ZUVA

Legal

Privacy Policy

Effective date: April 15, 2026 · Applies to: zuva.tv and all Zuva mobile applications

GDPRCCPA/CPRAPIPEDALGPDPOPIAIAB TCF v2.3

Zuva.TV Inc. ("Zuva", "we", "us") operates the zuva.tv website and associated mobile applications (collectively, the "Platform"). This Privacy Policy explains what personal data we collect, why we collect it, how we share it, and the rights you have over your data. Please read this policy carefully. By using the Platform you acknowledge that you have read and understood this policy.

1. Who We Are

Zuva.TV Inc. is the data controller responsible for personal data collected through the Platform. We are incorporated under the laws of the Province of Ontario, Canada.

Data Protection Contact

For all privacy-related inquiries, requests, or complaints:

Email: [email protected]

Response time: within 30 days for general inquiries; 72 hours for breach notifications.

2. Information We Collect

2.1 Information You Provide Directly

  • Account credentials (email address, password hash managed by Clerk)
  • Display name, profile picture, and creator bio
  • Payment and payout details (processed by Chimoney — we do not store full card or bank numbers)
  • Content you upload: video files, titles, descriptions, thumbnail images
  • Communications you send us (support emails, feedback forms)

2.2 Information Collected Automatically

  • IP address and approximate geolocation (country/region level)
  • Browser type, operating system, device identifiers
  • Pages visited, videos watched, watch duration, and completion events
  • Referring URLs and search terms
  • Authentication session tokens (managed by Clerk)
  • Service-worker cache interactions (local device only, not transmitted)

2.3 Information From Third Parties

  • Social login data (name, email, profile picture) if you sign in via Google or Apple through Clerk
  • Payment processing status updates from Chimoney (transaction IDs, success/failure flags)
  • Advertising interaction signals from Google AdSense (cookie-based, subject to your consent)

3. How We Use Your Data

We process personal data only where we have a lawful basis to do so:

PurposeLawful Basis
Provide and operate the PlatformContract performance
Authenticate your account (Clerk)Contract performance
Process Sun purchases and creator payoutsContract performance
Detect fraud and abuseLegitimate interests
Send transactional emailsContract performance
Send marketing emails (opt-in only)Consent
Show personalised advertising (AdSense)Consent (IAB TCF v2.3)
Improve the Platform (analytics)Legitimate interests
Comply with legal obligationsLegal obligation

4. Third-Party Services

We work with the following sub-processors and service providers. Each link leads to their own privacy policy.

ClerkUnited States

Role: Authentication & identity management

Data shared: Email, password hash, session tokens, social-login profile data

Privacy Policy →
ChimoneyUnited States / Canada

Role: Payment processing & creator payouts (Suns → mobile money / bank)

Data shared: Name, email, payout destination (phone number or bank details), transaction history

Privacy Policy →
SupabaseUnited States (AWS us-east-1)

Role: Hosted PostgreSQL database and file storage

Data shared: All platform data stored in our database (user records, Sun balances, video metadata)

Privacy Policy →
Google AdSenseUnited States / EEA

Role: Advertising network — serves contextual and personalised ads

Data shared: Cookie identifiers, IP address, browsing behaviour (subject to consent)

Privacy Policy →
RailwayUnited States

Role: Backend application hosting and infrastructure

Data shared: Application logs (may contain IP addresses and request metadata)

Privacy Policy →

5. Cookies & Advertising

5.1 Cookies We Use

  • Session cookies — required for authentication (Clerk). Cannot be disabled without breaking sign-in.
  • Preference cookies — store your theme, language, and feed preferences.
  • Analytics cookies — aggregate usage metrics to improve the Platform.
  • Advertising cookies — Google AdSense sets cookies to serve relevant ads and measure ad performance.

5.2 Google AdSense & Third-Party Advertising

We use Google AdSense to display advertisements on the Platform. Google and its partners use cookies to serve ads based on your prior visits to this website or other websites. Google's use of advertising cookies enables it and its partners to serve ads to you based on your visit to our site and/or other sites on the Internet.

You may opt out of personalised advertising by visiting adssettings.google.com or by visiting aboutads.info/choices. You may also opt out of a third-party vendor's use of cookies for personalised advertising by visiting networkadvertising.org/choices.

Even if you opt out of personalised ads, you may still see contextual (non-personalised) ads while using the Platform.

5.3 IAB Transparency & Consent Framework (TCF v2.3)

Zuva.TV participates in the IAB Europe Transparency & Consent Framework ("TCF") version 2.3. Our Consent Management Platform ("CMP") collects and signals your consent choices to participating vendors in accordance with the TCF technical specifications. Our IAB TCF CMP ID is disclosed in our cookie banner.

Under the TCF, vendors may only process your personal data for advertising purposes where a valid legal basis (consent or legitimate interest, where applicable) has been established. You may withdraw consent or object to legitimate interest processing at any time via the Privacy Preferences link in the site footer.

5.4 Managing Cookies

You can control cookies through:

  • Our cookie consent banner (shown on first visit)
  • Your browser settings — most browsers allow you to block or delete cookies
  • Google Ad Settings: adssettings.google.com
  • NAI opt-out: networkadvertising.org/choices
  • DAA opt-out: aboutads.info/choices
  • European users: youronlinechoices.eu

6. Suns Virtual Currency Data

Suns are Zuva's in-platform virtual currency. Viewers purchase Suns and tip creators; creators redeem Suns for real-world payouts via Chimoney. We collect and store the following data in connection with Suns:

  • Sun balance for each user account
  • Transaction history: purchases, tips sent, tips received, and cashouts (amounts, timestamps, counterparty user IDs)
  • Fiat currency amounts at time of purchase (for tax reporting purposes)
  • Chimoney payout records including destination, currency, and status

Suns transaction data is retained for a minimum of 7 years to comply with financial recordkeeping requirements under applicable Canadian law and the laws of jurisdictions in which creators reside.

Suns have no cash value for viewers and are non-refundable except where required by applicable consumer protection law. Creators' accrued Sun balances represent a contractual obligation to make payouts, not a deposit of funds.

7. Data Sharing

We do not sell your personal data. We share personal data only in the following circumstances:

  • With sub-processors listed in Section 4 to operate the Platform
  • With law enforcement or government authorities when required by valid legal process (court order, subpoena)
  • To protect the rights, property, or safety of Zuva, our users, or the public
  • In connection with a merger, acquisition, or sale of all or substantially all of our assets (you will be notified in advance)
  • With your explicit consent for any other purpose not described in this policy

8. Data Retention

Data CategoryRetention PeriodBasis
Account profile dataDuration of account + 30 days after deletionContract
Authentication logs90 daysSecurity / fraud
Suns transaction history7 yearsLegal / financial
Payment records7 yearsTax compliance
Video contentUntil creator deletes or account closedContract
Support correspondence3 yearsLegitimate interests
Server / application logs90 daysSecurity
Advertising consent records5 yearsGDPR Art. 7 / TCF
Deleted account data30 days (recovery), then purgedGDPR Art. 17

9. Your Rights

Depending on your jurisdiction, you have some or all of the following rights. To exercise any right, email [email protected]. We will respond within 30 days (or sooner as required by law). We do not charge a fee for reasonable requests.

9.1 Rights Under GDPR (EU / UK / EEA)

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure / 'right to be forgotten' (Art. 17) — request deletion of your data
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — receive data in a structured, machine-readable format
  • Right to object to processing (Art. 21) — including objecting to direct marketing
  • Right to withdraw consent at any time without affecting prior processing
  • Right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, DPC in Ireland)

9.2 Rights Under CCPA / CPRA (California)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to opt out of sale or sharing of personal information — Note: Zuva does not sell personal information
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising your privacy rights

To submit a CCPA request, email [email protected]with subject line "CCPA Request". We will verify your identity before processing the request.

9.3 Rights Under PIPEDA (Canada)

  • Right to access your personal information held by Zuva
  • Right to challenge the accuracy and completeness of your information
  • Right to withdraw consent for collection, use, or disclosure of personal information
  • Right to complain to the Office of the Privacy Commissioner of Canada (OPC)

9.4 Rights Under LGPD (Brazil)

  • Confirmation of whether we process your data
  • Access to your personal data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymisation, blocking, or deletion of unnecessary data
  • Data portability to another service provider
  • Deletion of personal data processed with your consent
  • Information about public and private entities with which we share data
  • Right to revoke consent

9.5 Rights Under POPIA (South Africa)

  • Right to access personal information Zuva holds about you
  • Right to request correction or deletion of personal information
  • Right to object to processing of personal information
  • Right to submit a complaint to the Information Regulator of South Africa

10. International Transfers

Zuva is based in Canada. Our sub-processors operate primarily in the United States. When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to countries that the European Commission has not recognised as providing an adequate level of protection, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Addendum to EU SCCs
  • Sub-processor certification under equivalent data privacy frameworks

Transfers from Brazil are conducted in accordance with LGPD Chapter V requirements. Transfers from South Africa are conducted in accordance with POPIA Section 72.

11. Security & Breach Notification

We implement appropriate technical and organisational measures to protect your personal data, including:

  • TLS 1.3 encryption for all data in transit
  • Encryption at rest for database content (Supabase AES-256)
  • Authentication handled by Clerk with industry-standard hashing
  • Access controls: principle of least privilege for all staff and systems
  • Regular security review of third-party dependencies

72-Hour Breach Notification Commitment

In the event of a personal data breach that poses a risk to your rights and freedoms, we commit to:

  • Notifying the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
  • Notifying affected individuals without undue delay where the breach is likely to result in high risk (GDPR Art. 34)
  • Notifying the Office of the Privacy Commissioner of Canada as soon as feasible (PIPEDA breach reporting obligations)
  • Maintaining an internal breach register

If you believe your Zuva account has been compromised, contact us immediately at [email protected].

12. Children's Privacy

The Platform is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe we have inadvertently collected data from a child under 13, please contact us at [email protected] and we will promptly delete the data.

Users between 13 and 17 may use the Platform but are not eligible to participate in the creator payout program, which requires users to be at least 18 years of age and to complete identity verification through Chimoney.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the effective date at the top of this page
  • Post a notice on the Platform for at least 30 days
  • Send an email notification to registered users for significant changes

Your continued use of the Platform after the effective date of an updated policy constitutes your acceptance of the updated terms.

14. Contact Us

For privacy requests, complaints, or general questions:

Zuva.TV Inc. — Privacy Office

Email: [email protected]

Response time: 30 days (standard); 72 hours (data breach)

Governing jurisdiction: Province of Ontario, Canada

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your country (e.g., ICO in the UK, DPC in Ireland, CNIL in France, OPC in Canada, ANPD in Brazil, or the Information Regulator in South Africa).

See also: Terms of Service · Contact [email protected]