Privacy policy.

1. Introduction

Rostra Labs, Inc. ("Rostra Labs," "we," "us," or "our") operates the disconnectd mobile application (the "App") and the associated website located at disconnectd.com (the "Site"). Together, the App and the Site are referred to in this Privacy Policy as the "Services."

disconnectd is a social event-discovery platform that helps you find and attend events happening near you, connect with friends and others who share your interests, and — if you choose to become a host — create and promote your own events to the disconnectd community.

This Privacy Policy explains what personal information we collect when you use the Services, how we use and protect that information, with whom we share it, and the rights and choices you have with respect to your information. It also describes the specific architectural choices we have made to protect your privacy — including the way the Find Friends feature, where offered, processes your contacts on your device rather than transmitting them to our servers.

Please read this Privacy Policy carefully. By downloading or using the App, visiting the Site, or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.

1.1 Scope

This Privacy Policy applies to:

• The disconnectd mobile application available on iOS and Android;
• The disconnectd website at disconnectd.com; and
• Any other services, features, or content offered by Rostra Labs that link to or reference this Privacy Policy.

This Privacy Policy applies only to users located in the United States. We currently offer the Services exclusively to US residents. If you are accessing the Services from outside the United States, please do not do so, as we do not direct the Services to non-US users at this time.

1.2 Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes — meaning changes that significantly affect how we collect, use, or share your information — we will post the updated policy within the App and, where feasible, may send a push notification or SMS to the phone number associated with your account. The updated policy will be effective on the date stated at the top of this document.

Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must stop using the Services and may request deletion of your account as described in Section 10.

1.3 Policy Status, Discretion, and Reservation of Rights

This Privacy Policy describes our current practices for handling personal information in connection with the Services. It supplements, and does not replace, our Terms of Service and Event Content Policy. To the extent of any conflict between this Privacy Policy and the Terms of Service regarding contractual matters, the Terms of Service control. To the extent of any conflict regarding the collection, use, retention, or sharing of personal information, this Privacy Policy controls.

Rostra Labs may take, decline to take, or delay any action described in this Privacy Policy in our reasonable discretion based on the information available to us, the resources available to us, the requirements of applicable law, and the protection of the safety and security of our users and the Services.

Nothing in this Privacy Policy: (a) creates any contractual right, private cause of action, or third-party beneficiary right beyond those expressly granted in the Terms of Service or required by applicable law; (b) waives, limits, or modifies any defense, immunity, privilege, or safe harbor available to Rostra Labs, including under Section 230 of the Communications Decency Act, 47 U.S.C. § 230; (c) limits Rostra Labs' rights or remedies under the Terms of Service or applicable law; or (d) constitutes legal advice. Nothing in this Privacy Policy limits any rights you may have under applicable federal, state, or other privacy law.

2. Who We Are

The data controller responsible for your personal information is:

Rostra Labs, Inc.
A Delaware C Corporation
Privacy inquiries: privacy@disconnectd.com
Website: disconnectd.com

If you have questions about this Privacy Policy or your personal information, please contact us at privacy@disconnectd.com. We aim to acknowledge privacy inquiries promptly and to provide a substantive response within the timeframes required by applicable privacy law.

3. Information We Collect

We collect information in three ways: (a) information you provide to us directly; (b) information we collect automatically when you use the Services; and (c) information we receive from third parties, such as our service providers. We describe each category below.

3.1 Information You Provide Directly

3.1.1 Account and Identity Information

To create a disconnectd account, you provide your mobile phone number. We use your phone number to send you a one-time passcode ("OTP") for authentication via SMS. Beyond your phone number, you may choose to provide:

• A display name or username;
• A profile photograph;
• Your city or general location (for users who opt not to share precise location);
• A short personal bio; and
• Social links (e.g., a personal website).

Providing a profile photo and bio is optional. Your phone number is required to create and maintain your account.

3.1.2 Host Profile Information

If you choose to create a host profile to organize and publish events, you may additionally provide:

• A company or organization name;
• A business address or location;
• A company phone number;
• A business website URL; and
• A company or event-host bio.

Host profiles and the events you create as a host are publicly visible to all disconnectd members.

3.1.3 Event Content

When you create an event as a host, you provide:

• Event name, description, and category;
• Event date, time, and duration;
• Event location (address);
• Photographs and other media uploaded to the event listing;
• Ticket price or cost information (if applicable); and
• Any other details you choose to include in the event listing.

All event listings, including photos and descriptions, are publicly visible to all disconnectd members. By submitting event content, you grant Rostra Labs a non-exclusive, worldwide, royalty-free license to display, distribute, and promote that content within the Services.

3.1.4 User-Generated Activity

When you use the App, you generate information through your activity, including:

• RSVPs and attendance confirmations for events;
• Events you mark as interested in or saved;
• Follow relationships (accounts you follow and accounts that follow you);
• Invitations you send to other users; and
• Feedback or reports you submit about content or other users.

3.2 Information Collected Automatically

3.2.1 Location Data

Location data is central to the disconnectd experience. With your permission, we collect your device's precise GPS location to:

• Sort and display events near you;
• Calculate approximate distances between you and events (e.g., "1.2 miles away");
• Apply distance-based filters you set in the App; and
• Improve the relevance of the events and content surfaced in your feed.

We request "while using the app" location access only. We do not request background location access unless a future feature requires it, in which case we will seek your explicit permission at that time and update this Privacy Policy accordingly.

You can deny or revoke location permission at any time through your device's Settings. If you do so, the App will ask you to enter a city or zip code manually so we can continue to show you relevant events.

Your precise GPS coordinates are used to calculate distances and surface events. We do not display your precise coordinates to other users. When event listings show a distance (e.g., "1.2 miles away"), that figure is approximate and does not disclose your exact location.

3.2.2 Usage and Behavioral Data

We automatically collect information about how you interact with the Services, including:

• Events you view, tap on, or spend time viewing;
• Search terms you enter;
• Notifications you open or dismiss;
• Features you use and buttons you tap;
• Timestamps and session duration; and
• Scroll depth and content engagement patterns.

We use this behavioral data to rank events in your feed, personalize recommendations, and improve the product. This data is sent to Firebase Analytics (operated by Google LLC) in anonymized and aggregated form.

3.2.3 Device and Technical Data

We automatically collect certain technical information from your device, including:

• Device type, model, and manufacturer;
• Operating system type and version;
• App version;
• Unique device identifiers (e.g., device ID);
• IP address (used to infer approximate region);
• Crash logs and error reports; and
• Network type (Wi-Fi, cellular).

This information is used to diagnose technical problems, maintain the security of the Services, and improve performance.

3.2.4 Communications Data

When you log in to the App, an OTP is sent to your phone number via SMS using Google Firebase Authentication. We log that an SMS was sent and whether authentication succeeded. We do not read the content of any SMS messages you send or receive outside of the App through your device's native messaging application.

3.3 Contacts — On-Device Processing

The App includes a "Find Friends" feature and the ability to invite contacts to download disconnectd or to attend a specific event. To use these features, the App requests permission to access your device's contact list.

As the Find Friends feature is currently designed:

• Your contact list is accessed and read locally on your device.
• The App performs an on-device comparison to identify which of your contacts have phone numbers that match existing disconnectd accounts. This matching is performed on your device.
• The Find Friends feature does not transmit your raw phone-contact data — including raw or hashed phone numbers, names, or email addresses — to our servers or to a third-party server as part of the matching process.
• When you choose to send an invitation to a contact, that invitation is sent via your device's own native SMS application. We do not access your messaging app, and we do not log or store the recipient's phone number on our servers as part of that send.

The on-device design described above is an architectural choice we have made for the Find Friends feature as it operates today. If we materially change this design, we will update this Privacy Policy in accordance with Section 1.2 before doing so.

You may deny or revoke contacts permission at any time through your device's Settings app. Revoking contacts access disables Find Friends and the contacts-invite feature but does not affect your ability to use other features of the App.

3.4 Website (disconnectd.com)

The disconnectd website at disconnectd.com is primarily a read-only experience. Visitors can browse publicly listed events without creating an account. The Site does not support account creation, event creation, photo uploads, or other account-level actions — those features are available exclusively through the App.

When you visit the Site, we may collect standard web server log data, including your IP address, browser type, and the pages you visit. This information is used for security monitoring and aggregate analytics only. We do not use cookies for behavioral tracking or advertising on the Site at this time.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Providing and Operating the Services

• Authenticating your identity when you log in using SMS-based OTP;
• Creating and maintaining your account;
• Displaying a personalized feed of events near you, sorted by relevance (including distance, your social connections, and event popularity);
• Enabling RSVP, attendance tracking, and follow features;
• Powering the host dashboard so you can create, manage, and promote events;
• Enabling the Find Friends and invite-contacts features through on-device processing; and
• Delivering in-app notifications and push notifications about events, invitations, and updates.

4.2 Personalizing Your Experience

• Ranking events in your feed based on proximity, your social graph (who you follow, mutual connections, friends who are attending), and behavioral signals;
• Surfacing events and hosts you may be interested in based on your activity and attendance history; and
• Allowing you to set preferences (distance filters, age filters, date filters) that shape your discovery experience.

4.3 Analytics and Product Improvement

• Analyzing usage patterns through Firebase Analytics to understand which features are adopted and how users navigate the App;
• Diagnosing bugs, crashes, and performance issues; and
• Making data-informed decisions about future features and improvements.

Analytics data shared with Firebase is anonymized and aggregated to the extent practicable. We do not use Firebase to build individual advertising profiles.

4.4 Safety, Security, and Fraud Prevention

• Detecting, investigating, and preventing fraudulent accounts, fake events, spam, and other policy violations;
• Enforcing our Terms of Service and Community Guidelines;
• Protecting the safety of users and the public; and
• Maintaining the security and integrity of the Services.

4.5 Legal Compliance

• Complying with applicable federal and state laws and regulations;
• Responding to valid legal process (such as subpoenas or court orders) from law enforcement or regulatory authorities;
• Protecting and defending Rostra Labs' legal rights and interests; and
• Enforcing any agreements between you and Rostra Labs.

4.6 Future Use Cases (With Advance Notice)

We intend to introduce additional features in the future, including:

• In-app payments for hosts and attendees; and
• A promoted event placement ("boosted events") product that allows hosts to pay for increased visibility within the App.

Before we use your personal information for materially new purposes that would significantly expand the categories of data collected, the categories of recipients, or the purposes of processing described in this Privacy Policy, we will update this Privacy Policy in accordance with Section 1.2. We describe our current plans in more detail in Section 15; those plans are forward-looking statements only and do not create any commitment with respect to the timing, scope, or features of any future product.

5. Legal Basis for Processing

Although the United States does not currently have a single federal privacy law analogous to the GDPR, we believe in articulating a clear legal basis for each category of processing we perform. This section also prepares us for compliance with the growing number of US state comprehensive privacy laws.

5.1 Contract Performance

We process your account information, location data, authentication data, and usage data as necessary to perform the contract between you and Rostra Labs — namely, to provide you with the Services you signed up for. Without this processing, we cannot operate the App.

5.2 Legitimate Interests

We process certain data on the basis of our legitimate interests, which we have balanced against your privacy rights and interests:

• Analytics and product improvement (Firebase Analytics): our legitimate interest in understanding how the App is used and improving it;
• Security and fraud prevention: our legitimate interest in protecting users and the integrity of the platform; and
• Technical data: our legitimate interest in maintaining App performance and diagnosing issues.

5.3 Consent

Where we rely on your consent, we will request it explicitly through standard operating system permission prompts. You may withdraw your consent at any time. The categories of processing based on consent are:

• Precise location access (iOS and Android location permission);
• Contacts access (iOS and Android contacts permission); and
• Push notification delivery (iOS and Android notification permission).

Revoking any of these permissions through your device Settings will stop the relevant processing going forward, but will not affect any processing that already occurred prior to revocation.

5.4 Legal Obligation

We may process your information as required by applicable law, including in response to valid legal process from courts or regulatory authorities, and to comply with applicable state breach notification laws.

6. How We Share Your Information

We do not sell your personal information. We share your information only as described below.

6.1 Information That Is Publicly Visible by Design

Certain information is visible to all disconnectd members as part of the normal operation of a social event-discovery platform:

• Your display name and profile photo, which are visible when you follow other users, RSVP to events, or appear on the "People Interested" list for an event;
• Your follow relationships (accounts you follow and accounts that follow you), which are visible on your public profile;
• Your RSVP or attendance status for events, which may be visible to other users on that event's page; and
• All event listings created under your host profile, including photos, descriptions, and event locations.

Before submitting any content — including your profile name, photo, or event listing — please consider what information you are comfortable making publicly visible to all App users.

6.2 Service Providers

We share data with third-party companies that help us operate the Services. These companies act as our service providers and are contractually prohibited from using your data for any purpose other than providing services to us.

Google LLC / Firebase: We use Firebase Authentication for SMS-based login (OTP delivery), Firebase Analytics for usage analytics, Firebase Cloud Messaging (FCM) for push notification delivery, and Google Cloud Storage for storing profile photos and event photos. Google processes your data as a service provider under a Data Processing Agreement with Rostra Labs and Google's standard contractual terms. Google's privacy policy is available at policies.google.com/privacy.

Apple Inc. (Apple Push Notification Service — APNs): Apple delivers push notifications to iOS devices through APNs. We provide APNs only with the information necessary to route the notification to your device. Apple's handling of notification delivery is governed by Apple's privacy policy at apple.com/privacy.

6.3 Analytics Provider

We use Firebase Analytics (provided by Google LLC) to collect anonymized, aggregated usage data. Firebase Analytics does not receive your name, phone number, or other directly identifying information in a form that is linked to your identity for advertising purposes. You can learn more about how Google uses this data at google.com/policies/privacy/partners.

6.4 Law Enforcement and Legal Process

We may disclose your personal information to government authorities, law enforcement agencies, or other third parties when we believe in good faith that such disclosure is:

• Required by applicable law, regulation, or valid legal process (such as a subpoena, court order, or search warrant);
• Necessary to protect the safety, rights, or property of Rostra Labs, our users, or the public; or
• Necessary to detect, prevent, or address fraud, security, or technical issues.

Where we determine, in our reasonable discretion, that doing so is permitted by applicable law and is not prohibited by the legal process or by an applicable non-disclosure order, we may notify you of a legal request for your data before complying. We may, but are not required to, challenge or seek to narrow legal requests that we believe are overbroad, defective, or unauthorized.

6.5 Business Transfers

If Rostra Labs is involved in a merger, acquisition, reorganization, financing, sale of assets, or bankruptcy or similar proceeding, your personal information may be transferred or disclosed as part of that transaction or potential transaction. Where reasonably practicable and not prohibited by law or contract, we will provide notice through the App or by SMS before your personal information becomes subject to a materially different privacy policy as a result of such a transaction.

6.6 With Your Consent

We may share your information with other parties with your explicit consent, which we will request at the time of sharing.

6.7 Practices We Do Not Engage In

As of the effective date of this Privacy Policy:

• We do not sell your personal information, as "sell" is defined under applicable state privacy law (including the California Consumer Privacy Act, as amended by the CPRA);
• We do not share your personal information for cross-context behavioral advertising;
• The Find Friends feature, as currently designed, does not transmit your phone-contact data to our servers (see Section 3.3);
• We do not display your precise location to other users. Approximate distance information (for example, "1.2 miles away") may appear on a public event listing alongside your public RSVP; and
• We do not use your data for third-party advertising.

If we materially change any of these practices in the future, we will update this Privacy Policy in accordance with Section 1.2 and, where required by applicable law, provide any required opt-out mechanism before doing so.

7. Location Data — Additional Detail

Because location data is essential to disconnectd's core functionality, we want to provide additional transparency about how it is used.

7.1 What We Collect

With your permission, we collect your device's precise GPS coordinates while you are actively using the App. We use "while using the app" location access only. We do not access your location when the App is in the background unless you have explicitly enabled background location in your device settings and the App requests it for a specific reason, which we will disclose at the time.

7.2 How We Use Location

• To calculate the distance between you and available events;
• To populate your discovery feed with events within your selected radius;
• To show your approximate area to event hosts for aggregate attendance planning purposes (e.g., "most RSVPs are coming from within 5 miles"); and
• To improve the relevance scoring algorithm that determines which events appear at the top of your feed.

7.3 Storage and Retention

We store an approximate location associated with your account (typically at the city or zip-code level rather than precise GPS coordinates) so that we can continue populating your feed when the App loads. The Services are designed so that precise GPS coordinates are processed primarily in memory at request time to calculate distances, rather than being retained as part of your long-term account profile. Transient or operational records (for example, server logs, performance traces, and security telemetry) may incidentally reflect coordinate data and are subject to the retention controls described in Section 9.5.

7.4 Sharing

We do not share your precise location with other users, hosts, or third parties. Approximate distance information (e.g., "1.2 miles away") may be displayed to other users alongside your RSVP on a public event listing, but this does not disclose your precise location.

7.5 Your Choices

You can deny or revoke location permission at any time in your device's Settings app under Privacy & Security > Location Services. If you revoke location access, the App will prompt you to enter a city or zip code so it can continue showing you relevant events.

8. Children's Privacy

8.1 Minimum Age

The Services are intended only for users who are 18 years of age or older, consistent with our Terms of Service. We do not knowingly permit anyone under the age of 18 to create an account or use the Services. By creating an account, you represent and warrant that you are at least 18 years of age.

8.2 Age Confirmation at Sign-Up

During account registration, you are required to confirm that you are 18 years of age or older. If we determine, or have reason to believe, that an account holder is under 18, we may suspend or terminate the account, restrict its access to the Services, and take steps to remove associated personal information consistent with this Privacy Policy and applicable law.

8.3 COPPA Compliance and Children Under 13

The Services are not directed to children under 13 and may not be used by anyone under 13. The Children's Online Privacy Protection Act ("COPPA") prohibits operators of online services from knowingly collecting personal information from children under 13 without verifiable parental consent. We comply with COPPA as follows:

• We do not knowingly collect personal information from children under 13;
• If we discover that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information and the associated account consistent with COPPA and other applicable laws; and
• Parents or guardians who believe their child under 13 has created an account on the Services may contact us at privacy@disconnectd.com. We aim to acknowledge such inquiries promptly and to take action consistent with applicable law.

9. Data Retention

9.1 Active Accounts

We retain your personal information for as long as your account is active. We also retain certain data for a reasonable period after you stop actively using the Services to allow for account reactivation and to fulfill the purposes described in this Privacy Policy.

9.2 Deleted Accounts

When you request account deletion, we aim to delete or de-identify your personal information within forty-five (45) days of receiving and verifying your request, or within any shorter period required by applicable law. You may request account deletion at any time from within the App's account settings (see Section 10).

The following categories of data may be retained beyond that window:

• Data required to comply with a legal obligation (for example, records subject to a litigation hold, subpoena, regulatory inquiry, tax-record retention requirement, or law-enforcement preservation request);
• Data needed to establish, exercise, or defend legal claims, or to detect or prevent fraud, security incidents, abuse, or policy violations;
• Residual copies that persist in backup, archive, disaster-recovery, or audit-log systems until those systems are overwritten or rotated in the ordinary course; and
• Aggregated or de-identified data that cannot reasonably be linked back to you.

9.3 User-Generated Content

When you delete your account, we will take reasonable steps to remove your profile, follow relationships, and personal data. However:

• Event listings you created as a host may remain visible in a de-identified or anonymized form where other users have interacted with those events (for example, RSVPed or saved them), as removing the listing entirely could affect those users' records;
• Photos and other media you uploaded may be removed from active display, while residual copies may persist in backup, archive, or disaster-recovery storage until those systems are overwritten or rotated in the ordinary course; and
• Content that has already been redistributed or copied by other users prior to deletion may persist outside our control.

9.4 Analytics Data

Anonymized and aggregated analytics data — data that cannot reasonably be used to identify you as an individual — may be retained indefinitely as it is not personal information.

9.5 Technical Logs

Server logs, authentication logs, and crash reports are retained for a maximum of ninety (90) days for security monitoring and debugging purposes, after which they are automatically deleted.

10. Your Rights and Choices

Rostra Labs provides you with meaningful controls over your personal information. Depending on your state of residence, you may also have specific legal rights under applicable state privacy laws (see Section 14).

10.1 Access

You may request a copy of the personal information we hold about you by contacting us at privacy@disconnectd.com. We aim to provide your data in a commonly used, machine-readable format within the timeframe required by applicable law (typically forty-five (45) days under the CCPA, extendable by an additional forty-five (45) days where permitted by law). Before providing access, we will take reasonable steps to verify your identity and may decline or limit a request to the extent permitted or required by applicable law.

10.2 Correction

You can update your profile information — including your display name, photo, bio, and host profile details — at any time from within the App's profile settings. If you are unable to correct certain information through the App, contact us at privacy@disconnectd.com and we will assist you.

10.3 Account Deletion and Data Erasure

You may request the deletion of your account and the erasure of your personal information at any time. Account deletion is available directly from within the App:

• Open the App;
• Navigate to your Profile;
• Tap "Settings" (or the gear icon);
• Select "Account"; and
• Tap "Delete Account" and confirm your request.

You may also request deletion by emailing privacy@disconnectd.com. We aim to process verified deletion requests within forty-five (45) days, or within any shorter period required by applicable law, subject to the exceptions described in Section 9.2.

Apple App Store guidelines require that any app supporting account creation must provide users with a clear and accessible in-app mechanism to delete their account. The in-app deletion flow described above satisfies this requirement.

10.4 Notification Preferences

You can manage the types of push notifications you receive from within the App's notification settings. You can also disable all push notifications for disconnectd at any time through your device's Settings app under Notifications.

10.5 Location Permission

You can revoke location access at any time through your device's Settings app (Privacy & Security > Location Services > disconnectd). Revoking location access will not delete your account but will limit certain location-based features.

10.6 Contacts Permission

You can revoke contacts access at any time through your device's Settings app (Privacy & Security > Contacts > disconnectd). Revoking contacts access will disable the Find Friends and invite-contacts features but will have no effect on any other App functionality.

10.7 Do Not Sell or Share My Personal Information

We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, a formal "Do Not Sell or Share" opt-out mechanism is not currently required. If we introduce an advertising product in the future that would constitute "selling" or "sharing" under applicable law (including the California Consumer Privacy Act as amended by the CPRA), we will implement the required opt-out mechanism and update this Privacy Policy before doing so.

10.8 Exercising Your Rights

To exercise any of the rights described in this Section, please contact us at privacy@disconnectd.com or use the in-app settings. We may ask you to verify your identity (typically by confirming the phone number associated with your account) before fulfilling certain requests.

We will not discriminate against you for exercising any of your privacy rights. We will not deny you access to Services, charge you different prices, or provide you with a lower quality of service because you exercised a right described in this Privacy Policy.

11. Push Notifications and Communications

11.1 Types of Notifications

We may send you the following types of communications:

• Authentication SMS: A one-time passcode sent via SMS when you log in. This is a transactional message required to use the Services and is not subject to marketing opt-out requirements.
• Event reminders: Push notifications reminding you of upcoming events you have RSVP'd to.
• Invitations: Push notifications when a friend or connection invites you to an event.
• Follow alerts: Notifications when a new user follows you.
• Event updates: Notifications when an event you have RSVP'd to is updated, cancelled, or rescheduled by the host.
• Discovery alerts: Notifications about new events near you that match your preferences and interests (can be disabled individually).

11.2 Opt-In Requirement

iOS and Android both require your explicit permission before we can send you push notifications. We will request this permission at an appropriate point in your use of the App. You are not required to grant notification permission to use the core features of the App.

11.3 Managing Notifications

You can manage individual notification categories within the App's Settings > Notifications screen. You can also disable all push notifications for disconnectd at the OS level through your device's Settings app.

11.4 Future Marketing Communications

We do not currently send marketing emails or promotional SMS messages. If we introduce such communications in the future, we will first obtain your explicit consent (separate from the transactional SMS opt-in) and will provide a clear and easy opt-out mechanism in compliance with the CAN-SPAM Act (for email) and the Telephone Consumer Protection Act, or "TCPA" (for SMS).

12. Data Security

12.1 Our Security Practices

We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, loss, or destruction. As of the effective date of this Privacy Policy, those measures generally include:

• Encryption in transit between your device and our servers using current industry-standard transport-layer encryption;
• Encryption at rest of stored personal data and photos using cloud-provider default encryption that meets generally accepted industry standards;
• Role-based access controls that limit access to personal information to Rostra Labs personnel and contractors with a legitimate need to access it for purposes described in this Privacy Policy;
• Phone-based one-time-passcode authentication as a factor at login;
• Cloud-storage access controls intended to prevent unauthorized public access to stored profile and event photos; and
• Periodic review of our data and security practices.

The specific tools, providers, configurations, and protocols we use evolve as security best practices change. References above to current measures are descriptive, not contractual commitments to any particular tool, provider, version, or configuration.

12.2 Breach Notification

If a security incident affecting your personal information triggers a notification obligation under applicable federal or state law, we will provide notice in the manner and within the timeframes required by that law. Notice will typically be provided through in-app notification or SMS to the phone number associated with your account, or through any other method required by the applicable statute. Investigation and notification timing depends on the nature of the incident, the requirements of applicable law, and our duty not to impede a law-enforcement investigation. We do not guarantee any specific timeframe for breach notification beyond what applicable law requires.

12.3 Limitations

No method of data transmission over the internet and no method of electronic storage is completely secure. While we strive to protect your personal information using the measures described above, we cannot guarantee absolute security. You are responsible for maintaining the security of your device and your phone number. If you believe your account has been compromised, please contact us immediately at privacy@disconnectd.com.

13. Third-Party Services and Links

13.1 Our Third-Party Partners

We currently use the following third-party services in connection with the App:

Google LLC / Firebase: Firebase Authentication (SMS OTP), Firebase Analytics (usage analytics), Firebase Cloud Messaging (push notifications), and Google Cloud Storage (photo storage). All governed by Google's privacy policy and our Data Processing Agreement with Google.

Apple Inc. (APNs): Apple Push Notification Service for iOS push notification delivery. Governed by Apple's privacy policy.

13.2 No Third-Party Advertising SDKs

The Services do not currently include any third-party advertising SDKs, ad networks, tracking pixels, or data broker integrations. We will update this Privacy Policy before adding any such technology.

13.3 Event Host External Links

Event listings created by hosts may include links to external websites (e.g., a venue website, a ticketing platform, or a host's social media page). When you click on such a link, you will leave the disconnectd App or Site and be subject to the privacy policy of the destination website. We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal information.

13.4 App Store Platforms

The App is distributed through the Apple App Store and the Google Play Store. When you download the App, your interactions with those platforms are subject to Apple's and Google's respective privacy policies. We do not control the data those platforms may collect in connection with App distribution.

14. State-Specific Privacy Rights

Various US states have enacted comprehensive consumer privacy laws that provide residents of those states with specific rights regarding their personal information. This Section describes those rights and how to exercise them.

14.1 California Residents — CCPA/CPRA

California residents have the following rights under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"):

Right to Know. You have the right to request that we disclose: (a) the categories of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) our business or commercial purpose for collecting it; (d) the categories of third parties with whom we share it; and (e) the specific pieces of personal information we have collected about you.

Right to Delete. You have the right to request that we delete personal information we have collected about you, subject to certain exceptions (e.g., information needed to complete a transaction, detect security incidents, or comply with legal obligations).

Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Opt Out of Sale/Sharing. You have the right to opt out of the "sale" of your personal information and the "sharing" of your personal information for cross-context behavioral advertising. We do not currently sell or share personal information in these ways.

Right to Limit Use of Sensitive Personal Information. Precise geolocation data is classified as "sensitive personal information" under the CPRA. You have the right to limit our use of your precise location to those uses permitted under California Civil Code § 1798.121 and its implementing regulations. We use your precise location to calculate event distances, populate your discovery feed, and provide other location-based features of the App. We rely on the statutory exception for uses that are reasonably necessary to perform the Services and proportionate to that purpose; you may contact us at privacy@disconnectd.com if you believe a particular use exceeds that scope.

Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at privacy@disconnectd.com or use the in-app account settings. We will take reasonable steps to verify your identity before processing your request and will respond within the timeframes required by the CCPA (typically forty-five (45) days, extendable by an additional forty-five (45) days where permitted, with notice). We may decline or limit a request to the extent permitted or required by law.

California residents who are dissatisfied with our response may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

14.2 Virginia, Colorado, Connecticut, Texas, and Other States

Multiple US states have enacted or are in the process of enacting comprehensive consumer data privacy laws, including Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA), among others. While the specific details of each law vary, these laws generally provide residents with rights similar to those described above for California residents, including rights to access, correct, delete, and opt out of certain uses of their personal information.

If you are a resident of a state with a comprehensive privacy law and wish to exercise any rights provided to you under that law, please contact us at privacy@disconnectd.com. We will review your request and respond in accordance with applicable law.

14.3 Nevada

Nevada residents may opt out of the sale of personal information under Nevada law. As noted above, we do not sell personal information. Nevada residents who have questions about this may contact us at privacy@disconnectd.com.

14.4 Submitting a Privacy Rights Request

To submit a privacy rights request under any applicable state law:

• Email privacy@disconnectd.com with the subject line "Privacy Rights Request" (the link prefills it);
• State your state of residence and the right(s) you wish to exercise; and
• Provide the phone number associated with your disconnectd account so we can verify your identity.

We aim to acknowledge requests promptly and to respond substantively within the timeframes required by applicable state privacy law (typically forty-five (45) days, extendable as permitted by that law). We may decline or limit a request to the extent permitted or required by law and may require reasonable identity verification before processing it.

15. Future Features: Payments and Advertising

This Section describes features we are currently exploring so that you are not surprised when they arrive. The following statements are forward-looking and describe our current plans only. They do not create any commitment, contractual or otherwise, with respect to the timing, scope, design, or features of any future product. We may change, delay, or decline to launch any of these features at any time and in our sole discretion.

15.1 In-App Payments

We currently expect to introduce in-app payments in a future version of disconnectd. Such payments could include fees for hosts to create or promote events and fees for users to purchase tickets to events through the App.

If and when we introduce payment functionality, we currently expect to:

• Use a third-party payment processor (such as Stripe) so that raw payment-card data is handled by that processor, subject to its PCI-DSS obligations, rather than stored on our own servers;
• Update this Privacy Policy to disclose what financial data is collected, by whom, and for what purpose;
• Provide reasonable advance notice before the feature launches; and
• Update the App Store and Google Play Data Safety disclosures accordingly.

15.2 Promoted Events (In-App Advertising)

We currently expect to introduce a "boosted events" feature that allows hosts to pay for increased visibility of their event listings within the App. If introduced, boosted event listings may receive priority placement in other users' discovery feeds.

If and when we introduce this feature, we currently expect to:

• Label boosted event listings so users can distinguish them from organically ranked events;
• Disclose, in this Privacy Policy or a successor policy, the categories of data used to determine which users see a boosted event;
• Provide users with any opt-out, opt-in, or other choice mechanism required by applicable law; and
• Update this Privacy Policy and the App Store and Google Play Data Safety disclosures before launching the feature.

As of the effective date of this Privacy Policy, we do not serve third-party advertisements, use third-party advertising SDKs, or share your data with ad networks, and we do not engage in cross-app tracking or behavioral advertising across other applications or websites. Any future advertising-related data use will be governed by the version of this Privacy Policy in effect at that time.

16. App Store–Specific Disclosures

16.1 Apple App Store

In accordance with Apple's App Privacy requirements, the App's App Store listing includes a Privacy Nutrition Label that summarizes the categories of data the App collects and how they are used. The Nutrition Label is intended to be consistent with this Privacy Policy; in the event of any inconsistency between a summary in the Nutrition Label and the more detailed descriptions in this Privacy Policy, this Privacy Policy controls. Current declarations generally include:

• Data Used to Track You: we do not currently engage in cross-app tracking as defined by Apple's App Tracking Transparency ("ATT") framework;
• Data Linked to You: phone number (account authentication); location data (app functionality); photos (user-generated content); and usage data (analytics); and
• Data Not Linked to You: device identifiers and crash data used in aggregated form for analytics.

Because we do not currently engage in cross-app tracking, we do not currently present the ATT prompt to request tracking permission. If we change this practice in the future, we will update this Privacy Policy and the Nutrition Label and present any required prompt before doing so.

16.2 Google Play Store

In compliance with Google's Data Safety requirements, the App's Google Play listing includes a Data Safety section that discloses the categories of data the App collects, how data is used, and whether data is shared with third parties. The disclosures in the Data Safety section are consistent with this Privacy Policy. We commit to keeping the Data Safety section updated whenever our data practices change.

17. Contact Information and How to Reach Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your privacy rights, please contact us:

Rostra Labs, Inc. — Privacy Team
Email: privacy@disconnectd.com
Subject line: Privacy Inquiry or Privacy Rights Request

We aim to acknowledge inquiries promptly and to provide a substantive response to verified privacy rights requests within the timeframes required by applicable privacy law (typically forty-five (45) days, extendable by an additional forty-five (45) days where permitted by law, with notice). We may decline or limit a request to the extent permitted or required by law and may require reasonable identity verification before processing it.

If you are not satisfied with our response to your inquiry or request, you may contact the relevant state regulatory authority. California residents may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov. Residents of other states may contact their state Attorney General's office.

18. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Delaware, without giving effect to any principles of conflict of laws. Rostra Labs, Inc. is incorporated in the State of Delaware.

This Privacy Policy does not create any contractual rights between you and Rostra Labs beyond those set forth in our Terms of Service. Nothing in this Privacy Policy limits any non-waivable rights you may have under applicable federal or state law.

19. Construction and Limitations

19.1 No Private Right of Action

Except where applicable privacy law expressly grants you a private right of action that may not be waived by contract, this Privacy Policy does not create, and is not intended to create, any private right of action, contractual claim, or third-party beneficiary right against Rostra Labs, its affiliates, officers, directors, employees, contractors, agents, licensors, or service providers.

19.2 Safe Harbors and Defenses Preserved

Nothing in this Privacy Policy waives, limits, alters, or constitutes a contractual modification of any defense, immunity, privilege, or safe harbor available to Rostra Labs or its affiliates, including:

• Section 230 of the Communications Decency Act, 47 U.S.C. § 230, with respect to content posted by users or third parties;
• The notice-and-takedown safe harbor of the Digital Millennium Copyright Act, 17 U.S.C. § 512;
• Statutory exceptions, exemptions, and affirmative defenses under federal or state privacy law (including the CCPA/CPRA and similar state statutes); and
• Any common-law defense, including statute of limitations, laches, waiver, estoppel, or election of remedies.

19.3 No Duty to Monitor; Discretion to Act

Rostra Labs has no general duty to monitor users, content, or activity on the Services. Statements in this Privacy Policy describing how we may handle, retain, delete, restrict, or share information describe practices we may follow in our reasonable discretion based on the information available to us, the resources available to us, and the requirements of applicable law. The fact that we may take a particular action in one circumstance does not obligate us to take the same action in another. We do not waive the right to enforce any policy, term, or right by failing to enforce it on a given occasion.

19.4 No Legal Advice; Forward-Looking Statements

This Privacy Policy is provided for informational purposes and does not constitute legal advice. Statements about features, integrations, partners, jurisdictions, or capabilities that we expect to introduce or change are forward-looking and reflect our current intent only. They do not create a contractual commitment to deliver any particular feature, capability, integration, timeline, or design.

19.5 Severability and Survival

If any provision of this Privacy Policy is held invalid, illegal, or unenforceable by a court or arbitrator of competent jurisdiction, that provision will be enforced to the maximum extent permissible and the remaining provisions will continue in full force and effect. Provisions that by their nature should survive termination of your account or your use of the Services — including the data-retention exceptions in Section 9, identity-verification provisions in Section 10, and this Section 19 — will so survive.

19.6 Amendment and Interpretation

Rostra Labs reserves the right to amend, restate, or replace this Privacy Policy at any time in accordance with Section 1.2. Section headings are for convenience only and do not affect interpretation. The terms "include," "including," and similar terms are illustrative and not limiting. Translations of this Privacy Policy may be provided for convenience; in the event of any conflict between an English-language version and a translation, the English-language version controls.

20. Definitions

For clarity, the following terms used in this Privacy Policy have the meanings set forth below:

"App" means the disconnectd mobile application available for iOS and Android.

"CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

"COPPA" means the Children's Online Privacy Protection Act of 1998 and the rules promulgated thereunder by the Federal Trade Commission.

"Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular individual or household.

"Rostra Labs," "we," "us," or "our" means Rostra Labs, Inc., a Delaware corporation.

"Services" means the App, the Site (disconnectd.com), and any other products, features, or services offered by Rostra Labs that reference this Privacy Policy.

"Site" means the disconnectd website at disconnectd.com.

"You" or "User" means any individual who accesses or uses the Services.

---

disconnectd — Privacy Policy
Rostra Labs, Inc. | disconnectd.com | privacy@disconnectd.com
© 2026 Rostra Labs, Inc. All rights reserved.