PioKo User Agreement & Privacy Framework
Effective: March 31, 2025

1. Acceptance of Terms

By accessing, registering for, or utilizing PioKo’s services (the “Platform”), you confirm your understanding and acceptance of these binding Terms. Continued use of the Platform after any modifications constitutes your agreement to future revisions. These Terms govern all interactions with our website, mobile applications, APIs, and related services.

Key Obligations:

 Users must be at least 18 years old or meet jurisdictional age requirements.

 Providing false information may result in account termination.

 You are responsible for maintaining account security and reporting unauthorized access.

2. Data Collection Scope

2.1 User-Provided Information

Collected during account creation and service usage:

 Profile Identifiers: Username, profile image, and unique user ID to personalize your experience.

 Demographic Data: Birthdate and country to comply with regional regulations and tailor content.

 Preferences: Language settings and notification choices to customize your interaction with the Platform.

2.2 Automated Interaction Tracking

Data captured during Platform usage:

 Navigation Patterns: Page views and feature usage frequency to optimize interface design.

 Session Records: Timestamps and interaction sequences for troubleshooting and user journey analysis.

2.3 Technical System Details

Gathered to ensure cross-device compatibility:

 Device Specifications: Device ID, hardware model, operating system version, and screen resolution to diagnose performance issues.

 Network Data: IP address, ISP details, and connection type (Wi-Fi/mobile) to enhance connectivity stability.

 Diagnostic Logs: Crash reports, API error codes, and system activity records for real-time service monitoring.

3. Data Utilization Practices

3.1 Functional Enhancements

 Technical Optimization:
Use device specifications and crash logs to prioritize bug fixes. For instance, recurring crashes on specific Android models trigger targeted updates.

 Feature Development:
Test beta features (e.g., new chat layouts) with subsets of users based on their usage habits before full rollout.

3.2 Security Measures

 Fraud Detection:
Monitor login locations and device changes to flag suspicious activity. Unusual login attempts trigger multi-factor authentication prompts.

 Data Protection:
Implement AES-256 encryption for stored data and TLS 1.3 for data in transit. Regular penetration testing ensures compliance with ISO 27001 standards.

3.3 Communication Protocols

 Critical Alerts:
Send mandatory notifications about security breaches or policy changes via in-app banners and registered email.

 Service Updates:
Notify users of new features or scheduled maintenance through push notifications (customizable in settings).

3.4 Analytical Processes

 Behavior Mapping:
Aggregate anonymized data to identify trends (e.g., peak usage times) for server capacity planning.

 Log Analysis:
Use tools like Elasticsearch to parse server logs, reducing API response times by 30% during high-traffic periods.

4. Data Sharing Policy

4.1 Consent-Driven Disclosures

 Share data with third-party partners only after obtaining explicit opt-in consent.
Example: Request permission before connecting your profile to external fitness tracking apps.

4.2 Legal Compliance

 Disclose information under valid legal requests (e.g., court orders, subpoenas).
Process: Legal team reviews all requests for jurisdictional validity before responding.

4.3 Partner Collaborations

 Marketing Partners:
Share aggregated engagement data with Appsflyer to measure campaign ROI.

 Payment Processors:
Transmit transaction amounts and user IDs to Stripe/PayPal for payment verification.

4.4 Corporate Transactions

 During mergers or acquisitions, user data may transfer to successor entities under existing privacy terms.
Example: If acquired by a parent company, your data remains protected by pre-existing GDPR commitments.

5. Device Permissions & Controls

5.1 Media Access

 Photo Library & Camera:
For uploading images or participating in video calls.

 Microphone:
Activate only during voice/video calls. A visible indicator confirms active microphone use.

5.2 Storage Permissions

 External Storage:
To save or manage downloaded files.

5.3 Connectivity Features

 Bluetooth:
For improved audio experiences with compatible devices.

 Advertising IDs:
For analyzing marketing campaign performance.

To improve our services and marketing efforts, we may share limited, non-personal, or pseudonymized data with trusted third-party analytics providers like Appsflyer or Meta (Facebook). These partners are contractually obligated to:

 Use your data only for the purposes we specify (e.g., campaign measurement, ad optimization).

 Protect your information with industry-standard security measures.

 Comply with applicable privacy laws, including GDPR and CCPA.

6. User Rights & Governance

6.1 Consent Management

 Withdraw consent for non-essential data processing (e.g., personalized ads) without affecting core services.

6.2 Data Governance

 Access Requests:
Submit a Data Subject Access Request (DSAR) via the in-app support portal. Receive a response within 30 days.

 Deletion Process:
Account deletion triggers a 14-day grace period before permanent data removal (excluding legally retained records).

6.3 Policy Updates

 Receive email notifications for material term changes. Continued use 30 days post-update implies acceptance.

7. Legal Foundations & User Protections

7.1 Lawful Processing Bases

We process personal data in strict compliance with global privacy regulations, relying on multiple lawful bases to ensure transparency and legal compliance:

 Contractual Necessity:
When you create an account or purchase premium services, we process necessary data to fulfill our contractual obligations. This includes payment processing, account verification, and service delivery. For example, when you subscribe to our premium plan, we collect billing information to process payments and maintain your subscription status.

 Explicit Consent:
For sensitive data processing (such as biometric authentication or precise location tracking), we obtain separate, granular consent through clear opt-in mechanisms. Our consent management platform records when and how consent was given, allowing you to modify preferences at any time in your account settings.

 Legitimate Business Interests:
We analyze aggregated usage patterns to improve service quality, develop new features, and prevent fraudulent activities. For instance, by monitoring login attempts across devices, we can detect and block suspicious activities while minimizing false positives that might inconvenience legitimate users.

 Legal Compliance:
We retain certain records to meet regulatory requirements. Financial transactions are stored for 7 years to comply with tax laws, while age verification data is maintained to adhere to child protection regulations in various jurisdictions.

7.2 Global Privacy Compliance

1. Regional Regulatory Frameworks
Our compliance program addresses specific requirements in each operating region:

 EU/EEA (GDPR):
We've implemented Data Protection Impact Assessments (DPIAs) for high-risk processing activities and appointed an EU representative as required by Article 27. Our data processing agreements with vendors include Standard Contractual Clauses for international transfers.

 California (CCPA/CPRA):
California residents can opt out of data "sales" through our dedicated web portal. We've established processes to honor requests for access, deletion, and correction within the mandated 45-day response period.

 Brazil (LGPD):
Our Brazilian operations are overseen by a designated Data Protection Officer who ensures compliance with all LGPD requirements, including data subject rights and security obligations.

2. Cross-Border Data Transfers
We've implemented multiple transfer mechanisms to facilitate global operations while protecting user data:

 EU-US Transfers:
Following the invalidation of Privacy Shield, we now rely on the EU Commission's adequacy decisions and implement supplementary measures like data minimization and enhanced encryption.

 APAC Region:
For data transfers within Asia-Pacific, we comply with the ASEAN Data Management Framework and maintain CBPR certifications where applicable.

8. Security & Retention Protocols

8.1 Comprehensive Access Governance

Our access control framework ensures data is only available to authorized personnel:

 Role-Based Access Control (RBAC):
Employees are granted permissions based on their specific job functions. For example, customer support agents can view account details but cannot access payment information.

 Just-In-Time Privileges:
Engineers requesting production access must provide business justification and receive time-limited credentials that expire after each session.

 Third-Party Vendor Management:
All service providers undergo rigorous security assessments and must sign data processing agreements that include audit rights and breach notification requirements.

8.2 Multi-Layered Threat Mitigation

We employ advanced security measures to protect against evolving threats:

 Network Security:
Our next-generation firewall infrastructure processes over 15 million security events daily, using machine learning to identify and block malicious traffic patterns.

 Endpoint Protection:
All corporate devices have mandatory disk encryption, mobile device management, and continuous monitoring for suspicious activities.

 Incident Response:
Our 24/7 Security Operations Center (SOC) follows a detailed playbook for containment, eradication, and recovery from security incidents.

9. User Control Center

9.1 Rights Enforcement Mechanisms

We provide multiple channels for exercising your privacy rights:

 Self-Service Portal:
Through Settings > Privacy Dashboard, users can:

 Generate comprehensive data reports (GDPR Article 15)

 Initiate account deletion (CCPA right to erasure)

 Download data in machine-readable formats (right to portability)

 Manual Request Processing:
For complex cases, our privacy team handles:

 Bulk data corrections (>500 records)

 Guardian requests for minor accounts

 Disputes regarding automated decision-making

9.2 Advanced Control Options

Users have granular control over data processing:

 Processing Restrictions:
Temporarily pause specific data uses during:

 Regulatory investigations

 Accuracy disputes

 Lawfulness challenges

 Purpose-Specific Opt-Outs:
Choose which processing activities to allow:

 AI-driven content recommendations

 Personalized advertising

 Voice data analysis for service improvement

10. Dispute Resolution

10.1 Multi-Tiered Complaint Handling

We've established clear escalation paths for privacy concerns:

1. First-Level Resolution:
Initial complaints are handled by our customer experience team within 5 business days.

2. Privacy Office Review:
Unresolved issues escalate to our Data Protection Officer for independent assessment.

3. External Mediation:
As a last resort, we participate in alternative dispute resolution through approved third parties.

10.2 Binding Arbitration Terms

For unresolved disputes, our arbitration agreement specifies:

 Venue: Singapore International Arbitration Centre

 Rules: ICC Arbitration Rules

 Cost Structure: Sliding scale based on claim amount

 Discovery Process: Limited to essential documents

11. Policy Administration

11.1 Version Control System

We maintain a transparent policy history:

 Public Changelog:
Documents all substantive modifications with:

 Effective dates

 Summary of changes

 Legal basis for amendments

 Archival Process:
Previous versions remain available in:

 Machine-readable JSON format

 Digitally signed PDF copies

 Accessible through our legal documentation portal

11.2 Update Notification Protocol

We employ multiple channels to inform users of changes:

 In-App Notices:
Mandatory banners for material changes requiring affirmative consent.

 Email Alerts:
Detailed summaries sent 30 days before implementation of significant updates.

 SMS Notifications:
Reserved for critical security-related modifications that may impact user protections.

12. Your Privacy Rights by Applicable Law

12.1 California Consumer Privacy Act (CCPA/CPRA) Rights

If you are a California resident, you have the right to:

 Know/Access

 Request categories and specific pieces of personal information collected.

 Learn about data sources, business purposes, and third-party sharing.

 Delete

 Request deletion of personal data, subject to legal exceptions (e.g., fraud prevention).

 Opt-Out of Sale/Sharing

 Direct us not to "sell" (as defined by CCPA) or share your data for cross-context behavioral advertising.

 Correct

 Request correction of inaccurate personal information.

 Non-Discrimination

 Receive equal service and pricing even if you exercise privacy rights.

12.2 Virginia Consumer Data Protection Act (VCDPA) Rights

If you are a Virginia resident, you have the right to:

 Access

 Confirm whether we process your data and obtain a copy.

 Delete

 Request deletion of personal data provided by or obtained by you.

 Portability

 Obtain a portable copy of your data in a usable format.

 Opt-Out

 Opt out of:

 Targeted advertising.

 Sale of personal data.

 Profiling in furtherance of automated decisions.

 Appeal

 Challenge our response to a rights request through a designated appeals process.

12.3 Brazil General Data Protection Law (LGPD) Rights

If you are in Brazil, you have the right to:

 Confirm Processing

 Request confirmation of whether your personal data is being processed.

 Access

 Obtain clear information about processing activities and data retention periods.

 Anonymize, Block, or Delete

 Request unnecessary data be anonymized, blocked, or deleted.

 Portability

 Request transfer of your data to another service provider.

 Revoke Consent

 Withdraw previously given consent at any time.

 Information About Sharing

 Know with which public and private entities your data has been shared.

12.4 EU/UK General Data Protection Regulation (GDPR) Rights

If you are in the European Union or United Kingdom, you have the right to:

 Access

 Obtain a copy of your personal data and processing details.

 Rectification

 Request correction of incomplete or inaccurate data.

 Erasure ("Right to Be Forgotten")

 Request deletion under specific conditions (e.g., withdrawal of consent).

 Restrict Processing

 Limit how we use your data (e.g., during accuracy disputes).

 Portability

 Receive your data in a structured, machine-readable format.

 Object

 Object to processing for direct marketing or legitimate interests.

 Withdraw Consent

 Revoke consent for processing based on prior authorization.

How to Exercise Your Rights

To submit a request under any applicable law:

1. Contact Method

 Email: Send your request to bastiendassonville7@gmail.com with the subject line:

 CCPA: "CCPA Rights Request"

 VCDPA: "VCDPA Rights Request"

 LGPD: "LGPD Rights Request"

 GDPR: "GDPR Rights Request"

2. Verification Requirements

 Account holders: Log in to verify identity.

 Non-account holders: Provide a signed affidavit and government-issued ID (for sensitive requests).

3. Response Timeframe

 CCPA/VCDPA/LGPD: We will respond within 45 days (extendable to 90 days with notice).

 GDPR: We will respond within 30 days.

4. Appeal Process (VCDPA Specific)

If we decline your request under VCDPA, you may appeal by:

 Emailing bastiendassonville7@gmail.com within 30 days of our decision.

Note: We will not discriminate against you for exercising your privacy rights. Some services may be limited if required data is deleted (e.g., losing purchase history for warranty claims).

13. Children's Privacy Protection

Our services are exclusively intended for users aged 18 and above. We maintain strict protocols to ensure compliance with children's privacy regulations:

1. Age Restriction: The platform is neither designed for nor targeted at individuals under 18 years of age.

2. Data Collection Policy: We do not knowingly solicit, collect, or maintain any personal information from minors under 18.

3. Compliance Measures: In the event we discover any inadvertent collection of data from underage users, we will:

 Immediately initiate deletion procedures

 Secure the permanent removal of such information from our systems

 Implement corrective measures to prevent recurrence

4. Parental Notification: Should we identify cases where minors' data may have been processed without proper authorization, we will make reasonable efforts to notify relevant guardians or parents.

14. Data Protection Officer (DPO)

 Name: Bastien Dassonville

 Contact Address:
Kranichsteiner Str. 81
Frankfurt am Main - 60598
Germany

 Email: bastiendassonville7@gmail.com

15. Contact Us

We value your trust and are committed to answering any questions, comments, or concerns you may have about this privacy policy. If you wish to exercise your privacy rights or need further clarification, please feel free to contact us:

 Email:
You can reach out to us anytime by sending an email to bastiendassonville7@gmail.com. We strive to respond within five business days of receiving your email. Your feedback is very important to us, and we will do our best to address your questions or concerns in a reasonable timeframe.

Thank you for choosing PioKo as your social application. We appreciate your trust and are committed to providing you with a safe and enjoyable community experience while protecting your privacy.