Privacy Policy

Last updated: February 1, 2026

1. Introduction

Welcome to PoPcA ("we", "our", "the App"), operated by Mercaly. This privacy policy explains what personal data we collect, why we collect it, how we protect it, and what your rights are. It applies to the PoPcA mobile application (bundle identifier: com.mercaly.popca) and all associated services.


2. Information we collect

We collect the following information:

Account information: username, email address, phone number, date of birth, password (bcrypt-hashed, never stored in plaintext).
Profile information: profile picture, biography, gender, country, language preferences.
Content you create: posts, photos, videos, comments, private messages, live streams, shop products.
Usage data: interactions, follows, likes, shares, viewing history, content preferences.
Technical data: device type, model, operating system, app version, IP address, Firebase push notification token.
Location data: only if you grant permission (for geotagged content).
Payment data: processed by our PCI-DSS certified providers (Stripe, PayPal). We do not store any banking data on our servers.


3. How we use your data

Your personal data is used to:

• Provide, maintain, and improve the App
• Personalize your feed and recommendations
• Process your transactions (coin purchases, ads, earnings withdrawals)
• Send notifications (push via Firebase Cloud Messaging, email via SendGrid, SMS via Twilio)
• Moderate content using AI and human review
• Detect and prevent fraud, abuse, and malicious behavior
• Comply with our legal obligations


4. End-to-end encryption (E2E)

The text content of your posts is encrypted end-to-end using the Fernet algorithm (AES-128-CBC + HMAC-SHA256) before being stored in our database. This means that even in the event of a server breach, your post content remains unreadable without the decryption key. Mercaly does not share this key with any third party.


5. Data security

We implement technical and organizational measures to protect your data:

• HTTPS/TLS 1.3 encrypted communications
• Bcrypt-hashed passwords (cost factor 12)
• Two-factor authentication (2FA) available
• Brute-force detection and automatic blocking
• E2E encryption of posts (Fernet / AES-128)
• Regular security audits
• Restricted internal access (least-privilege principle)


6. Sharing with third parties

We never sell your personal data. We only share certain data with:

Technical providers: Firebase (Google) for push notifications, SendGrid for transactional emails, Twilio for SMS, Stripe and PayPal for payments, MongoDB Atlas for storage.
Advertising partners: only aggregated and anonymized data.
Legal authorities: if required by law or as part of an investigation.
In case of merger/acquisition: your data may be transferred to the successor, subject to this policy remaining in force.


7. Protection of minors

PoPcA may not be used by anyone under 13. Users aged 13-17:

• Must obtain permission from a parent or legal guardian
• Have stricter default privacy settings
• Cannot access adult content
• Cannot enable monetization or withdraw earnings
• Are subject to enhanced AI moderation

If you believe a child under 13 has created an account, please contact us at info.popca@mercaly.com for immediate deletion.


8. Data retention

Active account: your data is kept as long as your account exists.
Deleted account: your data is erased within 30 days, except data we must keep for legal reasons (e.g., security logs for 90 days, tax data for 10 years).
Deleted content: removed from our servers within 30 days. Cache copies may briefly persist on our CDNs.


9. Your rights (GDPR, CCPA)

You have the following rights, which you can exercise from the app settings or by contacting us:

Right of access: obtain a copy of your data
Right to rectification: correct your information
Right to erasure: delete your account and data
Right to portability: export your data in JSON format
Right to object: refuse certain processing
Right to withdraw consent: at any time
Right to lodge a complaint: with your local data protection authority (CNIL in France, ICO in the UK, etc.)

To exercise these rights: info.popca@mercaly.com


10. International transfers

Your data may be processed on servers located outside your country of residence (notably in the United States for Firebase and SendGrid). These transfers are covered by Standard Contractual Clauses approved by the European Commission.


11. Cookies and similar technologies

We use secure local storage (AsyncStorage, SecureStore) to maintain your session, remember your preferences, and analyze app usage. You can clear this data by logging out or uninstalling the app.


12. Changes to this policy

We may update this policy. We will notify you of significant changes in the app or by email at least 30 days before they take effect. The last update date is shown at the top of the document.


13. Contact

Data controller: Mercaly
Email: info.popca@mercaly.com
Legal email: legal.popca@mercaly.com
Address: Port-au-Prince, Haiti

For any questions regarding your personal data or to exercise your rights, please write to us. We respond within 30 days at most.