PlayMeWhen Privacy Policy

Last Updated: May 21, 2025

PlayMeWhen is committed to protecting your privacy. This Privacy Policy explains what personal data we collect from you, how we use and share it, and your rights with respect to that data. We strive to comply with privacy laws around the world, including the EU and UK General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Brazil’s Lei Geral de Proteção de Dados (LGPD), India’s Digital Personal Data Protection Act, 2023 (DPDP Act), and other applicable laws. We’ve designed this Policy to be transparent and user-friendly, using plain language. 

By using PlayMeWhen, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service. We may update this Policy from time to time (see Section 11 on changes). ​

1. Scope of this Policy

This Privacy Policy applies to the PlayMeWhen website, app, and any services we provide (collectively, the “Service”). It covers personal information we collect from users of the Service, as well as information we collect through any communication or interaction you have with us (such as customer support). It does not apply to any third-party websites or services that you may interact with via PlayMeWhen, which have their own privacy practices

Key terms: - “PlayMeWhen” or “we” (and “us”/“our”) refers to PlayMeWhen Inc. - “You” or “User” refers to the individual using our Service (including senders of capsules, recipients of capsules, and parents/ guardians of minor users). - “Personal Data” (or “Personal Information”) means any information that relates to an identified or identifiable individual. It can include obvious things like your name or email, and also less obvious things like your IP address or device ID, when those can be linked to you. We treat information associated with a specific person or household as Personal Data, wherever required by law

3. How We Use Your Information

In simpler terms, here are the main ways we use personal data (some of which are already described in the table above)

•  To Provide the Service: We use data to create your account, log you in, enable you to upload content, store your capsules, and deliver them to recipients. This includes using data to identify you, to process transactions if you make a purchase, and to deliver notifications (for example, emailing a recipient when a capsule is ready to view).
• To Enforce Age Restrictions and Parental Controls: We use birthdate to ensure compliance with age-based laws. If a user is under the required age, we use parent contact info to obtain consent and tie the child’s account to the parent’s control. We may use technical measures to verify ages and retain proof of parental consent as required by laws (like COPPA and GDPR-K).
• To Communicate with You: We’ll use your email (or other provided contact) to send important account or service messages. These include verification emails, password resets, notifications about your capsules (e.g. preview confirmation, deletion reminders, upcoming delivery notices), and updates to terms or policies. These are not marketing messages, but rather operational communications. You cannot opt out of these essential communications without closing your account, because they are necessary to provide our service responsibly
• To Send Optional Updates and Marketing: [If applicable] With your consent, we might send newsletters, promotional offers, or updates about new features. For example, we might announce new capsule types or partner offers. We will only send such communications if you have opted in (for instance, by signing up for our newsletter). You can opt out at any time by clicking “unsubscribe” in those emails or adjusting your preferences. We do not spam, and we do not share your email with third parties for their own marketing.
• To Ensure Service Functionality and Performance: We use device and usage data to make sure PlayMeWhen works well on different devices and to troubleshoot issues. For instance, if our app crashes, we might analyze a crash log (which could include device model and technical info) to fix it. Usage data (like how many users open a certain feature) helps us improve features and user experience.  
• To Maintain Security and Prevent Fraud/Misuse: We monitor certain data (IP addresses, activity patterns) to detect and prevent malicious activities. For example, we might use IP info to detect if someone is trying to hack accounts or if an account login is coming from a suspicious location. We may also use automated systems to flag unusual usage that might indicate terms of service violations or other abuses. This is important to keep our platform safe for everyone.  
• To Comply with Legal Requirements: Where necessary, we use personal data to comply with laws for example, keeping transaction records for tax audits, responding to valid legal requests (court orders or subpoenas), or honoring opt-out signals (like “Do Not Sell” requests under California law, though we don’t sell data as noted in Section 7)
• For Aggregated Analytics: We might combine data to generate aggregated metrics (like total number of capsules created in a year, or percentage of users in each region). This aggregated data does not identify individuals and is used to understand our business and may be shared in reports or public updates. For any analytics that involve personal data, we will either seek consent or ensure it falls under legitimate interests with minimal privacy impact (and provide opt-outs where needed)  

We will not use your personal data for new purposes that are materially different from the purposes above without updating this Privacy Policy and obtaining consent if required.

3. How We Use Your Information

In simpler terms, here are the main ways we use personal data (some of which are already described in the table above)

• To Provide the Service: We use data to create your account, log you in, enable you to upload content, store your capsules, and deliver them to recipients. This includes using data to identify you, to process transactions if you make a purchase, and to deliver notifications (for example, emailing a recipient when a capsule is ready to view).
• To Enforce Age Restrictions and Parental Controls: We use birthdate to ensure compliance with age-based laws. If a user is under the required age, we use parent contact info to obtain consent and tie the child’s account to the parent’s control. We may use technical measures to verify ages and retain proof of parental consent as required by laws (like COPPA and GDPR-K).
• To Communicate with You: We’ll use your email (or other provided contact) to send important account or service messages. These include verification emails, password resets, notifications about your capsules (e.g. preview confirmation, deletion reminders, upcoming delivery notices), and updates to terms or policies. These are not marketing messages, but rather operational communications. You cannot opt out of these essential communications without closing your account, because they are necessary to provide our service responsibly
• To Send Optional Updates and Marketing: [If applicable] With your consent, we might send newsletters, promotional offers, or updates about new features. For example, we might announce new capsule types or partner offers. We will only send such communications if you have opted in (for instance, by signing up for our newsletter). You can opt out at any time by clicking “unsubscribe” in those emails or adjusting your preferences. We do not spam, and we do not share your email with third parties for their own marketing.
• To Ensure Service Functionality and Performance: We use device and usage data to make sure PlayMeWhen works well on different devices and to troubleshoot issues. For instance, if our app crashes, we might analyze a crash log (which could include device model and technical info) to fix it. Usage data (like how many users open a certain feature) helps us improve features and user experience.  
• To Maintain Security and Prevent Fraud/Misuse: We monitor certain data (IP addresses, activity patterns) to detect and prevent malicious activities. For example, we might use IP info to detect if someone is trying to hack accounts or if an account login is coming from a suspicious location. We may also use automated systems to flag unusual usage that might indicate terms of service violations or other abuses. This is important to keep our platform safe for everyone.  
• To Comply with Legal Requirements: Where necessary, we use personal data to comply with laws for example, keeping transaction records for tax audits, responding to valid legal requests (court orders or subpoenas), or honoring opt-out signals (like “Do Not Sell” requests under California law, though we don’t sell data as noted in Section 7)
• For Aggregated Analytics: We might combine data to generate aggregated metrics (like total number of capsules created in a year, or percentage of users in each region). This aggregated data does not identify individuals and is used to understand our business and may be shared in reports or public updates. For any analytics that involve personal data, we will either seek consent or ensure it falls under legitimate interests with minimal privacy impact (and provide opt-outs where needed)  

We will not use your personal data for new purposes that are materially different from the purposes above without updating this Privacy Policy and obtaining consent if required.

4. Legal Bases for Processing (for residents of EU/UK and similar jurisdictions)

Under laws like the GDPR (and comparable regulations), we must have a valid “legal basis” to process your personal data. We generally rely on the following bases  

• Contractual Necessity: Much of our processing is to fulfill our contract with you – i.e., to provide the PlayMeWhen service you requested. When you agree to our Terms and use our Service, a contract is formed, and we must process certain data (like account info, your content, etc.) to deliver on that contract.  
  
• Consent: We will request your consent for certain processing that is not strictly necessary for the service but is useful to improve your experience or is required by law. For example, we rely on consent for:  
• Placing non-essential cookies and doing analytics/tracking (especially for EU users – see Section 5 on cookies). 
• Sending marketing or promotional emails. 
• Processing of personal data of children, where a parent’s consent is required (the parent’s consent serves as the legal basis for the child’s data in many jurisdictions). 
• Any situation where applicable law requires consent (certain sensitive data processing, etc.). If we ask for consent, you have the right to withdraw it at any time (which will not affect processing already done, but will stop future processing of that kind)
• Legitimate Interests: We process some data under the doctrine of legitimate interests. This means we have a genuine and legitimate reason, and we believe it does not outweigh your rights or interests. For example, our legitimate interests include: 
  
• Ensuring network and information security (protecting our Service and users from fraud, abuse, etc.).
• Understanding how people use our service (to improve it).
• Enforcing our Terms and defending our legal rights. 
• Sending service-related communications to our users (some laws consider this legitimate interest when not strictly contractual) 

 When we rely on this basis, we ensure our interests are balanced with your privacy rights. You have the right to object to processing based on legitimate interests in certain cases (see Section 9 on your rights).

• Legal Obligation: We will process data if necessary to comply with a legal obligation. For instance, retaining transaction records for tax law, responding to government requests where required, or handling user data in accordance with consumer protection laws. If the law requires us to collect or retain certain data, that is our basis. 
• Vital Interests: This is rarely applicable for us, but if ever there is a situation where processing your data is necessary to protect someone’s life or prevent serious harm, we could rely on vital interests. (For example, if we become aware of a life-threatening situation in a user’s content, we might, in extreme cases, provide information to authorities to help – though normally we do not monitor content in that way. This is a very unlikely scenario.

We have attempted to identify the legal basis for each category of data in the table above. If you need more detail on the legal justification for any specific processing, please contact us.  

5. Cookies and Tracking Technologies

We use cookies and similar technologies to collect usage data and improve our Service, especially on our website. When you visit our site or use our app, we or authorized third parties may set small data files on your device – these could be cookies (in your browser), or local storage objects, or SDKs (for mobile app tracking)   

• Necessary Cookies: These are essential for our site’s functionality. For example, when you log in, we set a session cookie to keep you logged in as you navigate pages. Without it, you’d have to log in for every page. Other necessary cookies may include those that remember your language or accessibility preferences. These do not require consent under most laws, but we still want you to know about them.
• Analytics Cookies: We may use analytics tools like Google Analytics to understand how users find and use our site. These tools might set cookies that collect information such as your IP address (which we would anonymize if possible), pages visited, time on site, and links clicked. This helps us improve content and usability. For EU/UK users (and others where required), we will not load analytics cookies unless you opt-in via the cookie banner. You can change your preferences at any time via our cookie settings link (e.g., “Cookie Preferences” on the site footer).
• No Advertising Cookies: As of the latest update, PlayMeWhen does not display third-party ads on our platform, and we do not use advertising cookies or trackers that follow you across other sites. We also do not “sell” your data for advertising purposes. So you shouldn’t see tracking for advertising via our site. If this ever changes, we will update this Policy and ask for appropriate consent.
• Cookie Banner (EU/UK and similar jurisdictions): If you are in a region where consent is required (e.g., EU countries under GDPR, Brazil under LGPD, etc.), when you first visit our site you will see a cookie consent banner. This banner will give you the option to Accept or Reject non-essential 21 cookies. It may also have a “Preferences” option where you can pick and choose categories of cookies (e.g., analytics). Your choice will be remembered via a cookie (so if you say “Reject,” we set a cookie to remember that preference). If you clear your cookies or use a different device/browser, you may see the banner again.
• Managing Cookies: You can always control cookies through your browser settings as well. Browsers allow you to delete cookies or block them entirely. However, please note that if you block all cookies, our site may not work properly (especially things like login). We suggest allowing at least first-party cookies for full functionality. For analytics cookies, you can also use tools like browser extensions to block them (like ad-blockers or the Google Analytics opt-out extension). Also, some browsers have global settings like “Do Not Track” or Global Privacy Control (GPC); if we detect such signals and they are legally recognized, we will treat them as opt-outs for tracking cookies.
• Mobile App Tracking: If you use our mobile app, we might use mobile identifiers or SDKs for analytics (similar to cookies but for apps). Your device’s operating system may allow you to opt-out of certain tracking (for example, “Limit Ad Tracking” on iOS or “Opt out of Ads Personalization” on Android) which would inform us not to use your device ID for ad targeting (not that we do ads, but if any third-party SDK was present). We do not currently use any advertising SDKs. For analytics in the app, we treat it like above – we would ask for your consent via an in-app prompt if required.
• For more detailed information on specific cookies we use and their lifetimes, please see our Cookie Notice [if available on site]. Here’s a quick summary of likely cookies: - SessionID (PlayMeWhen) – keeps you logged in; expires after you log out or after a short period of inactivity. - CookieConsent – remembers your choice on the cookie banner; maybe 6 months to a year expiry. - Analytics cookies (e.g., _ga from Google Analytics) – if enabled, helps count visitors and track usage; typically expires 6-24 months. We will only set these if you opt-in. If you have any questions about our use of cookies or how to manage them, contact us at support@playmewhen.com.

6. How We Share Your Information

We treat your personal data with care and do not sell it to data brokers or marketers. We share data only in the following circumstances:    

• With Service Providers (“Sub-Processors”): We use trusted third-party companies to help us operate PlayMeWhen. These include cloud hosting providers, data storage services, email delivery services, payment processors, analytics services, and customer support tools. We share data with them only to the extent necessary for them to perform their functions on our behalf. For example: We might store data on cloud servers (e.g., Azure). We use an email service to send out emails (like Microsoft Entra or similar) which means your email address and message content passes through their system. If you make a payment, your info goes to our payment processor (like Stripe) which processes the transaction. For analytics, if enabled, data is shared with the analytics provider (e.g., Google). 

We ensure that all our service providers are bound by contracts that require them to protect your data to standards equivalent to our own policies and applicable law. They are not allowed to use your data for anything other than providing services to us.

• Within Our Corporate Family: If PlayMeWhen is part of a corporate group in the future (e.g., subsidiaries, affiliates), we may share data within that group as necessary to provide the service or for internal administration. All recipients will still follow this Policy.
• With Recipients You Designate: The very nature of PlayMeWhen is to deliver your content to your chosen recipients. When a capsule is delivered, the recipient will typically receive an email notification and a link to view the content. Thus, we share the necessary information with them, which includes:
• The fact that you (the sender, by your name) have sent them a capsule. 
• Possibly the title or description of the capsule (if you provided one and it’s meant to be seen by them). 
• The video/message content itself, when they access it (of course) 

By using our Service to send a capsule, you are explicitly instructing us to share that content with the recipient. We are not responsible for what the recipient does with the content or any personal data contained in it once delivered. (For example, if they download the video or share it with others, that’s outside our control.

• Legal Requirements and Safety: We may disclose personal data if required to do so by law or valid legal process (e.g., a subpoena, court order, or search warrant). We may also disclose information if we believe in good faith that it’s necessary to: 
• Comply with legal obligations or regulatory requirements (this includes responding to lawful requests by public authorities, including to meet national security or law enforcement requirements). 
• Protect and defend the rights, property, or safety of PlayMeWhen, our users, or others. For instance, we might disclose information to investigate or stop illegal activities (like fraud or an imminent threat). 
• Enforce our Terms of Service or other agreements, or to collect any amounts owed to us.

When possible and lawful, we will notify you if we are compelled to disclose your data to third parties in a legal process.

• Business Transfers: If PlayMeWhen is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your data may be transferred as part of that transaction. For example, if another company acquires PlayMeWhen, user information will likely be part of the assets transferred to that company so that service can continue. In such cases, we will ensure the new owner is contractually obligated to respect the privacy commitments we’ve made. We will also notify you (e.g., via email or a prominent notice on our site) of any such change in ownership or control of your personal data, and any choices you may have as a result.
• Business Transfers: If PlayMeWhen is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your data may be transferred as part of that transaction. For example, if another company acquires PlayMeWhen, user information will likely be part of the assets transferred to that company so that service can continue. In such cases, we will ensure the new owner is contractually obligated to respect the privacy commitments we’ve made. We will also notify you (e.g., via email or a prominent notice on our site) of any such change in ownership or control of your personal data, and any choices you may have as a result. No Selling or Sharing for Marketing: We do not sell personal information to third parties . We also do not “share” personal information for cross-context behavioral advertising as defined under 10 23 the CPRA. This means we don’t provide your personal data to third-party advertisers to target you with ads on other sites. Because we don’t sell or share data in this way, we do not provide a “Do Not Sell or Share” opt-out link (it’s not needed). If this ever changes, we will update our Policy and provide appropriate opt-out mechanisms.
• Aggregate or De-Identified Data: We may share information that has been aggregated or anonymized (so it’s no longer personally identifiable) with third parties. For example, we could publish blog posts or reports about usage statistics (“X% of capsules are set to deliver 5+ years in the future”). This information will not identify any individual user
• Third-Party Plugins or Links: Our Service might include links to third-party websites (for example, a link to a help article, social media, etc.). We might also include “plugins” from other services (like a Facebook “Share” button, though unlikely for our use-case). Clicking those links or interacting with those plugins can allow the third party to collect some information (like your IP or that you visited our site). This Privacy Policy does not cover the privacy practices of those third parties. We encourage you to read their privacy policies. We do not share data with them beyond what is necessary for the integration to function (and typically, those interactions are initiated by you).

If you require more specifics about who our service providers (sub-processors) are, you can contact compliance@playmewhen.com. In some cases, we may list key sub-processors on our website. For example, typical sub-processors might include: - Azure (cloud infrastructure hosting in [Canada/USA/EU regions]), - Microsoft Entra (for sending emails), - Stripe (for payment processing), [Any analytics provider name, if used], - [Customer support tool, if used]. All such parties are bound by confidentiality and data protection obligations. 

7. International Data Transfers

PlayMeWhen is based in Canada, and we have users around the world. When you use our Service, your personal data may be transferred to and stored in countries other than your own. Specifically, our main operations are in Canada, and many of our systems (and third-party providers) may be in the United States or other regions.

Canada and Adequacy: The European Union has determined that Canada’s privacy laws (for commercial organizations like us) provide an “adequate” level of data protection . This adequacy decision means that personal data can flow from the EU/EEA to Canada without needing additional safeguards, as long as the Canadian organization is subject to PIPEDA (which we are). The United Kingdom has a similar stance, recognizing countries deemed adequate by the EU (Canada is included). Thus, if you are in the EU/UK, your data can be stored/processed in Canada under this adequacy framework.

However, note that if we transfer EU personal data onward from Canada to another country (like the U.S.), we need to ensure protection for that onward transfer.

Standard Contractual Clauses (SCCs): For personal data coming from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed adequate (e.g., the United States), we rely on European Commission-approved Standard Contractual Clauses as a legal mechanism for transfer. These are standard agreements that commit the recipient of the data to protect it according to EU privacy standards. We have SCCs in place with our service providers where applicable. For UK transfers, we add the UK’s International Data Transfer Addendum or use the UK’s International Data Transfer Agreement, as needed . Similarly, for Switzerland, we ensure the Swiss-specific clauses are included.

Other Transfer Mechanisms: In some cases, we might rely on other lawful bases for cross-border transfer:- Your Consent: If you are in a jurisdiction that requires it, we might ask for your consent for the transfer of your data to a country like Canada or the U.S. (for example, when you sign up, by agreeing to this Policy you consent to such transfers if required). - Performance of Contract: Sometimes transferring data is necessary to perform the contract with you (e.g., to route data as needed to provide the service globally). Important Reasons / Legal claims: Rarely, transfers might be needed for important public interests or legal claims

LGPD (Brazil) and Other Countries: For users in Brazil, we transfer data internationally in accordance with LGPD requirements. Currently, Brazil recognizes some of the same mechanisms (adequacy decisions, SCCs, consent, etc.). As of now, Brazil does not yet have an official list of “adequate” countries, so our fallback is using contractual measures (SCCs) and your consent. By using our Service, you consent to the transfer of your data to Canada, U.S., or other jurisdictions as needed to provide the Service, in compliance with Article 33 of LGPD. We ensure these transfers have protection measures

For India’s DPDP Act: If you are in India, be aware that your data is transferred out of India to our servers in other countries. The DPDP Act may impose restrictions on cross-border data transfers (the Indian government will specify permitted destinations). Until those provisions are in force, our position is that by using PlayMeWhen you authorize us to transfer your data internationally. We will monitor Indian regulations and ensure compliance, such as only transferring data to jurisdictions allowed by the Indian government or implementing contractual safeguards as required .

Our Approach to Government Requests: We understand that when data is stored in another country, it could potentially be accessed by that country’s government under their laws. We carefully evaluate any government or law enforcement request and will challenge unlawful or overly broad requests. We also publish transparency information about such requests where feasible. That said, standard contractual clauses require us (and any U.S. providers we use) to notifies us if they get government requests and to try legal remedies to redirect requests to the EU authority when possible

In summary, no matter where we process your data, we promise to protect it consistently with this Privacy Policy and with applicable laws. We use contractual and technical measures to safeguard international transfers. If you want more information about cross-border handling of your data, please contact compliance@playmewhen.com.

8. Data Security

We employ a variety of security measures to protect your personal data from loss, misuse, and unauthorized access or disclosure . While no system is 100% secure, we strive to use industry best practices appropriate to the type of data and the risks involved. Our measures include:

Encryption: We use encryption to protect data in transit and at rest. For example, our website and app use HTTPS (TLS encryption) for all data transmissions, so that data between your device and our servers is encrypted. Sensitive data (like passwords) are stored in hashed or encrypted form. Videos and personal content are stored encrypted on our cloud storage.

Access Controls: We limit access to personal data to those employees, contractors, and service providers who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations. Internally, we have permission controls and network segmentation in place to ensure that, for example, an engineer troubleshooting a technical issue doesn’t automatically get access to user content unless absolutely needed and authorized.

Security Testing and Updates: We keep our systems updated with security patches. We use f irewalls and monitoring to protect our network. We conduct periodic security assessments and may employ third-party security experts to test our systems (penetration testing, code reviews). We also have an internal response plan for security incidents.

Anonymization & Minimization: Where feasible, we minimize the personal data we store. For example, if we only need aggregate info, we anonymize the data. We avoid collecting unnecessary personal data (no excessive fields in sign-up, etc.). By limiting the data we have, we reduce risk.

Training: Our staff is trained on data protection and security practices. We ensure that everyone handling personal data understands how to keep it safe and to report any suspicious activity.

Despite all these measures, it’s important to note that no online service is completely risk-free. We cannot guarantee absolute security. Cyber threats evolve rapidly, and while we work hard to prevent them, breaches can happen. In the event of a data breach that affects your personal data: - We will act swiftly to contain and investigate the breach. - We will notify affected users and relevant authorities as required by law. For instance, under GDPR we’d notify the supervisory authority within 72 hours if the breach is likely to result in a risk to user rights, and we’d inform users promptly if there is a high risk. - We will take steps to mitigate any harm and prevent future incidents.

Your Responsibility: You also play a role in keeping your data secure. Please use a strong, unique password for your PlayMeWhen account and do not share it. Enable any available security features we offer (like two factor authentication, if provided in the future). Be cautious of “phishing” attempts – we will never ask you for your password via email. If you suspect any unauthorized access to your account, notify us immediately at support@playmewhen.com. 

9. Your Rights and Choices

Depending on where you live, you may have legal rights regarding your personal data. We are committed to honoring these rights and have built features and processes to enable you to exercise them. Below is an overview of rights by region and how you can use them:

For Users in the European Union, United Kingdom, and similar jurisdictions (GDPR, UK GDPR, etc.):

• Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we process it . This is often called a Subject Access Request. We will provide you with a copy of your data in a structured, commonly used format (usually electronic). Most data (like your profile info, capsule info) you can already see by logging into your account, but you can formally request full records via compliance@playmewhen.com.
• Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct it. Much of your basic info can be edited in your account settings (e.g., you can change your email or profile photo). For anything you cannot change yourself, contact us and we will rectify it if appropriate.
• Right to Erasure (Right to be Forgotten): You can request that we delete your personal data. This is not an absolute right – for example, if we have a legal obligation to keep certain data (like proof of a transaction, or a parental consent form), we might not delete that until the obligation is over. But we will honor deletion requests for data we no longer need. The primary way to exercise this is by deleting your account (which removes most data). If you want us to remove specific content (like a particular video or message), you can also delete that content through the app or ask us for help. When we fulfill deletion requests, we will also notify any third-party processors to delete the data they hold on our behalf. Keep in mind, deletion is irreversible – if you request account deletion, all your capsules and data will be gone, and we won’t be able to recover it.
• Right to Restrict Processing: In certain circumstances (for example, if you contest the accuracy of your data or have objected to processing and the decision is pending), you have the right to request that we restrict processing your data (just storing it without doing anything further). Essentially, you can ask us to pause using your data for certain things while issues are resolved.
• Right to Object: You have the right to object to our processing of your data when we do so under legitimate interests. If you object, we must stop unless we have compelling legitimate grounds that override your rights, or if we need to continue for legal reasons. For example, you can object to analytics tracking – in practice, you can just decline cookies and that suffices. If we ever did direct marketing, you could object to that (and we’d stop sending you marketing – you can also simply unsubscribe). If you object to processing that is integral to the service (like you object to us processing your videos at all), we may need to terminate your service as we cannot perform the contract without that processing. We will inform you if that’s the case.
• Right to Data Portability: You can request a copy of certain data in a machine-readable format to transfer to another service. This typically applies to data you provided us and that we process by automated means. For example, you might ask for a JSON or CSV export of all your account info, settings, and perhaps your content metadata. (Videos themselves are already downloadable by you after delivery, but we could allow you to get a copy of your own currently stored videos as part of a data export if needed.) We will provide the data in a commonly used format. If technically feasible, you might also ask us to transfer it directly to another service at your request.
• Rights related to Automated Decision-Making: PlayMeWhen does not make any legally significant decisions about you solely by automated means (no profiling that has legal or similarly significant effects). If that changes, you’d have rights to human review of decisions. For now, this is not applicable.
• Right to Withdraw Consent: If we are processing any of your data based on consent, you have the right to withdraw that consent at any time. For example, you can withdraw consent for marketing emails by unsubscribing, or withdraw consent for analytics cookies by changing your preference to “off” or via the cookie banner. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. Also note that if you withdraw consent for things like parental oversight (i.e. a parent rescinds consent for a child’s account), we may have to close the child’s account since we cannot continue processing it lawfully.
• Right to Complain: If you have concerns about our data practices, you have the right to lodge a complaint with a Data Protection Authority (DPA) in your country. For example, if you’re in the EU, you can contact your country’s lead supervisory authority (like the ICO in the UK, CNIL in France, etc.). We would appreciate if you try to resolve any issue with us first by contacting us, but you always have the right to go to the authorities. The Office of the Privacy Commissioner of Canada (OPC) is our supervisory authority in Canada under PIPEDA, and you can also reach out to them if you’re not satisfied with how we handle your data.

For Users in California (CCPA/CPRA) and Certain U.S. States:

Even though we don’t sell data, California law gives residents certain rights which we fully extend: - Right to Know: California residents can ask for disclosure of the specific pieces and categories of personal information we have collected about them, the categories of sources, purposes for collection, and the categories of third parties with whom we share it. This is similar to the access right above. - Right to Delete: Similar to above, you can request deletion of personal info (with some exceptions as per CCPA, e.g., we may retain data needed to complete a transaction or for legal compliance). - Right to Correct: You can request correction of inaccurate personal info. - Right to Opt-Out of Sale/Sharing: We state we do not sell or share data for targeted advertising, so this is not applicable as we do not engage in those practices . Thus, by default, we treat all users as opted-out. If that ever changes, we will implement a “Do Not Sell or Share” mechanism. - Right to Limit Use of Sensitive PI: We do not use or disclose “sensitive personal information” (as defined by CPRA, e.g., precise geolocation, social security number, etc.) for any purpose that would trigger a right to limit. Any sensitive info we might have (perhaps account password, or maybe someone’s video content could contain sensitive info if they chose to include it) is only used to provide the service, not to infer characteristics or show ads. So this is not applicable in a way that requires an opt-out. If we ever collected something like racial or health data for some feature, we would get consent and only use it for that narrow purpose. - Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. That means we won’t deny you service or give you different pricing/quality just because you exercised your privacy rights. (However, note that deletion of some data might affect our ability to provide the service – e.g. if you ask us to delete your email or content, we can’t deliver your capsules – but that’s a consequence of you opting to delete necessary data, not a punitive action from us. We will inform you if any requested deletion will mean you can no longer use the service.) - Authorized Agent: California users can designate an authorized agent to make requests on their behalf. If you do so, we will take steps to verify that the request is legitimate and that the agent has your permission (we might ask for a signed authorization or verify directly with you). We will also need to verify your identity to a reasonable degree of certainty (so someone doesn’t fraudulently get your data) .

Additionally, Virginia, Colorado, Connecticut, and Utah have similar rights for residents (right to access, correct, delete, opt-out of certain processing). We intend to honor those similarly. If you’re a resident of any U.S. state with privacy laws, you can exercise your rights in the same way described here.

For Users in Brazil (LGPD):

Brazilian users have rights similar to GDPR: - Confirmation of processing, - Access to data, - Correction of incomplete/inaccurate data, - Anonymization or deletion of unnecessary/excess data, - Data portability, Deletion of personal data processed with consent, - Info about public and private entities with whom we shared data, - Info about the possibility of denying consent and consequences, - Revocation of consent. You may use the methods below to exercise these.

For Users in India (DPDP Act):

Under the new DPDP Act, data principals have rights such as: - Right to access information about processing, - Right to correction and erasure, - Right of grievance redressal. We will enable Indian users to request correction or deletion of their data similar to others.

How to Exercise Your Rights (All Regions):

• Self-Service: Many rights can be exercised through our interface. For example, you can log in to see or update your profile info (access and rectification). You can delete content or your entire account in settings (erasure). You can change cookie preferences via our banner (opt-out of tracking). Use these tools whenever possible for fastest results.
• Contacting Us: For any requests or if you prefer not to use the app options, you can contact our privacy team at compliance@playmewhen.com. Please clearly state your request (e.g., “I am requesting a copy of my personal data” or “Please delete the following information…”). We may need to verify your identity before acting on the request – this is to protect your privacy (we don’t want to send your data to the wrong person). Verification may involve confirming information we already have (like sending the response to your registered email, or asking you to log in or provide certain account details).
• Timeline: We will respond to privacy requests as soon as possible, generally within 30 days. If we need more time (up to 60 more days), we will inform you of the reason and extension. For some jurisdictions, shorter timelines may apply and we will strive to meet those.
• Exceptions: Sometimes we may deny or partially fulfill a request if an exception applies. For example, if you request deletion but we are required by law to keep certain data, we will explain that. Or if fulfilling your request would adversely affect others’ rights (like if it involves disclosing someone else’s personal data or our trade secrets), we might not provide that. We will always try to give you as much as possible and explain any redactions or omissions.

We will not charge you for making a request or exercising your rights, in most cases. If a request is manifestly unfounded or excessive (e.g., repetitive without reason), some laws allow us to charge a reasonable fee or refuse. We will generally work with you to narrow the request first. 

Finally, we want all users worldwide to feel in control of their data. Even if you are in a region without clear legal rights, we extend many of these principles to you because it’s the right thing to do. So don’t hesitate to contact us with questions or requests about your data, regardless of location.

10. Children’s Privacy and Parental Controls

As noted in our Terms of Service and earlier sections, we take children’s privacy seriously:

For Users in the European Union, United Kingdom, and similar jurisdictions (GDPR, UK GDPR, etc.):

• No Direct Sign-Up Under 13: We do not allow children under 13 (or under the applicable age in your country) to sign up for PlayMeWhen on their own. Our Service is not directed to children under 13. We do not knowingly collect personal data from children under 13 unless a parent or guardian has created the account and provided consent. If we become aware that we have collected personal information directly from a child under 13 without parental consent, we will delete that information as quickly as possible.
•  Ages 13-15 (Under 16) Parental Consent: For users who are above 13 but under 16, we require verifiable parental consent before allowing them to fully use the Service . The sign-up process will prompt a minor in that age range to provide a parent’s email. We then contact the parent with details about the Service and what data will be collected from the child, and seek the parent’s consent. Our methods for obtaining verifiable parental consent comply with laws like COPPA and GDPR:
• We may ask the parent to fill out a consent form and sign it (electronically or physically) .
• Or we might ask the parent to perform a small credit card verification (charging a nominal refundable amount) to confirm identity. 
• We could also use ID verification or have the parent contact us via a live video call if needed

Once consent is obtained, the parent will be able to manage the child’s account (e.g., oversee content, delete account if desired, request data, etc.). The parent has the right to withdraw consent at any time. If consent is withdrawn, we will deactivate the child’s account and delete personal data (unless retention is required for legal reasons). We also follow any specific parental consent mechanism rules in the jurisdictions we operate

• Parental Account Control: A parent or guardian who creates an account for a child (or provides consent for one) effectively becomes the account holder for that child’s data. They will have login credentials or linked access to manage the child’s experience. We encourage parents to actively supervise their children’s use of PlayMeWhen. We design the platform such that a child user 30 experience might be slightly restricted—for example, perhaps limiting certain features or ensuring they cannot share content publicly (PlayMeWhen is generally private anyway).
• No Tracking or Targeted Ads for Minors: We do not profile or target children for marketing. In fact, for any users identified as under 16, we will automatically disable analytics tracking and, of course, we do not serve ads. We also comply with laws like DPDP Act in India which prohibits tracking or behavioral monitoring of children and targeted advertising directed at them.
• Information for Parents: If you are a parent or guardian and you have questions about your child’s use of PlayMeWhen, you can contact us at compliance@playmewhen.com or support@playmewhen.com. You have the right to review your child’s personal information, request that we delete it, and refuse to allow any further collection or use of the child’s information. Keep in mind, deleting data or refusing further collection might mean we cannot provide the Service to your child.
• Age Verification Limits: We try to implement age gates and verification, but we rely on users (and their parents) to provide truthful information. We are not liable if a minor misrepresents their age to gain access, but we will take prompt action to remove any underage accounts once discovered. If you believe we might have data from a child under 13 (or under applicable age) that was collected without parental consent, please inform us so we can investigate and address it.
• Global Differences: Note that the age thresholds can vary: e.g., in the EU it could be 16 (with some countries lower); in the US it’s 13; in India’s new law it’s under 18 requires parental consent by default. We choose to implement a uniform approach as described in the Terms (13 and 16) to be safe, but we will adjust if local law demands a stricter standard. For instance, if you’re in a country where the digital consent age is 14, we will comply with that and treat users under 14 like “under 16” in our system.

We are dedicated to protecting children’s privacy and safety online. Please see our Family/Youth Privacy Disclosure [if we have a separate summary for kids/parents, mention it] for a simplified explanation suitable for younger users and their parents (where we explain in simple terms what data might be collected and what to do). 

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we make a material change (something important that you should know about), we will let you know:

• We will post the updated Privacy Policy on our website (and in our app). 
• We will change the “Last Updated” date at the top. 
• If changes are significant, we may provide a more prominent notice or seek your consent as required by law. For example, we might email you or show an in-app pop-up about the key changes.

Material changes could include (for example) adding new data collection purposes, changing how we use data in a way that you might not expect, or launching new features that affect privacy. 31 If we plan to use your personal data for a new purpose that is not compatible with the purposes for which it was originally collected, we will obtain your consent (where required by law) or give you a clear opportunity to opt out before the new use. 

We encourage you to periodically review this Privacy Policy to stay informed about our data practices. Remember, your continued use of PlayMeWhen after any changes to this Policy means you acknowledge the updated terms. 

For historical reference or if you’re curious, we will keep prior versions of this Privacy Policy and make them available upon request, so you can see how things have changed

12. Contact Us

 If you have any questions, concerns, or requests regarding this Privacy Policy or how PlayMeWhen handles your personal data, please get in touch with us. We’re here to help.

• Email (Privacy & Compliance): compliance@playmewhen.com 
• Email (General Support): support@playmewhen.com 
• Postal Address: PlayMeWhen Inc., 228 Shuttleworth Dr, Ottawa, ON K1T 3W7, Canada

Attn: Privacy Officer / Compliance Department (on mail, please indicate it’s a privacy inquiry)

We will respond as promptly as we can. If you contact us by mail, please provide a way to contact you (email or phone) and as much detail about your question or request as possible. 

By using PlayMeWhen, you trust us with your precious memories and personal information. We value that trust and are committed to safeguarding your data. Thank you for reading our Privacy Policy