PRIVACY POLICY

Effective Date: 1 January, 2026
Last Updated: 23 January, 2026

1. INTRODUCTION

This Privacy Policy ("Policy") governs the collection, use, processing, and disclosure of personal information by DARKHORSEONE LIMITED ("Company," "we," "us," or "our"), a private limited company incorporated in England and Wales (Company Number: 15002342), in connection with the SaidMe mobile application (the "Application" or "Service").

By accessing or using the Service, you ("User," "you," or "your") consent to the practices described herein. If you do not agree with this Policy, you must immediately cease all use of the Service.

Registered Office:
DARKHORSEONE LIMITED
Suite 3.1, 27 Castle Street
Canterbury, Kent
CT1 2PX
United Kingdom

Company Number: 15002342
Contact Email: jian.ma@darkhorseone.co.uk
Contact Phone: +44 07766713214
ICO Registration Number: ZB913022

2. DEFINITIONS

For purposes of this Policy, the following terms shall have the meanings set forth below:

• "Personal Information" or "Personal Data" means any information relating to an identified or identifiable natural person, as defined by UK GDPR and Data Protection Act 2018.
• "Processing" means any operation performed on Personal Information, including collection, storage, use, disclosure, or deletion.
• "Service" means the SaidMe mobile application and all associated backend infrastructure.
• "Secure Message" means encrypted content submitted by a User for conditional delivery to designated Recipients.
• "Check-In" means a user-initiated confirmation of continued engagement with the Service.
• "Recipient" means an individual designated by a User to receive a Secure Message upon triggering conditions.
• "Entitlement Tier" means the tier level (FREE or LIFETIME ACCESS) governing Service features. Lifetime Access is acquired through one-time purchase.

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

3.1.1 Account Information

When you authenticate via Apple Sign-In, we collect:

• Apple User Identifier (a unique, anonymized string provided by Apple Inc.)
• Email Address (optional; only if you consent to share via Apple Sign-In)

We do NOT collect or store your Apple ID credentials, password, or full name unless explicitly provided by Apple's authentication response.

3.1.2 Secure Message Content

• Message Subject: Plain text (stored as encrypted ciphertext)
• Message Body: Plain text (stored as encrypted ciphertext using AES-256-GCM)
• Encryption Metadata: Nonce values, encrypted data encryption keys (DEKs)

3.1.3 Recipient Information

• Recipient Email Addresses (1-2 addresses, depending on Entitlement Tier)
• Recipient Labels (optional descriptive names)

3.1.4 Check-In Configuration

• Check-In Interval (1 to 30 days, depending on Entitlement Tier)
• Grace Period (0 to 48 hours, depending on Entitlement Tier)
• Armed Status (boolean indicating whether Secure Message delivery is enabled)
• Last Check-In Timestamp

3.2 Automatically Collected Information

3.2.1 Usage Data

• Check-In Timestamps: Date and time of each Check-In action
• API Request Logs: Endpoint access, HTTP status codes, request timestamps (retained for 30 days)
• Error Logs: Application errors and diagnostic information (anonymized, no Personal Information)

3.2.2 Transaction Data

• In-App Purchase Records: Product IDs, transaction IDs, purchase timestamps, StoreKit 2 JSON Web Signatures (JWS)
• Entitlement Status: Current tier level (FREE or LIFETIME ACCESS)

We do NOT collect payment card information. All financial transactions are processed exclusively by Apple Inc. through the App Store.

3.3 Information We Do NOT Collect

We explicitly do NOT collect:

• Device identifiers (IDFA, IDFV) beyond what Apple Sign-In provides
• Precise geolocation data
• Contacts or address book information
• Browsing history or web activity
• Health or biometric data
• Photos, videos, or media files
• Microphone or camera access data

4. HOW WE USE YOUR INFORMATION

4.1 Lawful Bases for Processing

We process Personal Information under the following legal bases as required by UK GDPR:

4.1.1 Performance of Contract (Article 6(1)(b))

• Account Authentication: Verifying your identity via Apple Sign-In
• Service Delivery: Storing encrypted Secure Messages and delivering them to Recipients upon triggering conditions
• Check-In Management: Tracking Check-In intervals and detecting missed Check-Ins
• Purchase Management: Validating In-App Purchases and enforcing Entitlement Tier limits

4.1.2 Legitimate Interests (Article 6(1)(f))

• Security and Fraud Prevention: Detecting unauthorized access, abuse, or fraudulent transactions
• Service Improvement: Analyzing aggregated, anonymized usage patterns to enhance functionality
• Legal Compliance: Retaining records to comply with financial regulations and tax obligations

4.1.3 Consent (Article 6(1)(a))

• Email Communications: Sending transactional emails (Secure Message delivery, check-in reminders) only to Recipients you explicitly designate

4.2 Specific Use Cases

4.2.1 Secure Message Delivery

When you fail to Check-In within your configured interval (plus any applicable Grace Period) AND your Secure Message is armed:

1. Our backend decrypts the Data Encryption Key (DEK) using our server-side RSA private key
2. The DEK is used to decrypt your message ciphertext
3. The plaintext message is transmitted via email to your designated Recipients
4. The message is re-encrypted and stored in our database for audit purposes

IMPORTANT: While your messages are encrypted at rest, our server possesses the cryptographic keys necessary to decrypt them for delivery purposes. This is inherent to the Service architecture and is NOT end-to-end encrypted in the manner of peer-to-peer messaging systems.

4.2.2 Reminder Notifications

For Lifetime Access Users, we send email reminders to your registered email address when a Check-In deadline is approaching (24 hours prior).

5. DATA SHARING AND DISCLOSURE

5.1 Third-Party Service Providers

We share Personal Information with the following third parties:

5.1.1 Apple Inc.

• Purpose: Authentication via Apple Sign-In, In-App Purchase processing
• Data Shared: Apple User Identifier, transaction receipts
• Privacy Policy: https://www.apple.com/legal/privacy/

5.1.2 Brevo (formerly Sendinblue)

• Purpose: Transactional email delivery
• Data Shared: Recipient email addresses, message content (decrypted at time of sending), timestamps
• Privacy Policy: https://www.brevo.com/legal/privacypolicy/
• Data Processing Agreement: We maintain a DPA with Brevo compliant with UK GDPR Article 28

We do NOT sell, rent, or trade your Personal Information to third parties for marketing purposes.

5.2 Legal Requirements

We may disclose Personal Information if required by law, including:

• Court Orders or Subpoenas: Compliance with judicial proceedings
• Law Enforcement Requests: Cooperation with government investigations (we will notify you unless legally prohibited)
• Legal Rights Protection: Defending against legal claims or protecting user safety

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your Personal Information may be transferred to a successor entity. You will be notified via email and/or prominent notice in the Application 30 days prior to such transfer.

6. DATA SECURITY

6.1 Encryption Standards

6.1.1 Data in Transit

• All communications between the Application and our servers use TLS 1.3 (Transport Layer Security)
• Certificate pinning prevents man-in-the-middle attacks

6.1.2 Data at Rest

• Secure Messages are encrypted using AES-256-GCM (Advanced Encryption Standard, Galois/Counter Mode)
• Data Encryption Keys (DEKs) are wrapped using RSA-OAEP (4096-bit keys) and stored separately from ciphertext
• Database connections are encrypted and access-controlled via mutual TLS

6.1.3 Key Management

• Server-side RSA private keys are stored in hardware security modules (HSMs) or encrypted key vaults
• JWT tokens use HS256 signatures with 256-bit secrets rotated annually
• Refresh tokens have a 30-day expiration and are invalidated upon logout

6.2 Access Controls

• Role-Based Access Control (RBAC): Only authorized personnel can access production databases
• Audit Logging: All database queries are logged and reviewed quarterly
• Two-Factor Authentication (2FA): Required for all administrative access

6.3 Limitations

No method of electronic storage or transmission is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security against unauthorized access, hardware failure, or other unforeseen vulnerabilities.

7. DATA RETENTION

7.1 Active Accounts

We retain Personal Information for the duration of your account's active status, plus:

• Secure Messages: Retained indefinitely until you delete them or close your account
• Check-In Logs: 90 days from timestamp
• API Request Logs: 30 days from timestamp
• Transaction Records: 7 years (required by UK tax and financial regulations)

7.2 Account Deletion

Upon account deletion (initiated via Application settings or written request):

1. Immediate Actions:
   • Authentication tokens invalidated
   • Secure Message delivery disarmed
   • Account marked for deletion
2. Within 30 Days:
   • Personal Information permanently deleted from production databases
   • Encrypted backups purged within 90 days
3. Retained Data (anonymized):
   • Aggregated usage statistics (no Personal Information)
   • Transaction records (anonymized, retained for 7 years per legal requirements)

8. YOUR RIGHTS UNDER UK GDPR

As a data subject, you have the following rights under the UK General Data Protection Regulation:

8.1 Right of Access (Article 15)

Request a copy of your Personal Data in structured, machine-readable format (JSON).

8.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete Personal Data via Application settings or by contacting us.

8.3 Right to Erasure (Article 17)

Request deletion of your Personal Data (subject to legal retention requirements).

8.4 Right to Restrict Processing (Article 18)

Temporarily suspend processing while we verify data accuracy or assess your objection.

8.5 Right to Data Portability (Article 20)

Receive your Secure Messages and Recipient lists in a portable format.

8.6 Right to Object (Article 21)

Object to processing based on legitimate interests (may result in service termination if processing is essential to the Service).

8.7 Rights Related to Automated Decision-Making (Article 22)

The Service does NOT use automated decision-making or profiling.

8.8 Right to Withdraw Consent

You may revoke consent for email reminders or promotional communications at any time. This does NOT affect the lawfulness of prior processing.

8.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Website: https://ico.org.uk/make-a-complaint/
Helpline: 0303 123 1113

To exercise any of these rights, contact us at jian.ma@darkhorseone.co.uk with the subject line "Data Subject Rights Request."

9. INTERNATIONAL DATA TRANSFERS

Our servers are located in the European Economic Area (Germany). If you access the Service from outside this jurisdiction, your Personal Information will be transferred internationally.

9.1 Transfers Outside the UK/EEA

For transfers to countries without an adequacy decision from the UK Government or European Commission, we implement:

• Standard Contractual Clauses (SCCs): UK International Data Transfer Agreement (IDTA) or EU SCCs approved by the European Commission
• Transfer Impact Assessments (TIAs): Evaluating risks associated with data transfers to third countries
• Additional Safeguards: Encryption, access controls, and contractual obligations on data processors

9.2 Brevo Email Service

Brevo processes data in the European Union and has implemented EU SCCs for any transfers outside the EEA.

10. DO NOT TRACK SIGNALS

The Application does not respond to "Do Not Track" (DNT) signals because we do not track users across third-party websites or services.

11. CHANGES TO THIS POLICY

We reserve the right to modify this Policy at any time. Changes will be effective immediately upon posting the updated Policy in the Application with a revised "Last Updated" date.

Material changes (e.g., changes to data sharing practices or legal bases) will be communicated via:

• Push notification in the Application
• Email to your registered address (if provided)
• Prominent banner in the Application for 30 days

Continued use of the Service after such notice constitutes acceptance of the revised Policy.

12. CALIFORNIA PRIVACY RIGHTS (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Categories of Personal Information Collected

See Section 3 (Information We Collect).

12.2 Sale of Personal Information

We do NOT sell Personal Information as defined by the CCPA.

12.3 CCPA Rights

• Right to Know: Request disclosure of Personal Information collected in the past 12 months
• Right to Delete: Request deletion of Personal Information (subject to exceptions)
• Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights

To submit a CCPA request: Email jian.ma@darkhorseone.co.uk or call +44 07766713214.

13. EUROPEAN ECONOMIC AREA (EEA) USERS

If you are located in the European Economic Area:

13.1 Data Controller

DARKHORSEONE LIMITED is the data controller responsible for your Personal Information.

14.2 Legal Bases for Processing

See Section 4.1 (Lawful Bases for Processing).

14.3 Data Protection Officer (if applicable)

Name: Not Required
Email: N/A

Note: Under UK GDPR and EU GDPR, appointment of a Data Protection Officer is only mandatory for certain categories of controllers. If DARKHORSEONE LIMITED does not meet these criteria, a DPO is not required.

14.4 Right to Lodge a Complaint

You may file a complaint with your national data protection authority. For a list of EU authorities, visit: https://edpb.europa.eu/about-edpb/board/members_en

14. CONTACT US

If you have questions, complaints, or requests regarding this Privacy Policy or our data practices, contact us at:

Email: jian.ma@darkhorseone.co.uk
Phone: +44 07766713214
Postal Address:
DARKHORSEONE LIMITED
Suite 3.1, 27 Castle Street
Canterbury, Kent, CT1 2PX
United Kingdom

Data Protection Officer: Jian Ma (jian.ma@darkhorseone.co.uk)

15. SEVERABILITY

If any provision of this Policy is found to be unenforceable or invalid under applicable law, such provision shall be modified to reflect the parties' intention or eliminated to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.

16. ENTIRE AGREEMENT

This Policy, together with our Terms of Service, constitutes the entire agreement between you and DARKHORSEONE LIMITED regarding the processing of Personal Information in connection with the Service.

END OF PRIVACY POLICY

Document Version: 1.2
Language: English
Governing Law: The laws of England and Wales
Jurisdiction: Courts of England and Wales

ACKNOWLEDGMENT: By clicking "I Accept" or continuing to use the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.