Privacy Policy

1) Who we are

YouShould ("we," "us," or "our") operates a platform where people create and complete checklists, verify participation, earn points, and redeem rewards. We operate out of California, USA and serve users worldwide. You can reach us at info@youshould.app.

2) Scope

This policy explains the personal data we collect when you visit our websites, use our apps and services, interact with checklists, complete items, verify participation, earn or redeem points, make purchases, or contact us for support (collectively, the “Service”).

3) Data we collect

A. Data you provide

• Account data (name, email, password or SSO identifiers).
• Profile & organization data (display name, avatar, organization name).
• User Content (checklists, photos, descriptions, tips, comments).
• Participation & verification data (completion timestamps, verification method, and related information such as QR code scans, GPS verification, NFC taps, PIN entries, quiz responses, or uploaded proof submitted to confirm participation).
• Rewards & fulfillment data (preferred pickup location; shipping name, address, phone if provided for shipped rewards).
• Payment and transaction data (purchase details, subscription status, billing-related information, and limited payment metadata provided by our payment processors).
• Communications (messages to support, feedback, survey responses, and email preferences).

B. Data we collect automatically

• Usage data (features used, clicks, pages viewed, referring/exit pages, timestamps).
• Device & technical data (IP address, device type, OS, browser, app version, language, error logs).
• Approximate location (derived from IP).
• Security and fraud-prevention data (login attempts, IP logs, verification checks, abuse signals, rate-limiting events, and similar activity used to protect the Service).

C. Data from others

• Single sign-on (if used): we receive limited account info from the provider you choose (e.g., Google, Apple, Facebook).
• Payment processors: when you make purchases through the Service, payment information is processed by third-party providers such as Stripe. We do not store full payment card numbers, and those providers process payment data according to their own privacy policies.
• Third-party embeds: when you interact with Google Maps, YouTube, reCAPTCHA Enterprise, or Spotify embeds, those providers may receive data pursuant to their own policies.

4) How we use data

• Provide, maintain, and improve the Service.
• Enable checklist creation, completion tracking, participation verification, points, payments, and reward redemption.
• Secure the Service (fraud prevention, abuse detection, rate limiting, reCAPTCHA, and account protection).
• Communicate with you (service messages, updates, support, and optional marketing emails you can unsubscribe from at any time).
• Comply with legal obligations and enforce our Terms.

5) Legal bases (EEA/UK/CH)

Where GDPR/UK GDPR/FDPA applies, we process personal data under these bases:

• Contract: to provide the Service you request.
• Legitimate interests: to secure and improve the Service, prevent fraud, process transactions, and engage with organizers and users in a way that does not override your rights.
• Consent: for certain optional features (e.g., precise location, certain cookies where required, and certain marketing communications where required by law).
• Legal obligation: to comply with law.

6) How we share data

• Service providers: cloud hosting, databases, analytics, email, payment processing, customer support, and security providers (under contract, limited use).
• Organizers: when you join, participate in, or redeem from a specific checklist, relevant information (e.g., your display name, completion status, verification activity, and fulfillment details you provide) may be visible to that organizer.
• Reward fulfillment partners: when a reward is fulfilled by an organizer, sponsor, merchant, or other partner, we may share limited information necessary for fulfillment, pickup, delivery, or redemption.
• Independent organizer practices: organizers may operate their own programs through the Service and may independently determine how they use participant information. In those cases, organizers may act as independent controllers of personal data and are responsible for their own privacy practices.
• Legal & safety: to comply with law or protect rights, safety, and security.
• Business transfers: in connection with a merger, acquisition, financing, due diligence, or asset sale.

We do not sell personal information.

7) Cookies, analytics & reCAPTCHA

We use cookies and similar technologies to keep you signed in, remember preferences, measure usage, and protect the Service from abuse. We also use reCAPTCHA Enterprise to help detect bots and fraudulent activity. Your use of these features is subject to the providers’ policies:

• Google services (reCAPTCHA Enterprise, Maps): Google’s Privacy Policy and Terms of Service apply. This site is protected by reCAPTCHA.
• YouTube & Spotify embeds load content from those services when you play them; they may set cookies or collect data per their policies.

You can control cookies through your browser settings. Where required by law, we will request consent for non-essential cookies.

8) Location data

We may use your approximate location (from IP) to show nearby checklists. We only access precise location with your explicit permission (e.g., via your device or browser) when needed for features such as location-based participation verification. You can disable precise location in your device settings.

9) International transfers

We may process and store data in the United States and other countries. Where required, we use appropriate safeguards for cross-border transfers, such as the EU Standard Contractual Clauses or their UK/Swiss equivalents.

10) Retention

We keep personal data for as long as your account is active or as needed to provide the Service. When you delete your account, we delete or anonymize your personal data and User Content within a reasonable period, subject to limited retention required by law or reasonably necessary for legal, tax, accounting, security, fraud-prevention, dispute resolution, or enforcement purposes.

11) Security

We use administrative, technical, and physical safeguards to protect data, including encryption in transit and at rest and security practices aligned with SOC 2 standards. No method of transmission or storage is 100% secure; please use strong passwords and keep your credentials confidential.

12) Children

The Service is not directed to children under 13. If we learn that we have collected personal data from a child under 13, we will delete it.

13) Your rights

A. EEA/UK/Switzerland

Subject to law, you may request access, correction, deletion, restriction, portability, or object to processing. You may also withdraw consent where processing is based on consent. You can lodge a complaint with your local supervisory authority.

B. California (CPRA)

California residents have the right to know, delete, correct, and limit use of sensitive personal information, and to not be discriminated against for exercising these rights. We do not sell personal information. We do not share personal information for cross-context behavioral advertising at this time. If that changes, we will provide a “Do Not Sell or Share” mechanism.

C. Canada (PIPEDA) & Québec

Canadian users may request access and correction and may withdraw consent subject to legal or contractual restrictions. For Québec residents, additional consumer rights may apply.

To exercise your rights, email info@youshould.app. We may need to verify your identity and, where applicable, your authority to make the request.

14) “Do Not Sell or Share”

We do not sell personal information. If we begin sharing personal information for cross-context behavioral advertising, we will update this Policy and provide a clear opt-out link.

15) Changes

We may update this Policy to reflect changes to our practices or for legal, operational, or regulatory reasons. We will post the updated Policy with a new effective date.

16) Contact

Questions or privacy requests? Email info@youshould.app. For copyright/IP issues, contact our DMCA agent at trevor@youshould.app.

If the Service contains links to third-party websites or services, we are not responsible for their privacy practices. We encourage you to review their privacy policies before providing personal information to them.

When using Google services, note: “This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.”