Privacy Policy

Tago ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Tago platform, including our mobile applications, website, and related services (collectively, the "Services"). This Policy applies to all users worldwide and is designed to comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's PIPEDA, Australia's Privacy Act 1988, and other applicable national and state privacy laws. Please read this Policy carefully. By using the Services, you acknowledge you have read and understood it. If you do not agree, you must discontinue use of the Services.

Tago is the data controller responsible for your personal data. Our registered contact for privacy matters is: Email: tago@savhfresh.com Postal: Tago Privacy Team, c/o Legal Department For users in the European Economic Area (EEA) or the United Kingdom, we have appointed a representative who can be contacted at the email above. For users in California, we act as the "business" under the CCPA/CPRA.

We collect the following categories of personal data: (a) Account Data: name, username, email address, date of birth, profile photo, bio, and password (stored in hashed form). (b) Identity Verification Data: government-issued ID documents where required for creator payouts or age verification, processed by our third-party verification partner. (c) Content Data: videos, images, audio recordings, text posts, comments, messages, and live stream recordings you create or share on Tago. (d) Transaction Data: purchase history, payment method details (card type and last four digits only — full card numbers are processed and stored by our PCI-DSS-compliant payment processor), billing address, shipping address, order history, and payout history. (e) Usage Data: pages and features accessed, search queries, videos watched, time spent, clicks, scroll behaviour, feed interactions, device identifiers, IP addresses, browser type and version, operating system, referring URLs, and session duration. (f) Device Data: device model, hardware identifiers, advertising identifiers (IDFA/GAID), OS version, timezone, language settings, and network type. (g) Location Data: country and region inferred from IP address. Precise GPS location is only collected with your explicit consent for features that require it. (h) Communications Data: messages you send to other users or to Tago support, and metadata about those messages (timestamp, participants). (i) Third-Party Social Data: if you sign in via Google or Apple, we receive your name, email address, and profile picture from those providers, subject to their own privacy policies. (j) Financial Data for Creators: bank account details, tax identification numbers (e.g. Social Security Number, Employer Identification Number, VAT number) and W-9/W-8 forms where required for tax reporting purposes. (k) Cookies and Tracking Data: as described in Section 10 below.

Under the GDPR and UK GDPR, we process your personal data on the following legal bases: (a) Performance of a Contract: to create and maintain your account, provide the Services, process transactions, and fulfil orders. (b) Legitimate Interests: to improve our Services, detect and prevent fraud and abuse, ensure security, conduct analytics, and send service-related communications. We have conducted legitimate interest assessments and determined these interests are not overridden by your rights. (c) Consent: to send marketing communications, place non-essential cookies, process precise location data, and conduct personalised advertising. You may withdraw consent at any time. (d) Legal Obligation: to comply with applicable laws including tax reporting, anti-money laundering requirements, and lawful government requests. (e) Vital Interests: in rare circumstances where processing is necessary to protect someone's life. For users outside the EEA/UK, we process your data based on your agreement to these terms and our legitimate business purposes, subject to applicable local laws.

We use your personal data to: • Create, maintain, and authenticate your account • Provide, personalise, and improve the Services • Operate and curate the video feed, search, and recommendations • Process purchases, payments, payouts, and refunds • Facilitate live streams and real-time features • Send transactional emails (receipts, shipping updates, password resets) • Send service announcements and policy update notices • Send marketing communications where you have consented or where permitted by law • Detect, investigate, and prevent fraud, spam, abuse, and security incidents • Enforce our Terms of Service and Community Guidelines • Comply with legal obligations including tax reporting (e.g. IRS 1099-K filings, EU DAC7 reporting for sellers) • Respond to legal requests from government authorities • Conduct internal analytics and product research • Train and improve our recommendation and content moderation systems

We do not sell your personal data. We share data in the following circumstances: (a) Service Providers: we share data with vetted third-party processors who assist us in operating the Services, including cloud hosting, payment processing, identity verification, push notifications, email delivery, analytics, and customer support. All processors are bound by data processing agreements and may only use your data as instructed by us. (b) Other Users: your profile, username, public posts, videos, shop listings, and any content you post publicly is visible to other users and the general public. Your messages are shared with intended recipients only. (c) Buyers and Sellers: when a transaction occurs, we share necessary order details (name, address, order contents) between buyer and seller to fulfil the order. (d) Business Transfers: in the event of a merger, acquisition, financing, reorganisation, or sale of assets, your data may be transferred to the acquiring entity, subject to equivalent privacy protections. (e) Legal Compliance: we disclose data when required by law, court order, or valid government request; when necessary to protect the rights, property, or safety of Tago, our users, or the public; or to enforce our agreements. (f) Aggregated / De-identified Data: we may share aggregated, anonymised data that cannot reasonably identify you with partners and publicly. (g) With Your Consent: we may share data with third parties when you have given explicit consent.

Tago is a global platform. Your data may be transferred to and processed in countries other than your country of residence, including the United States and other countries where our service providers operate. For transfers of personal data from the EEA or UK to countries that the European Commission or UK ICO has not deemed adequate, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms. A copy of the relevant SCCs is available upon request. For transfers from other jurisdictions, we implement appropriate safeguards as required by applicable law.

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. • Account data: retained for the duration of your account and deleted within 30 days of account closure, subject to the exceptions below. • Transaction and financial records: retained for 7 years to comply with tax and accounting obligations. • Creator payout records and tax forms: retained as required by applicable tax law (typically 7 years). • Content (videos, posts): deleted upon account closure unless required for legal proceedings. • Safety and fraud logs: retained for up to 2 years to detect and prevent abuse. • Legal hold: data subject to a legal hold may be retained longer as required. After retention periods expire, data is securely deleted or anonymised.

Depending on your jurisdiction, you may have the following rights: (a) Access: request a copy of the personal data we hold about you. (b) Rectification / Correction: request correction of inaccurate or incomplete data. (c) Erasure / Deletion ("Right to be Forgotten"): request deletion of your personal data, subject to legal obligations requiring us to retain certain records. (d) Restriction of Processing: request that we restrict processing of your data in certain circumstances. (e) Data Portability: receive your personal data in a structured, machine-readable format and transmit it to another controller (EEA/UK users). (f) Object to Processing: object to processing based on legitimate interests or for direct marketing purposes. (g) Withdraw Consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing. (h) Non-Discrimination (CCPA/CPRA — California): we will not discriminate against you for exercising your privacy rights. (i) Opt Out of Sale / Sharing (CCPA/CPRA): although we do not sell personal data, you may opt out of sharing for cross-context behavioural advertising by contacting us. (j) Limit Use of Sensitive Personal Information (CCPA/CPRA): you may request we limit use of sensitive personal information to necessary purposes. (k) Automated Decision-Making: you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where necessary for a contract or with your consent. To exercise any of these rights, email tago@savhfresh.com or use the in-app privacy controls in Settings > Privacy. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. You may also lodge a complaint with your local data protection authority.

We use cookies, pixel tags, local storage, and similar technologies to: • Keep you logged in (strictly necessary — cannot be disabled) • Remember your preferences • Understand how you use the Services (analytics) • Measure the effectiveness of our marketing campaigns • Prevent fraud and enhance security Non-essential cookies are only placed with your consent, which you can manage via our cookie preference centre (accessible via the cookie banner) or your browser settings. Withdrawing cookie consent does not affect strictly necessary cookies required for the Services to function. We use third-party analytics and advertising technologies. You may opt out of targeted advertising through industry opt-out tools such as the Digital Advertising Alliance (DAA) opt-out, the Network Advertising Initiative (NAI) opt-out, or your device's advertising settings.

The Services are not directed to children under the age of 13, or under 16 in the European Economic Area, or under the applicable minimum age in your jurisdiction ("Minimum Age"). We do not knowingly collect personal data from children below the Minimum Age. If you believe we have inadvertently collected such data, please contact tago@savhfresh.com immediately and we will delete it promptly. Users between the Minimum Age and 18 (or the age of majority in their jurisdiction) may only use the Services with parental or guardian consent. Certain features (including payments and some content) are restricted to adults. We comply with the Children's Online Privacy Protection Act (COPPA), the EU's requirements under Article 8 of the GDPR, the UK Children's Code, and equivalent laws in other jurisdictions.

We implement technical and organisational measures designed to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure. These measures include encryption of data in transit (TLS 1.2+) and at rest, access controls, regular security assessments, and incident response procedures. No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities and affected individuals as required by applicable law (within 72 hours under GDPR where required). You are responsible for maintaining the confidentiality of your account credentials. Please use a strong, unique password and enable two-factor authentication.

In the preceding 12 months, we have collected, used, and disclosed the categories of personal information described in Section 3. We do not sell personal information as defined by the CCPA/CPRA. Categories of personal information shared with third parties for cross-context behavioural advertising (which may constitute "sharing" under the CPRA): Identifiers, Internet/electronic network activity, and inferences. You may opt out by contacting tago@savhfresh.com or using our in-app controls. Sensitive Personal Information we collect: Social Security Number and financial account details (creators only, for payout purposes), and precise geolocation (with consent). We use sensitive personal information only to provide the Services and do not use it for advertising or profiling. Shine the Light: California Civil Code § 1798.83 permits users to request information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information for direct marketing without your consent. To submit a CCPA/CPRA request, email tago@savhfresh.com or call our toll-free number listed on our website.

Brazil (LGPD): Users in Brazil may exercise the rights described in Section 9 and may contact our data protection officer at tago@savhfresh.com. We process your data based on the legal bases enumerated in Articles 7 and 11 of the LGPD. Canada (PIPEDA / Law 25): We obtain meaningful consent before collecting, using, or disclosing personal data. You may withdraw consent subject to legal and contractual restrictions by contacting tago@savhfresh.com. Australia (Privacy Act 1988): We handle personal information in accordance with the Australian Privacy Principles. You may access or correct your information or complain to the Office of the Australian Information Commissioner. India (DPDP Act): We process your data based on your consent and other grounds as permitted by the Digital Personal Data Protection Act. You may exercise your rights by contacting tago@savhfresh.com. Other Jurisdictions: We comply with applicable local privacy laws. Contact us if you have questions about how we handle data in your country.

Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals in a standardised way, as there is no consensus on how to interpret them. We provide opt-out mechanisms as described in Sections 9 and 10.

The Services may contain links to third-party websites, apps, and services. This Policy does not apply to those third parties. We encourage you to review their privacy policies before providing any personal data to them. We are not responsible for the privacy practices of third parties.

We may update this Policy from time to time. If we make material changes, we will notify you by email and/or by posting a notice within the Services at least 30 days before the changes take effect, where required by law. The date at the top of this page reflects when the Policy was last updated. Continued use of the Services after the effective date of changes constitutes your acceptance.

For questions, concerns, or to exercise your rights under this Policy, contact us at: Email: tago@savhfresh.com Subject line: Privacy Request We aim to respond to all requests within 30 days. Where a request is complex or we receive a high volume, we may extend this by up to two additional months and will inform you accordingly. If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (e.g. the ICO in the UK, the DPC in Ireland, the CNIL in France).