Privacy Policy — Catch-Me

Last updated: June 12, 2026

This Privacy Policy describes how Catch-Me ("we", "the app"), operated by Mauber Informatica LTDA, CNPJ 04.510.476/0001-23, collects, uses, stores and protects your personal data, in compliance with the Brazilian General Data Protection Law (LGPD) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. What Catch-Me is

Catch-Me is an entertainment app where you discover, match and chat with fictional characters operated by artificial intelligence. Characters are not real people; conversations are generated by large language models (AI). This nature of the service drives what data we process and why.

2. Data we collect

CategoryExamplesSource
Account dataName, e-mail, date of birth, profile photoProvided by you or by your social login provider (Google, Apple, Facebook, X)
PreferencesGender of interest, age range, language, usage goals, content levelProvided by you during onboarding and in settings
Conversation contentMessages exchanged with AI charactersGenerated during use
Conversation memoriesSummaries and facts extracted from your chats to keep continuityDerived from conversations (viewable and deletable in settings)
Device dataModel, OS, installation identifier, push notification tokenCollected automatically
Usage and diagnosticsError/performance events (via Sentry), moderation recordsCollected automatically, with sensitive data redacted
Analytics dataPseudonymized usage events (e.g. screens viewed, swipes, matches — never message content) and approximate location (city/region) derived from your IP addressCollected automatically (via PostHog)
Purchase dataHistory of credits (Lips), consumables and redeemed offersGenerated when using the in-app economy

We do not collect: your precise location (GPS), phone contacts, or content from other applications. For analytics we only process your approximate location (city/region) derived from your IP address — the IP itself is not stored by the analytics provider.

3. Why we process your data (legal bases)

We do not sell your personal data. We do not use your conversations for advertising.

4. Sharing with third parties (processors)

We share data only with processors required to deliver the service, by categories of processors (GDPR Art. 13(1)(e) — "categories of recipients"; LGPD Arts. 9/18):

Processor categoryPurposeData
AI model providersGenerate character responses and moderate contentConversation message content (without your account name/e-mail)
Cloud infrastructure, database and networkHosting, authentication and service protectionAccount data, content and technical traffic
Platform notification services (Apple/Google)Push notification deliveryPush token, notification content
Error monitoring toolsTechnical diagnosticsTechnical events with sensitive data redacted
Product analytics tools — PostHog Inc. (USA)Measure product usage to improve itPseudonymized usage events (internal identifier, no account name/e-mail), technical device data and approximate location derived from IP — never conversation content
Social login providers (Google, Apple, Facebook, X)AuthenticationPer the provider you choose

We keep an up-to-date internal register of contracted processors; you may request information about specific sharing through the channel in §10.

International transfers may occur (servers in the US); we adopt appropriate contractual safeguards with processors.

5. Retention and deletion

Account deletion (self-service, in the app)

In Profile → Settings → Delete Account, you can permanently and irreversibly delete your account: profile, conversations, matches, memories and device data are erased, and your login identity is removed. Purchase records may be retained for the legal fiscal period, unlinked from your profile. This flow also satisfies the data deletion requirements of Apple, Google Play and Facebook (data deletion instructions: use the flow above or contact [email protected]).

Analytics events are pseudonymized and contain no conversation content; when you delete your account, the internal analytics identifier is no longer linked to you. You can request full deletion of these events at any time through the channel in §10.

Subscriptions and purchases made via the App Store/Google Play must be cancelled directly in the store — deleting your account does not cancel store billing.

6. Your rights (LGPD/GDPR)

At any time you may: confirm the existence of processing; access your data; correct incomplete or outdated data; request anonymization, blocking or erasure; request portability; withdraw consent; and object to processing based on legitimate interest. To exercise any right, use the in-app tools (profile, memories, account deletion) or contact [email protected]. We will respond within the legal deadlines. You may also petition the Brazilian DPA (ANPD) or your local supervisory authority.

7. Security

We adopt technical and organizational measures: encryption in transit (HTTPS/TLS), row-level access control in the database (RLS), secure authentication (OAuth/PKCE), automated retention policies, redaction of sensitive data in technical logs, and periodic security audits.

8. Minimum age

Catch-Me is intended exclusively for adults (18+). We do not knowingly collect data from minors; accounts identified as belonging to minors will be deleted.

9. Changes to this policy

We may update this policy. Material changes will be communicated in the app or by e-mail. The date at the top indicates the current version.

10. Contact and Data Protection Officer

Controller: Mauber Informatica LTDA, CNPJ 04.510.476/0001-23. Privacy and data subject channel: [email protected]. All questions and requests are handled through this channel (a named DPO is not designated; not required for small-scale agents under ANPD Res. 2/2022 / GDPR Art. 37).

11. Cookies and technologies on the website

The catch-me.app website uses essential local storage to remember your chosen language and your consent decision (no tracking). Audience measurement is anonymous by default — no cookies and no persistent identifiers (PostHog). Analytics and marketing cookies/identifiers (persistent PostHog, Meta Pixel and, in the future, TikTok Pixel) are only activated after you accept the website banner, and you can change your choice at any time via the "Cookies" link in the footer. Website measurement data is covered by the safeguards in this policy.