Privacy Policy — RealMaster Discover

Contents

Scope & Controller
Information We Collect
How We Use Information
Legal Bases (GDPR)
How We Share Information
Data Retention
Security
Your Rights & Choices
DSAR Procedure
Children's Privacy (COPPA)
California Residents (CCPA/CPRA)
European Users (GDPR)
Canadian Users (PIPEDA)
International Transfers
Changes & Contact

1. Scope and Data Controller

This Privacy Policy describes how RealMaster Technology Inc., an Ontario, Canada corporation ("RealMaster", "we", "us", or "our"), collects, uses, discloses, and protects your personal information when you use the RealMaster Discover mobile application and related websites and services (collectively, the "Services").

For purposes of the EU/UK General Data Protection Regulation ("GDPR"), the data controller is RealMaster Technology Inc., with its principal place of business at 50 Acadia Avenue, Unit #130, Markham, Ontario L3R 0B3, Canada.

By using the Services, you acknowledge the practices described in this Policy. If you do not agree, please do not use the Services. This Policy should be read together with our Terms of Service, which governs your overall use of the Services.

2. Information We Collect

2.1 Information You Provide Directly

Category	Examples	Source
Account credentials	Email address, password (stored hashed with bcrypt), nickname	Registration
OAuth identifiers	Apple Sign In identifier (with email if shared), Google Sign In identifier and email	Apple / Google
Profile information	Display name, avatar image, optional bio	You
User-generated content	Video files, titles, descriptions, comments	You
Reports & feedback	Report content, recipient, your account ID; support tickets	You

2.2 Information Collected Automatically

Category	Examples
Device	Device type, OS version, app version, language & locale preferences
Usage	Videos viewed, watch time, search queries, interactions (likes, blocks, reports), session duration
Network	IP address, approximate region derived from IP (city-level at most; no precise GPS)
Diagnostics	Crash logs, performance metrics, error traces
Identifiers	Anonymous device identifier (used for fraud prevention and session continuity)

We do not use third-party advertising SDKs or web tracking cookies that share identifiers with advertising networks. We do not engage in cross-site or cross-app tracking for advertising purposes.

2.3 Information from Third Parties

Apple Sign In — a unique identifier and (if you share it) an email address;
Google Sign In — Google account ID, email address, and basic profile information you explicitly authorize;
Cloud and infrastructure providers — operational data necessary to deliver the Services on our behalf;
Crash and analytics providers — anonymized diagnostics, where deployed.

3. How We Use Your Information

To provide, maintain, secure, and improve the Services;
To authenticate you and secure your account against unauthorized access;
To deliver personalized content recommendations based on your viewing and interaction history;
To moderate user-generated content, respond to user reports, and enforce our Terms of Service and the law;
To send transactional emails (verification, password reset, security notices, report acknowledgments);
To detect, prevent, investigate, and respond to fraud, abuse, security incidents, and other harmful activity;
To comply with legal obligations and respond to lawful requests from public authorities;
To conduct analytics and research to understand how the Services are used and to improve them.

We do not sell your personal information. We do not share your personal information with third parties for their own direct marketing purposes.

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases:

Purpose	Legal Basis
Providing the Services you request (account, content delivery, support)	Performance of a contract (Art. 6(1)(b))
Sending transactional emails, fraud prevention, security, analytics, service improvement	Legitimate interests (Art. 6(1)(f))
Complying with legal obligations (e.g., responding to legal process)	Legal obligation (Art. 6(1)(c))
Where we ask for your explicit consent (e.g., optional features)	Consent (Art. 6(1)(a))

5. How We Share Your Information

We share information only as described below:

Service providers and processors — third-party vendors that perform services on our behalf, such as cloud hosting, email delivery, crash reporting, and analytics. These providers are bound by contractual obligations to use the information only for the purposes we direct, to protect its confidentiality, and to apply appropriate security measures.
With other users — your profile information and Your Content are visible to other users in accordance with the Services' functionality and your visibility settings.
Legal compliance and protection — where required by law, court order, subpoena, or other valid legal process; to enforce these Terms; or to protect the rights, property, or safety of RealMaster, our users, or others.
Business transfers — in connection with a merger, acquisition, financing, restructuring, or sale of assets, where information may be transferred as a business asset, subject to the surviving entity's commitment to honor this Policy.
With your consent — for any other disclosure to which you have consented.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes set out in this Policy. Specific retention practices:

Category	Retention
Active account data (profile, videos, interactions)	For the duration of your account
Deleted account — primary records (profile, avatar, videos, likes, favorites, blocked list)	Permanently removed from active systems immediately upon account deletion
Deleted account — account snapshot (see Section 6.1 below)	Retained for as long as necessary and legally permissible for safety, accountability, abuse prevention, and legal compliance purposes
Encrypted backups and cached copies	May persist for a reasonable period until overwritten in the ordinary course of system operation
Crash and performance logs	Up to 180 days, then purged in the ordinary course
Server access logs (with IP)	Up to 90 days
Report records (when you report another user)	Retained indefinitely as immutable safety-audit records. Each report is evidence of a past moderation event and is retained to preserve moderator appeal history, support law-enforcement and child-safety inquiries, prevent abuse-of-deletion patterns, and otherwise fulfil the legal and public-safety grounds set out in GDPR Article 17(3)(e)(f) and equivalent provisions. Deleting your account does not remove reports you have filed; the reporter reference becomes a non-reversible identifier pointing to a deleted account.
Information subject to legal process, litigation hold, or specific legal retention obligations	For the period required by applicable law or until the legal matter is resolved

6.1 Information Retained After Account Deletion

When you delete your account through the App (Me → Edit Profile → Delete Account), we will permanently and immediately remove the following data from our active systems:

your public profile page, avatar image, and other public-facing profile content, except for the limited account identifiers retained in the account snapshot described below;
all videos and thumbnails you have uploaded;
your likes, favorites, view history, and watch progress;
your blocked list;
your active sessions and authentication tokens (you will be logged out of all devices).

However, for the purposes of platform safety, abuse prevention, fraud detection, and compliance with legal obligations, we retain an account snapshot after deletion, for as long as necessary and legally permissible. This snapshot is stored in a separate, access-restricted system used only by our trust & safety, security, and legal teams. The snapshot includes:

your account identifier, email address, nickname, and (if previously linked) phone number;
third-party login associations (such as Google or Apple sign-in identifiers, where applicable);
account status flags (e.g., whether the account was suspended or restricted at the time of deletion);
login history records that were on the account at the time of deletion;
authentication and security records associated with the account at the time of deletion — for password-based accounts this includes the salted, irreversible password hash (we do not store passwords in plain text), and previously issued refresh-token identifiers — kept solely to support fraud investigations, defend against legal claims (for example, "this credential was stolen, not used by me"), and prevent reuse of compromised credentials on future accounts;
aggregate counts of how many videos you had uploaded and how many reports had been filed against your account at the time of deletion;
the time and reason of deletion (user-initiated or administrator action).

We retain this snapshot to: (a) prevent the same individual from circumventing prior safety enforcement actions by creating a new account; (b) respond to law enforcement requests, subpoenas, or court orders relating to past activity; (c) defend against legal claims; and (d) maintain the integrity of our moderation and reporting records. The snapshot is not used for advertising, profiling, marketing, AI or machine-learning training, or any unrelated commercial purpose, and is not shared with third parties except as described in Section 5 (legal compliance) or Section 13 (international transfers).

If you have specific questions about the snapshot retained for your deleted account, or wish to exercise rights provided under applicable law (such as the right to erasure under GDPR), please contact us at rmd.support@realmaster.com. We will assess each request in accordance with applicable law, including whether continued retention is necessary for legal obligations, the establishment, exercise, or defense of legal claims, fraud and abuse prevention, platform safety, or other permitted grounds.

7. Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction. These include encrypted transport (HTTPS/TLS), encryption of sensitive credentials at rest, role-based access controls, regular security reviews, and logging of administrative actions.

No system is perfectly secure. You are responsible for keeping your account credentials confidential and notifying us promptly at rmd.support@realmaster.com if you suspect unauthorized access. In the event of a personal data breach affecting your information, we will notify you and the relevant authorities as required by applicable law.

8. Your Rights and Choices

Subject to applicable law, you have the following rights regarding your personal information:

Access & portability: obtain a copy of the personal information we hold about you;
Correction: correct inaccurate or incomplete information (you can edit your profile in-app);
Deletion: request deletion of your personal information, including via in-app account deletion;
Restriction: ask us to restrict processing of your information in certain circumstances;
Objection: object to processing based on legitimate interests;
Withdraw consent: where processing is based on consent, withdraw it at any time;
Lodge a complaint: with your local data protection authority (see Section 12 for EU users).

You can exercise most of these rights directly within the App:

View and edit profile: Me → Edit Profile
Block users/content: tap ⋯ on any video or profile → Block
Manage blocked list: Me → Blocked List
Delete account: Me → Edit Profile → Delete Account (see Section 6.1 for which information is removed and which is retained for safety and compliance purposes)

9. Data Subject Access Request (DSAR) Procedure

To submit a formal request to access, correct, delete, or otherwise exercise rights over your personal information beyond what is available in-app, please email rmd.support@realmaster.com with the subject line "DSAR — [your request type]" and include:

your full name and the email address associated with your account;
a clear description of the right(s) you wish to exercise;
any additional information needed to verify your identity (we will only request what is necessary; we may decline to act on requests we cannot reasonably verify).

We will respond to verifiable requests within the timeframe required by applicable law (typically 30 days under GDPR, extendable by 60 days for complex requests; 45 days under CCPA, extendable by 45 days). We will not charge a fee for the first request in a 12-month period unless the request is manifestly unfounded or excessive.

10. Children's Privacy (COPPA)

The Services are not directed to children under 13 years old, and we do not knowingly collect personal information from children under 13 within the meaning of the United States Children's Online Privacy Protection Act ("COPPA"). If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly.

If you are a parent or legal guardian and believe your child under 13 has provided us with personal information, please contact rmd.support@realmaster.com and we will take prompt action to investigate and delete the information.

For users between the ages of 13 and the age of majority in their jurisdiction (typically 18 or 19), use of the Services should be supervised by a parent or legal guardian.

11. California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"):

Right to know what personal information we have collected, the sources of collection, the purposes of use, and the categories of third parties with whom we share it;
Right to delete your personal information, subject to certain exceptions;
Right to correct inaccurate personal information;
Right to opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information as those terms are defined under CCPA/CPRA, so this right is automatically honored;
Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that trigger this right;
Right to non-discrimination — we will not discriminate against you for exercising any of your rights.

To exercise these rights, follow the DSAR procedure in Section 9. Authorized agents may submit requests on your behalf with written authorization that we may verify.

Categories collected in the past 12 months are described in Section 2. Purposes of collection are described in Section 3. Categories of recipients are described in Section 5.

12. European, UK, and Swiss Users (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the legal bases for our processing are described in Section 4 and your rights are described in Section 8. You also have the right to lodge a complaint with your local supervisory authority (a list is available at edpb.europa.eu/about-edpb/board/members_en).

Where we transfer personal information outside the EEA / UK / Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms recognized under applicable law.

13. Canadian Users (PIPEDA)

If you are located in Canada, our processing of your personal information is subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy laws. You have the right to access and correct your personal information and to withdraw consent (subject to legal or contractual restrictions) by contacting rmd.support@realmaster.com. Complaints may be filed with the Office of the Privacy Commissioner of Canada (priv.gc.ca).

14. International Data Transfers

Your information may be stored and processed in countries outside your country of residence, including Canada and the United States. These countries may have data protection laws that differ from those of your country. By using the Services, you understand that your information will be transferred to and processed in these countries, subject to the safeguards described in this Policy.

15. Changes and Contact

15.1 Changes

We may update this Privacy Policy from time to time. For material changes we will use reasonable efforts to notify you in advance by in-app notice or email, ordinarily at least 30 days beforehand, except where a shorter notice period is necessary to address security, legal, regulatory, or operational concerns. The "Effective Date" at the top of this Policy indicates the latest revision. Continued use of the Services after the effective date constitutes acceptance.

15.2 Contact

For questions, requests, or concerns about this Privacy Policy or our data practices, please contact:

RealMaster Technology Inc.
Email: rmd.support@realmaster.com
Telephone: +1-647-931-3331
Mailing address: 50 Acadia Avenue, Unit #130, Markham, Ontario L3R 0B3, Canada