Privacy Policy

Effective date: August 21, 2025

Who we are. goon.app is operated by Polaris Digital LLC ("Company," "we," "us," "our").
Contact: privacy@polarisdigital.net · Mailing: 1209 Mountain Road Pl NE #7160, Albuquerque, NM 87110 USA.

This Policy explains what we collect, how we use it, and your choices. By using the Service, you agree to this Policy and our Terms.

1) What we collect

You provide

  • Account & profile: email, username, password hash.
  • Age-verification (if required): verification result/token and minimal metadata from our provider; we do not retain your full ID images or face scans (the provider may process them to verify age).
  • Payments: handled by processors (e.g., CCBill) or crypto on-ramps. We receive transaction IDs, status, last 4, descriptors, not full card numbers.
  • Prompts, outputs, uploads, and flags you submit.
  • Support/comms: messages, email, reports (e.g., NCII/DMCA).

Collected automatically

  • Usage & device logs: IP, timestamps, pages, user agent, approximate location, feature use, crash logs.
  • Cookies/SDKs: necessary cookies for auth and security; optional analytics (see Cookies below).

From third parties

  • Payment processors, age-verification vendors, anti-fraud tools, and analytics may send us results/metadata.

2) How we use data (purposes)

  • Provide the Service: accounts, generation, credits, subscriptions, customer support.
  • Payments & billing: process transactions, prevent fraud, dunning.
  • Age-gating & compliance: verify legal age where required; geoblock restricted regions.
  • Safety & moderation: detect/remove prohibited content (e.g., CSAM), investigate abuse, satisfy legal duties (including reports to NCMEC).
  • Analytics & quality: measure performance, fix bugs, improve UX.
  • Comms: transactional emails (receipts, notices). We do not send marketing emails without consent.
  • R&D / model improvement: only if you opt in. Otherwise, prompts/outputs are used solely to provide and secure the Service.
  • Legal & enforcement: comply with law, enforce Terms, defend our rights.

3) Cookies & analytics

We use necessary cookies (auth, security) and may use optional analytics. Manage preferences in Cookie Settings. If you are in the EU/UK, we show a consent banner.

4) Sharing & processors

We share data with service providers under contract to operate the Service:

  • Payments: CCBill (card processing), crypto on-ramps/exchanges (for USDC, etc.).
  • Age-verification: a third-party AV vendor processes ID/face data and returns a pass/fail/result token.
  • Hosting & delivery: cloud infra, storage, CDN, email/SMS providers, logging/monitoring.
  • Trust & Safety: content-scanning, hash-matching, anti-fraud tools.
  • Compliance & legal: law enforcement (e.g., NCMEC) where required; auditors; professional advisors.
  • Business transfers: merger, acquisition, or asset sale (we’ll notify you if required by law).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

5) Data retention

  • Account & billing records: as long as you have an account and as needed for tax, accounting, and legal obligations.
  • Prompts/outputs/logs: for the life of the account and for a reasonable period thereafter for safety, debugging, and legal compliance.
  • Age-verification: we store only the verification result/token and minimal metadata; our AV provider deletes images/biometrics per its policy (we require prompt deletion, typically within 30 days).
  • Safety/abuse files (e.g., DMCA/NCII reports): retained as needed to comply with law and enforce policies.

6) Your choices & rights

  • Access, correction, deletion: request via privacy@polarisdigital.net.
  • Opt-out of model training: we do not use your content for model training unless you opt in (toggle in settings when available).
  • California (CPRA): you may request access, correction, deletion, and to limit sensitive personal information. We do not sell/share personal information. Submit requests at privacy@polarisdigital.net. We honor authorized agent requests consistent with law.
  • EU/UK (if applicable): you may request access, rectification, erasure, restriction, objection, and portability; contact us to exercise rights. You may lodge a complaint with your data protection authority.

We may need to verify your identity before responding.

7) Children

The Service is for adults only. We do not knowingly collect data from anyone under the legal age. If you believe a minor has used the Service, contact safety@goon.app; we will delete related data and report as required.

8) Security

We use reasonable administrative, technical, and organizational measures (encryption in transit, access controls, audit logs). No system is perfect; you use the Service at your own risk.

9) International transfers

Data may be processed in the United States and other countries where we and our providers operate. Where required, we use lawful transfer mechanisms (e.g., SCCs) and implement safeguards.

10) Third-party services

Our Service links to or relies on third-party services (e.g., CCBill, AV providers, crypto on-ramps). Their terms and privacy policies apply to their processing; we are not responsible for them.

11) Changes

If we change this Policy, we’ll post the update and update the “Effective date.” Material changes will be announced via the Service or email.

12) How to contact us

privacy@polarisdigital.net (privacy requests)
legal@goon.app (legal notices)
ncii@goon.app (non-consensual intimate imagery)
dmca@polarisdigital.net (copyright)
Mail: 1209 Mountain Road Pl NE #7160, Albuquerque, NM 87110 USA

13) GDPR legal bases (EU/UK)

  • Contract (Art. 6(1)(b)): provide the Service, payments, support.
  • Legal obligation (Art. 6(1)(c)): reporting (e.g., NCMEC), tax, accounting.
  • Legitimate interests (Art. 6(1)(f)): security, fraud, analytics, service improvement (balanced against your rights).
  • Consent (Art. 6(1)(a)): optional analytics cookies; marketing; age-verification biometrics where required by local law.

14) State biometric notices (IL/WA/TX)

If we use biometric age-estimation, we do so only to verify age, not for identification; we do not sell or disclose biometric data; our provider deletes biometric images within 30 days; we retain only the verification outcome/token. We will honor state-specific requirements (e.g., consent and deletion timelines).