Privacy Policy — Catch-Me
Last updated: June 12, 2026
This Privacy Policy describes how Catch-Me ("we", "the app"), operated by Mauber Informatica LTDA, CNPJ 04.510.476/0001-23, collects, uses, stores and protects your personal data, in compliance with the Brazilian General Data Protection Law (LGPD) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. What Catch-Me is
Catch-Me is an entertainment app where you discover, match and chat with fictional characters operated by artificial intelligence. Characters are not real people; conversations are generated by large language models (AI). This nature of the service drives what data we process and why.
2. Data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, e-mail, date of birth, profile photo | Provided by you or by your social login provider (Google, Apple, Facebook, X) |
| Preferences | Gender of interest, age range, language, usage goals, content level | Provided by you during onboarding and in settings |
| Conversation content | Messages exchanged with AI characters | Generated during use |
| Conversation memories | Summaries and facts extracted from your chats to keep continuity | Derived from conversations (viewable and deletable in settings) |
| Device data | Model, OS, installation identifier, push notification token | Collected automatically |
| Usage and diagnostics | Error/performance events (via Sentry), moderation records | Collected automatically, with sensitive data redacted |
| Analytics data | Pseudonymized usage events (e.g. screens viewed, swipes, matches — never message content) and approximate location (city/region) derived from your IP address | Collected automatically (via PostHog) |
| Purchase data | History of credits (Lips), consumables and redeemed offers | Generated when using the in-app economy |
We do not collect: your precise location (GPS), phone contacts, or content from other applications. For analytics we only process your approximate location (city/region) derived from your IP address — the IP itself is not stored by the analytics provider.
3. Why we process your data (legal bases)
- Operating the service (contract): authentication, profile, conversations with characters, push notifications, credit economy.
- Personalization (contract/legitimate interest): preferences, language, conversation memories.
- Generating AI responses (contract): your messages are sent to language model providers (see §4) exclusively to generate the character's reply.
- Safety and moderation (legitimate interest/legal obligation): automated content filters, abuse prevention, moderation records.
- Diagnostics and improvement (legitimate interest): error and performance monitoring with sensitive data redacted.
- Product measurement and improvement (legitimate interest): pseudonymized usage events (screens viewed, actions such as swipe/match, usage funnels) and approximate location derived from IP. These events do not include the content of your conversations or the text you type.
- Legal compliance (legal obligation): fiscal retention of purchase records.
We do not sell your personal data. We do not use your conversations for advertising.
4. Sharing with third parties (processors)
We share data only with processors required to deliver the service, by categories of processors (GDPR Art. 13(1)(e) — "categories of recipients"; LGPD Arts. 9/18):
| Processor category | Purpose | Data |
|---|---|---|
| AI model providers | Generate character responses and moderate content | Conversation message content (without your account name/e-mail) |
| Cloud infrastructure, database and network | Hosting, authentication and service protection | Account data, content and technical traffic |
| Platform notification services (Apple/Google) | Push notification delivery | Push token, notification content |
| Error monitoring tools | Technical diagnostics | Technical events with sensitive data redacted |
| Product analytics tools — PostHog Inc. (USA) | Measure product usage to improve it | Pseudonymized usage events (internal identifier, no account name/e-mail), technical device data and approximate location derived from IP — never conversation content |
| Social login providers (Google, Apple, Facebook, X) | Authentication | Per the provider you choose |
We keep an up-to-date internal register of contracted processors; you may request information about specific sharing through the channel in §10.
International transfers may occur (servers in the US); we adopt appropriate contractual safeguards with processors.
5. Retention and deletion
- Chat messages: kept for up to 24 months, then automatically deleted.
- Conversation memories: kept while active; deactivated memories are deleted after 90 days; you can delete them anytime in settings.
- Moderation and notification logs: kept for 180 days.
- Purchase records: kept for the legally required fiscal period (up to 5 years in Brazil).
- Account data: kept while your account exists.
Account deletion (self-service, in the app)
In Profile → Settings → Delete Account, you can permanently and irreversibly delete your account: profile, conversations, matches, memories and device data are erased, and your login identity is removed. Purchase records may be retained for the legal fiscal period, unlinked from your profile. This flow also satisfies the data deletion requirements of Apple, Google Play and Facebook (data deletion instructions: use the flow above or contact [email protected]).
Analytics events are pseudonymized and contain no conversation content; when you delete your account, the internal analytics identifier is no longer linked to you. You can request full deletion of these events at any time through the channel in §10.
Subscriptions and purchases made via the App Store/Google Play must be cancelled directly in the store — deleting your account does not cancel store billing.
6. Your rights (LGPD/GDPR)
At any time you may: confirm the existence of processing; access your data; correct incomplete or outdated data; request anonymization, blocking or erasure; request portability; withdraw consent; and object to processing based on legitimate interest. To exercise any right, use the in-app tools (profile, memories, account deletion) or contact [email protected]. We will respond within the legal deadlines. You may also petition the Brazilian DPA (ANPD) or your local supervisory authority.
7. Security
We adopt technical and organizational measures: encryption in transit (HTTPS/TLS), row-level access control in the database (RLS), secure authentication (OAuth/PKCE), automated retention policies, redaction of sensitive data in technical logs, and periodic security audits.
8. Minimum age
Catch-Me is intended exclusively for adults (18+). We do not knowingly collect data from minors; accounts identified as belonging to minors will be deleted.
9. Changes to this policy
We may update this policy. Material changes will be communicated in the app or by e-mail. The date at the top indicates the current version.
10. Contact and Data Protection Officer
Controller: Mauber Informatica LTDA, CNPJ 04.510.476/0001-23. Privacy and data subject channel: [email protected]. All questions and requests are handled through this channel (a named DPO is not designated; not required for small-scale agents under ANPD Res. 2/2022 / GDPR Art. 37).
11. Cookies and technologies on the website
The catch-me.app website uses essential local storage to remember your chosen language and your consent decision (no tracking). Audience measurement is anonymous by default — no cookies and no persistent identifiers (PostHog). Analytics and marketing cookies/identifiers (persistent PostHog, Meta Pixel and, in the future, TikTok Pixel) are only activated after you accept the website banner, and you can change your choice at any time via the "Cookies" link in the footer. Website measurement data is covered by the safeguards in this policy.