Privacy Policy

Last Updated: May 6, 2026

This Privacy Policy ("Policy") describes how Totemian Brandboards Inc. ("Totemian", "we", "us", or "our"), a corporation headquartered in British Columbia, Canada, and the operator of the Tribe26 platform (the "Platform"), including the website at tribe26.app, the related corporate website at totemian.com, and the Tribe26 mobile applications for iOS and Android (collectively, the "Services"), collects, uses, discloses, and safeguards information about you ("you" or "User") when you access or use the Services.

By creating an account, downloading the application, or otherwise using the Services, you acknowledge that you have read, understood, and agreed to the practices described in this Policy. If you do not agree with this Policy, please do not use the Services.

This Policy is primarily designed to comply with Canadian federal and provincial privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (BC PIPA). Where you reside outside Canada, additional rights and protections may apply, as described in Section 12 below.


1. Data Controller and Contact

The organization responsible for the personal information processed under this Policy is:

Totemian Brandboards Inc.

1771 Robson Street, Suite 1132

Vancouver, BC V6G 3B7

Canada

Email: privacy@tribe26.app

Platform website: https://tribe26.app

Corporate website: https://totemian.com

Our Privacy Officer can be reached at the email address above for any privacy-related question, request, or complaint.


2. Scope of This Policy

This Policy applies to personal information we collect through the Services and in the course of our business operations. It does not apply to:

  • Third-party websites, applications, or services that may be linked to or integrated with our Services;
  • Information collected by our partners, including local businesses ("Nodes"), brand partners ("Brandboards"), or independent contributors, except to the extent we jointly process such information; or
  • Information that has been anonymized or aggregated such that it can no longer reasonably be associated with an identified or identifiable individual.

3. Information We Collect

3.1 Information You Provide to Us

  • Account Information: name, email address, phone number, password (in hashed form), date of birth, profile photo, and city of residence.
  • Profile and Preferences: display name, biography, language preference, interests, and any other information you choose to add to your profile.
  • Identity Verification: where required (for example, to redeem certain rewards or to act as a Contributor or Node), we may collect government-issued identification, business registration documents, or tax-related information.
  • Activity Records: records of points, stamps, tokens, rewards, and redemptions earned or used on the Platform.
  • User Content: photos, reviews, ratings, comments, messages, and other content you post, send, or share through the Services.
  • Communications: records of correspondence with our support team, feedback, survey responses, and other communications.

3.2 Information Collected Automatically

  • Device Information: device model, operating system and version, unique device identifiers, mobile network information, language settings, and time zone.
  • Log and Usage Data: IP address, access times, pages and screens viewed, features used, referring/exit pages, crash reports, and diagnostic data.
  • Location Information: with your permission, we collect precise geolocation data (GPS) to enable proof-of-presence, check-ins at Nodes, and location-based rewards. You may also choose to share approximate location only, or to disable location access entirely through your device settings. Disabling location may limit core functionality of the Services.
  • Cookies and Similar Technologies: see Section 14 below.
  • Camera, Photo Library, and Microphone: with your permission, to scan QR codes, upload images, or participate in features that require media capture.
  • Bluetooth and Nearby-Device Sensors: with your permission, to enable proximity-based features at participating venues.
  • Push Notification Tokens: to deliver notifications relevant to your account and activities.

3.3 Information We Receive from Third Parties

  • Authentication Providers: if you sign in using a third-party service (such as Apple, Google, or a similar identity provider), we receive basic profile information from that provider in accordance with your privacy settings on that service.
  • Nodes and Partners: participating businesses and partners may share information about your visits or participation in their programs as it relates to your use of the Services.
  • Analytics Partners: aggregated or pseudonymized information about how Users interact with the Services.
  • Public and Commercial Sources: to validate business registrations, detect fraud, and comply with legal obligations.

4. How We Use Your Information

We use the information described above for the following purposes:

  1. To Provide and Operate the Services: including creating and maintaining your account, recording and recognizing rewards and redemptions, enabling check-ins and proof-of-presence, displaying personalized content, and facilitating communications between Members, Contributors, and Nodes.
  2. To Personalize Your Experience: recommending Nodes, missions, and rewards relevant to your location, preferences, and prior activity.
  3. To Communicate With You: sending transactional messages, service announcements, security alerts, and, with your consent where required, marketing communications. Marketing communications are sent in accordance with Canada's Anti-Spam Legislation (CASL).
  4. To Improve and Develop the Services: performing analytics, debugging, A/B testing, research, and product development.
  5. To Ensure Safety and Security: detecting and preventing fraud, abuse, unauthorized access, and violations of our Terms of Service, and protecting the rights, property, and safety of our Users, partners, and the public.
  6. To Comply With Legal Obligations: including tax, accounting, and other regulatory requirements applicable to us or to our partners.
  7. For Aggregate and De-identified Analysis: producing statistical insights that do not identify any individual User.

We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, in accordance with PIPEDA's accountability principles.


5. Nature of Tribe26 Rewards, Points, and Tokens

The Tribe26 platform operates a closed-loop loyalty and engagement program that includes points, stamps, tokens (such as "T-Coin"), badges, and similar in-platform recognition mechanisms (collectively, "Rewards"). For the avoidance of doubt:

  1. Closed-Loop Only. Rewards are issued, recognized, and usable solely within the Tribe26 platform and the network of participating Nodes and Brandboards.
  2. No Cash Value. Rewards have no cash value, are not legal tender, and cannot be redeemed for fiat currency, withdrawn as money, transferred to a bank account, or converted into any external asset by Users.
  3. Not Financial Instruments. Rewards are not securities, deposits, e-money, stored-value instruments, foreign exchange, commodities, or cryptocurrencies in the legal sense. The operation of the Rewards system does not constitute the offering of regulated financial services, money services, or investment products.
  4. No Peer-to-Peer Money Transfer. The Services do not facilitate the transfer of money or monetary value between Users. Tribe26 itself does not function as a payment system, money remitter, or financial intermediary.
  5. No Direct Financial Transactions. Tribe26 does not, on its own behalf, process direct financial transactions between Users and Nodes. Where a Node chooses to honor a reward (for example, providing a discount or complimentary item to a Member), the underlying commercial transaction is between the User and that Node and is governed by the Node's own terms.
  6. Governed by Terms of Service. All issuance, accrual, expiry, transfer (where permitted), and redemption of Rewards is governed exclusively by the Tribe26 Terms of Service.

This Privacy Policy describes how we handle personal information generated through Users' participation in the Rewards program. Questions about the economic terms of the program (rates, expiry, eligibility, etc.) are addressed in the Terms of Service.


6. Consent and Legal Basis for Processing

Under Canadian privacy legislation, we process personal information on the basis of your consent: either express consent (for sensitive information, marketing communications, and precise location data) or implied consent (for collection and use that is reasonable and consistent with the purpose for which the information was provided, such as operating your account).

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent for certain processing activities may limit or prevent your use of the Services.

For Users located in the European Economic Area, the United Kingdom, or Switzerland, we additionally rely on the legal bases set out in the General Data Protection Regulation (GDPR), including performance of a contract, legitimate interests, consent, and compliance with legal obligations.


7. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • With Nodes and Brandboards: when you check in, redeem a reward, or otherwise interact with a participating business or brand, we share information necessary to deliver the relevant service or reward (for example, your display name, the redemption code, and the time of the transaction).
  • With Other Users: information you choose to make public (such as your display name, profile photo, public posts, and ratings) is visible to other Users of the Services.
  • With Service Providers: including cloud hosting, analytics, customer support, identity verification, communications, and security providers acting on our behalf and bound by contractual confidentiality and data-protection obligations.
  • For Legal Reasons: where we believe in good faith that disclosure is necessary to comply with applicable Canadian or foreign law, court order, or governmental request; to protect our rights, property, or safety; or to investigate fraud or violations of our policies.
  • In Connection With Corporate Transactions: in the context of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to appropriate confidentiality protections.
  • With Your Consent or at Your Direction: for any other purpose disclosed to you at the time we collect the information.

8. Storage Location and Cross-Border Data Transfers

Personal information collected through the Services may be stored, processed, or accessed in Canada and in other countries, including the United States and other jurisdictions where our service providers operate. While information is stored or processed in another country, it is subject to the laws of that country, which may differ from those of Canada and which may permit access by foreign courts, law-enforcement agencies, or governmental authorities under their applicable laws.

We take contractual and organizational steps to require our service providers to protect personal information at a level of protection comparable to what we maintain ourselves. Where required by law, we implement additional safeguards such as standard contractual clauses or other recognized transfer mechanisms.


9. Data Retention

We retain personal information for as long as necessary to provide the Services and fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods depend on the type of information and the context of collection. For example:

  • Account information is retained for the duration of your account and for a reasonable period thereafter to support recovery, fraud prevention, and legal compliance.
  • Activity and transactional records are retained for the period required by applicable tax and accounting laws.
  • Marketing preferences and consent records are retained until you withdraw consent or for a reasonable period thereafter.
  • Anonymized and aggregated information may be retained indefinitely.

When personal information is no longer required, we will delete or anonymize it in accordance with our internal retention policies.


10. Data Security

We implement reasonable technical, administrative, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification, in line with the safeguards principle under PIPEDA and BC PIPA. These measures include encryption of data in transit, access controls, secure development practices, and regular security reviews. However, no method of electronic transmission or storage is entirely secure, and we cannot guarantee absolute security.

You are responsible for keeping your account credentials confidential and for promptly notifying us of any suspected unauthorized access. In the event of a breach of security safeguards involving a real risk of significant harm, we will notify affected Users and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA's breach-notification requirements.


11. Accuracy

We make reasonable efforts to keep personal information accurate, complete, and up to date for the purposes for which it is to be used. You can review and update much of your account information directly within the Tribe26 application. If you become aware that information we hold about you is inaccurate or incomplete, please contact us so that we can correct it.


12. Your Rights and Choices

12.1 Rights Under Canadian Privacy Law

Subject to certain legal exceptions, you have the right to:

  • Access the personal information we hold about you, and request information about how it is being used and to whom it has been disclosed;
  • Request Correction of personal information that is inaccurate or incomplete;
  • Withdraw Consent to our continued collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice;
  • File a Complaint with us, and, if not resolved to your satisfaction, with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) at www.oipc.bc.ca, or your applicable provincial privacy regulator.

To exercise any of these rights, please contact us at privacy@tribe26.app. We will respond within the timeframes required by applicable law (generally within 30 days under PIPEDA). We may need to verify your identity before responding.

12.2 Additional Rights for International Users

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you additionally have the right to data portability, restriction of processing, objection to processing based on legitimate interests, and the right to lodge a complaint with your local data-protection authority.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information (we do not sell personal information as that term is conventionally understood) and the right not to be discriminated against for exercising your privacy rights.

You may also manage many of your settings, communications preferences, and account data directly within the Tribe26 application.


13. Children's Privacy

The Services are not directed to children under the age of 13 (or the equivalent minimum age in the relevant jurisdiction, such as 14 in Quebec under Law 25 or 16 in parts of the EEA). We do not knowingly collect personal information from children under that age without verifiable parental consent. If we become aware that we have collected personal information from a child without such consent, we will take appropriate steps to delete that information. If you believe a child has provided us with personal information, please contact us at privacy@tribe26.app.


14. Cookies and Similar Technologies

We and our service providers use cookies, software development kits (SDKs), pixels, local storage, and similar technologies to operate the Services, remember your preferences, analyze usage, and deliver relevant content. You can control cookies through your browser settings and, where required by law, through the cookie consent banner displayed on our website. Disabling certain cookies may impair the functionality of the Services.


15. Push Notifications and Marketing Communications

With your permission, we send push notifications to your device regarding your account, rewards, missions, and other Platform activity. You may opt out at any time through your device or in-app notification settings.

We may also send marketing emails or messages where permitted by applicable law, including Canada's Anti-Spam Legislation (CASL). You may opt out by following the unsubscribe instructions included in such communications, and we will honor your request without undue delay.


16. Third-Party Links and Services

The Services may contain links to, or integrations with, third-party websites and services, including those of Nodes and Brandboards. This Policy does not apply to information collected by such third parties. We encourage you to review their privacy practices before providing them with personal information.


17. App Store and Platform-Specific Disclosures

17.1 Apple App Tracking Transparency (iOS)

On iOS devices, we will request your permission before tracking your activity across other companies' apps and websites for advertising or measurement purposes. You may grant or decline this permission, and you may change your choice at any time in your device settings.

17.2 Google Play Data Safety (Android)

The data types we collect, the purposes of collection, and our security practices are disclosed in the Data Safety section of our Google Play listing. Such disclosures are aligned with this Policy.

17.3 Device Permissions

The Services may request access to the following device features. You may grant, decline, or revoke each permission through your device settings:

  • Location (precise and/or approximate): for proof-of-presence, check-ins, and location-based rewards.
  • Camera: for scanning QR codes and uploading content.
  • Photo Library: for selecting and uploading images.
  • Microphone: for features that require audio capture.
  • Notifications: for delivering account and activity updates.
  • Bluetooth and Nearby Devices: for proximity-based features.
  • Contacts: only with explicit user action, for inviting friends.

18. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide notice through the Services or by other appropriate means before the changes take effect. The "Effective Date" at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.


19. Contact Us

If you have any questions, concerns, or requests regarding this Policy or our privacy practices, please contact our Privacy Officer at:

Totemian Brandboards Inc.

Attention: Privacy Officer

1771 Robson Street, Suite 1132

Vancouver, BC V6G 3B7

Canada

Email: privacy@tribe26.app

Platform website: https://tribe26.app

Corporate website: https://totemian.com

If you are not satisfied with our response, you may also contact:

  • Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
  • Office of the Information and Privacy Commissioner for British Columbia (OIPC BC): www.oipc.bc.ca

This document is provided for the Tribe26 platform operated by Totemian Brandboards Inc. and is intended to comply with applicable privacy legislation, including PIPEDA, BC PIPA, Canada's Anti-Spam Legislation (CASL), and the publication requirements of the Apple App Store and the Google Play Store. Where applicable, it also addresses the rights of Users in the EEA/UK (GDPR) and California (CCPA/CPRA). We recommend that this document be reviewed by qualified legal counsel before publication to ensure alignment with your specific data-processing operations.