Shhh GuidesGet the App

Privacy Policy

Document Classification: User-Facing Legal
Effective Date: 1 March 2026
Last Updated: 21 March 2026
Version: 2.1
Governing Law: Ontario, Canada

1. Introduction

Data Controller: Blvckshell Incorporated doing business as Shhh
Legal form: Canadian federal corporation (Canada Business Corporations Act).
Corporation number: 1400386-1
Business Number (BN): 729655308RC0001
Incorporation date: 2 May 2022
Registered office: 2113 Division Road N, Kingsville, Ontario N9Y 2Z2, Canada

Blvckshell Incorporated doing business as Shhh ("we," "us," or "our") operates the Shhh mobile application, website, and related services (collectively, the "Services"). We aim to protect your privacy and give you control over your data. This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard your information when you use our Services. It applies to all users of the Services, regardless of location.

Consent is contextual and revocable. Prior consent does not imply future consent. You may withdraw consent at any time where processing is consent-based. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

2. Information We Collect

2.1 Information You Provide

  • Account information: Phone number (hashed), display name, bio, photos, date of birth (used to confirm you meet the minimum age for the Services and for account integrity), gender, preferences, and verification status.
  • Communications: Messages, whispers, and other content you send through the Services.
  • Payment information: Processed by our payment provider (Stripe); we do not store full card numbers.
  • Support contacts: Information you provide when contacting support or reporting issues.

2.2 Information Collected Automatically

  • Device information: Device type, operating system, unique identifiers.
  • Location data: Approximate location (with your consent) for discovery and venue features. Location is fuzzed for privacy.
  • Usage data: Logs of app usage, features used, and interaction patterns.

2.3 Information from Third Parties

  • Verification: If you complete identity verification, we may receive verification status from our providers.

2.4 Sensitive Personal Information

We may collect categories of data that are considered "sensitive" under applicable law, including:

  • Precise geolocation: When you use discovery or check-in features (with your consent). We apply fuzzing to protect your precise position.
  • Information revealing sexual orientation or preferences: To the extent you provide this in your profile or preferences.
  • Biometric data: If you submit a photo for verification, we may use it for identity verification. We do not extract or store biometric templates for other purposes.

We use sensitive information only as necessary to provide the Services, with your consent where required, and do not use it for inferring characteristics beyond what you have provided.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Services;
  • Authenticate you and manage your account;
  • Enable discovery, messaging, and other features;
  • Process payments and subscriptions;
  • Send transactional and service-related communications;
  • Enforce our Terms and policies;
  • Detect and prevent fraud, abuse, and security incidents;
  • Comply with legal obligations;
  • Conduct analytics (aggregated and anonymized where possible);
  • Personalise your experience (e.g. discovery matching, ad targeting) where permitted.

Profiling and automated decision-making: We may use automated processes to match you with nearby users, surface relevant content, and serve ads. These processes do not produce legal effects or similarly significantly affect you. Where we use automated decision-making that could have legal or similarly significant effects, we will inform you and provide the right to human review, to express your point of view, and to contest the decision (GDPR Art. 22). We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

  • Contract: To provide the Services you requested.
  • Legitimate interests: To improve the Services, ensure security, prevent fraud, conduct analytics, and enforce our Terms. Our specific legitimate interests include: fraud prevention, network and information security, analytics to improve the product, and direct marketing (where permitted). You have the right to object to processing based on legitimate interests.
  • Consent: Where we rely on consent (e.g. precise location, optional features, marketing), you may withdraw it at any time.
  • Legal obligation: To comply with applicable laws.

5. Data Sharing and Disclosure

We may share your information with:

  • Service providers: Hosting, analytics, payment processing, SMS, verification (under data processing agreements).
  • Legal requirements: When required by law, court order, or to protect our rights, safety, or property.
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with notice).
  • With your consent: Where you have explicitly agreed.

We do not sell your personal information. We do not "share" your personal information for cross-context behavioural advertising (as defined under CCPA/CPRA).

Marketing: If we send marketing communications, we will do so only with your consent or where permitted by law. You may opt out at any time via the unsubscribe link in emails or in-app settings. We will not discriminate against you for opting out.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Services. Specific retention periods:

  • Account data: Until account deletion, plus a reasonable period for backups and legal compliance.
  • Messages: Per TTL settings; some messages may be retained for compliance and safety.
  • Logs and audit: As required by law or our Data Retention Policy.

6.1 Deletion & Retention Clarification

When you request account deletion, we process your request in accordance with our Data Subject Rights process. To set accurate expectations:

  • Active data deletion: We aim to delete or anonymise your account data, profile, and associated content within 30 days of a verified deletion request. Some data may be retained longer where required for backups, legal holds, or technical constraints.
  • Safety and audit retention: We may retain certain data (e.g. safety reports, audit logs, moderation records) for longer periods where necessary for safety, abuse prevention, or legal compliance. This data is retained in accordance with our Data Retention Policy.
  • Legal retention: We retain data where required by law (e.g. financial records, certain logs). We do not use retained data for purposes beyond the stated retention reason.
  • Anonymisation vs destruction: In some cases we may anonymise data rather than destroy it (e.g. for analytics). Anonymised data cannot identify you.

Transparency about these limits is more important than perfection. We are continuously improving our deletion processes.

7. Cookies and Similar Technologies

We use cookies and similar technologies on our web properties. See our Cookie Policy for details.

8. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion of your data.
  • Portability: Receive your data in a structured format.
  • Object: Object to processing based on legitimate interests.
  • Restrict: Restrict processing in certain circumstances.
  • Withdraw consent: Where processing is based on consent.

To exercise these rights, contact legal@shhh.social or use the in-app settings. We will respond within the timeframes required by applicable law.

You may also lodge a complaint with your local data protection authority.

9. Data Security

We implement technical and organisational measures designed to protect your data, including encryption in transit, access controls, and security assessments. See our Security Policy for more details. No system is perfectly secure; we aim to reduce risk to a reasonable level.

10. International Transfers

Your data may be transferred to and processed in countries outside your residence, including the United States. Where required by law, we use appropriate safeguards, including:

  • EU/EEA: Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.
  • UK: UK-approved transfer mechanisms.
  • Other jurisdictions: Equivalent safeguards as required.

You may request a copy of the safeguards we use by contacting legal@shhh.social.

11. Children's Privacy

Our Services are not intended for users under 18. We do not knowingly collect data from children. See our Children's Privacy notice for more information.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: What personal information we collect, the categories of sources, our business purposes, and the categories of third parties we share with.
  • Right to delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale: We do not sell personal information.
  • Right to opt out of sharing: We do not "share" personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information: We use sensitive personal information only as necessary to provide the Services and as described in this policy. You may limit use beyond what is necessary by contacting us.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact legal@shhh.social or use the in-app settings. We will respond within 45 days (with one 45-day extension if needed, with notice). You may designate an authorised agent to submit requests on your behalf; we will verify the agent's authority. If we deny your request, you may appeal by contacting legal@shhh.social; we will inform you of the appeal process and any further options.

Do Not Track: Some browsers send a "Do Not Track" (DNT) signal. We do not currently respond to DNT signals, but we honour your privacy choices as set out in this policy and in-app settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app or via email. Your continued use after the effective date constitutes acceptance.

14. Contact

For privacy-related questions or to exercise your rights:

  • Email: legal@shhh.social
  • Data Protection Officer: legal@shhh.social (if applicable)
  • Post: Blvckshell Incorporated (Attn: Data Protection), 2113 Division Road N, Kingsville, Ontario N9Y 2Z2, Canada

Accessibility: If you need this policy in an accessible format, contact legal@shhh.social.