vercel (hosting and analytics): Hosts the Service and provides privacy-focused, anonymized web analytics (page views, device type, browser). Vercel Analytics does not use cookies and does not track individual users. See Vercel Privacy Policy
  • Cloudflare (security/CAPTCHA): Provides Turnstile CAPTCHA verification during registration to prevent automated abuse. Cloudflare may process your IP address, browser information, and interaction data for bot detection. See Cloudflare Privacy Policy
  • Google (OAuth authentication): If you choose to sign in with Google, Google processes your authentication and shares your basic profile data with us. Our use of Google user data is limited to the practices described in this Privacy Policy. See Google Privacy Policy

6. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States, where our service providers (Supabase, Vercel, Cloudflare, Google) maintain servers.

If you are located in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international transfers, including:

  • European Commission adequacy decisions for countries deemed to provide adequate data protection
  • Standard Contractual Clauses (SCCs) approved by the European Commission, as implemented by our service providers
  • The EU-U.S. Data Privacy Framework, where applicable

You may request a copy of the applicable transfer safeguards by contacting us at hello@ohshie.app.

7. Data Retention

We retain your personal data for as long as your account remains active or as needed to provide you the Service. Specific retention periods include:

  • Account and Profile Data: Retained until you delete your account
  • Posts, Comments, and Images: Retained until you delete the content or your account
  • Referral Tracking Data: IP addresses and user agents associated with referral clicks are retained for up to 90 days for fraud prevention
  • Leaderboard Snapshots: Historical leaderboard positions are retained indefinitely for historical record
  • Content Reports: Reports of content or user violations are retained for the duration necessary to investigate and resolve the report, and may be retained longer for legal compliance

When you delete your account, we delete your personal data, including your profile, posts, images, comments, likes, follows, and notifications. This deletion is performed immediately upon your request. Some data may be retained in encrypted backups for up to 30 days, after which it is permanently destroyed. We may retain certain data where required by law (for example, for tax, legal reporting, or CSAM investigation purposes).

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal data, including:

  • All data is transmitted over encrypted connections using HTTPS/TLS
  • Passwords are hashed using the industry-standard bcrypt algorithm and are never stored in plain text
  • Row-Level Security (RLS) is enforced at the database level so users can only access their own private data
  • Rate limiting is applied to sensitive operations (authentication, image uploads, account deletion) to prevent abuse
  • CAPTCHA verification (Cloudflare Turnstile) is required during registration to prevent automated account creation
  • Administrative operations require authenticated admin credentials with constant-time secret comparison to prevent timing attacks

While we take reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Your Privacy Rights

Regardless of your location, you have the following rights:

  • Access and Update: You can access and update your profile information at any time through your account settings (username, display name, bio, profile picture, password, category)
  • Delete Your Account: You can permanently delete your account and all associated data from the Settings page. This action is irreversible
  • Delete Your Content: You can delete individual posts and comments at any time
  • Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal

To exercise any rights not available through the Service directly, contact us at hello@ohshie.app. We will respond to your request within 30 days.

10. Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following additional rights under the GDPR:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data (subject to legal exceptions)
  • Right to Restrict Processing (Art. 18): Request that we limit how we use your data in certain circumstances
  • Right to Data Portability (Art. 20): Request a machine-readable copy of data you provided to us
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including for analytics purposes
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): We do not make automated decisions that produce legal effects concerning you

To exercise these rights, email us at hello@ohshie.app. You also have the right to lodge a complaint with your local data protection supervisory authority.

11. Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

To exercise these rights, email hello@ohshie.app with the subject line "CCPA Request." We will verify your identity before processing the request and respond within 45 days.

12. Cookies and Tracking Technologies

We use the following cookies:

  • Authentication Session Cookies (Essential): Set by Supabase to maintain your logged-in session. These are strictly necessary for the Service to function and cannot be disabled
  • Theme Preference Cookie (Essential): Stores your visual theme preference
  • Referral Cookies (Functional): ref_code and ref_session_id cookies are set when you click a referral link. These are httpOnly, secure cookies with a 30-day expiry, used to attribute referral conversions
  • Cloudflare Turnstile (Security): May set cookies during CAPTCHA verification to assess security risk. These are controlled by Cloudflare

Vercel Analytics does not use cookies. It collects anonymized, aggregated usage data without tracking individual users.

We do not use advertising cookies or third-party tracking pixels. We use localStorage in your browser to cache non-sensitive preferences such as search history and feed preferences locally on your device. This data is never transmitted to our servers.

13. Age Restrictions and Minors

The Service is strictly limited to individuals aged 18 and older. Because OhShie permits content that may include nudity and adult material, we require all users to confirm that they are at least 18 years of age during registration by providing their date of birth.

We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a user is under 18, we will promptly suspend or delete their account and associated data. If you believe that someone under 18 has created an account, please report it immediately to hello@ohshie.app.

Parents or guardians who believe their child has provided personal information to us may contact hello@ohshie.app to request deletion.

14. Adult Content and Sensitive Data

OhShie permits users to post content that may include nudity and adult material, subject to the rules in our Terms of Service. By using the Service, you acknowledge that you may be exposed to such content.

We do not specifically collect "special category" or "sensitive" personal data as defined by the GDPR (e.g., data about your health, sexual orientation, or political opinions). However, the content you choose to upload may incidentally reveal such information. You should exercise caution when sharing content that could reveal sensitive information about yourself or others.

15. Content Moderation and Safety

To maintain the safety of the platform, we may review user-generated content and account information for the purposes of:

  • Responding to user reports of content or account violations
  • Detecting and removing child sexual abuse material (CSAM), which we are legally obligated to report to the National Center for Missing & Exploited Children (NCMEC) and/or relevant law enforcement
  • Detecting and removing non-consensual intimate images (NCII)
  • Enforcing our Terms of Service and content policies

Content review may involve human moderators viewing user-generated content. We limit access to content to authorized personnel who require it for moderation and safety purposes.

16. Google OAuth and API Services Disclosure

OhShie's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only request and access the minimum Google user data necessary for authentication (email, name, profile picture via the email, profile, and openid scopes)
  • We use Google user data solely to authenticate your identity and create/maintain your OhShie account
  • We do not use Google user data for advertising, selling, or any purpose unrelated to the Service
  • We do not allow humans to read your Google user data except where necessary for security purposes, to comply with applicable law, or with your explicit consent
  • Google user data is stored securely in our database (Supabase) and is subject to the same protections described throughout this Privacy Policy
  • You can revoke OhShie's access to your Google account at any time via your Google Account permissions page

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will:

  • Post the updated policy on this page with a new effective date
  • Notify registered users through an in-app notification or via the email address associated with your account

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at hello@ohshie.app.

We aim to respond to all privacy-related inquiries within 30 days.
