Privacy Policy
Last Updated: December 20, 2025
1. Introduction
Welcome to Susu. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how JoinSusu LLC ("we", "us", "our") collects, uses, discloses, and safeguards your information when you use our mobile application and website (collectively, the "Service").
By using Susu, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.
Data Controller
For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and UK GDPR, the data controller is:
JoinSusu LLC
Email: privacy@joinsusu.co
As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection laws.
2. Information We Collect
2.1 Information You Provide to Us
Account Registration:
- Full name
- Email address
- Phone number
- Password (stored only as a salted hash, never in plaintext; see Section 5)
- Profile photo (optional)
Identity Verification (KYC):
- Government-issued ID (driver's license, passport, etc.)
- Social Security Number or Tax ID (last 4 digits)
- Date of birth
- Home address
- Selfie photo for identity confirmation
Payment Information:
- Bank account details (routing and account numbers)
- Debit/credit card information
- Payment history and transaction records
Note: Payment card information is processed and stored by Stripe, our payment processor. We do not store full card numbers on our servers.
Receipts (Optional):
- Payment confirmation photos/receipts you choose to upload for contributions
- Stored in a private, access-controlled bucket; shared via short-lived signed URLs
- Subject to file size and type limits (e.g., JPEG/PNG/HEIC; 5MB max), enforced on upload, to reduce the risk of malicious or oversized files
2.2 Information Collected Automatically
Device and Usage Information:
- Device type, model, and operating system
- IP address and approximate location
- App version and installation date
- Usage patterns and interactions with features
- Crash reports and performance data
Cookies and Tracking Technologies:
- Session cookies for authentication
- Analytics cookies to understand user behavior
- Preference cookies to remember your settings
2.3 Information from Third Parties
We may receive information about you from:
- Stripe: Payment processing status, verification results
- Identity Verification Services: KYC verification outcomes
- Other Users: When they add you to a circle or interact with you
- Social Media Platforms: Profile information when you use social login (see Section 2.5)
- Public Databases: Information to verify your identity or prevent fraud
2.4 Push Notifications
We may request to send you push notifications regarding your account, circle activity, payment reminders, and other service-related updates.
If you wish to opt-out from receiving push notifications, you may turn them off in your device's settings or within the app's notification preferences. Note that opting out may affect your ability to receive important payment reminders and circle updates.
2.5 Social Media Login
Our Service offers you the ability to register and login using your third-party social media account details (such as Google or Apple). If you choose to do this, we will receive certain profile information from your social media provider.
The profile information we receive may vary depending on the provider, but typically includes:
- Your name
- Email address
- Profile picture
- Account identifier
We use this information only for the purposes described in this Privacy Policy. We do not control, and are not responsible for, other uses of your personal information by your social media provider. We recommend reviewing their privacy policy to understand how they collect, use, and share your information.
3. How We Use Your Information
We use the information we collect for the following purposes. We process your personal information based on these legal grounds:
Legal Bases for Processing:
- Consent: When you have given us explicit permission
- Contract Performance: To fulfill our agreement with you
- Legitimate Interests: For our reasonable business interests (such as fraud prevention and service improvement), where these are not overridden by your rights and interests
- Legal Obligations: To comply with applicable laws
- Vital Interests: To protect your safety or that of others
3.1 To Provide and Maintain the Service
- Create and manage your account
- Process contributions and payouts
- Facilitate circle creation and management
- Send transaction confirmations and receipts
- Provide customer support
3.2 To Ensure Security and Prevent Fraud
- Verify your identity and prevent identity theft
- Detect and prevent fraudulent transactions
- Monitor for suspicious activity
- Comply with anti-money laundering (AML) regulations
- Calculate and update trust scores
3.3 To Communicate with You
- Send payment reminders and notifications
- Notify you of circle activity
- Respond to your inquiries
- Send important service updates
- Provide marketing communications (with your consent)
3.4 To Improve Our Service
- Analyze usage patterns and trends
- Conduct research and development
- Test new features and improvements
- Troubleshoot technical issues
3.5 To Comply with Legal Obligations
- Respond to legal requests and court orders
- Comply with financial regulations (e.g., FinCEN/Bank Secrecy Act requirements, KYC, and AML obligations)
- Enforce our Terms of Service
- Protect our rights and property
3.6 To Administer Rewards and Promotions
We use your information to administer promotional programs, including:
- Organizer Rewards: Track circle completion and on-time payments to calculate reward eligibility
- First-Time Bonuses: Identify eligible new users for promotional offers
- Referral Programs: Track referrals and credit rewards to referring users
Participation in rewards programs is voluntary. Specific terms for each program are available in the app.
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
4.1 With Other Users
When you participate in a circle, other members can see:
- Your name and profile photo
- Your trust score tier (Starter, Bronze, Silver, Gold, Platinum)
- Your payment status (paid, pending, missed)
- Messages you send in circle chat
4.2 With Service Providers
We work with third-party companies to provide our Service:
- Stripe: Payment processing, identity verification, payouts
- Supabase: Database hosting and authentication
- Resend: Email delivery
- Analytics Services: Usage analytics and crash reporting
- Cloud Hosting: Server infrastructure (Vercel, Supabase)
These providers are contractually required to protect your information and use it only for the purposes we specify.
4.3 For Legal Reasons
We may disclose your information if required to:
- Comply with legal obligations or valid legal requests
- Respond to subpoenas, court orders, or government requests
- Enforce our Terms of Service or other policies
- Protect the rights, property, or safety of JoinSusu, our users, or the public
- Prevent fraud, security issues, or technical problems
4.4 Business Transfers
If JoinSusu is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
5. Data Security
We take the security of your personal information seriously and implement industry-standard measures to protect it:
Security Measures:
- Encryption: All data in transit is protected with TLS
- Data at Rest: Sensitive data is encrypted in our databases
- Access Controls: Strict role-based access for our team
- Authentication: Secure password hashing and multi-factor authentication
- Regular Audits: Security assessments and penetration testing
- Monitoring: 24/7 monitoring for suspicious activity
While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your personal information for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations (typically 7 years for financial records)
- Resolve disputes and enforce our agreements
- Prevent fraud and abuse
Retention Periods:
- Account information: Duration of account + 7 years after closure
- Transaction records: 7 years (required by financial regulations)
- KYC documents: 5 years after account closure
- Chat messages: 2 years or until circle completion
- Usage analytics: 2 years
7. Your Rights and Choices
7.1 Access and Update
You can access and update most of your information through your account settings in the app. You have the right to request a copy of the personal information we hold about you.
7.2 Deletion
You can request deletion of your account and personal information. Please note:
- You must complete all active circle commitments before deletion
- Some information must be retained for legal/regulatory compliance
- Deletion is permanent and cannot be undone
7.3 Marketing Communications
You can opt out of marketing emails by clicking "unsubscribe" in any marketing email or by adjusting your notification settings in the app. You cannot opt out of transactional emails (payment confirmations, security alerts, etc.).
7.4 Do Not Track
Our Service does not currently respond to "Do Not Track" signals from browsers.
7.5 State-Specific Rights
If you reside in California, Virginia, Colorado, or other states with privacy laws, you may have additional rights:
- Right to know what personal information we collect
- Right to delete personal information
- Right to opt-out of "sales" (we do not sell your information)
- Right to non-discrimination for exercising your rights
- Right to correct inaccurate information
California "Shine the Light" Law
California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to privacy@joinsusu.co.
California Residents Under 18
If you are under 18 years of age, reside in California, and have a registered account with the Service, you have the right to request removal of unwanted data that you publicly post on the Service. To request removal of such data, please contact us at privacy@joinsusu.co and include the email address associated with your account and a statement that you reside in California. We will ensure the data is not publicly displayed on the Service, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.).
8. Children's Privacy
Susu is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.
If we learn that we have collected information from a child under 18, we will delete it promptly. If you believe we have collected information from a child, please contact us at privacy@joinsusu.co.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
We ensure appropriate safeguards are in place when transferring your information internationally, including:
- Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum, where applicable)
- Adequacy decisions recognizing equivalent protection
- Your explicit consent where required
10. EU/EEA and UK Residents (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), the UK GDPR, or (for Switzerland) the Swiss Federal Act on Data Protection.
10.1 EU Representative
As JoinSusu LLC is established outside the EU/EEA, we have appointed a representative in the European Union in accordance with Article 27 of the GDPR:
EU Representative:
Aminata Tunkara
France
Email: eu-privacy@joinsusu.co
You may contact our EU representative for any matters relating to the GDPR.
10.2 Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances (e.g., when data is no longer necessary for its original purpose). Note: Financial regulations may require us to retain certain data.
- Right to Restriction (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit that data to another controller.
- Right to Object (Article 21): You have the right to object to processing of your personal data based on legitimate interests, including profiling. This includes objecting to our trust score calculations (see Section 11 below).
- Right to Withdraw Consent (Article 7): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
10.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@joinsusu.co
- Subject line: "GDPR Request - [Your Right]"
We will respond to your request within one month. This period may be extended by two further months for complex requests, in which case we will inform you within the first month.
We may need to verify your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.
10.4 Right to Lodge a Complaint
If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with a supervisory authority. You may complain to:
- The supervisory authority in your country of residence
- The supervisory authority in your place of work
- The supervisory authority where the alleged infringement occurred
A list of EU supervisory authorities is published by the European Data Protection Board (EDPB).
10.5 Legal Basis for Processing
We process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation & circle participation | Contract performance |
| Payment processing & payouts | Contract performance |
| Identity verification (KYC) | Legal obligation |
| Fraud prevention & trust scores | Legitimate interests |
| Marketing communications | Consent |
| Analytics & service improvement | Legitimate interests |
| Financial record keeping | Legal obligation |
11. Automated Decision-Making and Profiling
Susu uses automated processing to calculate trust scores for users. This section explains how this works and your rights regarding automated decisions.
11.1 Trust Score System
Our trust score system automatically evaluates users based on:
- On-time payment history
- Circle completion rate
- Account age and verification status
- Historical participation patterns
Trust scores range from 0-100 and determine your tier (Starter, Bronze, Silver, Gold, Platinum). Higher scores may unlock access to larger circles and additional features.
11.2 Significance and Consequences
Your trust score may affect:
- Eligibility to join certain circles (circle organizers may set minimum score requirements)
- Maximum contribution amounts you can participate in
- Your visibility and reputation within the community
11.3 Your Rights
Under Article 22 of the GDPR, you have the right to:
- Request human review: Ask for a human to review any automated decision that significantly affects you
- Express your view: Provide additional context or explanation about your payment history
- Contest the decision: Challenge a trust score calculation you believe is inaccurate
- Object to profiling: Request that we stop using automated profiling for your account
To exercise these rights, contact us at privacy@joinsusu.co with subject line "Trust Score Review Request".
11.4 Safeguards
We have implemented the following safeguards for our automated processing:
- Regular audits of the trust score algorithm for bias
- Clear explanation of score factors in the app
- Human review available upon request
- Appeals process for disputed scores
- Minimum scores never result in complete service denial (only feature limitations)
12. Data Breach Notification
We take data security seriously. In the event of a personal data breach:
12.1 Notification to Authorities
If a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
12.2 Notification to You
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, as required by Article 34 of the GDPR. This notification will include:
- A description of the nature of the breach
- The categories and approximate number of individuals affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
- Recommendations for steps you can take to protect yourself
12.3 Breach Response
Our incident response plan includes immediate containment, forensic investigation, remediation, and preventive measures to avoid future occurrences. We maintain detailed records of all data breaches regardless of whether notification is required.
13. Cookie Policy
Our website and app use cookies and similar technologies. This section explains what cookies we use and how you can control them.
13.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. They help us remember your preferences, understand how you use our service, and improve your experience.
13.2 Types of Cookies We Use
| Category | Purpose | Required |
|---|---|---|
| Essential | Authentication, security, basic functionality | Yes |
| Functional | Remember preferences, language settings | No |
| Analytics | Understand usage patterns, improve service | No |
| Marketing | Measure ad effectiveness (if applicable) | No |
13.3 Managing Cookies
You can control cookies through:
- Cookie banner: When you first visit, you can accept or reject non-essential cookies
- Browser settings: Most browsers allow you to block or delete cookies
- Device settings: Mobile devices have privacy settings for app tracking
Note: Blocking essential cookies may prevent you from using certain features of our Service.
13.4 Third-Party Cookies
Some cookies are placed by third-party services we use (such as analytics providers). These third parties may use cookies to collect information about your online activities across different websites. We do not control these cookies; please refer to the third parties' privacy policies for more information.
14. Withdrawal of Consent
Where we process your personal data based on your consent, you have the right to withdraw that consent at any time.
14.1 How to Withdraw Consent
You can withdraw consent through the following methods:
- Marketing emails: Click "unsubscribe" in any marketing email
- Push notifications: Disable in your device or app settings
- Cookies: Adjust your cookie preferences or browser settings
- Other processing: Email privacy@joinsusu.co with your request
14.2 Effect of Withdrawal
Withdrawal of consent:
- Does not affect the lawfulness of processing before withdrawal
- May limit your ability to use certain features (e.g., personalized recommendations)
- Will be processed within 48 hours of receipt
- Does not affect processing based on other legal grounds (contract, legal obligation)
15. Third-Party Links
Our Service may contain links to third-party websites or services (e.g., social media platforms). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated policy with a new "Last Updated" date
- Sending an email notification
- Displaying an in-app notification
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
JoinSusu LLC - Privacy Team
Email: privacy@joinsusu.co
Support: support@joinsusu.co
Website: https://www.joinsusu.co/support
We will respond to your inquiry within 30 days.
Your Privacy Matters
At Susu, we are committed to transparency and protecting your privacy. We will never sell your personal information, and we only use it to provide you with the best possible service. If you ever have questions or concerns, please don't hesitate to reach out.
Last Updated: December 16, 2025
Version 2.1