Privacy Policy

1) Scope & Eligibility

Applies to a-list.com, our apps, and any features, content, or communications offered by Immortal that link to this Policy.

U.S. only. By using the Service, you represent you are currently located in the United States. If you use the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S. under U.S. law.

Age 18+. We do not knowingly collect personal information from children under 18 (see §15).

2) Notice at Collection (California & similar U.S. state laws)

We collect the categories of personal information below from the sources listed for the purposes described, and retain it for periods aligned with §11 (Data Retention). Examples are illustrative, not exhaustive.

Selling/Sharing: As of the Effective Date, we do not "sell" or "share" personal information (as those terms are defined under CPRA/other U.S. state privacy laws), and we do not use personal information for cross-context behavioral advertising. If that changes, we will update this Policy, honor opt-out preference signals where required, and provide appropriate notices/controls.

3. Information We Collect

We collect information you provide directly, information from your device and activity, and—only with your permission—from integrations (e.g., HealthKit).

• Account & Identity. Phone number (for OTP sign-in/security), name, handle, bio, profile/cover photos.
• User Content & Social Graph. Posts, photos, videos, comments, likes, and follower/following relationships you create are public by default unless you adjust your privacy settings. This includes video content shared through Journeys, which may be visible to your followers and other users on the Service. You control what you post and can delete your content at any time.
• Wellness & Health Inputs (Sensitive). Entries you make about food, hydration, exercise, supplements, goals, habits, routines.
• Health Integrations (Sensitive). With your explicit permission, we access only the HealthKit categories you authorize.
• Location. With OS permission, precise GPS (for features like local UVI/sunset); we may also infer coarse location from IP.
• Contacts (Friend-Finder). With your permission, we may access your device's contact list to help you find friends who are already using the Service. We do not store your contacts' raw information. Instead, we create one-way cryptographic hashes of email addresses and phone numbers to match against other users. These hashes cannot be reversed to reveal the original contact information.
• Voice Data. When you use voice features to interact with our AI-powered assistants, we collect audio recordings from your device's microphone. These recordings are transmitted to our servers and processed using our approved third-party processors to convert speech to text. Audio data is used solely to facilitate your conversation and is not retained after transcription is complete. You may interact with our AI assistants via text instead of voice at any time.
• Device/Technical. Device and app identifiers, IP, OS/browser details, crash/diagnostic logs, and usage events.
• Cookies/SDKs. First-party cookies/SDKs for core functionality, analytics/diagnostics (e.g., Mixpanel, Sentry), infrastructure/communications (e.g., Supabase, AWS, Vercel, Twilio), and payments (e.g., Stripe).
• Communications. Email/phone for transactional messages; marketing only with your consent.

We may create de-identified or aggregated data (which is not personal information) and use it for any lawful purpose. We commit to maintaining and not re-identifying de-identified data except to test our de-identification processes.

4. Sources of Information

• You (account setup; posts; wellness entries; settings; communications).
• Your Device/OS (permissions; sensors; crash/usage telemetry).
• Integrations you authorize (e.g., HealthKit).
• Service Providers (fraud prevention, security, analytics).
• Public/Community Content (content you or others make public).

5. How We Use Information

We use personal information to:

• Operate the Service (account creation, authentication, social features).
• Provide features you request (e.g., UVI/sunset, health data syncing you authorize).
• Maintain safety and integrity (detect, prevent, and respond to spam, abuse, fraud, violations of our Terms or policies).
• Debug, monitor, and improve (analytics, diagnostics, performance).
• Communicate (transactional messages like OTP codes, service notices; marketing only with your consent—unsubscribe/STOP anytime).
• Research & development (including product analytics, quality assurance, and improving algorithms that do not make legal or similarly significant decisions about you).
• Comply with law and enforce our rights.

Automated decision-making (clarity): We do not engage in automated decision-making with legal or similarly significant effects (e.g., credit, employment, housing). We may use ranking/recommendation algorithms for content discovery that do not have such effects.

6. Public Content & Social Visibility

Public by default. Posts, profiles, and other public actions may be viewed, used, reshared, or indexed by others and search engines.

Controls. You can make your account require follower approval; you can delete your public posts at any time, but deletion does not control copies, shares, or indexing by others/third parties.

Caution. Do not post information you would not want to be public.

7. How We Disclose Information

We do not sell or share personal information for cross-context behavioral advertising. We disclose information as described:

• Service Providers / Sub-processors. We engage the following categories of service providers who process personal information on our behalf under contractual confidentiality obligations: hosting and infrastructure (AWS, GCP, Render); analytics and diagnostics (Mixpanel, Sentry); AI and machine learning vendors (OpenAI, Anthropic); push notification services (Firebase Cloud Messaging); authentication providers (Google Sign-In, Supabase); feature management and experimentation (Statsig); and payment processors.
• AI Features. If you use features that send content to model providers, we instruct vendors to use data only to provide the requested functionality. Where available, we configure vendor settings to disable training on your content. Vendor trust & safety logging may occur. Avoid submitting highly sensitive information in free-text fields.
• Legal/Compliance. To comply with law or legal process; to protect users, the public, or our rights, property, and safety; to detect/prevent fraud or security issues.
• Business Transfers. As part of a merger, acquisition, financing, or sale of assets, in which case data may transfer subject to this Policy's protections or successor equivalent protections.
• Public Content. Content you make public is, by definition, visible to others and may be reshared.
• With Your Consent. Where you direct us to share (e.g., exporting your data to a third party).

Contacts Matching. We receive only contact hashes, used solely for friend discovery; we do not use them for advertising.

Payments. Stripe processes payments; we don't store full card numbers.

8. Health Integrations (Apple HealthKit)

If you connect HealthKit:

• We access only data types you explicitly authorize and use them solely to provide or improve app features you request.
• We do not use HealthKit data for advertising or marketing and do not sell HealthKit data.
• We will not disclose HealthKit data to third parties except (a) to service providers acting on our behalf to provide Service functionality under strict confidentiality, or (b) with your separate, express consent.
• You can revoke access at any time in your device's Health settings; controls in our app may also be available.

9. Your Choices & Controls

• Location. Enable/disable precise location in your device settings at any time.
• Contacts. Friend-finder is opt-in; revoke in device/app settings.
• Health Integrations. Grant/revoke categories (e.g., in Apple Health).
• Marketing. Emails: use the unsubscribe link. SMS: text STOP to cancel, HELP for help. Message/data rates may apply; frequency varies; consent not required as a condition of purchase or use.
• Public Content. Delete your posts at any time (copies/shares/search caches may persist).
• Account Deletion & Data Requests. See §12.

10. Cookies, SDKs & Do Not Track

We use cookies and SDKs for core functionality, analytics (e.g., Mixpanel), diagnostics/error monitoring (e.g., Sentry), infrastructure (e.g., Supabase, AWS, Vercel), communications (e.g., Twilio), and payments (e.g., Stripe). You can control cookies in your browser and manage app permissions at the OS level.

Do Not Track/Global Privacy Control. Many browsers offer DNT/GPC. Because we do not sell or share personal information for cross-context behavioral advertising, these signals currently do not change our advertising practices. If we later engage in activities that require honoring recognized opt-out signals, we will do so as required by law.

11. Data Retention

We retain personal information only as long as necessary for the purposes in §5, to comply with legal obligations, resolve disputes, enforce terms, and maintain security. Examples (not promises):

• Account & Content. Kept while your account is active; if you request deletion and we verify the request, we aim to delete active copies within 30 days.
• Logs/Backups. Security/diagnostic logs and backups persist for a limited period consistent with operational needs and are purged on a routine schedule.
• Legal Holds. If we are obligated to preserve information (e.g., for litigation), we will retain only what is necessary for as long as required.

Deletion from our active systems does not automatically remove content from others' devices or third-party caches/archives.

12) Security

We use technical and organizational measures to protect information, including TLS in transit, encryption at rest provided by our cloud platforms, role-based access controls, least-privilege access, and routine monitoring. No system is 100% secure. Please report security concerns to privacy@a-list.com. We do not currently operate a public bug bounty.

13) Your U.S. Privacy Rights & Appeals

Depending on your state, you may have rights to access, delete, correct, and obtain a portable copy of personal information, and to limit certain uses of sensitive information.

How to submit. Email privacy@a-list.com from your account email (or include your account phone number) and specify the request type (access, deletion, correction, portability).

Verification. We may verify requests via one-time code to your account phone number or by other reasonable methods. If you use an authorized agent, we may require proof of authorization and also verify you directly.

Timing. We aim to respond within 45 days (or as required by law), and may extend once where permitted.

Appeal. If we deny your request, you may appeal by replying to our decision email with "Appeal" in the subject. If your appeal is denied, you may contact your state attorney general.

California (CPRA) Notice. We state above our categories, purposes, sources, and disclosures (§2). We do not sell or share personal information as defined by CPRA, and we do not use or disclose sensitive personal information for purposes requiring a Right to Limit. We do not offer financial incentives for personal information. You may still exercise access/deletion/correction/portability rights as described.

14. International Data Transfers

Data is hosted and processed in the United States (e.g., U.S. regions of Supabase/AWS). The Service is intended only for U.S. users.

15. Children & Teens

Under 18. We do not knowingly collect personal information from children/teens under 18. If we learn we have, we will delete it.

We do not offer teen-specific features.

16. Third-Party Links & Services

Links to third-party websites or services are provided for convenience. Their privacy practices are governed by their own policies; we are not responsible for their content, security, or practices.

17. Changes to This Policy

We may update this Policy from time to time. The current version will be available in-app and at a-list.com. For material changes, we may provide additional notice (e.g., in-app banner, website notice, email, or SMS).

18. Contact Us

Email: privacy@a-list.com

Postal: Immortal Company, Inc., 11273 COLINWARD AVE, LAS VEGAS, NV 89135, USA