How we handle your data.
LIFAAFA UG is an offline-first youth culture. We collect the minimum data required to run a real-world postal network. This notice explains what we hold, why, and what you can do about it. If any of this is unclear, write to us. Contact details at the bottom.
1. Who we are
LIFAAFA UG is an unregistered brand initiative currently operated as a proprietorship, Bombay Breed, based in Bangalore, India. For DPDP purposes, we are the Data Fiduciary. Reach us at info@theresaronnie.com.
2. What we collect
When a member signs up, we collect:
- Name, email, age, and phone number (for account creation and postal delivery)
- Postal address (only when ordering physical merch)
- Answers to self-perception questions asked during signup
- Password (stored as a Firebase-hashed credential, not readable by us)
- For members under 18: parent or guardian name, email, and relationship
We do not collect: precise location, contact lists, photos, health data, biometrics, financial account numbers, or anything from third-party trackers. We do not run ads.
3. Why we collect it
- Postal delivery. Address and name to ship physical merch.
- Account access. Email and password to let you sign back in.
- DPDP compliance. Age plus parent email to record verifiable parental consent for under-18 members.
- Community fit. Self-perception answers to route members to relevant clubs.
- Legal contact. Phone number for OTP-based sign-in and account recovery.
4. Who else sees your data
We use these vendors, all bound by their own privacy terms:
- Google Firebase (Firestore + Authentication). Stores member records. Servers in Asia-South1 (Mumbai).
- Resend. Sends the quarterly parent letter. Only parent emails are shared.
- Formspree. Delivers signup and consent notifications to our inbox.
- India Post and other logistics partners. For physical letter and merch delivery.
We do not sell your data. We do not share it with advertisers.
5. Children under 18
LIFAAFA UG is designed for young members. For anyone under 18, we ask for verifiable parental consent through the DPDP-compliant flow at /parent-consent.html. Until a parent consents, the account is inactive. Parents can withdraw consent at any time by emailing us.
6. How long we hold it
Active member data is held for the duration of membership plus one year, unless you ask us to delete it sooner. Transactional records (orders, consent receipts) are held for seven years for legal and accounting reasons. Aggregated, non-identifying data may be retained indefinitely for internal reporting.
7. Your rights under DPDP
You have the right to:
- Access the data we hold about you (or your child)
- Correct anything wrong
- Request erasure of your record
- Nominate someone to exercise these rights on your behalf
- Withdraw consent for any processing based on consent
- File a grievance with our contact person or, if unresolved, with the Data Protection Board of India
8. Security
We rely on Firebase for authentication, hashed password storage, and TLS-in-transit. Firestore access is restricted by security rules. Backups are managed by Google. We are a small operation, so we do not run bug bounties yet, but if you find a vulnerability, please email us at the address above.
9. Changes to this notice
If we change how we handle data materially, we will email all active members and their consenting parents at least 14 days before it takes effect. The "last updated" date at the top will always reflect the current version.
10. Contact
info@theresaronnie.com
Bombay Breed / LIFAAFA UG, Bangalore, India