PRIVACY POLICY

This Privacy Policy describes how RWAFLIX ("we", "us", "our") collects, uses, stores, shares, and protects your personal information when you use our platform at rwaflix.com ("the Platform"). We are committed to protecting your privacy and handling your data transparently and responsibly. By creating an account or using the Platform, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Platform.

We collect the following categories of personal information: Account Information: When you register, we collect your full name, email address, and a hashed version of your password. We also store your selected account type (Creator, Professional, or Studio). Profile Information: You may voluntarily provide additional details including your bio, location, phone number, website, years of experience, social media links (LinkedIn, Twitter, Instagram, Facebook), profile photo, and cover photo. Portfolio Content: Any media, files, descriptions, and metadata you upload as portfolio items are stored on our servers and third-party hosting services (Cloudinary). Marketplace Data: If you list products on the marketplace, we collect product titles, descriptions, pricing, images, and your designated contact method (WhatsApp number, email address, or external URL). Payment Information: Payment transactions are processed through Flutterwave. We store transaction references, payment amounts, currencies, and payment statuses. We do NOT store your credit card numbers, bank account details, or mobile money PINs — these are handled exclusively by Flutterwave. Communication Data: Messages exchanged through the Platform's messaging system are stored to facilitate communication. Connection requests and their statuses are also recorded. Usage Data: We automatically collect data about how you interact with the Platform, including pages visited, profile views (who viewed your profile and when), timestamps of activity, IP addresses, browser type, and device information. Audit Logs: For security purposes, we log API requests including the endpoint accessed, HTTP method, request origin, user agent, and whether the request was successful.

We use your personal information for the following purposes: Service Delivery: To create and manage your account, display your profile and portfolio to other users, facilitate connections and messaging between users, process payments and membership activations, and operate the digital marketplace. Platform Improvement: To analyze usage patterns and improve Platform features, to fix bugs and resolve technical issues, and to develop new features based on user behavior. Communications: To send password reset emails and account verification links, to notify you of important changes to our Terms or Privacy Policy, and to send event and broadcast notifications (you may opt out of non-essential communications). Security & Safety: To detect and prevent fraud, unauthorized access, and abuse, to enforce our Terms of Service, to maintain audit trails for compliance purposes, and to respond to legal requests and law enforcement inquiries. Personalization: To display relevant talent suggestions and marketplace products, to show your profile view statistics, and to customize your experience based on your account type.

Data Location: Your data is stored on secure servers operated by our hosting providers. Our primary database is hosted on Neon (PostgreSQL cloud service), and media files (profile photos, portfolio items) are stored on Cloudinary's content delivery network. Security Measures: We implement industry-standard security practices including: password hashing using bcrypt with secure salt rounds, JWT (JSON Web Tokens) with refresh tokens for session management, HTTPS encryption for all data in transit, HMAC-SHA256 signed tokens for password reset verification, role-based access control (RBAC) to restrict administrative functions, and rate limiting on authentication endpoints to prevent brute-force attacks. Data Retention: We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 business days, except where retention is required by law or for legitimate business purposes (such as transaction records). Audit logs are retained for 12 months for security compliance. Third-Party Hosting: We use the following third-party services that may process and store your data: Vercel (application hosting and deployment), Neon (PostgreSQL database hosting), Cloudinary (media file storage and delivery), Flutterwave (payment processing), and email delivery services for transactional emails.

We do NOT sell your personal information to anyone. We share your information only in the following circumstances: Public Profile Information: Your name, profile photo, bio, roles, portfolio items, and marketplace listings are visible to other Platform users and the public (unless you set your profile to private). Profile view counts and recent viewers are visible only to you. Service Providers: We share data with third-party service providers who help us operate the Platform (Vercel, Neon, Cloudinary, Flutterwave). These providers are contractually obligated to protect your data and use it only for the purposes of providing their services to us. Other Users: When you send a message or connection request, the recipient can see your name, profile photo, and message content. When you list a product on the marketplace, your contact method (WhatsApp, email, or external link) is visible to potential buyers. Legal Requirements: We may disclose your information if required by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of our users. Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will notify you of any such change and your options regarding your data.

RWAFLIX uses cookies and browser local storage to enhance your experience: Essential Cookies: We use cookies to store your authentication tokens and session information. These are necessary for the Platform to function and cannot be disabled. We also use cookies to store your language preference (English or Kinyarwanda). Local Storage: We store your authentication tokens (JWT and refresh tokens) and user data in browser local storage for session persistence. This data is cleared when you log out. We do NOT use third-party tracking cookies, advertising cookies, or analytics cookies that track your behavior across other websites.

Depending on your jurisdiction, you may have the following rights regarding your personal data: Right to Access: You can request a copy of all personal data we hold about you. Right to Rectification: You can update your profile information, portfolio, and marketplace listings at any time through the Platform. Right to Deletion: You can request that we delete your account and associated data by contacting us at support@rwaflix.com. Deletion will be processed within 30 business days. Right to Data Portability: You can request your data in a structured, machine-readable format. Right to Restrict Processing: You can request that we limit how we use your data. Right to Object: You can object to certain types of data processing, including processing for marketing purposes. Right to Withdraw Consent: Where processing is based on your consent, you can withdraw consent at any time. To exercise any of these rights, contact us at support@rwaflix.com. We will respond within 30 business days. We may ask you to verify your identity before processing your request.

RWAFLIX is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we discover that we have inadvertently collected data from a minor, we will take immediate steps to delete that information. If you believe a child under 18 has provided us with personal information, please contact us at support@rwaflix.com.

RWAFLIX operates primarily in Rwanda but our services are available globally. Your data may be processed and stored in countries outside your country of residence, including countries where data protection laws may differ from your jurisdiction. By using the Platform, you consent to the transfer of your information to these countries. We take steps to ensure that your data receives adequate protection wherever it is processed, in compliance with applicable data protection regulations.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the data affected, the measures taken to address the breach, and recommendations for steps you should take to protect yourself. We will also notify relevant regulatory authorities as required by applicable law.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and notify users through the Platform. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: Email: support@rwaflix.com Address: Kigali, Rwanda Website: www.rwaflix.com For data protection inquiries, please include "Privacy Request" in your email subject line. We aim to respond to all inquiries within 5 business days.