Privacy Policy

Version 2.2 · Effective May 3, 2026 · Last updated May 3, 2026

1. Who We Are

This Privacy Policy explains how TECHBAY SARL-AU, a société à responsabilité limitée à associé unique (SARL-AU) organised under the laws of the Kingdom of Morocco, with registered office at Bureau 842-4, 4ème étage, Imm 8 Khalij Ennakhil Founty, Agadir, Kingdom of Morocco, doing business as “Told.” (“Told,” “we,” “us,” or “our”), collects, uses, shares, and protects information about you when you use the Told mobile application (the “App”) and the website at told.pnkyx.com (together, the “Service”).

Told is a social prediction game. We act as the data controller for the personal data we process about you in connection with the Service, except where we act on behalf of another data controller.

Contact: TECHBAY SARL-AU, Bureau 842-4, 4ème étage, Imm 8 Khalij Ennakhil Founty, Agadir, Kingdom of Morocco — privacy@pnkyx.com.

Moroccan Law 09-08 & CNDP. As a controller established in the Kingdom of Morocco, our processing of personal data is also subject to Moroccan Law No. 09-08 of 18 February 2009 on the protection of individuals with regard to the processing of personal data, as implemented by Decree No. 2-09-165. Where required by Law 09-08, our processing activities are or will be declared to or authorised by the Commission Nationale de contrôle de la protection des Données à caractère Personnel (“CNDP”). Moroccan data subjects have the rights of information, access, rectification, opposition, and deletion, and may lodge a complaint with the CNDP at cndp.ma.

EU / UK / Swiss representative (GDPR Article 27). We are established outside the European Union, the European Economic Area, the United Kingdom, and Switzerland. The GDPR may apply to our processing of EU/EEA data subjects’ personal data under Article 3(2) where we offer the Service to them or monitor their behaviour in the Union. We do not specifically target the European Union as a primary market, do not engage in regular and large-scale processing of EU personal data, and do not process special categories of data on a large scale. On the basis of our current scale and offering we have not appointed a representative under Article 27 GDPR, under the UK GDPR, or under Article 14 nFADP. If our scale or targeting changes, we will appoint and publish the name and address of a representative here.

Digital Services Act — legal representative (Article 13). We do not maintain an establishment in the European Union. We qualify as a micro-enterprise under Recommendation 2003/361/EC, so the Article 13 designated-representative obligation does not currently apply to us. If our status changes (including if we cease to qualify as a micro- or small enterprise, or if the service becomes a Very Large Online Platform within the meaning of the DSA), we will appoint and publish the representative’s name and address here.

Digital Services Act — single point of contact (Article 11). EU Member State authorities, the European Commission, and the European Board for Digital Services may contact us at dsa@pnkyx.com. Communications may be in English.

2. Scope & Key Terms

This policy applies to information we collect through the App, our website, and our customer-support channels. It does not apply to third-party services that we link to and that operate under their own privacy policies (including Apple, Google, and the payment processors discussed below).

Capitalized terms used in this policy have the following meanings:

• Cred — the in-app virtual game point used in Told. Cred has no monetary value, cannot be cashed out, and cannot be exchanged for real currency, goods, or services.
• User Content — predictions, comments, usernames, profile text, and other content you submit through the Service.
• Personal Data — information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual.
• Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

3. Data We Collect

Category	Examples	Source
Account & identifiers	Name, email address, profile information, unique user ID, authentication tokens	You and your authentication provider (Apple or Google) at sign-up
User Content	Predictions, comments, usernames, profile text, payment-handle bio links you choose to add (e.g. Venmo username)	You
Game & usage data	Prediction activity, Cred balance and transactions (earned and purchased), streaks, leaderboard position, in-app interactions	Generated by your use of the App
Purchase information	Apple In-App Purchase transaction identifiers and signed receipts for Told Pro subscriptions and Cred Packs (we do not receive payment-card numbers)	Apple, on confirmation of an In-App Purchase
Push notification tokens	Device push tokens issued by Apple Push Notification service or Firebase Cloud Messaging via Expo	Your device, when you opt in to push notifications
Diagnostics	Crash reports, error logs, and performance metrics (e.g. memory, latency, request status codes) collected via the Expo runtime and our API logs	Your device and our servers
Communications	Messages you send to us by email or through in-app support	You

What we do not collect. We do not collect precise geolocation, contacts, photos, microphone, camera, health, financial-account, or biometric data. We do not use the Identifier for Advertisers (IDFA) and the App does not track you across other companies’ apps or websites for advertising purposes.

Sensitive personal information (CCPA/CPRA). We do not collect or process “sensitive personal information” as defined in California Civil Code §1798.140(ae) (such as government IDs, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of mail, email, or text messages, biometrics, health, or sex-life or sexual-orientation information).

4. How We Use Your Data & Legal Bases (GDPR & UK GDPR)

We use the data described above for the purposes set out in the table below. For users in the European Economic Area, the United Kingdom, or Switzerland, the table also states our lawful basis under Article 6 of the GDPR (and equivalent provisions of the UK GDPR).

Purpose	Categories used	Lawful basis
Create and operate your account; provide the prediction game; deliver core App features	Account, identifiers, User Content, game & usage data	Performance of a contract (Art. 6(1)(b))
Process Apple In-App Purchases (Told Pro and Cred Packs); validate receipts; credit purchased Cred	Purchase information, account, identifiers	Performance of a contract (Art. 6(1)(b))
Send transactional messages and push notifications you have opted into (prediction results, challenges, weekly Cred refill)	Account, push tokens	Consent (Art. 6(1)(a)) for opt-in push; performance of a contract for transactional messages
Moderate User Content; detect abuse, fraud, manipulation, and policy violations; protect users and the integrity of the prediction game	User Content, game & usage data, identifiers	Legitimate interests (Art. 6(1)(f)) — running a safe community
Maintain security, debug, prevent and investigate misuse, and improve App performance	Diagnostics, identifiers, game & usage data	Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c))
Respond to your support requests and legal claims	Communications, account	Legitimate interests (Art. 6(1)(f)); legal obligation where required
Comply with tax, accounting, and legal obligations (e.g. retaining transaction records)	Purchase information, identifiers	Legal obligation (Art. 6(1)(c))
Defend our legal rights and protect the safety of users and third parties	As required	Legitimate interests (Art. 6(1)(f)); vital interests (Art. 6(1)(d)) where applicable

We do not sell or “share” (as those terms are defined under U.S. state privacy laws) your Personal Data, and we do not engage in cross-context behavioural advertising or targeted advertising. We do not use Personal Data for any purpose materially different from those listed above without your consent.

5. Service Providers & Sub-Processors

We engage the following service providers, who process Personal Data on our behalf as data processors under written agreements that include the data-protection terms required by Article 28 GDPR (or equivalent law). We remain responsible for their handling of your data.

Provider	Service	Data shared	Primary location
Supabase, Inc.	Authentication, database, realtime, file storage	Account data, User Content, game & usage data, identifiers	United States
Expo, Inc.	App runtime, over-the-air updates, push notification delivery	Push tokens, device metadata, diagnostic events	United States
Fly.io, Inc.	API hosting	Request data processed by our API	United States (multi-region)
Apple Inc.	Sign in with Apple, App Store In-App Purchase, Apple Push Notification service, App Store Server Notifications	Authentication tokens, signed purchase transactions, device push tokens	United States and EU (Apple regional infrastructure)
Google LLC	Google Sign-In, Firebase Cloud Messaging (Android push, when applicable)	Authentication tokens, push tokens	United States

Apple acts as the merchant of record for all In-App Purchases. We do not receive your payment-card number, full billing address, or any payment instrument data; we receive only signed transaction receipts and product identifiers from Apple. Your interactions with Apple are governed by Apple’s privacy policy at apple.com/legal/privacy. Your interactions with Google sign-in are governed by Google’s privacy policy at policies.google.com/privacy.

We may also disclose Personal Data: (i) in response to a valid legal request, court order, or government demand; (ii) to enforce our Terms of Service or investigate suspected violations; (iii) to protect the rights, property, or safety of Told, our users, or others; or (iv) in connection with a corporate transaction such as a merger, acquisition, financing, or sale of assets, in which case we will require any successor to honour this Privacy Policy.

6. International Data Transfers

Told is established in the Kingdom of Morocco; our service providers are located primarily in the United States and the European Union. Personal Data is therefore typically transferred and processed across borders. When we transfer Personal Data of users in the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on one or more of the following safeguards under Articles 44–49 GDPR (and equivalent UK and Swiss law):

• The European Commission’s Standard Contractual Clauses (Decision 2021/914), as supplemented by the UK Information Commissioner’s International Data Transfer Addendum or the Swiss Federal Data Protection and Information Commissioner’s addendum, where applicable;
• Self-certifications under the EU–U.S. Data Privacy Framework, the UK Extension, and the Swiss–U.S. Data Privacy Framework, where our processors maintain valid certification; and
• Supplementary technical and organisational measures including encryption in transit, encryption at rest, and access-control policies.

Transfers to Morocco. Where Personal Data is transferred to or accessed from Morocco (for example, by our staff for support and security operations), Morocco is not currently the subject of an adequacy decision under Article 45 GDPR. Such transfers therefore also rely on the Standard Contractual Clauses described above and on the supplementary measures listed above. Morocco is itself a party to the Council of Europe Convention 108 and Convention 108+ on the protection of individuals with regard to automatic processing of personal data, and Moroccan processing is supervised by the CNDP under Law 09-08.

You may request a copy of the relevant transfer mechanism by contacting privacy@pnkyx.com.

7. Data Retention & Deletion

We keep Personal Data only for as long as we need it for the purposes described in this policy, after which we delete or anonymize it. The table below summarizes our default retention periods.

Data	Retention
Account, profile, User Content, Cred balance	For the life of your account; deleted within 30 days of account deletion (subject to the survival rule below).
Apple In-App Purchase transaction records	Up to 7 years to comply with U.S. tax and accounting requirements.
Authentication and security audit logs	Up to 12 months for security investigations and fraud prevention.
Diagnostic and crash data	Up to 90 days, then deleted or aggregated.
Aggregated and anonymized analytics	Up to 24 months. Such data does not identify you.
Encrypted database backups	Purged within 30 days after the underlying account is deleted.
Records held to enforce our Terms or defend legal claims	For the period required by the applicable statute of limitations.

Deletion. You may delete your account at any time in the App (Settings → Delete Account) or by emailing privacy@pnkyx.com. On deletion we permanently remove your profile, predictions, comments, and Cred balance from our active systems within 30 days.

Survival. Some content may persist after account deletion to preserve the integrity of past resolved predictions, leaderboards, and share cards already distributed by other users. Where this content includes references to you, we will deidentify it (for example, by replacing your username with “[deleted user]”) within a reasonable time. Active subscriptions should be cancelled in your Apple ID settings before account deletion.

8. Your Privacy Rights

8.1 Rights for everyone

Regardless of where you live, you may at any time: (i) access the Personal Data in your account through the App; (ii) correct inaccurate Personal Data through the App or by contacting us; (iii) delete your account in the App; (iv) opt out of push notifications in iOS Settings; and (v) contact us at privacy@pnkyx.com for any privacy request.

8.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / nFADP)

If you are in the EEA, the UK, or Switzerland, you have the right to:

• Access your Personal Data and obtain a copy of it;
• Have inaccurate Personal Data rectified or completed;
• Have your Personal Data erased (the “right to be forgotten”);
• Restrict or object to certain processing, including profiling and processing based on legitimate interests;
• Receive your Personal Data in a structured, commonly used, machine-readable format (e.g. JSON) and have it transmitted to another controller (data portability);
• Withdraw consent at any time, where processing is based on consent (this does not affect prior lawful processing); and
• Lodge a complaint with your local data-protection authority. A list of EEA authorities is available at edpb.europa.eu; the UK authority is the ICO at ico.org.uk; the Swiss authority is the FDPIC at edoeb.admin.ch.

You may also have rights under the EU Digital Services Act (Regulation (EU) 2022/2065), including the right to be informed of restrictions placed on your User Content, to submit a complaint through our internal complaint-handling system, and to refer disputes to a certified out-of-court dispute settlement body. To submit a DSA complaint, email legal@pnkyx.com with the subject line “DSA Complaint.”

8.3 United States — State privacy rights

Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Florida (FDBR), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), New Jersey (NJDPA), Delaware (DPDPA), New Hampshire (NHPA), Nebraska (NDPA), Maryland (MODPA), Minnesota (MCDPA), Rhode Island, and other states with comprehensive consumer privacy laws have rights with respect to their Personal Data, which include some or all of the following:

• The right to know what categories and specific pieces of Personal Data we collect, use, and disclose;
• The right to access and obtain a copy of your Personal Data;
• The right to correct inaccurate Personal Data;
• The right to request deletion of your Personal Data;
• The right to opt out of the sale of Personal Data, the sharing of Personal Data for cross-context behavioural advertising, and certain forms of profiling for decisions that produce legal or similarly significant effects;
• The right to limit the use and disclosure of sensitive personal information; and
• The right not to be discriminated against for exercising any of these rights.

We do not sell or share Personal Data and do not engage in targeted advertising or profiling that produces legal or similarly significant effects, so opt-outs are not required for our processing — but if you would still like to record an opt-out preference, contact privacy@pnkyx.com. We honour Global Privacy Control (“GPC”) signals received via our website.

You may submit any of the requests above by emailing privacy@pnkyx.com. We will verify your identity by matching the request to information already associated with your account. You may use an authorized agent to submit a request on your behalf; we will require written proof of authorization. We will respond within the time required by the applicable law (generally 45 days, extendable as the law permits).

Appeals. If we deny your request, you may appeal by replying to our response email. Residents of California, Virginia (VCDPA §59.1-577(A)), Colorado (CPA §6-1-1308), Connecticut (CTDPA §42-520(d)), Texas (TDPSA §541.102), Oregon, Montana, Delaware, New Hampshire, Nebraska, New Jersey, Maryland, Minnesota, Indiana, Tennessee, Iowa, Florida, Rhode Island, and any other state that grants an appeal right have the right to appeal a denied request, and we will respond within the period required by the applicable law (typically 45 to 60 days). If your appeal is denied, you may contact your state attorney general or other competent regulator.

8.4 Other regions

Other regions. Residents of other regions have rights similar to those described above; contact privacy@pnkyx.com to exercise them. Without limiting the foregoing:

• Brazil — LGPD (Lei Geral de Proteção de Dados, Federal Law 13,709/2018). Under Article 18 you have the rights of confirmation of processing, access, correction of incomplete or inaccurate data, anonymization, blocking or deletion of unnecessary or excessive data, data portability, deletion of personal data processed with consent, information about public and private entities with which we have shared your data, information about the possibility of refusing consent and the consequences of refusal, and revocation of consent. Our representative for LGPD purposes is privacy@pnkyx.com; you may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
• Canada — PIPEDA and provincial laws. You have the right to access your personal information, request correction, withdraw consent (subject to legal or contractual restrictions), and complain to the Office of the Privacy Commissioner of Canada or your provincial regulator. Residents of Quebec have additional rights under Law 25 (Act respecting the protection of personal information in the private sector), including the right to information about automated decisions, the right to data portability, and the right to lodge a complaint with the Commission d’accès à l’information.
• Australia — Privacy Act 1988 (Cth) and the Australian Privacy Principles. Under APP 6, 11, 12, and 13 you have the right to access and correct your personal information and to know the countries to which we are likely to disclose it. The likely overseas recipient countries for your personal information are the United States (Supabase, Cloudflare, OpenAI, Sentry, Apple, Google), the European Union (Cloudflare and Apple edge infrastructure), and the Kingdom of Morocco (Told’s registered office and where our staff process support and security operations). You may complain to the Office of the Australian Information Commissioner (OAIC).

9. Automated Decision-Making & AI Moderation

We use automated systems, including machine-learning models, to screen User Content (predictions, comments, usernames, profile text) for prohibited content such as harassment, hate, threats, sexual content, or attempts to imply real-money settlement. These systems may automatically remove content, hide content pending review, or apply temporary action against your account.

Article 22 GDPR — no solely automated decisions with legal or similarly significant effect. We do not make decisions about you that are based solely on automated processing and that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 of the GDPR (or the equivalent provisions of the UK GDPR, Swiss nFADP, or the California Privacy Rights Act). Where automated systems flag content or apply a temporary action, a human reviewer is involved before any lasting account-level decision is made.

Right to human review and to contest a decision. You have the right to obtain human review of any account action, to express your point of view, and to contest the decision. To request human review, email legal@pnkyx.com with the subject line “Moderation Appeal”; provide the affected content or action and any context you would like considered. We will review your request and respond promptly. If you are an EU recipient of the service, the Digital Services Act gives you additional rights described in our Terms of Service.

10. Children & Age-Appropriate Design

Told is not directed to children under 13, and we do not knowingly collect Personal Data from anyone under 13. Our Terms of Service require all users to be at least 13 years old. The App’s primary age rating on iOS 26 and later is 13+, with regional exceptions assigned by the App Store (Australia: R 18+; Brazil: A12; Korea: 12+). On iOS versions earlier than 26, the App’s global rating is 12+, but our Terms still require users to be at least 13.

If you believe a child under 13 has provided Personal Data to us, please contact privacy@pnkyx.com and we will delete the data promptly. Parents and guardians may also email us to request access to or deletion of a minor’s Personal Data. We comply with the U.S. Children’s Online Privacy Protection Act (“COPPA”).

Minors aged 13–17. For users between 13 and 17, we apply the same data-minimisation, transparency, retention, and security practices described in this policy. We do not profile minors for targeted advertising, do not sell or “share” their Personal Data within the meaning of CCPA / CPRA §1798.140, and apply the highest privacy default available in the App. We monitor the California Age-Appropriate Design Code Act (Cal. Civ. Code §§1798.99.28–1798.99.40), the Maryland Age-Appropriate Design Code Act, the New York SAFE for Kids Act, and analogous developing laws, and will update our practices and assessments as those laws come into effect against us.

11. Tracking, IDFA & Cookies

The App does not use the Identifier for Advertisers (IDFA) and does not implement Apple’s App Tracking Transparency prompt because we do not track you across other companies’ apps or websites. We do not use Personal Data for advertising and do not share data with advertising networks.

The website at told.pnkyx.com uses only strictly necessary cookies and no third-party advertising or analytics cookies. We do not display a cookie banner because we do not set non-essential cookies.

12. Sign in with Apple, Google & Biometrics

Sign in with Apple and Google Sign-In may use device biometrics (Face ID, Touch ID, fingerprint, or face unlock) as part of the system authentication flow controlled by your device’s operating system. Told does not collect, transmit, store, or process biometric data; biometric verification occurs entirely on your device.

If you choose Apple’s “Hide My Email” option, Apple provides a private relay email address. We treat that relay address as your contact email for the Service. If you later disable Apple’s relay, we may lose the ability to email you.

13. Security & Breach Notification

We use industry-standard security measures including TLS encryption in transit, encryption at rest for our database, row-level security policies, scoped access tokens, secrets management, and least-privilege access controls. We monitor our systems for unauthorized access. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security of your Personal Data.

If we become aware of a personal-data breach that affects your data, we will notify the relevant supervisory authority within 72 hours where required by GDPR Art. 33 (or equivalent law) and notify affected users without undue delay where required.

14. Push Notifications

We send service-related push notifications (prediction results, challenges, weekly Cred refills) only after you opt in during onboarding or in iOS Settings. Product news and promotional notifications are an additional, separately-controlled category: by default it is off, and you can turn it on or off at any time in the App under Settings → Notifications → Product news. This separation is designed to satisfy the granular-consent requirement of GDPR Article 7(2) and Article 13 of the ePrivacy Directive (2002/58/EC).

You may revoke push notification consent at any time at the operating-system level in iOS Settings → Notifications → Told. We deliver push notifications via Apple Push Notification service and (for Android, when supported) Firebase Cloud Messaging, in both cases through Expo’s push API.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. The “Last updated” date at the top of this page reflects the most recent revision. We will notify you of material changes through the App, by email, or by posting a notice on told.pnkyx.com at least 30 days before they take effect, and where the law requires it we will obtain your renewed consent. Older versions of this policy are available on request.

16. Contact

For privacy inquiries, data-subject requests, GDPR/UK GDPR/CCPA/CPRA/DSA/CNDP matters, or questions about this policy:

TECHBAY SARL-AU (trading as “Told.”)
Bureau 842-4, 4ème étage, Imm 8 Khalij Ennakhil Founty
Agadir, Kingdom of Morocco
Email: privacy@pnkyx.com

If you are in the EEA or UK and you are not satisfied with our response, you may also lodge a complaint with your local supervisory authority. If you are in Morocco, you may lodge a complaint with the CNDP at cndp.ma.

© 2026 TECHBAY SARL-AU. All rights reserved. “Told.” is a trade name of TECHBAY SARL-AU.