← Back

Privacy Policy

Last updated: March 18, 2026

1. Introduction

Boredmood Studios ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, share, and protect information obtained from users ("User," "you," or "your") of the Boredmood Studios website located at boredmood.studio, the Boredmood OS iOS application, and any related services, tools, features, or APIs (collectively, "the Platform" or "the Services").

By accessing or using the Platform, you consent to the collection, use, disclosure, and processing of your personal information as described in this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, please do not use the Platform. This Privacy Policy is incorporated into and subject to our Terms of Service.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where appropriate, providing additional notice (such as an in-app notification or email). Your continued use of the Platform after such modifications constitutes your acknowledgment and acceptance of the modified Privacy Policy.

2. Information We Collect

We collect information from you in several ways when you use the Platform. The types of information we collect include:

2.1 Account & Profile Information

When you create an account, we collect your email address and authentication credentials. Through your profile, we may collect your username, display name, avatar image, bio, social links, and any other profile information you choose to provide. Authentication is handled through Supabase Auth, a third-party authentication service.

2.2 User-Generated Content

We collect and store all content you create, upload, post, or share on the Platform, including but not limited to:

  • Images, photographs, and visual artwork you upload or generate
  • Audio files, music tracks, DJ sets, and sound recordings
  • Text posts, comments, and replies
  • Moodboard compositions and canvas arrangements
  • Collections, bookmarks, and saved items
  • Clan posts, clan chat messages, and clan announcements
  • Event listings, RSVP data, and check-in records
  • AI generation prompts, parameters, and resulting outputs

2.3 Social Interaction Data

When you interact with other users or content on the Platform, we collect data related to those interactions, including:

  • Follows & Followers: Records of which users you follow and who follows you
  • Likes: Records of content you have liked, including timestamps
  • Reposts: Records of content you have reposted to amplify within the community, including timestamps and repost counts
  • Comments & Replies: Text content you post as comments on other users' content
  • @Mentions: When you tag other users using the @username syntax in posts, comments, or clan chat, we process the mentioned usernames to resolve user identities, deliver notifications, and render interactive links. Autocomplete suggestions for @mentions involve querying public usernames from our profiles database
  • Direct Messages: Content of private messages exchanged between you and other users
  • Clan Membership: Records of which clans you belong to, your role within each clan, and your clan activity
  • Notifications: Records of notifications generated by your social interactions, including likes, follows, reposts, mentions, comments, and clan activity

2.4 Usage & Analytics Data

We automatically collect certain information about how you access and interact with the Platform, including:

  • Pages and features visited, including timestamps and duration
  • Interaction patterns such as clicks, scrolls, taps, and navigation paths
  • Session duration, frequency, and timing of visits
  • Search queries entered on the Platform
  • Feature adoption and usage frequency
  • Error logs and crash reports
  • Performance metrics and load times

This data is collected using PostHog, our analytics provider. PostHog may also record session replays — visual recordings of how you interact with the Platform (mouse movements, clicks, page scrolls, and navigation). Session replays do not capture passwords, credit card numbers, or other sensitive form field inputs.

2.5 Device & Technical Information

When you access the Platform, we may automatically collect technical information about your device and connection, including:

  • Device type, model, manufacturer, and operating system version
  • Browser type, version, and language settings
  • Screen resolution and display characteristics
  • IP address (which may be used to approximate your general geographic location)
  • Unique device identifiers
  • Referring URLs and exit pages
  • Network connection type and internet service provider
  • Time zone settings and language preferences

2.6 Payment & Transaction Data

When you make purchases on the Platform (such as purchasing credits), we collect transaction-related data including the items purchased, transaction amounts, dates, and billing address. Full payment card details (card number, CVV, expiration date) are collected and processed directly by Stripe, our third-party payment processor, and are never stored on our servers. We may receive and store limited payment information from Stripe, such as the last four digits of your card number, card brand, and billing address, for receipt and fraud prevention purposes.

2.7 Communication Data

We collect information from communications you send to us, including emails, support requests, feedback submissions, and any other correspondence. If you contact us through email at edward@boredmood.studio, we will retain the content of your email messages, your email address, and our response for the purpose of handling your inquiry.

3. How We Use Your Information

We use the information we collect for a variety of purposes, including but not limited to:

3.1 Providing & Operating the Platform

  • Create, maintain, and secure your account
  • Authenticate your identity and manage access permissions
  • Display your content to other users in the community canvas, feed, gallery, clans, and other areas of the Platform
  • Process your social interactions including likes, follows, reposts, comments, and @mentions
  • Deliver notifications about social interactions, including when someone likes, comments on, reposts, or @mentions you in content
  • Power the @mention autocomplete feature by searching public usernames when you type the @ symbol
  • Facilitate real-time communications including clan chat, direct messages, and radio streaming
  • Process payments, manage credits, and maintain transaction records
  • Provide event discovery, ticketing, and check-in services
  • Generate AI-powered content based on your prompts and creative parameters

3.2 Improving & Personalizing the Platform

  • Analyze usage patterns to understand how the Platform is used and identify areas for improvement
  • Conduct A/B testing and feature experiments to optimize the user experience
  • Develop new features, products, and services based on usage insights
  • Personalize content recommendations and discovery based on your interactions and preferences
  • Improve the accuracy and relevance of search results and autocomplete suggestions
  • Monitor and improve the performance, reliability, and security of the Platform

3.3 Communication

  • Send you transactional emails and notifications related to your account activity
  • Communicate service updates, security alerts, and administrative messages
  • Notify you about changes to our Terms of Service or Privacy Policy
  • Respond to your support requests, questions, and feedback
  • Send event reminders and community updates (with your consent where required)

3.4 Safety, Security & Legal Compliance

  • Detect, investigate, and prevent fraudulent, unauthorized, or illegal activities
  • Enforce our Terms of Service and community guidelines
  • Protect the rights, property, and safety of Boredmood Studios, our users, and the public
  • Comply with applicable legal obligations, including responding to lawful requests from law enforcement and government authorities
  • Resolve disputes and enforce our agreements

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, our legal bases for collecting and using your personal information depend on the specific context in which we collect it:

  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing the Services, managing your account, processing payments)
  • Legitimate Interests: Processing necessary for our legitimate interests, such as improving the Platform, fraud prevention, and security, where such interests are not overridden by your data protection rights
  • Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., analytics, session recording, marketing communications)
  • Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject

5. Third-Party Services & Data Processors

We engage certain trusted third-party service providers to perform functions and provide services to us. We share your personal information with these third parties only to the extent necessary to perform the respective services. Each third-party provider is contractually obligated to protect your data and use it only for the purposes we specify.

  • Supabase — Database hosting, user authentication, real-time subscriptions (including live clan chat and notification delivery), file storage, and Row Level Security enforcement. Supabase stores your account data, content, social interactions (likes, follows, reposts, mentions, comments), and all structured data. Data is stored on Supabase-managed PostgreSQL databases with encryption at rest.
  • Cloudflare R2 — Object storage and content delivery network (CDN) for user-uploaded media files including images, audio files, and video content. Files are distributed globally for fast access and served via Cloudflare's edge network.
  • Vercel — Web application hosting, serverless function execution, and edge deployment. Vercel processes HTTP requests and may log request metadata including IP addresses, user agents, and request paths for performance monitoring and security.
  • PostHog — Product analytics, event tracking, feature flags, and session recording. PostHog collects usage data including page views, clicks, interactions, session replays, and user identification data. PostHog may set cookies and use local storage for tracking purposes. You can opt out of PostHog tracking by using a browser extension that blocks analytics scripts, or by enabling "Do Not Track" in your browser settings.
  • Stripe — Payment processing for credit purchases and event ticketing. Stripe collects and processes payment card details directly and is PCI DSS Level 1 compliant. Stripe may collect additional fraud detection data. We do not store full payment card details on our servers.
  • fal.ai — AI image generation and machine learning model inference. When you use AI generation features, your text prompts and generation parameters are sent to fal.ai for processing. Generated images may be temporarily hosted on fal.ai CDN servers before being transferred to our storage.
  • Resend — Transactional email delivery for account verification, password reset, event confirmations, and other system emails. Resend processes your email address and email content to deliver messages on our behalf.

Each of these services has its own privacy policy governing the collection and use of information. We strongly recommend reviewing the privacy policies of these third-party services to understand their data practices.

6. Data Storage, Security & Retention

6.1 Data Storage

Your data is primarily stored on Supabase-managed PostgreSQL databases with encryption at rest and in transit. User-uploaded media files (images, audio, video) are stored on Cloudflare R2 with global CDN distribution. AI-generated images may be temporarily hosted on fal.ai CDN servers before being transferred to our permanent storage systems. All data transfers between your device and our servers are encrypted using TLS 1.2 or higher.

6.2 Security Measures

We implement a variety of technical and organizational security measures to protect your personal information, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Row Level Security (RLS) policies on all database tables to ensure users can only access data they are authorized to view
  • Secure authentication through Supabase Auth with support for multi-factor authentication
  • Regular security assessments and dependency vulnerability scanning
  • Access controls and role-based permissions for administrative functions
  • Automated monitoring for suspicious activities and unauthorized access attempts
  • Secure environment variable management for API keys and secrets

Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.

6.3 Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Services. We may also retain and use your personal information as necessary to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements. When you delete your account, we will delete or anonymize your personal information within a commercially reasonable timeframe, except where retention is required by law or for legitimate business purposes. Backup copies may persist in our systems for up to ninety (90) days following deletion.

7. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect and store certain information when you use the Platform. These technologies include:

7.1 Essential Cookies

These cookies are strictly necessary for the Platform to function and cannot be switched off. They are set in response to actions you take, such as logging in, setting your privacy preferences, or filling in forms. They include authentication session tokens managed by Supabase Auth.

7.2 Analytics Cookies

PostHog sets analytics cookies to track your usage patterns across sessions. These cookies help us understand which features are most popular, how users navigate the Platform, and where they encounter issues. Analytics cookies may include a unique identifier to recognize returning visitors.

7.3 Local Storage

We may use browser local storage (localStorage and sessionStorage) to store preferences, UI state, and other non-sensitive data to improve your experience. This includes settings such as dismissed onboarding prompts, preferred view modes, and recent search queries.

7.4 No Advertising Cookies

We do not use third-party advertising cookies, retargeting pixels, or ad tracking technologies. We do not serve advertisements on the Platform and do not share your data with advertising networks.

Most web browsers are set to accept cookies by default. You can usually choose to set your browser to refuse cookies or alert you when cookies are being sent. If you disable cookies, some parts of the Platform may not function properly.

8. Data Sharing & Disclosure

We do not sell, rent, trade, or otherwise share your personal information with third parties for their own marketing purposes. We may share your information in the following circumstances:

  • With Your Consent: We may share your information when you have given us explicit consent to do so
  • Public Content: Content you choose to publish on the Platform (posts, profile information, public comments, reposts) will be visible to other users and may be indexed by search engines
  • Social Interactions: When you like, repost, comment on, or @mention someone, the relevant activity and your public profile information will be visible to the affected users and may appear in their notification feeds
  • Clan Content: Content shared within clans is visible to clan members; content marked as "public" within clans is visible to all Platform users
  • Service Providers: We share information with third-party service providers who process data on our behalf (as described in Section 5)
  • Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or use of your personal information
  • Aggregated & De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analysis, business intelligence, or other purposes

9. Your Rights & Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information. These rights may include:

9.1 Access & Portability

You have the right to request access to the personal information we hold about you. You may also request a portable copy of your data in a structured, commonly used, and machine-readable format.

9.2 Correction

You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update most of your account information directly through your profile settings.

9.3 Deletion

You have the right to request deletion of your personal information, subject to certain exceptions. You can delete your account through the settings page or by contacting us. Upon account deletion, we will delete your account data, profile information, and associated content. Some information may be retained as required by law or for legitimate business purposes.

9.4 Restriction & Objection

You may have the right to restrict or object to certain types of processing of your personal information, particularly where we process data based on legitimate interests.

9.5 Withdrawal of Consent

Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

9.6 Opt-Out of Analytics

You can opt out of PostHog analytics tracking by: (a) using a browser extension that blocks analytics scripts (such as uBlock Origin); (b) enabling the "Do Not Track" setting in your browser; or (c) contacting us to request removal of your analytics data.

9.7 Notification Preferences

You can manage your notification preferences, including notifications for likes, follows, reposts, @mentions, comments, and clan activity, through your account settings. You may opt out of non-essential email communications at any time.

To exercise any of these rights, please contact us at contact@boredmood.studio. We will respond to your request within thirty (30) days, or as required by applicable law. We may need to verify your identity before processing your request.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
  • Right to Correct: You have the right to request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

To exercise your California privacy rights, please contact us at contact@boredmood.studio.

11. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than the country in which you reside, including the United States, where our servers and third-party service providers operate. These countries may have data protection laws that are different from the laws of your country.

If you are located in the European Economic Area (EEA) or United Kingdom, we will ensure that any transfer of your personal information to countries outside the EEA/UK is protected by appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms.

By using the Platform, you consent to the transfer of your information to the United States and other countries where our service providers operate, as described in this Privacy Policy.

12. Children's Privacy

The Platform is not intended for, directed at, or designed to attract children under the age of thirteen (13). We do not knowingly collect, maintain, or use personal information from children under thirteen (13) years of age, and no part of the Platform is directed to children under thirteen (13).

If we learn that we have collected personal information from a child under thirteen (13) without parental consent, we will take steps to delete such information as quickly as possible. If you believe that we might have any information from or about a child under thirteen (13), please contact us immediately at support@boredmood.studio.

For users between thirteen (13) and eighteen (18) years of age, we strongly encourage parents and guardians to monitor their children's use of the Platform and to help enforce this Privacy Policy by instructing their children never to provide personal information through the Platform without their permission.

13. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to the websites and other online services with which the browser communicates. There is currently no universally accepted standard for how companies should respond to DNT signals. We currently do not change our tracking practices in response to DNT signals, but we may update this practice as industry standards evolve. However, you can opt out of analytics tracking as described in Section 9.6.

14. User-to-User Data Exposure

Certain features of the Platform inherently involve the sharing of information between users. When you use these features, you should be aware of the following:

  • Your public profile information (username, avatar, bio) is visible to all Platform users
  • Posts you publish are visible to other users and may appear in the explore canvas, feeds, and search results
  • When you @mention another user, they will receive a notification containing your username and a link to the relevant content
  • When you repost another user's content, the original author will be notified and the repost may appear in your followers' feeds
  • Comments you post are visible to other users viewing the same content
  • Your clan membership and clan activity are visible to other clan members
  • Event check-ins may be visible to event organizers and other attendees

We are not responsible for the actions of other users with respect to your personal information. We encourage you to be mindful of the information you choose to share publicly on the Platform.

15. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time, at our sole discretion. When we make material changes, we will update the "Last updated" date at the top of this page. We may also provide additional notice of significant changes through email notification or in-app alerts. We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

Your continued use of the Platform after the effective date of any changes to this Privacy Policy constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, you should discontinue your use of the Platform and contact us to exercise your data rights as described in Section 9.

16. Contact Information

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy or our data practices, please contact us:

Boredmood Studios — Data Protection

Email: contact@boredmood.studio

Website: boredmood.studio

If you are located in the EEA and believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.