Privacy Policy

Effective date: April 19, 2026
Last updated: April 19, 2026

This Privacy Policy describes how Capaz ("Capaz", "we", "us", or "our") collects, uses, stores, and shares personal information when you use the Capaz mobile application and related services (the "Service"). It also explains the rights you have under the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

The Service is operated by Capaz. If you do not agree with this policy, please do not use the Service.

1. Who we are (Data Controller)

The data controller responsible for your personal data is:
Capaz
Contact email: contact@capaz-app.com

2. Children and family use

Capaz is a family application that allows parents and their children to stay in touch. Accounts for children under the age of 13 (or the applicable age of digital consent in your country, e.g. 15 in France) can only be created or linked by a parent or legal guardian, who provides verifiable consent for the collection and processing of the child's data.

A parent account must invite the child to join the family.
The parent can at any time review, export or delete the child's data from the "Family" settings or by contacting us.
We do not knowingly collect data from a child without parental consent. If we discover that we have done so, we will delete the data promptly.
We do not show behavioral advertising to children and we do not sell children's personal data.

3. Data we collect

Category	Examples	Purpose	Legal basis (GDPR)
Account data	Email, phone number, display name, profile picture, date of birth, authentication identifiers (Google / Apple sign-in)	Create and secure your account, link family members	Performance of a contract
Family & friends graph	References to other users you add as friend or family, invitations	Enable chat, calls and location sharing inside your family / friends	Performance of a contract
Messages & media	Chat text, photos, videos, voice messages you send or receive	Deliver messages to the intended recipients	Performance of a contract
Calls	Voice / video call signaling and temporary media streams (via Agora)	Enable real-time calls between family members	Performance of a contract
Location	Approximate and precise location, in foreground and (with consent) background	Share your location with the family members you have authorized, so they can see you on the family map	Explicit consent (you can revoke it at any time)
Device & technical data	Device model, OS version, language, app version, push token, crash and performance logs	Deliver push notifications, diagnose bugs, improve the app	Legitimate interest
Purchases	Subscription status, purchase receipts (handled by Apple / Google / RevenueCat — we never see your card number)	Manage paid features and subscriptions	Performance of a contract
Support & communications	Emails you send us, reports you submit from the app	Respond to you and improve the Service	Legitimate interest

We do not collect: bank card numbers, government ID, biometric identifiers, sexual orientation, political opinions, religion, health data, or precise contacts from your address book.

4. How we use your data

To provide, operate, and maintain the Service (accounts, chat, calls, family map, notifications).
To authenticate you and prevent fraud or abuse.
To provide customer support.
To send you service-related notifications (e.g. a new message, a family invitation).
To improve the Service, fix bugs, and measure performance in an aggregated way.
To comply with our legal obligations.

We do not use your personal data for targeted advertising, and we do not sell your personal data.

5. Sharing with other users

Some data is shared with other users of Capaz by design:

Your display name and profile picture are visible to the friends and family members you accept.
Messages and media are delivered to the recipients of the chat.
Your location is visible only to family members you have explicitly authorized, and only if you have not turned location sharing off.

6. Service providers (sub-processors)

We rely on a small number of trusted providers to run Capaz. They process data only on our instructions, under a data processing agreement:

Provider	Role	Location
Google Firebase (Authentication, Firestore, Cloud Functions, Cloud Messaging, Storage, Crashlytics, Performance)	Hosting of accounts, messages, media and push notifications	European Union / United States
Google Play Services / Apple Push	Push notification delivery	European Union / United States
Agora.io	Real-time voice and video calls	European Union / United States
RevenueCat	Subscription management	United States
OpenAI, Mistral AI	AI assistant features, when you choose to use them (the content of the request is sent to the AI provider to generate a response, and is not used by the provider to train their models)	European Union / United States
Google Sign-In, Sign in with Apple	Authentication, when you choose to use them	United States

When data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision.

7. Data retention

Account data: kept as long as your account exists.
Messages & media: kept until you or the chat participants delete them, or until your account is deleted.
Location: only the latest known position of each family member is stored; we do not keep a long-term location history.
Logs & crash reports: up to 90 days.
Billing records: kept for the period required by applicable tax and accounting law (up to 10 years).

When you delete your account, we delete or anonymize your personal data within 30 days, except where we are legally required to keep it longer.

8. How we protect your data

All traffic between the app and our servers is encrypted with TLS.
Data stored on Firebase is encrypted at rest.
Access to production data is restricted to a limited number of administrators and logged.
Firestore security rules enforce that you can only read and write your own data and data shared with you by other users.

No system can be 100% secure; if we become aware of a personal data breach affecting you, we will notify you and the competent authority as required by law.

9. Your rights

Depending on where you live, you have the right to:

Access the personal data we hold about you;
Request correction of inaccurate or incomplete data;
Request deletion of your data ("right to be forgotten");
Restrict or object to certain processing;
Port your data to another service;
Withdraw your consent at any time, for processing based on consent (e.g. location sharing);
Lodge a complaint with your local data protection authority (in France: the CNIL — www.cnil.fr).

You can delete your account directly from the app (Settings → Account → Delete my account) or by writing to contact@capaz-app.com. We will reply within 30 days.

10. Permissions we request on your device

Location — to show your position to the family members you have authorized. You can disable it from your device settings or from inside the app.
Camera & microphone — to take photos, record videos and voice messages, and make calls.
Photos / media — to let you attach content to messages and to save received media to your gallery.
Notifications — to alert you of new messages, calls or family events.
Background location (optional) — to keep the family map up to date even when the app is not open. You are asked for this permission separately and can revoke it at any time.

11. Cookies and similar technologies

The Capaz mobile app does not use advertising cookies or third-party tracking SDKs. Our public website uses only technical cookies needed to display the page.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you inside the app or by email before the changes take effect. The "Last updated" date at the top of this page always reflects the latest version.

13. Contact

Questions, requests, or complaints? Contact us at contact@capaz-app.com. We are happy to help.

Capaz