← Back to LVLUP
Privacy Policy
Effective date: April 16, 2026
1. Introduction
LVLUP ("we", "our", "us") respects your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
2. Information We Collect
| Category | Examples |
|---|
| Account info | Email, username, display name, profile photo |
| Content you post | Videos, captions, comments, hashtags, location |
| Financial data | EXP balance (stored internally as USD), transaction history, an opaque payee identifier returned by our licensed payment partner (we do not store your bank details directly — they live on the partner's hosted portal), Apple/Google in-app purchase receipts (for refund handling), Tap top-up identifiers |
| Device info | Device model, OS version, RAM (for adaptive quality) |
| Usage data | Session duration, screens viewed, features used |
| Authentication | Google/Apple sign-in tokens (we do not store passwords) |
3. How We Use Your Information
- Provide the Service: display your profile, journeys, and content to other users.
- Process transactions: manage EXP balances, EXP purchases, escrowed supports, refunds, and creator payouts.
- Improve performance: adapt video quality and cache behavior to your device capabilities.
- Analytics: understand how users engage with the app (via Firebase Analytics). We use this to improve the experience, not to sell ads.
- Security: detect fraud, enforce rate limits, and log sensitive actions (bank detail changes, large transfers) to a per-user audit log.
- Notifications: send push notifications for supports received, journey milestones, and messages.
4. Information Sharing
We do not sell your personal information to third parties. We share data only in these cases:
- With other users: your username, profile photo, journey content, and public stats are visible to signed-in users.
- Service providers: Firebase (Google) for hosting, authentication, storage, and analytics. These providers process data on our behalf under their own privacy policies.
- Legal requirements: if required by law, court order, or to protect the safety of our users.
5. Data Storage and Security
- Data is stored in Google Cloud (Firebase) with encryption at rest and in transit.
- Bank details are stored in Firestore with server-side-only access (the client app cannot read or modify wallet balances directly).
- Sensitive actions require recent re-authentication (within 5 minutes).
- We enforce Firebase App Check to block non-app traffic.
6. Data Retention
- Account data: retained as long as your account is active.
- Journey content: completed, time-locked journey days are permanent (this is a core feature — your journey history becomes your highlight reel).
- Transaction records: retained indefinitely for audit and legal compliance.
- Temporary uploads: auto-deleted after 24 hours via storage lifecycle rules.
- Session tracking data: retained for analytics; aggregated on your user profile.
7. Legal Basis for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar legislation, we process your personal data on the following legal bases:
- Performance of contract (GDPR Art 6(1)(b)): processing required to provide the LVLUP service to you — account creation, EXP wallet management, escrow, payouts, content delivery.
- Legitimate interests (GDPR Art 6(1)(f)): fraud prevention, abuse detection, AML screening, security event logging, service-improvement analytics that are essential to operate a payment platform safely.
- Consent (GDPR Art 6(1)(a)): web analytics (Firebase Analytics), marketing communications, optional features. We obtain consent through the on-site banner; you can withdraw consent at any time via "Cookie settings" in the footer.
- Legal obligation (GDPR Art 6(1)(c)): record-keeping for tax, accounting, AML, and dispute-resolution requirements under Omani law and applicable foreign law.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and associated data (subject to legal retention requirements and the permanence of completed journey content).
- Object to or restrict processing of your data.
- Export your data in a portable format.
- Withdraw consent for any processing based on consent (e.g. analytics) at any time.
- Lodge a complaint with a supervisory authority. EEA / UK users have the right to complain to their national data-protection authority. A list is available via the European Data Protection Board.
To exercise these rights, email support@lvlup.om. We aim to respond within 30 days.
9. Children's Privacy
LVLUP is not intended for children under 13. We do not knowingly collect personal information from children under 13. In jurisdictions where the digital-consent age is higher (for example, age 16 under GDPR in some EU member states), users below the local digital-consent age must have verifiable parental or guardian consent before using LVLUP. If you believe a child below the applicable age has provided us with personal information without consent, please contact us and we will delete it.
10. Cookies and Tracking
The LVLUP mobile app does not use cookies. The website (lvlup.om) uses cookies in the following categories:
- Strictly necessary cookies — required for sign-in, security, and the consent record itself. Cannot be disabled.
- Analytics cookies — Firebase Analytics / Google Analytics 4, used only with your explicit consent via the on-site banner. Default state is denied; analytics fires only after you tap "Accept all". You can withdraw consent at any time via the "Cookie settings" link in any page footer.
We do not use advertising or third-party-tracking cookies. We do not engage in cross-site behavioural advertising.
11. Third-Party Services
- Firebase (Google): authentication, database, storage, analytics, crash reporting, performance monitoring.
- Google Sign-In / Apple Sign-In: authentication only; we receive your name and email, not your password.
- Apple App Store & Apple In-App Purchase: processes EXP purchases on iOS and notifies us of refund / family-sharing revocation events so we can adjust your EXP balance.
- Google Play Billing: processes EXP purchases on Android.
- Tap Payments: processes EXP purchases on the web. Tap receives the payment information needed to complete the transaction.
- Licensed payout partner: processes creator payouts. The partner runs its own hosted Pay Portal where the creator completes KYC and adds a payout method; we receive only an opaque user token and activation status, not raw bank details.
12. International Data Transfers
Your data may be processed in countries outside Oman, primarily on Google Cloud infrastructure (Firebase) in the United States and other regions where Google operates data centres. For users in the European Economic Area or United Kingdom, transfers outside the EEA/UK rely on the European Commission's adequacy decision for the destination country (where applicable) or Standard Contractual Clauses (SCCs) executed between LVLUP and the relevant processor. By using LVLUP, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the app or email. Continued use after changes constitutes acceptance.
14. Contact
For privacy-related questions, data-subject access requests, deletion requests, or to withdraw consent, contact us at support@lvlup.om. We aim to respond within 30 days.