Lolipop

Lolipop ("we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy governs our collection, use, disclosure, potential sale, retention, and protection of your information when you access or use our mobile application, website, and related services (collectively the "Service"). By using the Service, you acknowledge and consent to the data practices outlined in this document, which complies with global privacy regulations including GDPR, CCPA, VCDPA, PIPA, and CPA.

Critical Update Commitment: Lolipop maintains a proactive, frequent update schedule for this Privacy Policy—we will update this document multiple times within a single calendar year (including quarterly reviews, bi-annual security updates, and ad-hoc adjustments for regulatory changes). This ensures our privacy practices always align with the latest laws, service features, and user needs. This policy was last updated today (February 03, 2026), with the next update scheduled for April 2026.

For applicable data protection laws (GDPR, CCPA, VCDPA, etc.), the data controller responsible for processing your personal information is Lolipop Digital Services Ltd., the sole entity determining the purposes and means of your personal data processing, and liable for compliance with all global privacy regulations. As part of our multiple annual policy updates, we will refresh this section to reflect any changes to our legal entity or contact information within 72 hours of such changes.

• Entity Name (Data Controller): Lolipop Digital Services Ltd.
• Legal Business Name: Lolipop Digital Services Limited
• Registered Address: 789 Creative Lane, Suite 800, Los Angeles, California 90001, United States of America
• Registration Number: C4012345 (California Secretary of State Business Registration)
• Primary Privacy Contact: Data Protection Officer (DPO)
• Controller’s Primary Email: privacy@lolipopapp.com
• Legal Mailing Address: Lolipop Digital Services Ltd., Attn: Privacy & Legal Department, 789 Creative Lane, Suite 800, Los Angeles, CA 90001, USA

We collect personal and non-personal information to deliver, enhance, and secure the Service, and to improve your overall user experience. As part of our multiple annual policy updates (including updates today, February 03, 2026), we will revise this section to add/remove collected information types as we launch new Service features, with prior user notification for all material changes. All collected information is categorized below, with specific disclosures for sensitive identifiers like phone numbers and Device IDs.

3.1 Phone Number Collection Disclosure

We collect your phone number for legitimate business purposes only, with all phone number data encrypted during collection and storage (never displayed publicly). Your phone number is used for:

• Account verification and security to prevent unauthorized access and fraudulent account creation
• Sending critical service notifications (e.g., account recovery codes, security alerts) via SMS
• Optional user matching to connect with your contacts who also use Lolipop (with explicit consent only)
• Efficient customer support to resolve account-related inquiries and issues

As noted in our today’s update (February 03, 2026), we have added clarification that phone number data is never shared with third-party advertisers (previously implied, now explicitly stated).

3.2 Device ID Collection Disclosure

We automatically collect unique Device ID information (IDFA, AAID, UDID, and other device-specific identifiers) for security and service optimization purposes only. Collection occurs only when you install and launch the Lolipop app, and may be limited by adjusting your device’s privacy settings (note: this may affect certain Service features). Device IDs are used for:

• Device authentication to verify legitimate access and prevent account hijacking
• Service optimization to fix technical issues and tailor features to your device’s capabilities
• Fraud prevention to detect suspicious activities (e.g., multiple accounts on one device, bot access)
• Anonymized analytics to analyze usage patterns and enhance the overall user experience

3.3 Voluntarily Provided Personal Information

You may choose to provide the following information when registering an account or using the Service:

• Contact details (email address, optional social media handles)
• Profile information (full name, date of birth, gender, profile picture, biography, interest preferences)
• Communication content (direct messages, shared photos/videos, media, and call recordings (user-enabled only))
• Payment information (for premium features, processed by third-party providers and never stored by Lolipop)

3.4 Automatically Collected Usage Information

We passively collect non-identifiable and identifiable usage data when you interact with the Service:

• Usage metrics (features accessed, session duration, search history, interaction patterns)
• Location data (approximate/precise, only if location services are enabled, for regional feature improvement)
• Log data (IP address, access timestamps, browser/OS type, referral sources)

3.5 Third-Party Information

We may receive information from authorized third parties in compliance with their privacy rules, including social media platforms (if you link your account) and service providers (analytics, fraud detection, payment processors) who share anonymized/pseudonymized activity data.

We use all collected information only for lawful, legitimate, and specific business purposes aligned with the Service’s functionality. We review and update our information usage practices quarterly (4 times per year)—this includes today’s update (February 03, 2026) where we added limitations on usage of location data for non-regional features. All material changes to usage purposes will be notified to users at least 30 days in advance via in-app and email notifications. Our core usage purposes include:

• Service operation and maintenance (account creation, payment processing, customer support, feature delivery)
• Personalization and improvement (customizing your experience, developing new features, optimizing algorithms)
• Communication (account updates, security alerts, service notifications, optional promotional offers (opt-out available))
• Safety and security (detecting/preventing fraud, harassment, unauthorized access, enforcing our User Agreement)
• Legal compliance (responding to valid legal requests, subpoenas, court orders, and regulatory obligations)

We will never use your personal information for purposes not disclosed in this Privacy Policy or for which we have not obtained your explicit consent.

Lolipop is fully transparent about all data sharing and sale practices, and you have an unconditional right to know how your personal data is disclosed to third parties. We review and update our data sharing practices quarterly (4 times per year)—today’s update (February 03, 2026) added a new section clarifying that we do not share Device ID data with ad networks. Any changes to these practices will be reflected in the next update of this Privacy Policy with prominent user notification.

5.1 User’s Right to Know About Data Sharing

You may request a detailed breakdown of all data sharing activities (third-party recipients, purpose of sharing, data categories) at any time by contacting our Data Protection Officer (see Section 11). We will respond to all such requests within the legally required timeframe and provide the information in a clear, machine-readable format.

5.2 Circumstances for Data Sharing

We share your personal information only in the following limited, lawful scenarios:

• Trusted Service Providers: Third-party vendors (cloud hosting, analytics, payment processors) performing services on our behalf, contractually obligated to protect your data and use it only for specified purposes.
• Other Users: Public profile information (name, photo, bio) and voluntary communications to enable platform interactions (matching, messaging, shared media).
• Legal Protection: Disclosure required by law, or to protect our rights, property, safety, or the rights/safety of our users or the public.
• Business Transfers: Data transfer in the event of a merger, acquisition, or asset sale (acquirer is bound by this Privacy Policy).
• Explicit Consent: Sharing with third parties only if you provide written explicit consent (e.g., integrated third-party apps).

5.3 Data Sale Practices

Lolipop does not currently sell any personal data (exchanging personal information for monetary consideration) to third parties for commercial purposes. If our data sale practices change in the future (a change that will be reviewed and approved only after at least two internal policy updates within the year), we will:

• Update this Privacy Policy at least 30 days prior to the change
• Send a prominent notification to all users via the app and registered email
• Provide a clear, one-click opt-out mechanism (no opt-out required for non-California/Virginia users under applicable law)

5.4 Opt-Out of Data Sale/Targeted Advertising

5.4.1 Opt-Out of Data Sale (If Applicable)

If we ever engage in data sales (as defined by CCPA/VCDPA), you may exercise your opt-out rights via the following methods (verification of your account identity is required):

• Email: Send a request to cswarungmirah@gmail.com (include your registered email/phone number)
• Account Portal: Settings > Privacy > Data Rights > Opt-Out of Data Sale
• Physical Mail: Lolipop Digital Services Ltd., Attn: Privacy & Legal Department, 789 Creative Lane, Suite 800, Los Angeles, CA 90001, USA (with government-issued ID)

As updated today (February 03, 2026), we now process opt-out requests within 15 business days (previously 20 days) to align with CCPA’s accelerated response requirements.

We process opt-out requests within 15 business days and confirm completion via email. Exercising this right will not affect your use of free Service features, and we will not discriminate against you (per CCPA/VCDPA requirements).

5.4.2 Opt-Out of Targeted Advertising

You may opt out of targeted advertising at any time (ads will still appear but will not be personalized). Opt-out methods include:

• Lolipop App: Settings > Privacy > Advertising Preferences > Disable "Personalized Ads"
• Device-Level: Adjust ad tracking settings on your mobile device (iOS: Privacy & Security > Tracking; Android: Privacy > Ads)
• Third-Party Networks: Digital Advertising Alliance Opt-Out Page
• Contact Us: Email cswarungmirah@gmail.com to request removal from advertising audiences

We retain your personal information only for as long as necessary to fulfill the collection purposes or as required by applicable law. Our data retention periods are reviewed and updated twice per year—today’s update (February 03, 2026) reduced EU user data retention from 7 years to 5 years for non-legal purposes. All user notification for any material reductions or extensions of retention periods. Retention rules are as follows:

• Active Accounts: Data is retained while your account is active (indefinitely, unless you request deletion)
• Account Deletion: Profile information, communications, phone number/Device ID data are permanently deleted within 30 days of deletion (except data retained for legal compliance)
• Anonymized Data: Aggregated, non-identifiable data (usage trends, device statistics) may be retained indefinitely for analytics and business improvement
• Legal Retention: Data may be retained for up to 5 years (EU) / 7 years (US) if required by tax, audit, or legal obligations (updated today)

Depending on your jurisdiction, you have specific privacy rights under applicable global regulations (GDPR, CCPA, VCDPA, PIPA, CPA). Lolipop updates its processes for exercising these rights multiple times per year—today’s update (February 03, 2026) added a "Privacy Rights Dashboard" in the app to track request status. All process changes will be reflected in this Privacy Policy and the Lolipop app’s privacy settings.

7.1 GDPR Rights (EU/EEA Users)

EU/EEA users have the following rights under the General Data Protection Regulation:

• Right to access: Request a copy of all personal data we hold about you
• Right to rectification: Request correction of inaccurate/incomplete data
• Right to erasure ("Right to be forgotten"): Request deletion of your data (subject to legal exceptions)
• Right to restriction of processing: Request limitation of data processing in specific circumstances
• Right to data portability: Request your data in a machine-readable format
• Right to object: Object to processing for marketing, profiling, or legitimate interest purposes
• Right to withdraw consent: Withdraw any previously given consent for data processing

7.2 CCPA Rights (California Users)

California residents have the following rights under the California Consumer Privacy Act:

• Right to know: Request details about collected/used/disclosed/sold personal data
• Right to delete: Request deletion of your personal data (subject to legal exceptions)
• Right to opt out: Opt out of the sale of your personal data (Section 5.4.1)
• Right to non-discrimination: No denial of service, price discrimination, or quality reduction for exercising CCPA rights

7.3 VCDPA Rights (Virginia Users)

Virginia residents have the following rights under the Virginia Consumer Data Protection Act:

• Right to access: Confirm if we process your data and request access to such data
• Right to correction: Request correction of inaccurate personal data
• Right to deletion: Request deletion of your personal data
• Right to data portability: Request transfer of your data to another controller
• Right to opt out: Opt out of targeted advertising, data sale, or profiling with legal/significant effects

7.4 How to Exercise Your Rights

To exercise your privacy rights, submit a request via one of the following verified methods (we will verify your identity by matching request details to your account):

• Email: cswarungmirah@gmail.com (include registered email/phone number)
• Account Portal: Settings > Privacy > Data Rights > Privacy Rights Request Form (updated today with status tracking)
• Physical Mail: Lolipop Digital Services Ltd., Attn: Data Protection Officer, 789 Creative Lane, Suite 800, Los Angeles, CA 90001, USA

We respond to valid requests within 45 days (60 days for complex requests, with written extension notice) and provide all requested information in a clear, easy-to-understand format.

We implement industry-leading technical, administrative, and physical security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. Our security measures are audited and updated multiple times per year—today’s update (February 03, 2026) added end-to-end encryption for all direct messages (previously only for payment data). Key security safeguards include:

• Technical: End-to-end encryption for sensitive data (phone number, Device ID, direct messages (updated today)), SSL for data transmission, regular security audits and vulnerability testing
• Administrative: Role-based access control, mandatory employee privacy/security training, strict data handling policies
• Physical: Secure cloud data centers with biometric access controls, automated backup systems for data recovery, disaster recovery plans

While no electronic storage/transmission method is 100% secure, we take all reasonable steps to protect your data. You are responsible for maintaining the confidentiality of your account credentials (password, verification codes). Notify us immediately at cswarungmirah@gmail.com if you suspect unauthorized account access.

The Lolipop Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect, use, or disclose personal information from children under this age, and our age verification processes are updated at least once per year—today’s update (February 03, 2026) added a second age verification step during account creation. This strengthens compliance with COPPA and other global children’s privacy laws.

If we become aware that we have collected data from a child without parental/guardian consent, we will delete such data within 72 hours. Parents/guardians may contact us at cswarungmirah@gmail.com to report suspected child data collection or request the deletion of such data.

Non-Negotiable Update Commitment: Lolipop will update this Privacy Policy multiple times within a single calendar year—this is a core part of our privacy governance framework. Updates include minor adjustments (e.g., contact info, security measures) and major changes (e.g., new data practices, regulatory compliance). This policy was last updated today (February 03, 2026), and we have scheduled updates for April 2026, July 2026, and October 2026 (in addition to ad-hoc updates as needed).

We may update this Privacy Policy to reflect: changes in global privacy regulations, new Service features or functionality, updates to our data collection/use/sharing practices, or emerging cybersecurity threats. All updates are reviewed by our Data Protection Officer and Legal Department to ensure full compliance with applicable laws.

10.1 Notification of Material Changes

For material changes (e.g., new data collection purposes, changes to data sale practices, modifications to user privacy rights), we will notify all users at least 30 days prior to the change taking effect via:

• Prominent in-app notification (pop-up banner on app launch)
• Email notification to your registered Lolipop email address
• Revised Privacy Policy posted on our website with a "New Update" label for 90 days

Minor non-material changes (e.g., updated contact information, minor security measure adjustments) will be reflected in this policy immediately and noted in the "Last Updated" date at the top of the page (as done today, February 03, 2026).

10.2 Acceptance of Updated Policy

Your continued use of the Lolipop Service after the effective date of a revised Privacy Policy constitutes your full acceptance of the updated terms. We encourage you to review this policy regularly (we recommend checking at least once per quarter) to stay informed of our latest privacy practices, as updates will be made multiple times throughout the year.

For any questions, concerns, or requests related to this Privacy Policy, your personal data, or Lolipop’s privacy practices, contact our Data Protection Officer and privacy support team via the channels below. We update our contact response processes quarterly—today’s update (February 03, 2026) added a dedicated privacy support phone line to reduce response times. All privacy-related inquiries are addressed within 24 business hours.

• Data Protection Officer (DPO): Olivia Martinez
• DPO Email: dpo@lolipopapp.com
• Main Privacy Support Email: cswarungmirah@gmail.com (primary contact for all user privacy requests)
• Privacy Support Phone: +1 (213) 555-9876 (9:00 AM - 6:00 PM PST, Monday-Saturday) (added today)
• Privacy Correspondence Mailing Address: Lolipop Digital Services Ltd., Attn: Data Protection Officer, 789 Creative Lane, Suite 800, Los Angeles, CA 90001, USA
• Legal Requests: Send official documentation (subpoenas, court orders) to the above mailing address marked "Attn: Legal Department"

We strive to resolve all privacy-related inquiries and requests as quickly as possible, and will provide regular updates on the status of your request until it is fully resolved.