Privacy Policy
1. Introduction & Scope
1.1. This Privacy Policy (“Policy”) explains how Fos SM Ltd (“FOS Social,” “we,” “our,” or “us”) collects, uses, shares, and safeguards information about users of the FOS Social platform, including our official website fossocial.com, our web app fos.social, mobile applications, creator tools, payment and wallet features, Picks, Referral, Premium+, and Exclusive Content programs (together, the “Platform”).
1.2. This Policy applies globally, but certain rights and obligations vary depending on your location. In particular, we provide additional disclosures and rights under:
United Kingdom and European Union law, including the UK GDPR and EU GDPR;
United States state laws, including the California Consumer Privacy Act as amended (CCPA/CPRA) and equivalent state frameworks;
Canada (PIPEDA);
Singapore (PDPA-SG).
Any other jurisdiction that may apply to our platform.
1.3. This Policy should be read together with our Terms of Service, Cookie Policy, Community Guidelines, Subscription & Payment Policy, Referral & Rewards Policy, and any other policy incorporated, which collectively govern use of the Platform.
1.4. This Policy does not create rights beyond those set out in applicable law or contract. In the event of conflict, applicable law controls.
2. Who We Are & How to Contact Us
2.1. The Platform is operated by Fos SM Ltd, a company incorporated in England and Wales (company number 14956960) with its registered address at 71–75 Shelton Street, London, WC2H 9JQ.
2.2. For general questions, concerns, or rights requests, you may contact us at:
Support: support@fossocial.com
Abuse/Misconduct: abuse@fossocial.com
Copyright/DMCA: copyright@fossocial.com
Security: security@fossocial.com
2.3. Notices by post may be sent to our registered address above.
3. DPO and Regional Representatives
3.1. Where required by law, we will appoint a Data Protection Officer (DPO), an EU representative, and a UK representative to act on our behalf. Their details will be published in updated versions of this Policy once appointed.
3.2. Until then, you may contact us directly at support@fossocial.com for privacy matters, and we will respond in line with applicable legal timelines.
4. Key Definitions
For clarity in this Policy:
4.1. “Personal Data” or “Personal Information” means any information relating to an identified or identifiable individual, as defined under GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and PDPA-SG.
4.2. “Sensitive Personal Data” means information that receives special protection under law, including biometric identifiers, government ID, payment credentials, or information about minors.
4.3. “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
4.4. “Sell” and “Share” follow the meanings in CPRA (California) and include cross-context behavioral advertising, even if no money changes hands.
4.5. “User” means any individual or entity who accesses or uses the Platform, whether as a Creator or a Subscriber.
4.6. “Sponsor” means a third party that directly engages a Creator to support or promote that Creator’s Content on the Platform.
4.7. “Sponsorship” means an arrangement between a Sponsor and a Creator under which the Sponsor funds, supports, or promotes the Creator or specific Content.
4.8. “Sponsor Placement” means any badge, label, panel, or message indicating a Sponsorship in connection with a Creator or their Content (for example, “Sponsored by …”).
4.9. “Sponsorship Measurement Data” means aggregated or de-identified engagement statistics related to a Sponsor Placement (for example, total impressions, views, click-through counts, geographic distribution at country/region level).
5. How We Obtain Data
5.1. Directly from you: when you register, create or update your account, upload content, participate in Picks or Referrals, subscribe, make payments, or contact us.
5.2. Automatically: when you use the Platform, through cookies, SDKs, logs, approximate location, and analytics.
5.3. From third parties: such as payment service providers, identity vendors, app stores, marketing contractors, and Sponsors who supply creative materials or brand safety instructions for Sponsor Placements.
5.4. From other users: for example, when they tag you, invite you via referral, or submit a report about your content or conduct.
5.5. By inference: we may derive limited preferences or audience insights from your interactions, but we do not create sensitive inferences (such as political opinions) without your consent where required by law.
6. Categories of Data We Collect
Depending on how you use the Platform, we may collect:
6.1. Identifiers: name, username, email, date of birth, device IDs, and account credentials.
6.2. Profile & Content: uploaded posts, videos, audio, images, livestreams, stories, picks, and other user-generated content.
6.3. Government ID & Biometrics (collection): We may request government ID and, only with your explicit, informed consent, biometric identifiers (e.g., facial biometric templates used for liveness/face-match) solely for eligibility checks, KYC/AML, fraud prevention, sanctions screening, or payout compliance. A non-biometric verification route is always available (e.g., enhanced document/manual review, additional non-biometric checks), although it may be slower.
6.4. Payment & Transaction Data: subscription records, wallet balances, referral rewards, purchases, and metadata from payment service providers.
6.5. Device & Usage Data: log files, IP addresses, browser types, operating systems, in-app actions, and crash reports.
6.6. Moderation & Safety Data: reports, classification labels, risk scores, sanctions, and appeal records.
6.7. Marketing & Preferences: opt-ins/opt-outs, cookie consents, advertising preferences, and in-app notification choices.
6.8. Sensitive Data (limited): biometric verification and government ID for compliance, never used for advertising.
7. Children & Teens
7.1. Minimum age and rationale. The Platform is designed for older teens and adults and is not available to children under 17. We apply this higher minimum age as a safety measure due to the Platform’s monetisation, community-interaction, and user-generated content features.
7.2. Teens (age 17). Users aged 17 may register but cannot view Sensitive Content or use any payment, payout, referral, or monetisation features until successful age and identity verification. Teen accounts default to stricter privacy and safety settings.
7.3. Parental rights. Parents/guardians may request deletion of a minor’s data by contacting support@fossocial.com from a verifiable email and providing documentation sufficient to establish parental relationship.
7.4. Legal compliance. We implement age-appropriate measures and comply with applicable laws for youth privacy and consent (including COPPA in the US and GDPR/UK child-consent rules in the EU/UK and equivalent local frameworks).
7.5. Erroneous sign-ups. If we learn that an account under 17 was created without required consent or verification, we will suspend the account and its processing, delete personal data as required, and restrict re-registration until eligibility is demonstrated.
7.6. Sponsor Placements and youth protections. We do not show Sponsor Placements to unverified minors, and we apply category restrictions (for example, alcohol, nicotine, adult services, weapons, high-risk finance) so that such categories are never shown to minors or alongside Sensitive Content.
8. Purposes of Processing
We use Personal Data for the following purposes, depending on your role and activity on the Platform:
8.1. Account creation and management – to register users, verify eligibility, and provide account services.
8.2. Content hosting and discovery – to store, display, distribute, and recommend user-generated content.
8.3. Monetisation and payouts – to process subscriptions, Picks, referrals, and Exclusive Content rewards.
8.4. Safety and moderation – to detect, investigate, and act on illegal, harmful, or policy-violating content or conduct.
8.5. Payments and fraud prevention – to work with payment service providers and identity vendors to protect against fraud, money laundering, or sanctions risks.
8.6. Marketing and user engagement – to deliver ads, promotions, and platform communications, subject to your settings and applicable consent rules.
8.6A. Creator-led Sponsorship & contextual placements. We support Sponsor Placements that are tied to a specific Creator or piece of Content. We use contextual signals (for example, the page or Creator you are viewing, your general app activity with that Creator, language/locale, and device type) to show and measure those placements. We do not use cross-site tracking or build advertising profiles for Sponsor Placements. Where local law requires, any cookies/SDKs used for measurement will run only with your consent (see Sections 9 and 14).
8.7. Analytics and service improvement – to measure engagement, fix bugs, optimize features, and develop new programs.
8.8. Legal and compliance – to comply with tax, financial, regulatory, child-safety, and law-enforcement obligations.
8.9. Supplemental Data Modules
Certain features (such as identity verification, advanced moderation tools, or optional AI/model training features) involve additional processing beyond the core service:
– Separate consent/objection: We will seek your explicit consent (or give you a right to object) for these uses where required by law.
– No forced consent: Refusing does not prevent you from accessing the core Platform.
– Opt-out: You will have a clear, accessible method to object or withdraw consent.
– Use limitation: Data collected under this module will only be used for the stated feature.
– Retention/audit: Data is retained for the minimum necessary period, with access logging and audit trails.
8.10. Safety & Moderation Balancing Test
When processing Personal Data for safety, moderation, or abuse prevention, we apply a proportionality test:
– severity/likelihood of harm if not processed;
– intrusiveness of the data collected;
– user expectations;
– safeguards in place.
If a less intrusive method can achieve the same result, we will prefer it. Automated moderation may be subject to human review where required by law.
8.11. Automated decisions. Where we use automated decision-making that produces legal or similarly significant effects, we will ensure you can obtain meaningful information about the logic involved and request human review where required by law.
9. Legal Bases (Where Required)
Where data protection laws require a lawful basis for processing, we rely on:
9.1. Performance of a contract – where processing is necessary to provide the Platform (e.g., account, subscriptions, payouts).
9.2. Legitimate interests – including fraud prevention, analytics, network security, content safety, contextual Sponsor Placements tied to a Creator or Content you view, and marketing of similar services, balanced against your rights.
9.3. Consent – for optional uses such as targeted advertising, cookies requiring opt-in (EU/UK), or biometric checks where mandated.
9.4. Legal obligation – to comply with tax, AML, sanctions, child-protection, and other regulatory duties.
9.5. Vital interests – rarely, to protect someone’s safety (e.g., imminent threats reported on-platform).
9.6. Consent (Sponsor measurement where required). In the EU/UK and other consent jurisdictions, any non-essential cookies/SDKs used to measure Sponsor Placements run only with your opt-in consent via our Cookie banner/Privacy Center.
10. International Transfers
10.1. As a global service, we may transfer your Personal Data outside your country of residence, including to the United States, European Union, United Kingdom, and Singapore.
10.2. Where required, we implement appropriate safeguards, including: (i) Standard Contractual Clauses (SCCs) and UK IDTA/Addenda; (ii) transfer impact assessments; and (iii) supplementary measures such as encryption, strict access controls, and data minimisation.
10.3. You may request a summary of our transfer safeguards (including SCCs) by contacting support@fossocial.com. We will provide information to the extent permitted by law and confidentiality. International transfers are essential to operate and support the Platform globally.
11. Data Sharing & Recipients
We may share your data with:
11.1. Service providers and sub-processors – including AWS (hosting), Stripe (payments), email providers, analytics providers, and identity verification vendors.
11.2. Other users – to the extent you choose to make your content, profile, or interactions public.
11.3. Business partners – for Picks, referrals, promotions, and co-marketing initiatives.
11.4. Regulators and law enforcement – where legally required, or to protect safety, integrity, or legal compliance.
11.5. Corporate transactions – if we sell, merge, or transfer parts of our business, your data may be part of the transferred assets.
11.6. California “Do Not Sell or Share.” For California residents, certain advertising and analytics uses may be deemed a “sale” or “sharing” of personal information. You can exercise your right to “Do Not Sell or Share My Personal Information” via our in-app privacy settings or the link in our website footer. We do not knowingly sell or share the personal information of users we know are under 18.
11.7. Sponsors (limited, contextual). We may provide Sponsors with Sponsorship Measurement Data about their placements (for example, aggregated impressions, views, clicks, country/region counts, and broad device categories). We do not disclose your name, email, or precise identifiers to Sponsors unless you separately consent (for example, if you contact a Sponsor directly).
11.8. No resale or cross-context advertising. We do not permit Sponsors to place third-party ad tags, trackers, or beacons, and we do not license user data for cross-context behavioural advertising.
11.9. Brand safety & compliance. We may share limited information with partners needed to enforce category restrictions and brand-safety rules (for example, automated signals that a placement cannot run next to Sensitive Content), without revealing direct identifiers.
We do not “sell” your Personal Data in exchange for money, but certain uses (e.g., cross-context advertising) may be deemed a “sale” or “share” under US law.
11.1A. Categories of Vendors. Our service providers include:
– Payment & Payout Processors (e.g., Stripe, banks)
– Identity / Verification Providers
– Hosting & Infrastructure Providers (e.g., AWS, CDN)
– Analytics & Monitoring Partners
– Messaging & Notification Services
– Moderation & Safety Partners
Each provider is contractually bound to process data only on our instructions and with appropriate security.
12. Advertising & Analytics
12. Advertising, Sponsor Placements & Analytics
12.1. Creator-led only. We do not sell generic ad inventory or run network ads across unrelated content. Any promotional placement you see is tied to the Creator or Content you are viewing.
12.2. Contextual signals only. Sponsor Placements rely on contextual information (the Creator/Content you view, language/locale, device type). We do not use cross-site tracking or build behavioural advertising profiles for Sponsor Placements.
12.3. No “sale”/“share” for Sponsor Placements. We do not “sell” or “share” Personal Information for cross-context behavioural advertising under CPRA in connection with Sponsor Placements. If this ever changes, we will update this Policy and provide required opt-outs.
12.4. Measurement. We may measure the performance of Sponsor Placements using first-party analytics or approved SDKs. In consent jurisdictions (EU/UK), non-essential measurement runs only with your consent.
12.5. Sensitive data. We do not use Sensitive Personal Data for advertising or Sponsor Placements.
12.6. Minors. We do not show Sponsor Placements to unverified minors and apply stricter limits for teen accounts (see Section 7).
12.7. Advertiser disclosures. Creators must disclose Sponsorships using our in-product tools. We may audit or enforce those disclosures.
12.8. AI, model training, and derived uses. We do not use your personal content to train models or develop AI features unless you opt-in via a clear consent control. You can withdraw consent at any time without losing access to core Platform functions. Where feasible, we will cease future use promptly. Historical training already performed may not always be reversible, but no new content will be used after withdrawal. Safety/moderation processing that is necessary to operate the Platform (e.g., detecting spam, abuse, illegal content) is performed under Section 9 (legal bases) and is not used for advertising.
12.9. Sensitive categories. We do not use sensitive Personal Data (e.g., precise geolocation, biometric templates, government ID, health, sexual orientation, or beliefs) for advertising or cross-context behavioural targeting.
13. Payments, Wallet & Financial Data
13.1. Payments are processed by third-party providers (e.g., Stripe, bank partners, app stores). We do not store full credit card numbers.
13.2. We maintain ledger records of balances and transactions for wallets and promotional credits.
13.3. Verification for payouts may require government ID, bank details, or biometric checks to comply with KYC/AML obligations.
13.4. Funds may be subject to holds, reserves, or offsets for chargebacks, fraud, or legal/regulatory reasons.
13.5. We are not responsible for failures, breaches, or errors by third-party payment processors, though we require them to meet appropriate standards.
14. Cookies & Similar Technologies
14.1. We use cookies, SDKs, and similar technologies to operate, secure, and improve FOS Social, and to deliver ads and recommendations.
14.2. Strictly necessary cookies are always active. All other cookies (analytics, advertising, personalisation) require your consent in the EU/UK and provide opt-out rights in the US, Canada, and Singapore.
14.3. For details of categories, retention, third-party providers, and how to manage your settings, please see our Cookie Policy at fossocial.com/cookies.
14.4. Our cookie banner and in-app Privacy Center allow you to “accept all,” “reject all,” or choose granular categories. You may withdraw consent at any time.
14.5. No third-party ad beacons for Sponsor Placements. Sponsor Placements do not include third-party ad network tags or cross-site trackers.
14.6. First-party measurement. Where we measure Sponsor Placements, we prefer first-party analytics. In the EU/UK, non-essential measurement runs only with your consent.
14.7. Global Privacy Control. Where required by law, we honour recognised browser-level signals (for example, GPC) for advertising-related choices.
15. Data Security
15.1. We implement technical and organisational measures aligned with industry standards, including TLS (in transit), AES-256 (at rest) where appropriate, role-based access controls, logging and monitoring, vulnerability management, and third-party assessments. Administrative access is restricted and audited.
15.2. We regularly review controls for effectiveness and update them considering emerging threats. No system is perfectly secure, but we work to prevent, detect, and respond to incidents promptly.
15.2A. Breach notification. If a breach is likely to result in risk to your rights and freedoms, we will notify affected users and regulators without undue delay, describing the incident and measures taken. Sensitive identifiers (IDs, biometrics) are never stored in plaintext.
15.3. Users are responsible for maintaining the security of their accounts, including use of strong passwords and prompt reporting of suspicious activity to security@fossocial.com.
15.4. Data protection by design & default. We apply data minimisation, pseudonymisation where feasible, role-based access, and privacy-protective defaults (especially for teens) during feature design and deployment.
16. Data Retention
Data Retention
16.1. We retain Personal Data for as long as necessary to operate the Platform, fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and protect our legitimate business interests.
16.2. Wherever legally permissible, we retain account and profile data for the lifetime of the account and for a reasonable post-closure buffer period to allow for reactivation, investigations, legal defence, and regulatory compliance. After account closure, we target deletion or irreversible anonymisation of Personal Data within approximately 90 days, except where retention is required or permitted by law.
16.3. Typical retention periods and rationales include:
– Account & profile data: life of the account + post-closure buffer.
– Transaction & payout records: at least 7 years (tax, accounting, AML, financial regulations).
– Moderation & enforcement records: 24–36 months (repeat-abuse detection, appeals, user protection).
– Age-verification tokens & KYC records: up to 24 months (or longer if legally required) for audit, AML, and fraud-prevention.
– Server logs & telemetry: 12–24 months (security, debugging, service integrity).
– Backups: encrypted, retained on rolling cycles (generally ≤12 months) for disaster recovery.
16.4. Exceptions. We may retain certain data beyond these periods if necessary to establish, exercise, or defend legal claims; to comply with investigations, audits, or regulatory requests; to enforce our Terms; or to maintain the security and integrity of the Platform. In such cases, retention is limited to the minimum necessary and reviewed periodically.
16.5. Deletion and anonymisation. When data is deleted from active systems, copies may persist temporarily in backups or where your content has been shared with others. Backup copies are purged on scheduled cycles. Where deletion is not feasible, we will irreversibly anonymise the data.
17. Moderation & Enforcement Records
17.1. We may collect and retain evidence of policy violations, including flagged content, metadata, chat logs, and investigation notes.
17.2. These records may be shared with law enforcement, regulators, or courts where required.
17.3. Users subject to enforcement actions may request a summary of the decision, unless disclosure would compromise safety, security, or legal obligations.
18. Biometric & ID Data
18.1. Explicit consent & purpose limitation. We process biometric data only with your opt-in consent and only for identity verification, fraud prevention, or legal compliance. Biometric data is never used for advertising, recommendations, or unrelated profiling.
18.2. Alternatives. You may choose a non-biometric verification alternative. If you decline biometrics, you can still access core services; certain payout/creator features may remain locked until another KYC method is completed.
18.3. Vendors & security. Biometric processing is performed by vetted vendors under contract; biometric templates are encrypted and access-logged.
18.4. Retention & deletion. Biometric templates are retained only for the shortest period necessary to complete verification or comply with legal obligations, then deleted or irreversibly anonymised. We disclose applicable retention windows in our help centre and on request.
18.5. Regional laws. We comply with applicable biometric/privacy laws (e.g., GDPR/UK GDPR, CPRA, and any US state biometric statutes). If local law imposes stricter requirements, those prevail.
19. Your Rights – General
Depending on your location, you may have the following rights over your Personal Data:
19.1. Access – to know whether we process your data and to request a copy.
19.2. Correction – to request corrections to inaccurate or incomplete data.
19.3. Deletion – to request deletion of data, subject to retention limits in Section 16.
19.4. Restriction – to limit processing under certain conditions.
19.5. Portability – to request export of your data in a machine-readable format.
19.6. Objection – to object to processing based on legitimate interests or for marketing.
19.7. Withdrawal of consent – where processing relies on your consent, you may withdraw it at any time.
20. Rights by Jurisdiction
20.1. EU/UK supervisory authorities. You have the right to lodge a complaint with your local supervisory authority or, once appointed, our lead supervisory authority (details to be added here). We encourage you to contact us first so we can try to resolve your concern quickly.
20.2. United States – Depending on your state:
California (CCPA/CPRA): rights of access, deletion, correction, and opt-out of “sale”/“sharing” of personal information.
Virginia, Colorado, Connecticut, Utah: similar rights to access, delete, correct, and opt out of targeted advertising and profiling.
20.3. Canada (PIPEDA) – Rights of access, correction, and withdrawal of consent, subject to legal limits.
20.4. Singapore (PDPA) – Rights of access, correction, withdrawal of consent, and complaints to the PDPC.
20.5. Other regions – Users in other jurisdictions may have rights under local law. We honour requests where legally required.20.6. Non-discrimination (US state laws). We do not discriminate against you for exercising your privacy rights (e.g., denial of services, different prices), except where a price or service difference is reasonably related to the value provided by the data as permitted by law.
21. How to Exercise Your Rights
21.1. Submit requests via support@fossocial.com or the in-app Privacy Center. We may require identity verification (e.g., signed declaration, account checks, or government ID in limited cases).
21.2. Timelines. We respond within the period required by law (generally 30–45 days). If we need more time due to complexity or volume, we will tell you why and when you will receive a response.
21.3. Fees. Requests are free. A reasonable fee may apply for repetitive, manifestly unfounded, or excessive requests, where permitted by law.
21.4. Denials & appeals. If we decline your request (e.g., conflict with legal obligations, the rights of others, or security), we will explain why and how to appeal. Appeals will be reviewed by a different reviewer when feasible.
21.5. Authorised agents (US). We honour authorised-agent requests where we can verify both the agent’s authority and your identity.
21.6. Portability format. Where applicable, we provide machine-readable exports (e.g., JSON/CSV) of core account data and content you provided.
22. Children’s Data
22.1. We do not knowingly collect Personal Data from children under 17. Where local law sets a different child threshold, we apply whichever is stricter for safety.
22.2. If a parent/guardian believes a child has used the Platform, they may contact support@fossocial.com to request removal. We will promptly verify and act consistent with Section 16 and applicable law.
22.3. Teen accounts (age 17) use privacy-protective defaults, reduced data collection for marketing, and no targeted advertising. Monetisation and payments remain disabled until verification.
23. Third-Party Links & Services
23.1. The Platform may contain links to websites or services operated by third parties. Clicking those links may allow third parties to collect or share data about you.
23.2. We are not responsible for the privacy practices, content, or policies of third parties. We encourage Users to review the privacy policies of any linked services.
23.3. Some services integrated into the Platform (such as payment processors or identity verification providers) process data directly as controllers. Their processing is governed by their own privacy policies.
24. Changes to This Policy
24.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal obligations.
24.2. Material changes will be notified via the Platform, email, or other reasonable means at least 30 days before taking effect, unless required sooner by law.
24.3. Continued use of the Platform after changes take effect constitutes acceptance of the updated Policy. If you do not agree, you must stop using the Platform and may close your account.
25. Contact Details
25.1. Data Controller: Fos SM Ltd, 71–75 Shelton Street, London, England, WC2H 9JQ.
25.2. General Support: support@fossocial.com
25.3. Data Protection Officer (DPO) / EU–UK Representative: [placeholder until appointed].
25.4. Abuse/Misconduct: abuse@fossocial.com
25.5. Copyright/DMCA: copyright@fossocial.com
25.6. Security: security@fossocial.com
25.7. Users in the EU/UK may also contact their national supervisory authority for unresolved complaints.