Privacy Policy

1. Introduction and Scope

Perfy Group Ltd. (the "Company") deeply respects the privacy of every individual (the "User") who accesses the SuKu application (the "Services"). This highly detailed Privacy Policy clearly and explicitly identifies what data the app collects, how it collects that data, and all uses of that data, including if it is shared with third-party AI services. It also outlines the retention policies and describes how a User can revoke consent and request deletion of their data.

2. Categories of Information Collected by the Company and Methods of Collection

The Company explicitly collects the following data through active voluntary submissions by the User, automated tracking technologies, and the operation of its artificial intelligence functionalities:

2.1 Account and Algorithmic Identity Information: Upon initial registration, the Company collects necessary identifiers including the User's name, email address, telephonic contact information, age verification data, and cryptographic account credentials. This is collected via user input on the sign-up screens.

2.2 Chatbot Interactions and Persistent User Facts (Memory): When interacting with the artificial intelligence chatbot, the Company continuously collects the raw text of the conversations. To enhance the personalized experience, the artificial intelligence selectively extracts, categorizes, and permanently stores specific "facts" provided by the User (e.g., dietary preferences, personal history, named entities, emotional states) to formulate a persistent conversational memory matrix. The User explicitly acknowledges that if personal information is included in a text or audio prompt, such personal information is transmitted to third-party AI services for processing and may be reproduced in future artificial intelligence-generated outputs.

2.3 Biometric and Audio Data: Contingent upon the User's explicit, hardware-level permission requested via the device operating system, the Company captures, records, and algorithmically processes acoustic signals and voice inputs. This data is transmitted to third-party AI services to generate transcriptions, execute voice commands, and synthesize highly responsive audio outputs. The Company explicitly states that this audio data is processed solely for conversational functionalities; the Company does not create, extract, or permanently retain unique biometric identifiers or "voiceprints" from the User's acoustic data.

2.4 Visual Screen Data (Large Action Model Processing): If the User actively initiates the screen-sharing and remote assistance functionalities, the Company temporarily captures and visually analyzes data displayed on the User's device screen. This visual data is processed entirely in a transient state and transmitted to third-party AI services to allow the artificial intelligence to perceive the graphical user interface and provide navigational assistance.

2.5 Telemetry, Metadata, and Presence Indicators: The Company automatically collects diagnostic and usage telemetry, including the exact date and time of the User's last interaction with the application ("Last Seen" date), network IP addresses, device hardware types, and operating system specifications. Additionally, the Company utilizes cookies, pixel tags, and similar tracking technologies to monitor online activities over time, and collects specific device data including mobile phone carriers, device identifiers, and inferred general location.

2.6 Financial and Subscription Data: When the User elects to purchase a premium subscription, payment is securely processed via third-party application distributors (e.g., the Apple App Store or Google Play Store). The Company does not directly collect, process, or store full credit card numbers or highly sensitive financial credentials. The Company only receives and processes encrypted transaction tokens, purchase history data, and subscription status updates to provision the premium Services.

3. Purpose and Lawful Basis of Processing

The Company utilizes the collected data strictly for the following operational and commercial purposes, relying on specific reasonable and legal bases as required by BC PIPA, the GDPR, and App Store Guidelines:

3.1 Service Delivery (Legal Basis: Contractual Necessity / Reasonable Purpose): To operate, maintain, and provide the core functionalities of the SuKu application, including the maintenance of persistent memory tracking, real-time voice conversations, remote device assistance, and the provisioning of subscription-based premium features.

3.2 Artificial Intelligence Model Training (Legal Basis: Legitimate Interest / Consent): To analyze textual interactions, audio inputs, and conversational flows for the purpose of training, fine-tuning, and materially improving the underlying machine learning models and artificial intelligence algorithms developed by the Company. Users residing in jurisdictions requiring explicit consent for model training will be prompted accordingly.

3.3 Communication and Social Presence (Legal Basis: Consent): To facilitate social connectivity by displaying the User's "Last Seen" status to authorized contacts within the application's network, entirely contingent upon the User's active privacy settings.

3.4 Security, Fraud Prevention, and Legal Compliance (Legal Basis: Legal Obligation / Vital Interest): To proactively detect, prevent, and mitigate financial fraud, network abuse, and technical vulnerabilities, and to comply with binding legal obligations, subpoenas, or valid governmental requests.

3.5 Commercial and Marketing Communications (Legal Basis: Express Consent): If the User provides explicit, unbundled opt-in consent, the Company may utilize the User's email address and telephonic contact information to send promotional offers, feature updates, and marketing materials in strict compliance with CASL.

4. Consent Architecture, AI Data Sharing, and User Control Mechanisms

4.1 Third-Party AI Data Sharing Disclosure: In strict accordance with Apple App Store Review Guideline 5.1.2(i), the Company clearly discloses that the App sends the User's personal data—specifically text prompts, audio recordings, and transient screen visuals—to third-party AI services (including OpenAI and Anthropic) for processing. The Company obtains the User's explicit permission via an in-app consent dialog prior to sharing any personal data with these third-party AI services.

4.2 Revoking Consent for AI Data Sharing: Because the core functionalities of the SuKu application (including the conversational chatbot, audio transcription, and remote screen assistance) fundamentally rely upon third-party artificial intelligence processing, the transmission of data to these AI services cannot be disabled without rendering the application completely inoperable. Therefore, if the User wishes to totally revoke their explicit permission to share personal data with third-party AI services, they must do so by utilizing the "Delete Account" function located within the application's settings menu. Executing this function will immediately terminate the account, revoke all AI data-sharing permissions, and trigger the automated deletion of the User's personal data in accordance with Apple App Store Review Guideline 5.1.1(v) and 5.1.2(i).

4.3 Audio Sharing and Processing Controls: The processing of acoustic audio recordings relies unequivocally upon the explicit, informed consent of the User. The User may revoke microphone permission at any time via the device's operating system settings. Furthermore, while the User may choose to share recorded audio files with third parties, the Company only executes such algorithmic sharing actions upon receiving affirmative, cryptographic confirmation from the User.

4.4 Screen Data Volatility: Visual screen data is processed solely when the remote assistance feature is actively and manually engaged by the User. The Company does not permanently store the visual contents of the User's screen; processing occurs exclusively within a highly volatile, transient memory state. The User may terminate the screen-sharing session instantly at any time, immediately purging the data from the active processing queue.

4.5 Commercial Communications and CASL Unsubscribe Mechanisms: The Company strictly prohibits the bundling of marketing consent with the acceptance of general terms. The User will only receive commercial electronic messages (CEMs) if they proactively opt-in. The User may revoke this consent at any time by utilizing the prominent "unsubscribe" link or instructions provided within every commercial message, or via the application's privacy dashboard.

5. Data Sharing and Third-Party Disclosures

The Company strictly does not sell the User's personal information to data brokers or advertising networks. Information is disclosed solely under the following heavily regulated circumstances:

5.1 Vetted Service Providers, Payment Processors, and Third-Party Equal Protection: Data may be securely shared with vetted third-party infrastructure providers, cloud hosting services, and application distributors for payment processing. In strict compliance with Apple App Store Review Guideline 5.1.1(i), the Company confirms that any third party with whom the app shares user data—such as third-party AI services (e.g., OpenAI, Anthropic), analytics tools, advertising networks, third-party SDKs, as well as any parent, subsidiary, or other related entities that will have access to user data—will provide the same or equal protection of user data as stated in this Privacy Policy and required by the App Store Review Guidelines.

5.2 Law Enforcement and Legal Authorities: The Company may disclose personal information to law enforcement or regulatory authorities if legally compelled by a valid subpoena, warrant, court order, or to protect the vital safety and rights of the Company, its users, or the general public.

5.3 Corporate Transactions: The Company may transfer, disclose, or otherwise process personal information to potential transactional partners, advisors, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which the Company is acquired by or merged with another company, or in the event of a sale, liquidation, or transfer of all or a portion of its assets.

6. Data Retention Lifecycles and Memory Deletion

6.1 General Retention Schedules: The Company retains personal data only for as long as is strictly and legally necessary to fulfill the purposes outlined in this policy or to comply with overarching statutory retention obligations.

6.2 Unilateral Deletion of AI Memory and Account Data: The User has the fundamental right to access the accumulated "facts" stored within the artificial intelligence's memory matrix. The User may request a complete, irreversible purge of their entire user account directly within the application's account settings interface to erase their conversational memory. Upon initiating an account deletion request, the Company shall immediately execute automated deletion pipelines to permanently erase the account and all associated data from active production servers.

6.3 Exceptions to Data Deletion (Secure Backups): Following a formal deletion request by the User, specific information may be temporarily retained in secure backups or archives if such retention is strictly necessary for fraud prevention, internal analytics, or to satisfy overriding legal and statutory obligations.

7. International Data Transfers and Geopolitics

Perfy Group Ltd. is headquartered and domiciled in British Columbia, Canada. Information collected from the User will inevitably be transferred to, stored securely in, and processed within Canada and potentially other jurisdictions where the Company's service providers maintain server facilities. Under BC PIPA, the Company is permitted to transfer personal information outside of the province but remains legally accountable for ensuring that third-party service providers maintain reasonable security safeguards. For Users residing in the European Economic Area (EEA), the United Kingdom, or Switzerland, the Company legally relies upon the European Commission's Adequacy Decision regarding Canada's privacy framework. For transfers to jurisdictions lacking an adequacy decision, the Company employs highly secure Standard Contractual Clauses (SCCs).

8. User Rights and Specific Jurisdictional Provisions

Depending on the User's exact geographic location, applicable data protection law grants highly specific, legally enforceable rights concerning personal information:

8.1 Rights under GDPR (EEA/UK): The User possesses the right to access, rectify, or entirely erase personal data (the "Right to be Forgotten"). The User may also restrict algorithmic processing, object to automated profiling, and request machine-readable data portability.

8.2 Rights under CCPA/CPRA (California): California residents hold the right to know exactly what personal information is collected, the right to delete information, the right to explicitly opt-out of the sale or sharing of personal information, and the absolute right to non-discrimination for exercising any of these rights.

8.3 Rights under PIPEDA & BC PIPA (Canada): Canadian residents have the right to request comprehensive access to their personal information, legally challenge its accuracy, and file formal complaints regarding the Company's data handling practices.

8.4 Mechanisms for Exercising Rights: The User may seamlessly exercise any of the aforementioned rights by utilizing the in-app privacy center or by submitting a formal, legally binding request to the Company's designated Privacy Officer.

9. Data Security Operations and Cryptography

9.1 Security Measures: The Company implements robust, commercially reasonable, and industry-standard technical and organizational security measures to protect personal data against unauthorized access, malicious destruction, accidental loss, or unauthorized alteration. These sophisticated measures include military-grade encryption in transit (HTTPS/TLS 1.2+) and at rest (AES-256), strict role-based access controls for internal personnel, and regular third-party security audits.

9.2 Data Breach Notification: In the event of a security breach involving personal information that creates a real risk of significant harm to the User, the Company will notify the affected User and the Office of the Information and Privacy Commissioner of British Columbia (OIPC BC), as well as any other applicable regulatory authorities, in strict accordance with BC PIPA and PIPEDA mandatory breach reporting obligations.

10. Children's Privacy and Guardian Consent

The Company acknowledges that the Services may be utilized by individuals under the age of majority. However, recognizing that minors may lack the capacity to fully appreciate the complexities of artificial intelligence data processing, the Company strictly requires the explicit, meaningful consent of a parent or legal guardian prior to the collection, processing, or retention of a minor's personal information. This includes the capture of audio or persistent conversational memory. If the Company becomes aware that personal information has been collected from a minor without the verified, documented consent of a Guardian, the Company shall take immediate, automated steps to purge such information from its servers and terminate the associated account.

11. Policy Modifications and Notification

The Company may periodically update this Privacy Policy to reflect changes in global regulatory requirements, technological advancements, or internal operational practices. The Company will proactively notify the User of any material modifications through prominent application notifications or direct email correspondence.

12. Privacy Officer and Contact Information

In strict compliance with the British Columbia Personal Information Protection Act (PIPA), the Company has appointed a designated Privacy Officer accountable for the Company's compliance with these privacy principles. If the User has any questions, concerns, or requests regarding this Privacy Policy or the handling of personal data, they may contact the Privacy Officer at:

Right to Escalate: If the User is unsatisfied with the Company's response or handling of a privacy complaint, the User possesses the statutory right to escalate the complaint or seek a formal review from the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC).