Smiddy — Privacy Policy (Beta)

1. Who we are

Smiddy is a mobile app that helps creatives — such as photographers, videographers, models and stylists — and the people who hire them find each other, post and discover opportunities, follow people and message to arrange work. This policy explains what personal data we collect when you use the Smiddy beta, how we use it, and the rights you have over it.

The data controller responsible for your information is John Flynn (operating Smiddy as an individual during the beta). You can contact us about privacy at contact@smiddy.app. As the project grows, the controller will become a limited company and we will update this policy to reflect that.

2. Who this applies to

Smiddy is currently in a closed, invite-only beta distributed through Apple TestFlight. It is intended only for adults aged 18 or over who have been personally invited. If you are under 18, please do not use the Smiddy beta. We explain more in section 11.

3. What data we collect

We collect the following categories of personal data:

Account data — when you sign in with Apple, we receive your name and an email address (which may be a private Apple relay address) to create and secure your account.
Profile data — information you choose to add, such as your creative role, bio, location/availability signal and the photos or videos in your portfolio.
Content you upload — images, videos, opportunities and other posts you create on Smiddy.
Messages — the private messages you send and receive (including any images you share in a chat, which are stored in a private store), and your messaging-privacy choices (who may start a chat with you). Please read section 5 carefully on how messages are handled.
Social actions — who you follow, and any users you block.
Device, usage and crash data — because Smiddy is distributed through TestFlight, Apple automatically collects crash logs and basic usage information and shares it with us, including your name and email address. Apple states you cannot opt out of this collection while testing a beta app.
Support and feedback — anything you send us directly, such as beta feedback or emails.

4. How we use your data, and our lawful basis

Under UK data protection law we must have a lawful basis for using your data. The table below sets out what we do and why.

What we do with your data	Why (purpose)	Lawful basis (UK GDPR)
Create and run your account; show your profile to other users	To provide the Smiddy service you signed up for	Performance of a contract
Let you post, discover, follow, and message	Core functionality of the app	Performance of a contract
Scan and review uploads and content; operate blocking and suspension	To keep Smiddy safe and lawful, and meet our online-safety duties	Legal obligation; legitimate interests in user safety
Secure accounts and prevent abuse	To protect users and the service	Legitimate interests in security
Collect crash and usage data via TestFlight	To fix bugs and improve the beta	Legitimate interests in improving the app
Respond to your feedback or requests	To support you	Legitimate interests; performance of a contract

Where we rely on legitimate interests, we have considered your rights and only use your data in ways you would reasonably expect. You can object to that use — see section 9.

5. Content moderation and access to your messages

Keeping Smiddy safe is central to how it works, and that affects your privacy in ways we want to be completely clear about.

Every photo and video you upload is automatically checked before or shortly after it appears, and items that may breach our rules are held for a person to review. Images you send in a private chat are also automatically scanned for unsafe content before they are delivered. We can review, approve, reject or remove content, suspend accounts, and act on reports.

We also screen uploaded images against databases of known child sexual abuse material using image-matching technology. Any match is blocked, preserved securely, and reported to the relevant authorities, as the law requires.

Your messages are private, but they are not end-to-end encrypted

Your messages are protected while travelling over the internet and while stored (see section 10), but they are not end-to-end encrypted. This means we are technically able to access message content where necessary — for example to investigate a report, prevent harm, or comply with the law. We do not read messages routinely or for advertising. We keep messages this way deliberately, because being able to act on harmful content is part of keeping Smiddy safe and meeting our legal responsibilities. If you need a fully private channel, Smiddy's messaging is not designed for that.

6. Who we share your data with

We do not sell your personal data. We share it only with the service providers that help us run Smiddy, and where the law requires:

Supabase — our backend provider, which hosts the Smiddy database and stores your account data, content and messages on our behalf.
Apple — provides Sign in with Apple and TestFlight, and collects the crash and usage data described above. Apple's own privacy terms apply to that collection.
Sightengine — helps us automatically screen uploaded images and video for unsafe content.
Microsoft PhotoDNA — helps us detect known child sexual abuse material so it can be blocked and reported.
Didit — when Smiddy opens beyond the invite-only beta, provides age-assurance (age-estimation) checks; it returns only a pass/over-or-under result and we do not store identity documents or dates of birth.
Law enforcement or regulators — where we are legally required to disclose information, or to report illegal content such as child sexual abuse material.

Each provider acts under our instructions as a data processor, except where they operate as independent controllers of their own services (such as Apple).

7. Where your data is stored and international transfers

Your data is hosted on our behalf by Supabase in the European Economic Area (Stockholm, Sweden). The EEA is covered by UK "adequacy", so your data stays in Europe and remains protected to UK standards. Some of our providers — including Supabase (a US company) and Apple — may store or access data outside the UK and EEA; where that happens, we rely on an appropriate safeguard, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment. We keep a list of our sub-processors and can provide it on request.

8. How long we keep your data

We keep your data for as long as your account is active. If you pause (suspend) your account, your data is preserved but hidden from other users, and reappears when you sign back in. If you ask us to delete your account, we will delete or anonymise your personal data within a reasonable period, except where we must keep certain information to comply with the law (for example, records relating to a safety report). If you delete a conversation, it and any images shared in it are permanently deleted 30 days later. Because this is a beta, please also be aware that beta data may occasionally be reset as we develop the app.

9. Your rights

Under UK data protection law you have the right to:

access a copy of the personal data we hold about you;
ask us to correct inaccurate data;
ask us to delete your data;
object to, or ask us to restrict, certain processing;
ask us to provide your data in a portable format; and
withdraw any consent you have given, without affecting earlier processing.

To exercise any of these, email us at contact@smiddy.app. During the beta we handle these requests manually and will respond within one month. You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO), at ico.org.uk — though we'd appreciate the chance to put things right first.

10. How we protect your data

We use appropriate technical measures to keep your data secure. Connections between the app and our backend are encrypted in transit using HTTPS/TLS, and your data is encrypted at rest in our database and file storage. Access to the live data is restricted, and our database enforces row-level rules governing who can see and change what. No system can be guaranteed completely secure, but we take these protections seriously and keep them under review.

11. Children

Smiddy is not intended for anyone under 18, and the beta is invite-only to adults. We do not knowingly collect data from children. Before Smiddy opens to the public we will add highly effective age-assurance (facial age-estimation, via Didit, with a document fallback). If you believe a child has used the Smiddy beta, please contact us so we can remove their data.

12. Changes to this policy

We may update this policy as Smiddy develops — for example when we move from beta to public launch, or when the controller becomes a limited company. We will change the 'last updated' date above and, where changes are significant, let you know in the app.

13. How to contact us

For any privacy question or request, contact John Flynn at contact@smiddy.app.