Effective Date: May 16, 2026. Version 1.0.0.
This Privacy Policy describes how S8 Investment Holdings, LLC ("Project AG", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the Project AG mobile application and any related websites, APIs, communications, and services (collectively, the "Service"). It also describes the rights you have over your personal information and how to exercise them.
Project AG is a travel-companion social application that connects adult travelers visiting the same destinations. Because we operate in this category, we process information that is sometimes sensitive — including precise travel plans, photographs, and identity-verification data. This Policy is designed to be clear about exactly what we do with it, and to comply with the General Data Protection Regulation (EU 2016/679, "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Brazil's Lei Geral de Proteção de Dados ("LGPD"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Quebec's Law 25, Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares ("LFPDPPP"), Japan's Act on the Protection of Personal Information ("APPI"), South Korea's Personal Information Protection Act ("PIPA"), Australia's Privacy Act 1988 (Cth), South Africa's Protection of Personal Information Act ("POPIA"), Switzerland's revised Federal Act on Data Protection ("FADP"), and the Kingdom of Saudi Arabia's Personal Data Protection Law ("PDPL"), among others. Region-specific terms appear in dedicated annexes at the end of this Policy.
You must be 18 or older to use the Service. We do not knowingly collect personal information from anyone under 18. See Section 9.
The data controller (or, where applicable, the "business" under CCPA/CPRA, "controller" under GDPR/UK GDPR, "responsável" under LGPD, "operator" under POPIA, etc.) responsible for your personal information is:
If you live in a region with a designated representative or DPO, you are entitled to contact them directly. We will respond in the language of this Policy unless local law requires otherwise.
We collect personal information in three ways: (a) information you provide directly, (b) information generated by your use of the Service, and (c) information from limited third parties (for example, your phone carrier when you receive an SMS one-time passcode, or Apple/Google when you sign in).
Some of the information you choose to share is treated as a "special category" of personal data under GDPR Article 9 (and analogous laws elsewhere): (i) the biometric data processed by Persona for identity verification, (ii) photographs and self-identified data that can reveal racial or ethnic origin or religious belief, (iii) information you may volunteer in your bio or messages about your health or sexual orientation. We process these categories only with your explicit consent, given through specific in-app prompts at the point of collection. You can withdraw consent at any time as described in Section 11. Withdrawing consent for identity verification means we cannot continue to provide the Service to you and your account will be deactivated.
Under GDPR, UK GDPR, LGPD, FADP, and similar laws, we are required to identify a lawful basis for each purpose for which we process your personal information. The table below sets out our purposes, the categories of data involved, and the lawful basis (GDPR Article 6 and, where applicable, Article 9).
Categories: account identifiers, profile, device data. Legal basis: performance of a contract (GDPR Art. 6(1)(b)) — without this data we cannot deliver the Service you have requested.
Categories: profile, travel plans, location, activity. Legal basis: performance of a contract (Art. 6(1)(b)). Where this involves a special category of data (for example, sexual-orientation filters), the additional Article 9 basis is explicit consent (Art. 9(2)(a)).
Categories: account identifiers, activity. Legal basis: performance of a contract (Art. 6(1)(b)) for service-essential notifications (e.g., new matches, message receipts, subscription renewals). Marketing or promotional push notifications are sent only on the basis of your consent (Art. 6(1)(a)), which you can withdraw at any time in Settings → Notifications.
Categories: identity-verification data (including biometric data processed by Persona), device data, IP address. Legal bases: explicit consent for the processing of biometric data (Art. 9(2)(a)); legitimate interests under Art. 6(1)(f) for fraud prevention, where our interest in protecting the community from impersonation, romance fraud, and account-takeover attacks materially outweighs the limited and necessary use of your data; and compliance with a legal obligation (Art. 6(1)(c)) where local law requires age- or identity-verification (for example, certain online-safety statutes).
Persona processes the biometric template under a Data Processing Addendum signed with us. We instruct Persona to delete the biometric template and the source ID images on a fixed retention schedule (see Section 7). We do not use Persona's output to make automated decisions that produce legal or similarly significant effects on you (see Section 12 on automated decision-making).
Categories: photos, messages, reports, activity, device data. Legal bases: legitimate interests (Art. 6(1)(f)) in keeping the community safe, supported by our published Community Guidelines; compliance with a legal obligation (Art. 6(1)(c)) where applicable (for example, mandatory reporting of certain content); and explicit consent (Art. 9(2)(a)) for any processing of special-category data such as photographic content depicting race, ethnicity, or religious affiliation.
Photo moderation is performed by Amazon Web Services, Inc. ("AWS") via the Amazon Rekognition service. Rekognition returns a category-by-category confidence score (for example, "Explicit Nudity", "Violence"). A human moderator on our trust-and-safety team reviews any photo flagged by Rekognition before it is removed from circulation, except in the case of CSAM (child sexual abuse material), where we follow the mandatory reporting procedures in the jurisdictions where we operate.
Categories: account identifiers, subscription metadata. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)) for tax and accounting records.
Categories: communications, account identifiers, device data. Legal basis: performance of a contract (Art. 6(1)(b)) and our legitimate interest (Art. 6(1)(f)) in providing efficient support.
Categories: device data, activity, performance metrics. We use this data on an aggregated, pseudonymized basis to understand which features work and where the Service has bugs. Legal basis: legitimate interests (Art. 6(1)(f)). You may object to this processing at any time as described in Section 11. We do not use this data to build advertising profiles of you, and we do not sell or rent it to third parties.
Categories: any data necessary to comply with applicable law. Legal basis: compliance with a legal obligation (Art. 6(1)(c)) and, where appropriate, the establishment, exercise, or defense of legal claims (Art. 9(2)(f) for special-category data).
We share personal information only with the categories of recipient listed below, and only to the extent strictly necessary for the purpose stated. We do not sell or rent your personal information to data brokers, advertising networks, or any other third party for monetary or non-monetary consideration. We do not "share" your personal information for cross-context behavioral advertising as that term is defined under CCPA/CPRA.
Each of these providers is bound by a written data-processing agreement that imposes confidentiality, security, sub-processor, and (where applicable) cross-border-transfer safeguards consistent with GDPR Articles 28 and 46. An up-to-date sub-processor list is available on request from privacy@projectag.app.
Profile information you mark as visible — your photos, first name, age, bio, interests, and current trip — is shown to other adult users of the Service for matching purposes. Your phone number, email address, exact home address, and identity-verification status are never disclosed to other users. Your verification badge (a generic indicator that you have passed identity verification) is shown if you have completed the optional verification flow.
We will disclose personal information to law-enforcement, courts, regulators, or other public authorities when we are compelled to do so by valid legal process (such as a subpoena, warrant, or court order issued by a court of competent jurisdiction), or where we believe in good faith that disclosure is necessary to (a) protect the safety of any person, (b) investigate or prevent fraud or security incidents, or (c) comply with applicable law. Where the law permits us to notify the affected user before disclosing, we will do so.
If Project AG or substantially all of its assets are acquired by, merged with, or transferred to another entity, personal information may be transferred to the acquirer subject to the same protections set out in this Policy. We will notify you of any change in controller and, where required, provide an opportunity to object.
Project AG is operated from the United States. The personal information we collect is processed primarily in the United States, with regional storage in the European Union (Frankfurt and Dublin) for users located in the EEA, the United Kingdom, and Switzerland, to the extent commercially practicable.
When we transfer personal information from a jurisdiction with comprehensive data-protection law to a jurisdiction that does not benefit from an adequacy decision, we rely on appropriate safeguards under Chapter V of the GDPR (and analogous provisions of UK GDPR, LGPD, FADP, and others). Specifically:
You may request a copy of the safeguards in place for a specific transfer (with confidential commercial terms redacted) by writing to privacy@projectag.app.
We implement and maintain technical and organizational measures designed to protect personal information against unauthorized or unlawful access, disclosure, alteration, loss, or destruction. These include:
No security measure is perfect. If you become aware of a security issue affecting Project AG, please report it to security@projectag.app.
We retain personal information only for as long as necessary for the purposes for which it was collected, in line with the storage-limitation principle (GDPR Article 5(1)(e) and equivalent provisions of UK GDPR, LGPD, FADP, POPIA, PIPA, APPI, CCPA/CPRA, and others).
You can delete your account at any time from Settings → Account → Delete account in the app. Deletion is irreversible.
Project AG does not display behavioral advertising inside the app and does not "sell" or "share" personal information for cross-context behavioral advertising under CCPA/CPRA. We do not participate in the IAB Transparency and Consent Framework.
Apple's App Tracking Transparency (ATT) prompt is shown only if we ever introduce a feature that would require it; today, we do not access the Identifier for Advertisers (IDFA) and we have not enabled any such feature. If this changes, we will update this Policy and obtain your explicit ATT consent before processing the IDFA.
Our marketing website (project-ag.com, when launched) uses only strictly-necessary first-party cookies. We do not deploy advertising cookies or third-party trackers on our website.
Project AG is intended for adults aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@projectag.app and we will delete the information promptly. In the United States, we comply with the Children's Online Privacy Protection Act (COPPA); in the UK we comply with the ICO's Age-Appropriate Design Code; in the EU, with GDPR Article 8 and applicable Member-State age-of-consent rules; and elsewhere with equivalent local provisions.
The Project AG mobile application does not use HTTP cookies. The app does use local on-device storage (UserDefaults, Keychain, and an encrypted Core Data store) to maintain your session, cache your profile, and store your preferences. This data is local to your device and is removed when you uninstall the app.
When we operate a marketing website, it will use only the strictly-necessary cookies required to deliver the page (e.g., session and CSRF tokens). A separate cookie notice will be published at that time.
Subject to your jurisdiction, you have some or all of the following rights with respect to your personal information. To exercise any of these rights, contact us at privacy@projectag.app or use the in-app tools described below. We will respond within the timeframes required by applicable law (in the EEA/UK, no later than one month, extendable by two further months for complex requests; in California, 45 days, extendable by 45 days; in Brazil, 15 days). We will not discriminate against you for exercising any of these rights.
Many of these rights can be exercised directly in the app:
We may need to verify your identity before fulfilling a rights request, particularly for access, portability, and deletion. We will use the minimum data necessary to do so — typically a confirmation code sent to the phone number or email on file.
We use automated systems in two places:
If you would like to contest the outcome of any automated decision, or request human review, contact privacy@projectag.app.
In the unlikely event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33; UK GDPR; equivalent timelines under LGPD, PIPA, FADP, POPIA, PDPL). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Art. 34; CCPA §1798.82; PIPEDA; LGPD Art. 48; APPI Art. 26; PIPA Art. 34).
If you have a question about this Policy or wish to exercise a right, please contact us first at privacy@projectag.app. We are committed to resolving complaints directly.
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. Some examples:
We may update this Privacy Policy from time to time. The "Effective Date" and "Version" at the top of the document indicate when this Policy was last revised. If we make material changes, we will notify you in the app at least 14 days before the change takes effect, and (where required by law) ask you to acknowledge the new Policy. Older versions are available on request from privacy@projectag.app.
This Annex applies to you if you are in the European Economic Area, Switzerland, or — by virtue of the extraterritorial scope of GDPR Article 3(2) — if our processing of your personal information relates to the offering of goods or services to you in the EEA, or to the monitoring of your behavior within the EEA.
Controller and EU representative. S8 Investment Holdings, LLC is the controller. Our EU Article 27 representative is [EU REP NAME], at [EU REP ADDRESS], reachable at eu-rep@projectag.app.
Legal bases. As described in Section 3. Where we rely on legitimate interests, we have conducted a documented Legitimate Interests Assessment and the conclusion is available on request.
International transfers. As described in Section 5. For transfers to the United States, we rely on the EU–US Data Privacy Framework where the recipient is self-certified, and on the 2021 SCCs (Module 2) otherwise, supplemented by the measures described in Section 6.
Supervisory authority. The competent lead supervisory authority for our EU operations will be determined by reference to the location of our main establishment in the EU. Until such time, you may complain to the authority in your Member State of residence.
Digital Services Act (Regulation (EU) 2022/2065). Project AG is an intermediary service within the meaning of the DSA. Our single point of contact for Member State authorities, the European Commission, and the European Board for Digital Services under Article 11 is dsa-authorities@projectag.app (working language: English). Our single point of contact for recipients of the service under Article 12 is dsa-users@projectag.app. Statements of reasons for content-moderation decisions are or will be published in the DSA Transparency Database where and when required by Article 24(5), in the form prescribed by the European Commission. The notice-and-action procedure under Article 16, the internal complaint-handling system under Article 20, and your right to refer disputes to a certified out-of-court dispute-settlement body under Article 21 are described in our Terms and Conditions and Community Guidelines.
This Annex applies to you if you are in the United Kingdom or our processing is otherwise subject to the UK GDPR.
Controller and UK representative. S8 Investment Holdings, LLC is the controller. Our UK Article 27 representative is [UK REP NAME], at [UK REP ADDRESS], reachable at uk-rep@projectag.app.
International transfers. Transfers from the UK are made under the UK Addendum to the EU SCCs or under the UK International Data Transfer Agreement issued by the Information Commissioner.
Supervisory authority. Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — ico.org.uk.
Online Safety Act 2023. Project AG is a "user-to-user service" within the meaning of the Online Safety Act 2023. We have designated a senior person accountable for compliance with our duties under the Act (section 103); the designation is held internally and can be confirmed to Ofcom on request at uk-safety@projectag.app. Our risk assessments, illegal-content policies, and age-assurance approach for adult-content controls are reviewed at least annually and updated when product changes warrant.
This Annex supplements the Policy if you are a California resident. Capitalized terms have the meaning given in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA").
Categories of personal information collected, sources, purposes, and disclosures. In the preceding 12 months we have collected the categories listed in Cal. Civ. Code §1798.140(v): identifiers; customer-records information; commercial information (subscription transactions); internet or network activity information; geolocation; sensory information (photographs and, transiently, biometric identifiers via Persona); inferences (matching signals); and sensitive personal information (precise geolocation, account log-in credentials in transit, contents of communications). Sources, purposes, and disclosures are as described in Sections 2–4 of this Policy.
Sale and "sharing" of personal information. We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined in the CCPA. We have not done so in the preceding 12 months.
Sensitive personal information. We use sensitive personal information (notably, photographs, precise geolocation, biometric identifiers transiently processed for verification, and the contents of your communications) only for the limited purposes permitted by Cal. Civ. Code §1798.121 and the implementing regulations, namely: to provide the services you have requested; to detect security incidents; to verify or maintain the quality of the service; and to comply with law. You have the right to limit our use of sensitive personal information; write to privacy@projectag.app to exercise it. We will action a verified request within 45 days (extendable by 45 days for complex requests).
Rights of California consumers. You have the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, the right to opt out of sale/sharing (we do neither), the right to portability, and the right not to receive discriminatory treatment for exercising any of the foregoing. To submit a request, email privacy@projectag.app or call our toll-free intake line at [TOLL-FREE NUMBER — operator to confirm]. Authorized agents may submit requests on your behalf with proof of authorization.
Retention. As described in Section 7 of this Policy.
"Shine the Light" (Cal. Civ. Code §1798.83). We do not disclose personal information to third parties for their direct-marketing purposes.
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MCDPA), or Maryland (MODPA), you have rights of access, correction, deletion, portability, and to opt out of "targeted advertising", "sale", and certain forms of "profiling" in furtherance of decisions producing legal or similarly significant effects. We do not engage in any of these practices. To exercise an applicable right, email privacy@projectag.app.
Aplica-se a você se estiver no Brasil ou se o tratamento de seus dados pessoais ocorrer no território nacional. Os princípios da LGPD (Art. 6º) — finalidade, adequação, necessidade, livre acesso, qualidade, transparência, segurança, prevenção, não discriminação e responsabilização — orientam todo o nosso tratamento.
Encarregado (DPO). [DPO BR NAME], dpo-br@projectag.app. Autoridade competente. Autoridade Nacional de Proteção de Dados (ANPD).
Bases legais. Conforme a Seção 3 desta Política, em correspondência aos Arts. 7º e 11 da LGPD. Direitos do titular. Conforme o Art. 18 da LGPD — confirmação, acesso, correção, anonimização/bloqueio/eliminação, portabilidade, eliminação dos dados tratados com consentimento, informação sobre compartilhamento, informação sobre a possibilidade de não fornecer consentimento, e revogação do consentimento.
We comply with the ten fair-information principles set out in Schedule 1 of PIPEDA, and with the additional requirements of Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information).
Person in charge of the protection of personal information. For residents of Quebec under Law 25 §3.1: [QC PIC NAME], quebec-privacy@projectag.app. Transfer impact assessments under Law 25 §17 are conducted prior to any transfer of personal information outside Quebec, and a summary is available on request. Right to portability in a structured, commonly-used technological format took effect September 22, 2024 and is supported via the in-app data export.
El presente Aviso de Privacidad se emite en cumplimiento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) y su Reglamento. El responsable es S8 Investment Holdings, LLC. Finalidades primarias: operación del servicio, comunicación con usted, prevención de fraude, cumplimiento legal. Finalidades secundarias (mercadotecnia, encuestas) — usted puede oponerse en privacy@projectag.app. Derechos ARCO (Acceso, Rectificación, Cancelación, Oposición) — solicitudes a privacy@projectag.app, conforme a los artículos 28–32 de la Ley.
本附則は、日本の個人情報の保護に関する法律(APPI)に基づき、日本国内の利用者に適用されます。S8 Investment Holdings, LLC が個人情報取扱事業者です。利用目的、第三者提供、外国にある第三者への提供については、本ポリシーの第3〜5項のとおりです。日本の利用者は、APPI 第33条〜第35条に基づき、保有個人データの開示、訂正、利用停止、第三者提供の停止を請求できます。お問い合わせ:privacy-jp@projectag.app。
본 부속서는 대한민국 개인정보 보호법(PIPA)에 따라 한국 내 이용자에게 적용됩니다. 개인정보처리자는 S8 Investment Holdings, LLC 입니다. 개인정보 보호책임자(CPO) (PIPA 제31조에 따라 지정): [KR CPO 성명 — 한국 출시 전 운영자 확정], 연락처 privacy-kr@projectag.app. 국내대리인(PIPA 제31조의2)이 지정된 경우: [국내대리인 성명 및 주소 — 해당 시 확정]. 민감정보 및 고유식별정보의 처리, 국외 이전, 그리고 자동화된 결정에 대한 권리는 본 정책의 해당 절을 참조하십시오. 본인은 개인정보 보호위원회(PIPC)에 신고할 권리가 있으며, 개인정보 분쟁조정위원회(KISA) 또는 대검찰청 사이버수사과를 통한 구제 절차도 이용할 수 있습니다.
We comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth). Our cross-border disclosures (APP 8) are governed by contractual safeguards with each overseas recipient and, where consent is required, are made only after we have obtained your consent. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
We are the "responsible party" under the Protection of Personal Information Act, 2013 (POPIA). Our Information Officer (POPIA §55), registered with the Information Regulator under Regulation 4 of the POPIA Regulations: [ZA INFORMATION OFFICER NAME — operator to confirm and register prior to ZA launch], reachable at popia@projectag.app. A Deputy Information Officer may be designated under §56 where the volume of requests warrants. South-African data subjects may exercise the rights conferred by POPIA Chapter 3 and may complain to the Information Regulator at inforegulator.org.za. Where we transfer personal information across borders, we do so in accordance with POPIA §72 (adequate level of protection, contractual safeguards, or your specific informed consent).
هذا الملحق ينطبق عليك إذا كنت في المملكة العربية السعودية أو إذا خضعت معالجة بياناتك الشخصية لنظام حماية البيانات الشخصية (PDPL). يقع مقر مراقب البيانات خارج المملكة، وقد عيّن المراقب ممثلاً محلياً مسجلاً لدى الهيئة السعودية للبيانات والذكاء الاصطناعي (SDAIA) وفقاً للمادة 5 من النظام: [اسم وعنوان الممثل المحلي السعودي — يجب على المشغّل تأكيده وتسجيله لدى SDAIA قبل الإطلاق في المملكة]، البريد الإلكتروني: ksa-rep@projectag.app. تُجرى التحويلات الدولية وفقاً لأحكام النظام واللائحة التنفيذية، بما في ذلك الإخطار المسبق لـ SDAIA حيثما يكون مطلوباً. للوصول إلى حقوقك (المادة 4 من النظام) — بما في ذلك الحق في الإعلام، والحق في الاطلاع، والحق في طلب الحصول على بياناتك، والحق في طلب تصحيح بياناتك أو إتلافها — يُرجى التواصل عبر privacy@projectag.app. للشكاوى يمكنك التواصل مع الهيئة السعودية للبيانات والذكاء الاصطناعي (SDAIA) عبر sdaia.gov.sa.
If you are in a jurisdiction not specifically named above, the body of this Policy applies. To the extent local law grants you additional rights, we will honor those rights on request. To the extent local law imposes additional obligations on us, we will comply with those obligations and update this Policy or publish a supplemental notice as appropriate.
Document identifier: privacy-policy. Version 1.0.0. Effective 2026-05-16. Locale en-US. Authoritative version. Translations into other languages are provided for convenience; in the event of a conflict, the English (en-US) version controls except where local law requires otherwise.