Privacy Policy - SayBoard

Introduction: Fn First Holdings LLC ("Fn First," "we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what data we collect through our mobile application SayBoard and related services (collectively, the "Services"), how we use and share that data, and your choices regarding your information. This Policy is intended to comply with applicable privacy laws including (but not limited to) the California Consumer Privacy Act (CCPA/CPRA), Canada's PIPEDA, the EU/UK General Data Protection Regulation (GDPR), and other relevant laws for our global users.

1. Scope of this Policy

This Privacy Policy applies to personal information we collect from you:

When you use our App or any related website or online service (including visiting fnfirst.com or sayboard.com).
When you communicate with us (such as via email support, feedback forms, or social media pages under our control).
When you participate in any promotions, beta programs, surveys, or events that we organize.

This Policy does not apply to data processing by third-party platforms that distribute or host SayBoard (such as Apple's App Store or Google Play Store) except to the extent those platforms pass your data to us. For example, if Apple or Google provides us information for subscription validation or sign-in, this Policy governs how we handle that information once we receive it. Be sure to review the privacy policies of any platform or service you use to download or access our App.

2. Information We Collect and Why

We only collect personal information that is necessary to provide and improve our Services, or as required by law. Below is an overview of categories of data we collect, with examples and purposes:

Category	Typical Data Points	Purpose & Legal Basis
Account & Subscription Data	– Identifiers: Unique user ID (for Apple Sign-in, an Apple-provided identifier), email address (if you create an account via email/password or if Apple Sign-In provides it), display name (if you choose to provide one). – Subscription info: Subscription tier (Free or VIP), purchase receipts or transaction IDs, subscription status and renewal dates.	Purpose: To create and maintain your account, allow login, verify and manage purchases (e.g., check your subscription status), and deliver the features you are entitled to. Legal Basis: Fulfillment of contract (GDPR Art. 6(1)(b)) – we need this info to provide the Services you signed up for; plus our legitimate interest in fraud prevention and service security.
Authentication Data	– Credentials: If you use email/password, the email and hashed password are stored via our auth provider (Firebase). – Third-Party Auth Tokens: If using Sign in with Apple, we receive a token and any user info Apple shares (like name/email if not hidden).	Purpose: To let you securely log into SayBoard and sync your data across devices, and (if you consent) derive a hashed key for first-party product-analytics cohorts. We use third-party authentication (Apple Identity, Firebase) to handle login securely. Legal Basis: Fulfillment of contract (to provide you access to your account) and legitimate interest in account security.
Anonymous Session ID	Random UUID created on first launch, stored in Firebase and Keychain, not linked to name or email	Purpose: Authenticate requests, enforce usage limits, prevent fraud. Legal Basis: Legitimate interest in service security (GDPR Art. 6(1)(f)).
Usage Data (Analytics)	– Device info: Device model, OS version (e.g., iOS 17), app version. – App usage events: Feature usage stats, session length, crashes or error reports. (Analytics are opt-in* where required.)*	Purpose: To understand how users interact with SayBoard and improve the app's stability, features, and user experience. For example, knowing which features are most used helps us focus development, and crash reports help us fix bugs. Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) in improving our Services. Where required by law, we will obtain your consent for analytics.
Support & Feedback Data	– Contact info: Email address and/or phone number (if you provide it when contacting support). – Content of communications: Any details you provide when seeking support (such as screenshots, logs, or descriptions of a problem), and correspondence history.	Purpose: To assist you when you contact us, to troubleshoot issues, and to improve the Service based on feedback. If you email support, we use your email to communicate with you and resolve your inquiry. Legal Basis: Fulfillment of contract (answering your questions as part of customer support) and legitimate interest in maintaining high-quality service.
Marketing (Opt-In)	– Identifiers: First name, email address, region (if you subscribe to a newsletter or promotional updates). – Marketing preferences: Your consent choices for receiving marketing emails.	Purpose: To send you updates, newsletters, or promotional offers only if you have opted in. For example, if you join our mailing list, we may send product news or special offers. Legal Basis: Consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time (each marketing email will have an "unsubscribe" link).
Payment Data	– None collected by Fn First. When you make a purchase, all payment processing (credit card, etc.) is handled by Apple or Google. We do not receive your credit card number or financial info. We only receive confirmation of payment and basic subscription details from the platform.	Purpose: Not applicable for payment card data since we don't collect it. For purchase confirmations, we use receipt info to activate your premium features and maintain access as long as you're subscribed. Legal Basis: Fulfillment of contract – to grant the service you paid for.

We do not knowingly collect any sensitive personal data such as precise GPS location, health or medical data, biometric identifiers, or data on children under 16. If you believe a child under 16 has provided personal data to us, please contact us so we can remove it.

3. How We Use Your Information

We use the collected information for the following purposes:

Provide and Improve the Service: Operate, maintain, and enhance SayBoard's features and performance. For example, account data is used to log you in and sync your content, and usage data helps us identify bugs or areas for improvement.
Process Transactions: Verify and manage your in-app purchases or subscriptions (using receipt information from Apple/Google to ensure premium features are unlocked appropriately).
Enforce Terms and Prevent Misuse: Monitor for fraudulent, abusive, or illegal activity. For instance, we may use certain identifiers or analytics to detect excessive usage that violates our terms or attempts to bypass restrictions.
Communicate with You: Send administrative or account-related messages such as subscription renewal notices, security alerts (e.g., if we detect a new login to your account), or responses to your support inquiries. These are transactional communications, not marketing.
Customer Support: Troubleshoot and resolve your requests and support tickets. Any information you provide us via support (like screenshots or logs) will be used only to address your issue and improve the app as relevant.
Marketing (if consented): If you opted into our mailing list, send occasional product updates, newsletters, or promotional offers. (You can opt out at any time.)
Legal Compliance: Comply with legal obligations, such as maintaining transaction records for tax/audit purposes, or responding to lawful requests by public authorities (more details in Sharing section below).

We do not use your personal information for any purposes incompatible with those above. Importantly, we do not sell or rent your personal data to third-party advertisers or marketers. Any analytics we perform is primarily to improve user experience, and where possible, we use aggregated or anonymized data.

4. Sharing and Disclosure of Information

Fn First understands the importance of keeping your information private. We only share your personal data in a few specific scenarios, outlined below:

Service Providers and Processors: We use trusted third-party service providers to operate our Services. These include cloud hosting and database providers, analytics services, authentication and user account management (e.g., Google Firebase for authentication and database, Microsoft Azure for servers, and possibly third-party AI services for voice generation). These providers process data on our behalf only for the purposes described in this Policy. We have agreements (including Data Processing Addendums and, where needed, Standard Contractual Clauses) in place with such processors to protect your data and comply with privacy laws. They are not permitted to use your data for their own purposes.
Platform Operators (Apple/Google): When you make purchases or use platform-specific features (like Sign in with Apple), those companies will receive and process your data under their own privacy policies. They may in turn share with us only the information needed to facilitate the service. For example, Apple may share a confirmation of your subscription and an anonymous identifier, or Google may provide a purchase token. Similarly, if you use Sign in with Apple, we receive either the email you allowed Apple to share (which could be a private relay email) and your name if you consented. We handle that info per this Policy. Note: Any data collected directly by Apple or Google as part of their platform operations is governed by their privacy terms; we only receive a subset relevant to SayBoard.
Legal Requirements and Safety: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government demand). We may also disclose information if we believe in good faith that such action is necessary to (a) comply with a legal obligation, (b) protect and defend the rights or property of Fn First, (c) prevent or investigate possible wrongdoing (such as fraud or misuse of our app), (d) protect the personal safety of users or the public, or (e) protect against legal liability. We will narrowly scope any disclosure to what the law requires.
Business Transfers: If Fn First is involved in a merger, acquisition, investment, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that deal. We would ensure the receiving party is bound to respect your personal data in a manner consistent with this Privacy Policy. In the event of such a change, we would notify users (for example, via email or a notice on our website) before your personal data becomes subject to a different privacy policy.
With Your Consent: In cases where you have given us explicit consent to share your information with third parties, we will do so according to the terms of that consent. For instance, if in the future we run a co-sponsored promotion or you agree to have your details shared with a partner for a specific purpose, we will honor the agreement made at that time. (Currently, we do not do this, and any such scenario would be clearly explained to you.)

We do not share personal information with advertisers or social media companies for their independent marketing purposes. Any sharing that occurs is mainly to support functionality (like cloud processing) or because you initiate it (like sending an audio clip to a friend).

International Data Transfers: Our servers and service providers are primarily located in the United States. If you reside outside the U.S., be aware that your data may be transferred to and stored on servers in the U.S. or other jurisdictions that may not have the same data protection laws as your home country. However, if you are outside the U.S., we will take steps to ensure appropriate safeguards (such as Standard Contractual Clauses for EU personal data) are in place to protect your information. We strive to abide by the data residency requirements of our users' regions to the extent feasible.

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Below are our general retention practices:

Account Data: Kept for as long as you have an active account. If you use the in-app Delete My Account feature, authentication records and cloud content are removed immediately; encrypted backups are purged within 30 days. Purchase receipts remain for seven years as required by tax law.
Purchase and Subscription Records: Retained for at least 7 years to comply with tax and financial regulations (IRS and state law requirements in the U.S.) and for audit purposes.
Support Communications: Saved for approximately 12 months after your last correspondence with us, then permanently deleted or anonymized. This helps us if you have follow-up issues and to analyze common problems.
Analytics Data: Any raw analytics or log data we collect (if you have opted in) is generally retained for 18 months. Older data may be aggregated or anonymized so it no longer can identify you, and we may keep these aggregate statistics indefinitely for historical analysis.
Marketing Email List: Retained until you unsubscribe or the email address is no longer valid (e.g., emails bounce). Once you opt-out, we will stop sending and will remove your contact from marketing distribution, though we may keep a record of your request to not be emailed further (to comply with anti-spam laws).

When we no longer have a legitimate need or legal obligation to retain your personal information, we will securely delete it or anonymize it.

6. Security Measures

We take data security seriously and implement reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access or disclosure. Our security measures include:

Encryption: All data transmission between the SayBoard app (or our websites) and our servers is encrypted using TLS (Transport Layer Security, e.g., TLS 1.3) to prevent eavesdropping. Sensitive data stored in our databases (if any) is encrypted at rest (for example, using AES-256 encryption on cloud storage). Passwords, if stored (for email logins), are never stored in plaintext – they are hashed and salted.
Access Controls: We limit access to personal data to authorized personnel who need it to operate, develop, or support our Services. Strict access controls and authentication measures (like multi-factor authentication for our internal admin accounts) are in place to prevent unauthorized internal access.
Third-Party Security: We choose reputable third-party providers (such as Firebase, Azure) which have strong security practices and relevant certifications (e.g., ISO 27001, SOC 2 Type II). We review their compliance materials and ensure our agreements with them require protecting your data.
Testing and Monitoring: We conduct periodic security assessments and code reviews. We also have an incident response plan. In the unlikely event of a data breach that affects your personal information, we will notify you and the appropriate authorities as required by law, typically within 72 hours of becoming aware of the breach (per GDPR requirements).

Please note that no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You also play a role in security: keep your account credentials confidential and use a unique, strong password. If you suspect any unauthorized access to your account, please let us know immediately.

7. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor all users' rights as applicable under their local laws. These may include:

Access and Portability: You have the right to request a copy of the personal data we hold about you, and to receive it in a structured, commonly used, and machine-readable format. This helps you to verify the information and even transfer it to another service.
Correction: If any personal information we have is inaccurate or incomplete, you have the right to request that we correct or update it. For example, if you change email addresses, you can update your account or ask us for help.
Deletion: You can request that we delete your personal data. Note that we may retain certain information as required by law or for legitimate business purposes (see Data Retention above). If you request deletion, we will remove what we can and inform you if anything must be retained. Deleting your account or the app does not automatically delete all your personal data — please send us a deletion request to ensure your data is fully removed. Fastest method: tap Settings → Account → Delete My Account inside the app; the process is automatic and final.
Restriction of Processing: In certain circumstances (for instance, if you contest the accuracy of your data or object to our processing), you have the right to ask us to restrict processing of your data until the issue is resolved.
Objection to Processing: If we are processing your information based on legitimate interests, you have the right to object to that processing if you believe it impacts your fundamental rights and freedoms. You also have an unconditional right to object to your personal data being used for direct marketing (which we only do with consent).
Withdraw Consent: If we are processing some of your data based on your consent (e.g., sending marketing emails, or participating in optional analytics), you have the right to withdraw that consent at any time. Withdrawal will not affect the legality of processing based on consent before it was withdrawn.
Non-Discrimination/No Retaliation (CCPA/CPRA): If you exercise any privacy right, we will not discriminate against you, refuse service, or provide a different quality of service because you exercised your rights.
Lodge a Complaint: If you believe we have infringed your privacy rights, you have the right to lodge a complaint with a supervisory authority. For EU/UK individuals, this would be your country's Data Protection Authority (e.g., the ICO in the UK, or CNIL in France, etc.). We encourage you to contact us first so we can address your concerns directly.

To exercise any of your rights, please contact us via our support form and select "Privacy Inquiry" as the subject. For security, we will need to verify your identity before acting on a data request (for example, by confirming ownership of your email address or other information). We aim to respond to requests within 30 days (or as required by law, 45 days under CCPA for example). If we need more time, we will inform you of the reason and extension period.

8. International Users – Additional Disclosures

EU/UK Users: Fn First Holdings LLC is the controller of your personal data. Our legal bases for processing are as stated in Section 2. We have appointed an EU representative [if applicable, include details] or you may contact us directly with any questions. You have the rights under the GDPR as outlined in Section 7 above. If we transfer your data outside the EU, we rely on Standard Contractual Clauses (SCCs) or other legally approved mechanisms for such transfers, as mentioned in Sharing section.

California Users: Under the CCPA/CPRA, California residents have specific rights, some of which overlap with GDPR rights described above (access, deletion, etc.), and also the right to know what categories of personal information are collected, from where, the business purpose, and the categories of third parties we share with. We believe this Policy provides those details: see Section 2 (categories, sources, purposes) and Section 4 (sharing). We do not "sell" or "share" personal information as defined under the CCPA (we don't provide your data to third parties for their own marketing). If you send a request to exercise California rights, we will process it per applicable law. If you have an authorized agent you want to submit a request on your behalf, we will require proof of authorization and still take steps to verify your identity directly with you.

Other Regions: We strive to honor the privacy rights of users in all jurisdictions. If your local laws provide any privacy rights not explicitly listed here, we commit to respecting those as well. You can contact us to inquire about your specific privacy concerns.

9. Children's Privacy

SayBoard and our Services are not intended for children under 16 years of age. We do not knowingly collect personal information from anyone under 16. If you are under 16, please do not use the App or provide any information about yourself to us (including name, email, etc.). In the event we learn that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such information from our records. If you are a parent or guardian and believe we might have any information from or about a minor under 16, please contact us so that we can promptly investigate and address it.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Last Updated" date at the top of this Policy. If changes are material, we will provide advance notice to you of the changes – for example, by posting a notice on our website or in-app, or by emailing users (when appropriate) – at least 7 days before the changes take effect. We encourage you to review this Policy periodically for the latest information on our privacy practices. By continuing to use SayBoard after any update becomes effective, you acknowledge and accept the revised Privacy Policy.

11. Digital Services Act (DSA) Notice (EU Users)

While SayBoard is not a platform for user-shared public content (no social networking features), we provide the following information in the interest of transparency and compliance with the EU Digital Services Act for users in the EU:

Content Moderation & Reporting: SayBoard generates audio and translations based on user-provided text. We do not pre-screen or automatically filter user inputs or outputs. Users are responsible for the content they input and any output they generate, ensuring it complies with applicable laws (e.g., no hate speech, harassment, or unlawful content). If you encounter misuse of SayBoard (such as someone using it to generate unlawful content), you can report it to us via our support form. We will review and take appropriate action in line with our Terms of Use and legal obligations.
Algorithmic Systems: The App uses algorithmic systems such as text-to-speech synthesis and language translation. These are deterministic based on your input (there are no personalized recommendation algorithms or content feeds). The voice synthesis and translation engines apply machine learning models to generate output but do not curate or promote content beyond what the user enters.
Product Safety: SayBoard is a digital tool designed for creative and communication purposes. There are no physical product risks. We have designed the software to comply with applicable safety and digital service regulations. The intended uses include helping with language pronunciation, creating voiceovers, and facilitating communication in different languages. As with any AI-based tool, users should exercise judgment in verifying critical information (especially translations in high-stakes scenarios). We are committed to addressing any serious misuse that could lead to harm if brought to our attention.

This DSA notice is provided to give you insight into how SayBoard operates in terms of content and algorithms. For any concerns regarding illegal content or misuse, please reach out via the contact information below.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Fn First Holdings LLC

Attn: Privacy Officer

30 N Gould St Ste N

Sheridan, WY 82801

For privacy inquiries, please use our support form and select "Privacy Inquiry" as the subject.

For general support inquiries, please visit our support page.

We will do our best to address any issue to your satisfaction. Your privacy is important to us, and we welcome your feedback.