🔒 Privacy Policy

§ 1 — WHO WE ARE

Pashtun Hujra is a social media platform specifically designed for the Pashtun community worldwide, while welcoming all users.

Operator: Schwaben Apps

Address: Eschenhofstr. 46, 86154 Augsburg, Germany

Contact: pashtunhujra@gmail.com

Website: www.pashtunhujra.com

Full imprint: schwabenapps

§ 2 — WHAT DATA WE COLLECT

We collect the following categories of personal data:

a) Registration Data (required):

• Full name, email address, date of birth, gender, password
• Username and profile picture (optional)

b) Profile Data (optional):

• Bio, profession, location, social links, accent color preference

c) Content Data:

• Posts, Virals, Stories, comments, messages, polls and poll responses, voice messages, shared images and videos, music attachments
• Dual-Post and Triple-Post data (simultaneous publication across formats)
• Draft data (unfinished posts saved locally and in the cloud)

d) Usage and Behavioral Data:

• Device information (device model, operating system, app version)
• Login times, session duration, features used
• Likes, comments, shares, views, follows
• Search queries and Explore interactions
• Coins balances, transactions, login streaks
• Offline cache usage data

e) Technical Data:

• IP address, device token for push notifications
• Crash reports (via Firebase Crashlytics)
• Performance data (app startup time, response times)

f) Communication Data:

• Private messages (end-to-end encrypted — we cannot read the content)
• Voice and video calls (metadata only — no call content is stored)
• Group chat messages (encrypted in transit, not E2EE)
• Problem reports and feedback submitted through the app

g) Location Data (only with explicit consent):

• GPS coordinates for the Social Map feature
• Location data is shared only with confirmed friends
• You can disable location sharing at any time

h) Biometric Data (only with explicit consent):

• Face ID, Touch ID, or fingerprint — processed exclusively by the device's operating system, NOT by Pashtun Hujra (see § 12)

i) Advertising Data:

• Whether you have watched reward advertisements
• Number of ads viewed per hour (for the 3-per-hour limit)
• No personalized ad profiling is performed

§ 3 — HOW WE USE YOUR DATA

We use your data for the following purposes:

a) Service Provision:

• Account creation and management
• Displaying and distributing your content (including Dual-Post and Triple-Post distribution)
• Enabling communication features (chat, calls, live streams, Hujra Rooms)
• Processing poll responses and displaying poll results
• Enabling the Coins system and gift features
• Providing friend suggestions based on mutual friends
• Providing the offline cache feature

b) Security and Safety:

• Verifying your identity and age
• Detecting and preventing fraud, abuse, and violations of our Terms
• App security features (PIN lock, biometric lock, login notifications)
• End-to-end encryption of private messages

c) Improvement and Development:

• Analyzing app usage patterns (anonymized)
• Crash diagnostics and bug fixes
• Performance optimization (including video compression)

d) Communication:

• Sending push notifications (messages, likes, comments, friend requests)
• In-app notifications about Terms changes
• Processing problem reports and support requests

e) Legal Compliance:

• Fulfilling legal obligations (e.g., data retention requirements, cooperation with authorities)
• Responding to legitimate legal requests

§ 4 — LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases (GDPR Art. 6):

• Contract Performance (Art. 6(1)(b)) — Processing necessary for providing the Services (account, posts, messages, Coins system, polls, Dual-/Triple-Post).
• Consent (Art. 6(1)(a)) — For optional features: location sharing, push notifications, biometric lock, camera/microphone access, reward advertising.
• Legitimate Interests (Art. 6(1)(f)) — Security, fraud prevention, app improvement, anonymized analytics, friend suggestions.
• Legal Obligation (Art. 6(1)(c)) — Where required by law (e.g., tax obligations, cooperation with authorities).

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

§ 5 — END-TO-END ENCRYPTION (E2EE)

• Technology: RSA-2048 key pair per user + AES-256-CBC for individual messages.
• Key Storage: Private key remains exclusively on the user's device.
• What is encrypted: All private 1-to-1 messages (text, images, videos, voice messages, GIFs, music previews).
• What is NOT encrypted: Group chats, public posts, comments, Stories, Live Streams, Hujra Rooms, polls, Virals.
• Consequence: Pashtun Hujra cannot read your encrypted messages — even upon official request. In case of key loss (e.g., signing out of all devices), old encrypted messages are irrecoverable.

§ 6 — APP SECURITY (PIN & BIOMETRICS)

• PIN Lock: Optional 4- or 6-digit PIN for app access. The PIN is stored securely on your device using platform-native secure storage (iOS Keychain / Android Keystore).
• Biometric Lock: Optional Face ID / Touch ID / Fingerprint. The biometric check is performed entirely by your device's operating system. Pashtun Hujra receives only a "yes/no" result and NEVER accesses the biometric data itself.
• Chat Lock: You can additionally lock individual chats with PIN or biometrics. A locked chat can only be accessed after re-authentication. The lock status is stored as a boolean value in your Firestore session settings — no additional biometric data is collected.
• Login Notifications: You may enable notifications for new logins.
• All Devices Sign-Out: You may end all active sessions at any time.

One-Time Permission Setup: After your first login, Pashtun Hujra displays a one-time permission setup screen where you can conveniently review and grant all required device permissions (camera, microphone, notifications, location) at a glance. This setup is performed once and stored locally on your device (SharedPreferences). You can change all permissions at any time in your device settings.

§ 7 — DATA STORAGE & SECURITY

• Cloud: Your data is stored on Firebase (Google Cloud Platform) servers. Firebase data centers are located in the EU (europe-west) and the US.
• Encryption: Data in transit is TLS-encrypted. Data at rest is AES-256-encrypted on Firebase servers.
• Access Control: Access to user data is restricted to the minimum necessary (principle of least privilege).
• Offline Cache: Up to 50 MB of data is cached locally on your device for offline access. This data is encrypted at the OS level and is deleted when you sign out or uninstall the app.

§ 8 — SHARING WITH THIRD PARTIES & PROCESSORS

We share your data with the following third-party services (processors):

• Firebase / Google Cloud Platform — Hosting, database, authentication, push notifications, crash reports (Google LLC, USA, EU Standard Contractual Clauses)
• Giphy — GIF search and display (Meta Platforms Inc., USA)
• Deezer — Music search and preview (Deezer SA, France)
• MusicBrainz — Music metadata (MetaBrainz Foundation, USA)
• Saavn / JioSaavn — Music search (Saavn Media Ltd., India)
• Twemoji — Sticker display (open source, no data transfer)
• WebRTC — Audio/video calls (open standard, peer-to-peer — no data transfer through us)
• Cloudflare — CDN and DDoS protection for website (Cloudflare Inc., USA, EU SCCs)

We do NOT sell your personal data to third parties.

We do NOT share your data with advertisers or data brokers.

§ 9 — RETENTION PERIOD

• Account Data: For the duration of your account plus 90 days after deletion.
• Messages (E2EE): Deleted immediately from the server after delivery. If the recipient is offline, stored encrypted for a maximum of 30 days.
• Stories: Automatically deleted after 24 hours.
• Crash Reports: Stored for 90 days.
• Coins Transactions: Stored for the duration of the account.
• Problem Reports: Stored for 180 days after resolution.
• Login Logs: Stored for 6 months.
• After Account Deletion: All data is irrevocably deleted within 90 days. Backup copies are destroyed within a further 30 days.

§ 10 — AUTOMATED DECISIONS & PROFILING

Pashtun Hujra does NOT use automated decision-making or profiling that has legal or similarly significant effects on you. Specifically:

• No automated account suspensions — every suspension is reviewed by a human.
• No algorithmic content suppression — no shadowbanning.
• No personalized ad profiling.
• Friend suggestions are based solely on mutual friends (not on behavior profiling).

§ 11 — INTERNATIONAL DATA TRANSFER

Your data may be transferred to countries outside the EU/EEA, specifically to the USA (Firebase/Google). This transfer is safeguarded by:

• EU Standard Contractual Clauses (SCCs)
• Google's additional security measures and certifications (SOC 2, ISO 27001)
• Encryption of data in transit and at rest

For users in specific countries, additional safeguards may apply (see Part B).

§ 12 — BIOMETRIC DATA

Pashtun Hujra offers an optional biometric lock for the app and individual chats (Chat Lock) using Face ID, Touch ID, or Fingerprint.

Important: Pashtun Hujra does NOT collect, store, or process biometric data. The biometric authentication is performed entirely by your device's operating system (iOS/Android). Pashtun Hujra receives only a "yes/no" confirmation. For Chat Lock, only a boolean value (locked/unlocked) is stored in your Firestore session settings.

This means:

• Your biometric data never leaves your device.
• Pashtun Hujra has no access to your fingerprint, face scan, or other biometric information.
• If you delete the app, no biometric data remains with us (because we never had it).

§ 13 — CHILD PROTECTION & MINIMUM AGE

Pashtun Hujra is exclusively intended for persons aged 18 and above.

• We do not knowingly collect personal data from minors.
• If we discover that a user is under 18, the account will be immediately deleted and all data will be destroyed.
• Parents and guardians: If you learn that a minor is using Pashtun Hujra, please contact us at pashtunhujra@gmail.com.

§ 14 — YOUR RIGHTS

Depending on your location, you have some or all of the following rights:

• Right of Access — Request a copy of your personal data.
• Right to Rectification — Correct inaccurate personal data.
• Right to Erasure — Request deletion of your personal data.
• Right to Restriction — Request restriction of processing.
• Right to Data Portability — Request your data in a machine-readable format.
• Right to Object — Object to processing based on legitimate interests.
• Right to Withdraw Consent — Withdraw consent at any time.
• Right to Complain — Lodge a complaint with your local data protection authority.

How to exercise your rights:

• In the app: Settings → Account → My Data (for data export)
• In the app: Settings → Account → Delete Account (for deletion)
• By email: pashtunhujra@gmail.com

We will respond to your request within 30 days (or within the legally required timeframe in your jurisdiction).

§ 15 — COOKIES & TRACKING

The Pashtun Hujra App:

• Does NOT use cookies (apps don't use cookies).
• Does NOT use third-party tracking pixels.
• Does NOT use cross-app tracking.
• Uses Firebase Analytics for anonymized, aggregated usage statistics only.

The Pashtun Hujra Website (pashtunhujra.com):

• Uses only technically necessary cookies (session, language preference).
• Does NOT use advertising cookies.
• Does NOT use third-party tracking scripts.

§ 16 — DATA EXPORT & DATA PORTABILITY

You may download all your personal data at any time:

• In the app: Settings → Account → My Data
• Format: JSON file containing all your data (profile, posts, messages metadata, Coins history, friend list, poll history)
• Processing time: Available within 48 hours after request.

§ 17 — 🇪🇺 EU/EEA — GDPR

§ 18 — 🇬🇧 UK — UK GDPR

For users in the United Kingdom:

• UK GDPR and Data Protection Act 2018 apply.
• International Transfer: UK Adequacy Decisions and UK International Data Transfer Agreements apply.
• ICO: You may file a complaint with the Information Commissioner's Office (ICO).
• Age Verification: Our minimum age of 18 exceeds the UK minimum of 13.

§ 19 — 🇨🇭 SWITZERLAND — DSG

For users in Switzerland:

• The Swiss Data Protection Act (DSG/nDSG) applies.
• FDPIC: You may file a complaint with the Federal Data Protection and Information Commissioner.
• International Transfer: Secured by Swiss Standard Contractual Clauses.

§ 20 — 🇹🇷 TURKEY — KVKK

For users in Turkey:

• KVKK (Personal Data Protection Law No. 6698) applies.
• VERBIS Registration: If required, Pashtun Hujra will register in the VERBIS Data Controllers Registry.
• Your Rights under KVKK: Access, rectification, erasure, objection, complaint to the KVKK Board.

§ 21 — 🇸🇦🇦🇪🇶🇦 ARAB COUNTRIES

For users in Saudi Arabia, UAE, Qatar, Kuwait, Bahrain, Oman, Iraq, Jordan, Lebanon, and Egypt:

• Applicable data protection laws are respected, specifically:
• Saudi Arabia: PDPL (Personal Data Protection Law)
• UAE: Federal Decree-Law No. 45/2021
• Qatar: Law No. 13/2016
• Data processing takes into account local cultural and legal requirements.

§ 22 — 🇵🇰 PAKISTAN

For users in Pakistan:

• PECA 2016 and the applicable data protection regulations apply.
• PTA: Pashtun Hujra cooperates with the Pakistan Telecommunication Authority within the framework of applicable law.
• Your rights: Access, rectification, and deletion of your data.

§ 23 — 🇦🇫 AFGHANISTAN

For users in Afghanistan:

• Pashtun Hujra prioritizes the safety and privacy of Afghan users.
• Data minimization: We collect only the minimum necessary data.
• Special attention is paid to the protection of identity and political affiliation.

§ 24 — 🇮🇳 INDIA — DPDPA 2023

For users in India:

• DPDPA 2023 (Digital Personal Data Protection Act): When in force, Pashtun Hujra will fully comply.
• IT Act 2000 & IT Rules 2021: We comply with the Intermediary Guidelines.
• Your Rights: Access, correction, deletion, grievance redressal.
• Grievance Officer: Available for complaints (details will be published in the app).
• Data Localization: If data localization rules come into force, we will comply.

§ 25 — 🇺🇸 USA — CCPA/CPRA & STATE PRIVACY LAWS

For users in the United States:

• CCPA/CPRA (California): You have the right to know, delete, opt-out of sale, and non-discrimination. Pashtun Hujra does NOT sell personal data.
• Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): Respective state privacy rights apply.
• COPPA: Our minimum age of 18 exceeds the COPPA threshold of 13. We do not knowingly collect data from children.
• Categories Collected: Identifiers, internet activity, geolocation (with consent), professional information (optional).
• Categories NOT Sold: All categories — we do not sell any personal data.

§ 26 — 🇨🇦 CANADA — PIPEDA & QUEBEC LAW 25

For users in Canada:

• PIPEDA applies to the collection, use, and disclosure of personal data.
• Quebec (Law 25): Privacy Impact Assessments, right to de-indexation, explicit consent requirements.
• OPC: You may file a complaint with the Office of the Privacy Commissioner of Canada.

§ 27 — 🇦🇺 AUSTRALIA — PRIVACY ACT & APPs

For users in Australia:

• Privacy Act 1988 and Australian Privacy Principles (APPs) apply.
• eSafety Commissioner: You may submit complaints directly to the Office of the eSafety Commissioner.
• Notifiable Data Breaches: In the event of a data breach, affected users and the OAIC will be notified.

§ 28 — 🇮🇷 IRAN

For users in Iran:

• Pashtun Hujra respects applicable data protection regulations.
• Given possible access restrictions, uninterrupted availability cannot be guaranteed.
• Data minimization applies.

§ 29 — 🇷🇺 RUSSIA — PERSONAL DATA LAW (FZ-152)

For users in Russia:

• FZ-152 (Federal Law on Personal Data) applies.
• Your Rights: Information, correction, deletion, objection.
• Roskomnadzor: We comply with the requirements of the Russian telecommunications regulator.
• Data Localization: If personal data of Russian users must be stored locally, we will take appropriate measures.

§ 30 — 🇧🇩 BANGLADESH — DIGITAL SECURITY ACT & DSA 2018

For users in Bangladesh:

• Digital Security Act 2018 applies.
• Your Rights: Access and deletion of your data.
• When the Data Protection Act comes into force, we will comply.

§ 31 — 🇮🇩 INDONESIA — UU PDP (LAW NO. 27/2022)

For users in Indonesia:

• UU PDP (Law No. 27/2022 on Personal Data Protection) applies.
• Your Rights: Access, correction, deletion, objection, portability.
• Kominfo: We comply with the requirements of the Ministry of Communication and Informatics.

§ 32 — 🇺🇿🇹🇯🇹🇲🇰🇬🇰🇿 CENTRAL ASIA (Uzbekistan, Tajikistan, Turkmenistan, Kyrgyzstan, Kazakhstan)

For users in Central Asian countries:

• Applicable data protection and cybersecurity laws are respected.
• Data minimization applies.
• Uninterrupted availability cannot be guaranteed due to possible internet restrictions.

§ 33 — 🇲🇾 MALAYSIA — PDPA 2010

For users in Malaysia:

• PDPA 2010 (Personal Data Protection Act) applies.
• Your Rights: Access, correction, objection.
• JPDP: You may file a complaint with the Department of Personal Data Protection.

§ 34 — 🇧🇾 BELARUS — DATA PROTECTION LAW (NO. 99-Z)

For users in Belarus:

• Law No. 99-Z on Personal Data Protection applies.
• Data minimization and special attention to user safety apply.
• Given the political situation, identity protection is prioritized.

§ 35 — CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. For material changes:

• You will be notified via in-app notification.
• Where legally required, your renewed consent will be obtained.
• The current version is always available in the app (Settings → About & Help → Privacy Policy) and on our website.

§ 36 — CONTACT & COMPLAINT AUTHORITIES

General Contact: pashtunhujra@gmail.com

Complaint Authorities:

• 🇪🇺 EU: Data protection authority of your country of residence
• 🇩🇪 Germany: State Data Protection Commissioner of your federal state
• 🇬🇧 UK: Information Commissioner's Office (ICO) — ico.org.uk
• 🇨🇭 Switzerland: FDPIC — edoeb.admin.ch
• 🇹🇷 Turkey: KVKK — kvkk.gov.tr
• 🇮🇳 India: Grievance Officer (details in-app)
• 🇺🇸 USA: FTC — ftc.gov, or your state's Attorney General
• 🇨🇦 Canada: OPC — priv.gc.ca
• 🇦🇺 Australia: OAIC — oaic.gov.au

Last updated: March 26, 2026