1. Introduction
Gossip Buzz ("Gossip Buzz", "Gosip", "we", "us", or "our") is a social platform combining real-time end-to-end encrypted messaging (Gossip) with a public social feed (Buzz), short-form video (Sip), communities (Circles), and structured debates. We are headquartered in Nepal and operate globally.
This Privacy Policy describes the information we collect about you, how we use and share it, and the rights and choices you have. It applies to the Gossip Buzz mobile app, the web app at www.gossipbuzz.app, our APIs, and any other product, feature or service we offer that links to this policy (together, the "Services").
2. Who we are
The data controller responsible for your personal information is Gossip Buzz Pvt. Ltd., registered in Nepal. For users in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we may appoint a local representative; contact details appear in § Contact us.
| Region | Controller / Representative | Supervisory Authority |
|---|---|---|
| Nepal (primary) | Gossip Buzz Pvt. Ltd., Darchula | Government of Nepal — MoCIT |
| EEA | Gossip Buzz EU Rep (appointed — see §Contact) | Your national DPA |
| UK | Gossip Buzz UK Rep (appointed — see §Contact) | Information Commissioner's Office (ICO) |
| USA | Gossip Buzz Pvt. Ltd. | State AGs (CA, VA, CO, CT, UT, TX…) |
| Brazil | Gossip Buzz Pvt. Ltd., DPO appointed | ANPD |
| India | Gossip Buzz Pvt. Ltd., Grievance Officer appointed | DPBI (under DPDP Act) |
3. Scope of this policy
This Privacy Policy covers all Gossip Buzz Services. It does not cover:
- Websites or services operated by other people that you link to from Gossip Buzz (for example, an external link inside a buzz).
- Services provided by independent third parties that we integrate with (for example, third-party login, wallet or payment providers) — those parties have their own privacy notices.
- Information that never enters our servers — such as the plaintext of your end-to-end encrypted messages, which exists only on your device and your contact's device.
4. Information we collect
We collect information in four ways: what you give us, what we observe as you use the Services, what we receive from other sources, and what we infer from all of that combined.
4.1 Information you provide
- Account information. Your phone number and/or email, a Gosip code, your chosen username, display name, profile photo, date of birth (for age-gating and minimum-age features), and country/region.
- Profile details. Anything you add to your profile — bio, tagline, location, website, languages, education, work history, certifications, skills, interests, services. For business profiles: business name, category, description, address, hours, services and FAQs.
- Content you create. Buzzes, sips, debates, comments, arguments, reactions, polls, rebuzzes, photos, videos, voice notes, stories, and any media or text you upload.
- Messages. Metadata about who you message and when (not the content — see § Encryption).
- Contacts. If you enable contact discovery, we receive salted hashes of your contacts' phone numbers — not the raw numbers. See Privacy-Preserving Contact Sync.
- Transactions. Yeti Coin purchases, wallet transfers, subscriptions, cheers/tips. Card or bank details are handled by our payment processors, not by us.
- Customer support. Anything you send us when you contact support or file a report.
4.2 Information we collect automatically
- Device. Model, operating system, language, time zone, mobile carrier, screen size, accessibility settings, and a device identifier that's bound to a cryptographic key we generate on your device.
- Network. IP address, approximate location derived from IP (country/region level), connection type.
- Usage. What you tap, how long you watch a sip, which buzzes you expand, which debates you vote on, scroll depth, session length, feature-flag exposure, crashes and performance traces.
- Cookies and local storage — see § Cookies.
- Precise location — only if you explicitly grant the "Precise location" permission (for Sip geo-tagging, Circle location features or the "near me" feed).
- Sensors. Camera and microphone are accessed only when you open the camera sheet; we never collect sensor streams in the background.
4.3 Information from third parties
- Login partners. If you sign in with a third party (Apple, Google), we receive the identifiers that partner shares with us.
- Safety partners. Hash databases of known child-sexual-abuse material (CSAM) and terrorist content, so we can detect uploads of that material.
- Payment processors. Transaction tokens and statuses (not card numbers).
- Analytics and crash tools. Aggregate engagement and reliability data.
- Advertisers and measurement partners — only where you have interacted with an advertiser (see § Advertising).
4.4 Information we infer
From the signals above we derive: the language you most likely read, the topics and creators you engage with most, how active you are day-to-day, your likely country, your plan usage, an internal "health score" that reflects platform behaviour (safety, civility, originality), and the probability that a piece of content matches a policy violation.
5. How we use information
We use the information we collect to operate, personalise, secure and improve the Services.
5.1 Personalization & recommendations
We rank your feed, suggest circles, rank debate arguments, select trending topics, and prioritise content from people you follow (mutual follows are weighted highest — see Feed Algorithm). Recommendations are based on your interactions, location (country-level), and the behaviour of similar users.
5.2 Safety, security & integrity
- Detect spam, fraud, harassment, fake accounts, and synthetic media.
- Enforce our Terms of Service and Community Guidelines.
- Prevent account takeovers (device-binding via Ed25519 signatures, anomalous-login detection).
- Respond to legal process and emergency requests (see § Legal).
5.3 Advertising & measurement
Today, Gossip Buzz does not show third-party display ads. We may show promoted buzzes, sponsored circles, or creator subscriptions. When we do serve promoted content, we use coarse signals only: country, language, app version, broad interest cluster. We do not use the content of your private messages, your precise location or your contact list to target promotions.
If we introduce display advertising in the future, we will update this section, notify you in-product, and give you an advertising opt-out in Settings → Privacy → Ads.
5.4 Research & improvement
We perform product research, A/B tests, ML model training (for feed ranking, safety classifiers and search), and aggregate analytics. Whenever feasible we use de-identified or aggregated data. Private message content is never used for ML training.
6. Legal bases for processing (EEA, UK, Switzerland)
| Purpose | Legal basis | Example |
|---|---|---|
| Provide the Services | Performance of a contract (Art. 6(1)(b) GDPR) | Creating your account; delivering your messages |
| Safety & integrity | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) | Detecting spam, complying with court orders |
| Personalization & ranking | Legitimate interests or consent | Ranking the For You feed |
| Direct marketing | Consent (Art. 6(1)(a)) | Product newsletters |
| Special-category data (very rare) | Explicit consent (Art. 9(2)(a)) | If you voluntarily disclose health information in a public buzz |
| Cookies & similar on the web | Consent or strictly necessary (ePrivacy Directive) | Analytics cookies, login cookies |
You may object to processing based on legitimate interests at any time — see § EEA rights.
7. How we share information
7.1 With other users and the public
- Your profile (username, display name, photo, bio, buzzes, sips) is public by default. You can make specific elements private in Settings → Privacy.
- When you post in a circle, members of that circle see your post.
- When you send a message, the recipient(s) of that message see it.
- Reactions and votes are visible to the author and aggregated to everyone.
7.2 With service providers
We share information with vendors who help us operate the Services — cloud hosting (AWS / Neon), file storage (S3-compatible), real-time database (Convex), email/SMS delivery, payment processing, crash and performance tools, and safety partners. Each vendor is bound by a written data-processing agreement and cannot use your information for their own purposes. The full list is in Appendix B.
7.3 For legal reasons
We may disclose information to courts, law enforcement or other authorities when we have a good-faith belief that disclosure is required by law, necessary to prevent imminent harm, or essential to enforce our Terms. We publish a semi-annual Transparency Report at gossipbuzz.app/transparency.
7.4 Corporate transactions
If we are involved in a merger, acquisition, bankruptcy or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
8. International data transfers
Gossip Buzz is a global service. Your information may be stored and processed in Nepal, India, the United States, the European Economic Area and other countries where we or our vendors operate. When we transfer personal data out of the EEA, UK or Switzerland, we rely on:
- The European Commission's Standard Contractual Clauses (2021) or the UK International Data Transfer Addendum;
- The EU-U.S. Data Privacy Framework, where applicable to our vendors;
- Adequacy decisions where they exist;
- Your explicit consent for ad-hoc transfers (used sparingly).
A copy of the safeguards for a specific transfer is available on request at privacy@gossipbuzz.app.
9. How long we keep information
| Category | Retention | Reason |
|---|---|---|
| Account identifiers (phone, email, username) | Life of the account + 30 days after deletion | Anti-abuse cool-down |
| Profile content (bio, tagline, education…) | Life of the account | You can edit or delete any time |
| Buzzes | Per-plan lifespan (Free 30d, Basic 90d, Pro 180d; then auto-archive for 1 month) — you can Revive or delete manually | Plan feature + storage cost |
| Sips | Same as buzzes | Plan feature |
| Messages (E2EE) | On your device until you delete; on our servers only while undelivered (max 30 days) | We cannot read them anyway |
| Security logs | Up to 180 days | Intrusion detection |
| Transaction & wallet records | 7 years (post-transaction) | Tax, accounting, anti-money-laundering |
| Moderation reports & decisions | Up to 3 years from decision | Appeal window + pattern detection |
| Trust & safety — repeat violator signals | Indefinite | To prevent re-creation of banned accounts |
| Anonymised aggregate analytics | Indefinite | No longer personal data |
10. How we protect information
- Encryption in transit. TLS 1.3 everywhere.
- Encryption at rest. AES-256 for databases, object storage and local SQLCipher databases on mobile.
- End-to-end encryption. Signal Protocol (X3DH + Double Ratchet) for direct messages.
- Device binding. Every session is bound to a per-device Ed25519 keypair; private keys never leave the device.
- Bug bounty. Researchers can report vulnerabilities at security@gossipbuzz.app.
No system is perfectly secure. If a breach affects your personal information, we will notify you and the relevant supervisory authority within the timelines required by applicable law (72 hours under GDPR; "without unreasonable delay" under most US state laws; 72 hours under the India DPDP Act).
11. Cookies & similar technologies
We use a small number of cookies and local-storage keys on the web app:
| Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Login, CSRF protection, load balancing | Session or up to 30 days |
| Preferences | Theme, language, cached compose drafts | Up to 12 months |
| Analytics (if you consent) | Aggregate feature usage | Up to 12 months |
| Security | Rate limiting, fraud detection | Up to 30 days |
We do not use third-party advertising cookies. If you are in the EEA or UK, we will ask for your consent on first visit via a banner and you can change your choice any time at /cookie-choices.
12. End-to-end encryption (chat)
Your private messages on the Gossip (chat) side are end-to-end encrypted using the Signal Protocol. What this means in practice:
- Messages are encrypted on your device before they leave it, and can only be decrypted on the recipient's device.
- We can see that you sent a message and to whom, and when — but not the content.
- Voice and video calls are encrypted end-to-end with SRTP + DTLS.
- Group chats use the Sender Keys construction.
- If you lose your device, we cannot restore your message history.
Encryption does not apply to public Buzz content, comments, sips, debates or business-profile info — those are public by design.
13. Automated decisions, AI & content moderation
We use automated systems for:
- Feed ranking. A composite score based on recency, follow relationship, prior views, and content type. You can reset your recommendations at Settings → Reset Feed.
- Trending detection. Velocity-weighted hashtag and topic ranking.
- Safety classifiers. Automated detection of spam, nudity, hate speech, harassment, and deceptive media. Borderline cases are escalated to human reviewers.
- Bot-posted content. Clearly labelled "Bot" accounts may generate public content — they are disclosed on the profile and bypass paid quotas but never appear in private chats.
If an automated decision (for example, a content takedown or account suspension) significantly affects you, you have the right to request human review. Use Settings → Help & Feedback → Appeal a decision or email appeals@gossipbuzz.app.
14. Children and minors
Gossip Buzz is not directed to children under 13 (or under 14 in South Korea, 15 in France, 16 in Germany and other countries that require a higher default age under GDPR Article 8). We do not knowingly collect personal information from children below the applicable minimum age.
Where a parent or guardian becomes aware that their child has created an account in violation of this policy, they can write to privacy@gossipbuzz.app and we will delete the account and associated content.
For accounts flagged as belonging to users between the minimum age and 18, we apply heightened defaults: private profile, restricted discoverability, and limited direct messaging from strangers.
15. Your choices and rights
15.1 Controls built into the app
- Edit, hide or delete any buzz, sip, comment, rebuzz or argument from its menu.
- Privacy toggles (hide followers, hide following, hide circles, hide buzzes, hide sips, hide health score, hide activity) in Settings → Privacy.
- Deactivate your profile (hides from search/feeds) without deleting data.
- Delete your social profile (removes buzzes, sips, follows, reactions) while keeping chat history.
- Export your data at Settings → Account → Download my data (JSON + media ZIP within 30 days).
- Delete your account entirely at Settings → Account → Delete.
15.2 EEA, UK and Switzerland
If you are in the EEA, UK or Switzerland, under the GDPR / UK GDPR you have the right to:
- Access your personal data (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure ("right to be forgotten") (Art. 17).
- Restriction of processing (Art. 18).
- Data portability (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time for consent-based processing (Art. 7(3)).
- Not be subject to solely automated decision-making producing legal or similarly significant effects (Art. 22).
- Lodge a complaint with your national supervisory authority (Art. 77).
Submit a request at privacy@gossipbuzz.app or via the in-app form. We aim to respond within 30 days.
15.3 United States (state laws)
Depending on where you live, you may have rights under one or more of: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Delaware, Iowa, Tennessee, Nebraska, New Hampshire, New Jersey, and others as new laws take effect. Across these laws you generally have the right to:
- Know what personal information we collect, use, share and retain.
- Request a copy or "portable" export.
- Request deletion.
- Request correction.
- Opt out of sale, sharing for cross-context behavioral advertising, and/or profiling for decisions with legal or similarly significant effects.
- Limit use of sensitive personal information (California).
- Appeal a denied request (Virginia, Colorado, Connecticut).
- Not be discriminated against for exercising any of these rights.
To exercise your rights, use Settings → Privacy → My Privacy Rights or email privacy@gossipbuzz.app. For California, you can also call our toll-free intake line at +1 (628) 555-0199. We will honour an authorised agent acting on your behalf with written authorisation.
15.4 Brazil — LGPD (Lei Geral de Proteção de Dados)
If you are in Brazil, you have the rights in Article 18 of the LGPD: confirmation of processing, access, correction, anonymisation / blocking / deletion of unnecessary data, portability, deletion of data processed with consent, information on sharing, and withdrawal of consent. Our Data Protection Officer can be reached at dpo-br@gossipbuzz.app.
15.5 India — Digital Personal Data Protection Act, 2023
If you are in India, you have the right under the DPDP Act to access, correct, update and erase your personal data, to nominate a successor, and to raise a grievance. Our Grievance Officer can be reached at grievance-in@gossipbuzz.app. We will respond within the statutory period (currently 30 days) and escalation is available to the Data Protection Board of India.
15.6 Nepal
For users in Nepal, processing is governed by the Individual Privacy Act, 2075 (2018), the Electronic Transactions Act, 2063 (2008), and related regulations. You may submit a request or complaint at privacy-np@gossipbuzz.app. Grievances that remain unresolved may be escalated to the Nepal Police Cyber Bureau or the Ministry of Communication and Information Technology.
15.7 Asia-Pacific (Australia, Singapore, South Korea, Japan)
- Australia (Privacy Act 1988 / Australian Privacy Principles). You may request access or correction; complaints may go to the OAIC.
- Singapore (PDPA 2012). Access and correction requests per sections 21–22.
- South Korea (PIPA). Access, correction, suspension and deletion per Chapter V. Sensitive personal data and resident registration numbers require separate consent.
- Japan (APPI). Disclosure, correction, suspension and deletion requests. Cross-border transfers disclosed per Article 24.
15.8 Other jurisdictions
Canada (PIPEDA and provincial laws), Mexico (LFPDPPP), UAE (Federal Decree-Law 45/2021), Turkey (KVKK), South Africa (POPIA), New Zealand (Privacy Act 2020), Nigeria (NDPA 2023), Kenya (Data Protection Act 2019) and others may grant similar rights. Write to privacy@gossipbuzz.app and we will route your request.
16. "Do Not Track" and Global Privacy Control
Because the meaning of "Do Not Track" browser signals is not standardised, our web app does not respond to them individually. However, we do honour the Global Privacy Control (GPC) signal where applicable as an opt-out of "sale/share" under California law and similar US state laws.
17. Accessibility of this policy
This policy is available in English today and will be made available in Nepali, Hindi, Tamil, Telugu, Bengali, Marathi, Bhojpuri, Maithili, Newari and Tharu. If you need an accessible format (large print, screen-reader-friendly HTML, audio narration), email accessibility@gossipbuzz.app.
18. Changes to this policy
We may change this policy as the Services, law, or our practices change. If changes are material — for example, a new category of data use — we will notify you in the app or by email at least 30 days before the change takes effect, except where a shorter period is required by law. A change log with a summary of what changed is kept at /privacy/changelog.
19. Contact us
| Reason | Where |
|---|---|
| General privacy questions | privacy@gossipbuzz.app |
| EU / EEA representative | eu-rep@gossipbuzz.app |
| UK representative | uk-rep@gossipbuzz.app |
| Brazil DPO | dpo-br@gossipbuzz.app |
| India Grievance Officer | grievance-in@gossipbuzz.app |
| Security reports | security@gossipbuzz.app |
| Law-enforcement requests | lawenforcement@gossipbuzz.app |
| Appeals | appeals@gossipbuzz.app |
| Postal mail (Nepal HQ) | Gossip Buzz Pvt. Ltd., Darchula, Nepal |
Appendix A — Categories of personal information (CCPA/CPRA mapping)
| CCPA category | Examples in Gossip Buzz | Collected? | Disclosed for business purpose? |
|---|---|---|---|
| Identifiers | Name, username, phone, email, device ID, IP | Yes | Yes — to vendors |
| Customer records (Civ. Code §1798.80(e)) | Phone, payment token | Yes | Yes — to processors |
| Protected classifications | Age (derived from DOB) | Yes (DOB for age-gating) | No |
| Commercial information | Plan, transaction history | Yes | Yes — to payment processors |
| Internet / network activity | App usage, interactions, referrers | Yes | Yes — to analytics vendors |
| Geolocation | IP-derived country; precise if you opt in | Yes | Rarely — to map/geo vendors |
| Sensory / visual / audio | Photos, videos, voice notes you upload | Yes | Yes — to storage vendors |
| Professional / employment | Only if you add it to your profile | Optional | Public |
| Education | Only if you add it to your profile | Optional | Public |
| Inferences | Interest clusters, health score | Yes | Internal only |
| Sensitive PI | Precise location (opt-in); we do not collect government IDs | Only with opt-in | Limited |
Appendix B — Service provider categories
- Cloud hosting & databases. Amazon Web Services, Neon, Convex, Cloudflare.
- Object storage. AWS S3 / S3-compatible providers (Wasabi, Backblaze B2).
- Communications. Twilio, MessageBird, AWS SNS (SMS); SendGrid, Resend (email).
- Payments. Stripe, eSewa, Khalti, Fonepay, Razorpay (regional).
- Analytics & performance. PostHog, Sentry, Grafana Cloud.
- Safety & moderation. Hive, PhotoDNA, Microsoft Azure Content Safety.
- AI / ML. OpenAI, Anthropic, Google (for specific labelled features).
- Customer support. Intercom, Front, Linear.
Appendix C — 12-month disclosure summary (California CCPA/CPRA)
In the preceding 12 months, we have:
- Collected all the categories listed in Appendix A.
- Disclosed for a business purpose the categories noted "Yes" in the right column of Appendix A.
- Sold no categories of personal information.
- Shared device-level identifiers with analytics partners for cross-context behavioural advertising, only where you have not opted out via the Global Privacy Control.