LiLO
Share short moments. Keep it kind.

Privacy Policy

Effective Date: 2026-07-05 Last Updated: 2026-07-05 Publisher / Data Controller: BKPA (operator of LiLO) Contact: support@lilo.club

This Privacy Policy explains what data the LiLO mobile application ("LiLO", "we", "us") collects, how we use it, who we share it with, and what choices you have. It applies to LiLO v1.0 on iOS and Android.

LiLO is a short video/photo social application. To make the app useful and to keep the community safe, we collect a limited amount of personal data. We do not sell personal data and we do not run third-party advertising in v1.0.

LiLO offers an optional virtual-currency economy: you can buy Coins through Apple's In-App Purchase system and spend them on digital cosmetic items in the in-app Store (profile frames, chat bubbles, and entrance effects), and you may hold Diamonds, a separate in-app virtual currency. All payments are processed by Apple — we never receive or store your card number or other payment-instrument details. See the In-App Purchases and Virtual Currency section below.


1. Data We Collect

We collect only what is needed to operate the listed features in Key Features. Specifically:

1.1 Information you give us directly

DataRequired forStored where
Email addressAccount creation, login, password reset, account-deletion confirmationNestJS API + MySQL users table
PasswordLogin (hashed with bcrypt; never stored or transmitted in plain text)MySQL users.password_hash
Display name / nicknameProfile identityMySQL users + profiles
Profile photo (avatar)Profile identityNestJS API uploads dir (/uploads/avatars/) + URL in profiles.avatarUrl
Bio (short text)Profile identityprofiles.bio
Country, gender (optional, set once at onboarding)Personalization (e.g. recommended content)users.country, users.gender
Moments posts (video file, photo file, caption, hashtags)The Moments feedNestJS uploads dir + posts row
Comments and likes on Moments postsSocial interactioncomments, likes
1:1 chat messagesThe Messages featuremessages table (server-side at-rest)
Reports you file (post / comment / user)UGC moderation (Apple Guideline 1.2)reports table
Block listHiding content from blocked users (Guideline 1.2)blocks table
Privacy preferences (e.g. "private account", "comments off")Honoring your privacy choicesprivacy_settings
Coin / Diamond balance and in-app transaction history (which Store item you bought, when, for how many Coins)Operating the virtual-currency economy; crediting purchased Coins; showing your balance and purchase historyMySQL wallets / transactions
Apple In-App Purchase transaction identifier / receiptVerifying an IAP with Apple and crediting the matching Coin pack (we never receive your card number)MySQL iap_receipts

1.2 Information collected automatically

DataPurpose
Authentication token (JWT, HS256, 15-day expiry)Keeping you signed in (stored locally on device via flutter_secure_storage; not shared with any third party)
Device platform (iOS / Android) and app versionDiagnostics, crash triage
Approximate request timestampsRate-limiting, abuse detection

1.3 Information we do NOT collect in v1.0


2. How We Use Your Data

We use the data above only to:

  1. Provide the LiLO service — show your posts, deliver your comments and chats, render your profile, sign you in, send password-reset emails.
  2. Keep the community safe — review reports within 24 hours, enforce the community rules in the Terms of Service, suspend or remove accounts that violate them, hide content from users you blocked.
  3. Operate and improve the service — diagnose crashes, fix bugs, prevent abuse and spam.
  4. Comply with legal obligations — respond to lawful requests.

We do not use your data for targeted advertising. We do not sell or rent your data.


3. Sign in with Apple (when enabled)

When LiLO offers Sign in with Apple, the only data we receive is the Apple "private relay" email and the display name you choose to share. We store that in the same users table as an email-based account, and we treat it the same way. We do not receive any other Apple-account information.


3A. In-App Purchases and Virtual Currency

LiLO includes an optional virtual-currency economy. You are never required to spend money to use LiLO's core features (Moments, Messages, profiles).

We keep a record of your Coin/Diamond balance and your in-app transaction history (what you bought, when, and the Coin amount) to operate the economy, show you your purchase history, and support refund or dispute handling. We do not use purchase history for third-party advertising, and we do not sell it.

If we later add other paid features, they will likewise be sold only through Apple's In-App Purchase system on iOS (Apple Guideline 3.1.1).


4. Who We Share Data With

We share personal data only with the parties below, only for the purposes listed, and only the minimum data needed:

PartyPurposeData shared
Cloud hosting providerRun the NestJS API + MySQL databaseAll stored data, at-rest, encrypted by the provider
Email provider (transactional)Send password-reset / account-deletion confirmation emailsEmail address + the message body
Apple (App Store / StoreKit)Process In-App Purchases of Coins and verify receiptsHandled by Apple under Apple's own privacy policy; we receive only the transaction identifier / receipt, never your payment-instrument details
Live A/V vendor (future v1.1+ only — Agora or ZEGOCLOUD)Live streaming (NOT shipped in v1.0; gated off)n/a in v1.0

We do not share data with advertisers, data brokers, or social networks.

If we are ever required by law (a valid subpoena or court order) to disclose data, we will narrow the disclosure to exactly what is compelled and, where legal, notify the affected user.


5. Data Retention

DataRetention
Account (user row, profile, settings)Until you delete your account in-app (see §7)
Posts, comments, likes you createdSame as above; deleting your account hard-deletes them
Chat messagesSame as above; both sides' messages from the deleted account are removed from the deleted user's view
Reports you filed or that were filed about youUp to 12 months from action date, for trust and safety auditing
Coin/Diamond balance and in-app transaction historyWhile your account exists; transaction records may be kept up to 24 months (or longer where tax/accounting law requires) for refund, dispute, and audit purposes, even after individual items are consumed
Authentication token15 days from issue, or until you log out
Server request logs (HTTP access log)30 days, then rotated/deleted

6. Children's Privacy

LiLO is for users 17 and older. We do not knowingly collect data from children under 13. If you believe a child under 13 has registered, email support@lilo.club and we will remove the account within 5 business days.


7. Your Rights — including Account Deletion

You can, at any time, from inside the app:

If you cannot reach the in-app flow (e.g. the app will not open), email support@lilo.club with the email address used to register, and we will delete the account within 30 days of verifying your request.

You may also email support@lilo.club to request a copy of the data we hold about you, or to ask us to correct it.


8. Security

No system is perfectly secure. If you discover a vulnerability, please email security@lilo.club.


9. International Transfers

The NestJS API + MySQL database run in a single cloud region (initially: SEA). If you access LiLO from outside that region, your data crosses borders to reach the server, secured by HTTPS in transit.


10. Changes to This Policy

If we change this policy, we will update the "Last Updated" date above and, for material changes, present an in-app notice the next time you open LiLO. Continued use after the notice constitutes acceptance.


11. Contact

These addresses are reviewed every business day; trust-and-safety reports are actioned within 24 hours per Apple Guideline 1.2.