Privacy Policy

Effective from May 16, 2026 · Last updated: May 16, 2026

This Policy describes what data the Scrollity social network (hereinafter "we", "Service", "Platform") collects about its users, for what purposes we process it, with whom we may share it, and what rights users have. By using the Service (the website at scrollity.ru and the mobile applications for iOS and Android), you agree to the terms of this Policy.

This Policy is prepared in accordance with Russian Federal Law No. 152-FZ "On Personal Data", and takes into account the principles of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Children's Online Privacy Protection Act (COPPA), as well as the Apple App Store Review Guidelines and Google Play Developer Policies.

1. Data Controller

The data controller responsible for processing personal data of Scrollity users is the administration of the Scrollity Media platform (hereinafter the "Operator"). You can contact the Operator through the channels listed in the "Contacts" section.

2. Definitions

User — an individual who has registered in the Service.
Personal Data — any information relating to a directly or indirectly identifiable user.
Processing — any operation performed on personal data: collection, recording, organization, storage, use, disclosure, anonymization, deletion.
Content — posts, short videos (scrolls), comments, images, text and other materials published by the user.
Wallet — the user's internal account within the Service for transfers and operations.
UGC — User-Generated Content.

3. What Data We Collect

3.1. Data You Provide During Registration and Use

Username and public identifier (custom_id).
Email address.
Password (stored as a cryptographic hash; the plain-text value is not accessible even to the Operator).
Avatar, profile header image, biography, website link — if you choose to add them.
Content of your posts, short videos, comments, reactions, hashtags and replies.
Direct messages and conversation metadata.
Followers, follows, likes and follow-related actions.

3.2. Data Collected Automatically

IP address from which you access the Service.
User-Agent string (browser type, operating system, app version).
Device identifier (device_id) for authenticated sessions.
Authentication tokens and their expiration time.
Date and time of registration, sign-ins and actions in the Service.
Information about short-video views: the fact of viewing, watch duration, association with a user or anonymous session.
Server request logs.
Crash reports and application error logs.

3.3. Data Provided in Specific Actions

Documents and information for profile verification (see Section 14).
Wallet payment operations, transaction history, wallet payment password (stored as a hash).
Reports, support requests, communications with moderators.

We deliberately do not collect phone numbers, precise GPS location, biometrics, the contents of your address book, health data, full access to your photo or video library, or any other sensitive data not required for the operation of the Service. Camera and gallery access is requested only at the moment you choose a file to publish, and is used solely to upload that selected material.

4. Purposes of Processing

Registration and identification of the user, providing access to the features of the Service.
Displaying profiles, content, the feed and recommendations.
Operating follows, likes, comments, hashtags and search.
Sending and receiving direct messages.
Operating the internal wallet and user-to-user transfers.
Performing verification and confirming account status.
Recommendation systems (based on your actions: views, likes, follows, watch duration).
Security: protection against fraud, spam, unauthorized access and multiple registrations.
Content moderation and response to user reports.
Compliance with applicable law, response to lawful government requests.
Anonymized analytics, product improvement, fault detection and resolution.
Communication with the user: notifications, support replies, important Service messages.

5. Legal Bases

We process personal data on the following legal grounds:

Consent of the user, expressed by registering and continuing to use the Service.
Performance of the contract between the user and the Operator (the Terms of Service).
Compliance with the Operator's legal obligations.
Legitimate interests of the Operator (platform security, prevention of abuse, protection of other users' rights).

6. Cookies and Similar Technologies

The Service uses cookies and local browser/device storage for the following purposes:

Storing the authentication token so you remain signed in between sessions.
Remembering interface and language preferences.
Cross-Site Request Forgery (CSRF) protection and detection of suspicious activity.
Anonymous usage statistics.

You can disable cookies in your browser settings, but some features of the Service may then become unavailable.

7. Use in the Mobile Application

The Scrollity mobile application for iOS and Android requests permissions only at the moment they are needed for a specific feature:

Camera — to take photos and short videos when creating a post or scroll.
Photos and Media Library — to choose files to publish. Access is granted only to selected files; we do not perform background scans of your library.
Microphone — to record audio in videos when you enable it.
Notifications — to deliver push notifications (see Section 10).
Local Storage — to cache content and enable offline access.

You can revoke any permission at any time in your device's system settings. This may limit some app features but will not block access to the Service.

You can delete your account directly inside the application: Settings → Account → Delete Account. No additional steps in a browser are required.

8. Third-Party Services and SDKs

To operate the Service we use a limited set of third-party services. Each one processes only the data needed for its specific task:

Hosting and infrastructure — servers and CDN located in the Russian Federation. Transmitted: request payloads, IP address, User-Agent.
Apple Push Notification service (APNs) — push notification delivery on iOS. Transmitted: device token and notification text.
Firebase Cloud Messaging (Google) — push notification delivery on Android. Transmitted: device token and notification text.
Crashlytics / Sentry — collection of crash and error reports. Transmitted: device model, OS version, app version, stack trace, anonymized session ID. Content and direct messages are not transmitted.
App Store / Google Play — processing of in-app purchases (see Section 12).

These services act as data processors on our behalf and are bound by appropriate agreements. Their use of data is limited to the purpose of providing the service to the Operator. Apple, Google and other providers also process data under their own privacy policies, which you can review on their websites.

9. Sign-In With Third-Party Providers

The Service may offer sign-in via third-party identity providers including Apple ID (Sign in with Apple), Google and others. If you choose such a method, the provider transmits to us:

A unique user identifier issued by the provider.
Email address (or an anonymized relay email in the case of Apple).
Your name — if you consented to share it.

We do not receive your password for the third-party account and do not have access to your contacts, files or other data within that provider's system. Apple, Google and other providers handle your authentication in accordance with their own privacy policies.

In compliance with App Store Review Guideline 4.8, where the iOS app offers sign-in via a social provider, Sign in with Apple is offered alongside it.

10. Push Notifications

If you grant the corresponding permission, we will send push notifications about the following events:

New followers, likes and comments on your content.
New direct messages.
Incoming wallet transfers.
Decisions on reports and verification requests.
Important system messages and updates.

Marketing notifications are sent only with your separate consent and can be turned off at any time in the app settings. You can also disable notifications entirely in your device's system settings.

To deliver notifications we use Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging on Android. Only the device token and the notification text are transmitted.

11. Device Identifiers and Tracking

The Scrollity application does not use IDFA (Identifier for Advertisers) for tracking purposes and does not transmit device identifiers to advertising networks. The App Tracking Transparency (ATT) prompt is not shown on first launch because we do not perform cross-app or cross-website tracking.

For internal analytics we use an anonymized session identifier that is not linked to advertising networks and does not leave our infrastructure.

If Scrollity later introduces advertising or shares data with advertising partners, we will update this Policy in advance and request the appropriate ATT permission from iOS users.

12. Payments and Apple In-App Purchase

Purchases of digital content and subscriptions inside Scrollity mobile applications are processed via Apple In-App Purchase (on iOS) and Google Play Billing (on Android), in accordance with the rules of App Store and Google Play.

When such a purchase is made:

Payment data (card numbers, billing details) are processed by Apple or Google and are not transmitted to us.
We receive confirmation of the purchase, the transaction identifier from the platform and information about the purchased product.
This data is used to activate the corresponding item or service in your account and to handle potential disputes.

Refund terms are defined by the policies of the respective app store (App Store / Google Play).

13. Internal Wallet and Transfers

The Service includes an internal wallet. When you use it we process:

Current wallet balance.
Transaction history: top-ups, withdrawals, incoming and outgoing transfers, rewards, purchases.
Transfer amount and link to the conversation (when sending a transfer through direct messages).
Wallet payment password (stored as a hash, not accessible in plain text).

Transaction information is retained for as long as required to operate the wallet, resolve disputes and comply with applicable financial-records legislation. Transaction history may be retained in anonymized form even after account deletion for accounting and anti-fraud purposes.

14. Verification and Documents

Verification (blue or gold) is a voluntary procedure. To go through it you provide:

Your full name.
A photograph of an identity document.
A description of your activity and the desired badge text.

This data is processed only by the moderators reviewing your request. Documents are stored in a protected vault with restricted access. After the request is processed and a reasonable review window has elapsed, the document copies are deleted. Only the decision, the displayed badge text and the identifier of the moderator who made the decision are kept in the audit log.

15. Direct Messages

Direct messages are stored in encrypted form on the Service's servers. Under normal operation only the participants of a conversation have access to message contents.

Operator staff may obtain technical access to messages only in the following cases:

Investigation of complaints about violations of the Service rules (harassment, threats, fraud, distribution of prohibited content).
A lawful request from a competent government authority.
Recovery of data at the user's own request.

Deleted messages disappear from your interface immediately, but may remain in backups for the backup retention period (see Section 21).

16. Published Content and Visibility

Content you publish on the Service (posts, scrolls, comments, replies) is by default visible to other users and may be indexed by search engines as part of the public availability of the Service.

Publication metadata — creation date, like/comment/view counts, hashtags used — is also public.

Likes and comments under another user's content may be visible to that user and to others.

Deleting your content removes it from public access. It may remain in backups until the next backup rotation.

17. Moderation, Reporting and Blocking

Scrollity is a social network with user-generated content. We do not endorse and actively work against any content that violates the law or our rules: hate speech, threats, harassment, sexual content involving minors, fraud, spam, copyright infringement.

17.1. Tools Available to Users

Report content — a "Report" button is available on every post, video, comment, message and profile.
Block a user — fully prevents interaction: the blocked user cannot follow you, send messages, comment on your content, and their posts will not appear in your feed.
Hide comments — the author of a post can remove comments under their publication.
Sensitive content filter — settings to hide 18+ material.

17.2. Operator's Response

All reports are recorded in the moderation system.
Reports about serious violations (threats to life or health, child sexual abuse material, fraud) are handled with priority, within 24 hours of receipt.
Other reports are reviewed in the order received, typically within 72 hours.
As a result, content may be hidden or removed, and the offender may receive a warning, a temporary ban or a permanent ban.
The reporter and the offender are notified of the decision.
A ban decision can be appealed via the support channel.

A more detailed description of conduct rules and moderation procedures is available in the Community Guidelines inside the Service.

18. Age of Users

The Service is not intended for individuals under the age of 13. In compliance with COPPA (Children's Online Privacy Protection Act, USA) we do not knowingly collect personal data from children under 13. If we learn that an account has been registered by a person under 13, the account will be deleted and any associated data anonymized or destroyed.

In the Russian Federation, individuals between 14 and 18 years old use the Service with the consent of their legal representatives.

In app stores, Scrollity carries an age rating reflecting its user-generated nature. Parents and guardians can manage their children's access via Apple Screen Time, Google Family Link and similar tools.

19. Sharing With Third Parties

We do not sell or share your personal data for the advertising or marketing purposes of third parties. Sharing is possible only in the following cases:

Contractors that provide hosting, traffic delivery, push-notification delivery and crash reporting — to the extent described in Section 8.
Payment systems, banks, app store operators (Apple, Google) — when payment operations are performed.
Authorized government bodies — pursuant to a lawful request.
In case of reorganization, merger or sale of the Service — to the legal successor, with this Policy continuing to apply.

20. Data Location and Cross-Border Transfers

The Service's servers are located in the Russian Federation. In accordance with Article 18 of Federal Law No. 152-FZ, primary collection and storage of personal data of Russian citizens is performed in databases located in Russia.

For specific purposes, limited or anonymized data may be transferred across borders:

Apple Push Notification service — Apple Inc. servers (United States and other regions).
Firebase Cloud Messaging, Crashlytics — Google LLC servers (United States and other regions).
App Store, Google Play — for purchase verification.

Such transfers are made to countries that ensure an adequate level of protection, or under standard contractual clauses and the user's consent.

21. Storage and Retention Periods

Account data and content are retained while the account exists.
Technical logs (IP, User-Agent, actions) — up to 12 months, after which they are anonymized or deleted.
Short-video view records — up to 12 months in identifiable form, then aggregated.
Crash reports — up to 90 days.
Wallet transaction history — for the period required by financial-records legislation, but no less than 5 years.
Backups — up to 30 days from creation, then overwritten.
Verification documents — until the procedure is completed plus 30 days, then deleted.
Moderation logs (without full content payloads) — up to 3 years, to enable appeals and prevent repeat violations.

22. Security

We apply organizational and technical security measures:

Hashing of passwords and wallet payment passwords using modern algorithms.
Data transmission over HTTPS / TLS.
Role-based access for staff (user, moderator, admin).
Audit logging of administrator and moderator actions.
Login attempt rate limiting and brute-force protection.
Anomaly monitoring and automatic blocking of suspicious operations.
Regular backups and component updates.

Despite these measures, no internet transmission or storage system can guarantee absolute security. By using the Service you accept these risks.

23. User Rights

You have the right to:

Be informed about which of your data is processed and for what purposes.
Request a copy of your data in a machine-readable format (right to portability).
Correct, update or supplement your data if it is inaccurate.
Withdraw consent to processing (which may end your access to the Service).
Request deletion of your data where there is no lawful basis for further storage.
Restrict or object to processing.
Opt out of the sale of personal data (for California residents — we do not sell personal data in any case).
Lodge a complaint with the competent data protection authority (in Russia — Roskomnadzor; in the EU — your national supervisory authority; in California — the California Privacy Protection Agency).

Requests should be sent through the channels listed in the "Contacts" section. We respond within 30 calendar days.

24. Account Deletion

You can delete your account yourself:

In the mobile app: Settings → Account → Delete Account.
On the website: Settings → Account → Delete Account.
Or by sending a request to privacy@scrollity.ru.

After deletion:

Your profile, posts, scrolls, comments, likes and follows are deleted or anonymized.
Direct messages are removed from your side of conversations (the other participant may still have a copy).
Wallet transaction history is retained in anonymized form for the period required by law.
Data is removed from backups in line with the backup rotation cycle (up to 30 days).

Account recovery after a complete deletion is not possible.

25. Changes to the Policy

We may update this Policy. The current version is always available at scrollity.ru/privacy-en. We will notify users of material changes within the Service or by email at least 7 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the new version.

26. Contacts

For questions regarding personal data processing and the exercise of your rights:

Reports and requests are handled in the order received; we respond within 30 calendar days.