CBODY — Privacy Policy

Effective Date: October 2025

1. Scope of Application

This Privacy Policy applies to the CBODY mobile application and related web experiences used by customers ("you" or "Users"). It explains how we collect, use, store, share, and protect your information when you browse, create an account, coordinate bookings, or communicate with providers via CBODY.

2. What We Collect & Why

We collect only what is necessary to operate the platform safely and efficiently:

• Account Data — email, display name, gender, profile photo/avatar, preferred language, country/region, and optional phone (country code + number) you provide for profile and communication purposes.
• Location Information — approximate or precise location (when authorized) to find nearby providers, estimate travel distance/fees, and enhance safety and relevance. You can disable location at any time in device settings.
• Addresses & Notes — service addresses you save (e.g., hotel/condo name, room number, access notes) to facilitate on-site services you request.
• Orders & Chats — booking details, order status, and message records between you and providers/support, used for coordination, safety, audit trails, and dispute prevention.
• Device Identifiers — device ID and Expo Push Token to deliver push notifications (order updates, messages, service status) and to prevent fraud/abuse.
• Media You Choose to Upload — e.g., avatar images or optional entrance photos of your location, used only for the stated purpose.
• App Usage Data — basic analytics, crash logs, and performance metrics to improve stability and user experience. We do not include advertising trackers.

3. How We Use Your Information

• Provide core features (account, discovery, booking coordination, messaging, notifications).
• Match with nearby verified providers and estimate travel distance/fees (when location is enabled).
• Maintain platform order and safety (e.g., anti-abuse, rate-limit, fraud prevention, and integrity systems).
• Operate our Trust Score mechanism (see Section 8) to encourage responsible behavior and manage misuse.
• Comply with legal obligations and respond to lawful requests.

4. Legal Bases

We process data under applicable laws (e.g., Thailand PDPA; and, where applicable, GDPR/other regimes) based on: performance of a service you request; our legitimate interests in safety, reliability, and improvement; your consent for optional permissions; and legal obligations.

5. Permissions You Can Control

• Location (approx./precise, foreground and, if you allow, background for time-critical updates). Without it, some proximity features may not work.
• Notifications (order, message, status). You can disable in device settings, but you may miss time-sensitive updates.
• Photos/Media for avatar or optional entrance photos. We access only files you select.

6. Cookies & Local Storage

We use secure local storage (tokens, preferences) to keep you signed in and reduce latency. No third-party advertising cookies are used in the app. Web experiences may use strictly necessary cookies for session and security.

7. Information Security

All traffic uses HTTPS. Data is stored on Supabase cloud infrastructure (PostgreSQL) with Row-Level Security (RLS) to ensure that only authorized requests can access your records. We apply industry-standard encryption, access control, and periodic security reviews.

8. Trust & Integrity System

To protect users and service quality, CBODY operates a Trust Score for customers. Responsible behavior (on-time, respectful communication, honoring agreed travel fees, avoiding no-shows) improves trust; misconduct (no-show, harassment, abusive messages, repeated policy violations, intentional circumvention) reduces trust. We may apply usage limits, messaging/booking restrictions, or account actions where necessary. We reserve reasonable discretion to interpret violations and enforce platform order.

9. Data Sharing & Third Parties

• With Providers — we share only information needed to coordinate bookings (e.g., display name, service address, order/chat details you provide, and relevant contact preferences).
• Service Vendors — Supabase (authentication, database, real-time), Expo services (push notifications, device modules), and media delivery services strictly for core functionality. We do not integrate advertising SDKs.
• Legal/Safety — we may disclose data to comply with law or protect users from harm, fraud, or security threats.

10. Retention

We retain personal data only as long as needed for operations, safety, or legal requirements. Routine operational records (e.g., orders/chats) may be kept for audit and safety purposes. If you delete your account, we will remove or de-identify personal data within a reasonable period, except where law or legitimate interests (e.g., fraud prevention) require limited retention.

11. Cross-Border Transfers

Your data may be stored in data centers outside your country (e.g., Singapore/US operated by Supabase). We implement appropriate safeguards (e.g., standard contractual clauses, technical controls) for such transfers.

12. Children's Privacy

CBODY is intended for adults (18+) only. We do not knowingly collect data from minors.

13. Your Rights

• Access a copy of your personal data;
• Rectify inaccurate information;
• Delete your account and associated data (subject to legal retention needs);
• Withdraw consent or disable permissions.

To exercise rights, contact us at the email below. We may need to verify your identity before responding.

14. Account Deletion

You have the right to delete your account at any time directly from the app. To delete your account, navigate to:

Profile → Settings → Delete Account

What will be deleted:

• Your personal profile information and account credentials;
• Your saved provider favorites list;
• All saved service addresses and location notes;
• Chat history and message records;
• Device notification tokens and preferences.

What will be anonymized:

• Historical order records will be anonymized (personal identifiers removed) and retained for business operations, financial compliance, and dispute resolution purposes;
• Any reviews or feedback you provided will be anonymized to preserve marketplace integrity.

Important: Account deletion is permanent and cannot be undone. Once deleted, you will not be able to recover your data or account. If you wish to use CBODY again in the future, you will need to create a new account.

If you are unable to access the app, you may request account deletion by emailing us at cbodyspa@gmail.com from your registered email address. We will process your request within 48 hours and confirm once completed.

15. No Ads & SDK Disclosure

We do not include advertising or tracking SDKs. Core SDKs (e.g., Expo Location/Notifications/Image Picker/Video, Supabase SDK) are used only to provide the features you request and comply with app store privacy requirements.

16. Changes to This Policy

We may update this Privacy Policy to reflect new features or legal changes. Significant changes will be announced in-app. Continued use after publication means you accept the updated policy.

17. Contact Us

Email: cbodyspa@gmail.com
Company: Sichuan Penglaokun Network Technology Co., Ltd.
Jurisdiction Notice: Please comply with the laws and regulations of the service location. CBODY currently focuses on Thailand and may expand to additional countries; local rules will apply.