Graphit Privacy Policy

Last updated: June 25, 2026

1. Who we are

Graphit is operated by Aleksandr Bagatka, an individual based in Poland ("Graphit", "we", "us", "our"). For GDPR purposes, Aleksandr Bagatka is the data controller for personal data processed through Graphit unless a later incorporated Graphit company replaces him as controller after notice to users.

Privacy contact: aleksandr@graphit.live
General, moderation, DSA, and legal contact: aleksandr@graphit.live

For personal safety, we do not publish a private home address. Use the email contact above for all privacy, legal, moderation, DSA, and authority communications. If a lawfully required formal address is needed for a specific valid process, contact us by email first.

No Data Protection Officer is appointed at this stage. Please use the privacy contact above for data protection requests. We can receive privacy communications in English or Polish.

2. Scope

This Policy explains how we collect, use, disclose, retain, and protect personal data when you use Graphit websites, apps, APIs, accounts, profiles, feeds, messages, media, comments, reports, notifications, and related services (the "Service").

Graphit is a social network. The Service may evolve over time. If our privacy practices materially change, we will update this Policy and, where required, notify you.

3. Age limit

Graphit is intended only for users who are 18 or older. We do not knowingly allow children or minors to create accounts. If we learn that a user is under 18, we may suspend the account and delete related personal data, unless we must keep limited data for legal, safety, security, or abuse-prevention reasons.

4. Personal data we collect

We collect data you provide, data created by your use of the Service, and data needed to operate a secure social network.

Account and authentication data:
- email address;
- username, handle, display name, profile ID, account ID, and similar identifiers;
- password hash or sign-in credentials, if you use password login;
- OAuth or Apple sign-in identifiers, if you use third-party sign-in;
- verification, password reset, session, and security data.

Profile and public social data:
- display name, username, avatar, bio, social links, and profile settings;
- follows, followers, blocks, bookmarks, likes, counters, and other relationship/activity data;
- public content, public profile fields, and public interactions.

User content:
- posts, cards, comments, replies, descriptions, captions, and other text;
- photos, videos, avatars, uploaded files, and media metadata;
- audio, if included in videos or recordings you upload;
- autograph/signing data, replay data, or similar creative content;
- reports, moderation appeals, and support messages.

Device, app, and technical data:
- device identifiers such as app installation ID and push notification token;
- IP address, approximate location inferred from IP address, request time, app version, device type, operating system, language, and diagnostics;
- crash logs, performance data, server logs, abuse-prevention signals, and security events;
- notification delivery and read status.

Product interaction data:
- actions such as account creation, sign-in, searches, follows, likes, bookmarks, views, notification interactions, reports, blocks, and settings changes;
- feature usage needed to run, secure, debug, and improve the Service.

Support and legal data:
- messages you send to us;
- identity, contact, and evidence data needed to handle requests, complaints, intellectual-property notices, legal requests, and disputes.

We do not intentionally collect government ID, payment card numbers, precise GPS location, health data, biometric identifiers, or other special-category data unless a future feature clearly asks for it and this Policy is updated.
Do not upload sensitive personal data unless it is necessary and lawful.

5. Public content

Graphit is a social network. Content and profile information you publish may be visible to other users and, depending on settings and product design, to the public.

Other users may copy, save, share, screenshot, or re-publish public content. We cannot control all actions by other users. Do not post personal data about yourself or others unless you have the right to do so and accept the visibility risk.

6. Why we use personal data and legal bases

We use personal data only when we have a legal basis.

To provide the Service - contract necessity:
- create and manage accounts;
- authenticate users;
- publish profiles and content;
- show feeds, comments, media, social graph data, notifications, and settings;
- process blocks, reports, deletion requests, and account recovery;
- provide support.

To keep the Service safe and reliable - legitimate interests:
- prevent spam, fraud, abuse, scraping, malware, harassment, and illegal content;
- investigate reports and enforce Terms of Service;
- detect security incidents and protect accounts;
- debug, measure performance, and maintain infrastructure;
- keep limited records needed to defend legal claims.

To comply with law - legal obligation:
- respond to valid legal requests, court orders, regulator requests, and law-enforcement requests;
- meet privacy, consumer, platform, tax, accounting, and safety obligations;
- preserve or disclose data where legally required.

With your consent:
- send push notifications, if you enable them;
- access camera, microphone, photos, or similar device permissions, if you allow them;
- send optional marketing emails, if any;
- process optional data where consent is required.

You may withdraw consent at any time. Withdrawal does not affect processing that happened before withdrawal.

7. Recommendations, ranking, and automated tools

Graphit may rank or recommend content using signals such as recency, relationships, content type, user actions, popularity, safety signals, language, and settings. These systems are used to operate the Service and personalize the experience.

Graphit may use automated tools to detect spam, malware, suspected abuse, policy violations, duplicate reports, or unsafe media. Important account or content moderation decisions may include human review where required or appropriate.

We do not use solely automated decision-making that produces legal or similarly significant effects for you, unless we clearly disclose it and have a lawful basis.

8. Analytics, ads, and tracking

At this stage, Graphit does not sell personal data, share personal data with data brokers, or use data for third-party advertising tracking.

We may use privacy-limited analytics, diagnostics, and crash reporting to understand app functionality, reliability, and product quality. These providers may process data for us as service providers, not as independent advertisers.

If Graphit later adds ads, cross-app tracking, marketing pixels, or data sharing for advertising, we will update this Policy and obtain consent where required.

9. Service providers and recipients

We may share personal data with recipients who need it to provide, secure, or legally support the Service, including:
- cloud hosting, storage, database, and content delivery providers;
- email delivery and authentication providers;
- Apple and other platform providers for sign-in, app distribution, push notifications, purchases, and device permissions;
- analytics, crash reporting, logging, and monitoring providers;
- content moderation, safety, anti-spam, and abuse-prevention tools;
- professional advisers, insurers, auditors, and legal representatives;
- regulators, courts, authorities, and law enforcement where legally required;
- a future Graphit company, buyer, investor, or successor, if the Service is reorganized, incorporated, merged, financed, sold, or transferred, subject to appropriate safeguards.

We require service providers to process personal data only for authorized purposes and with appropriate confidentiality and security duties.

10. International transfers

We are based in Poland, but our service providers may process data in the European Economic Area, the United Kingdom, Switzerland, the United States, or other countries.

Where personal data is transferred outside the EEA, we use lawful transfer mechanisms when required, such as adequacy decisions, Standard Contractual Clauses, Data Privacy Framework participation where applicable, or other safeguards.

11. Retention

We keep personal data only as long as needed for the purposes above.

Typical retention:
- account and profile data: while your account exists;
- public content and media: until deleted by you, removed by us, or your account is deleted, subject to backups, legal holds, and safety records;
- comments, likes, follows, blocks, bookmarks, and similar interaction data: while needed to provide the Service or until deletion/account deletion where applicable;
- push tokens and device registrations: until disabled, replaced, or no longer needed;
- authentication, security, audit, and server logs: usually up to 12 months, unless needed longer for security, abuse, legal claims, or compliance;
- moderation reports, enforcement records, and appeal records: usually up to 5 years, or longer if needed for repeat-abuse prevention, legal claims, or law;
- support messages: usually up to 3 years after the last contact, unless needed longer for legal, safety, or account reasons;
- backups: usually overwritten or deleted within 90 days, unless preserved for security, disaster recovery, or legal reasons;
- legal request and rights-request records: as long as needed to document compliance and protect legal rights.

When we no longer need data, we delete it, anonymize it, or keep it only in a restricted form where deletion is not immediately possible.

12. Account deletion

You may request account deletion through the app if available, or by contacting aleksandr@graphit.live.

Deleting an account may remove or anonymize account data and content, but some data may remain:
- in backups for a limited period;
- in other users' copies, screenshots, or interactions;
- where needed for safety, security, anti-abuse, legal compliance, dispute resolution, or enforcement;
- where content has been shared publicly and continued retention is lawful.

13. Your GDPR rights

If GDPR applies, you may have the right to:
- be informed about processing;
- access your personal data;
- correct inaccurate data;
- delete data;
- restrict processing;
- receive data in portable form;
- object to processing based on legitimate interests;
- withdraw consent;
- object to direct marketing;
- not be subject to solely automated decisions with legal or similarly significant effects.

To exercise rights, contact aleksandr@graphit.live. We may need to verify your identity. We normally respond within one month. If a request is complex or numerous, we may extend the time by up to two further months where law allows.

Some rights are not absolute. We may refuse or limit a request where allowed by law, including to protect other users, comply with legal duties, preserve evidence, prevent abuse, secure the Service, or defend legal claims.

You may lodge a complaint with a data protection authority. In Poland, the authority is the President of the Personal Data Protection Office (UODO): https://uodo.gov.pl/

14. Legal requests, authorities, and safety disclosures

We do not give user data to authorities just because someone asks informally.

We may preserve, use, or disclose personal data if we believe in good faith that it is necessary to:
- comply with a valid law, court order, warrant, subpoena, regulator request, or other binding legal process;
- respond to lawful law-enforcement or public-authority requests;
- protect the rights, safety, and security of users, the public, Graphit, or others;
- investigate fraud, abuse, security incidents, or illegal activity;
- enforce our Terms of Service.

Where lawful and practical, we may ask for clarification, narrow overbroad requests, object to invalid requests, or notify affected users. We may not notify users where prohibited by law, where notice would create safety/security risk, or where the request itself requires confidentiality.

This Policy cannot prevent courts, regulators, or authorities from using powers granted by law.

15. Security

We use reasonable technical and organizational measures designed to protect personal data, such as access controls, encryption in transit, credential protection, logging, backups, and restricted administrative access.

No online service is perfectly secure. You are responsible for keeping your credentials safe and telling us promptly if you believe your account was compromised.

16. Your choices

You may:
- update account and profile data in the app where available;
- delete content where product controls allow;
- block users;
- report content or users;
- change notification settings;
- revoke device permissions through iOS or your device settings;
- request account deletion.

17. Changes to this Policy

We may update this Policy. The "Last updated" date shows the latest version. Material changes may be announced in the app, by email, or by another reasonable method where required.

18. Contact

Privacy requests: aleksandr@graphit.live
Moderation, DSA, safety, and general requests: aleksandr@graphit.live
Legal requests: aleksandr@graphit.live

Please include enough information for us to understand and process your request. Do not send sensitive documents unless requested.