Privacy Policy

This Privacy Policy covers your use of SQUIDS — the platform at squids.co.za and any associated services. SQUIDS is a global social platform where ideas surface: a place for questions, opinions, debate, and conversation. When you use it, you share information with us, and this document tells you exactly what we do with that information.

By using SQUIDS you consent to the processing described here. This Policy works alongside our Terms of Service and Cookie Policy — all three together form the agreement between you and us.

We're a South African platform with users and infrastructure across the world, so multiple privacy laws apply to us. Here's how they stack up:

South Africa — primary jurisdiction

The Protection of Personal Information Act, 2013 (POPIA) is our primary obligation. It's backed by Section 14 of the Constitution, which makes privacy a fundamental right. Alongside POPIA, the Consumer Protection Act, 2008 (CPA) governs how we send you notifications, the Electronic Communications and Transactions Act, 2002 (ECTA) covers our online operations, and the Cybercrimes Act, 2020 informs our breach-reporting obligations. Where any other law conflicts with POPIA, POPIA wins first.

Sweden and the European Union — our database servers

Our database infrastructure runs in Sweden through Supabase. That means your data sits on servers inside the EU, which brings two layers of European law into play. The EU General Data Protection Regulation (GDPR, Regulation 2016/679) applies directly. On top of that, Sweden's own Data Protection Act (2018:218) and Data Protection Ordinance (2018:219) supplement the GDPR with Swedish-specific rules — including how personal identity numbers are handled and conditions for processing criminal conviction data. The Swedish Electronic Communications Act (2022:482) governs cookie-related rules for users in Sweden. The supervisory authority is Integritetsskyddsmyndigheten (IMY) — Sweden's Authority for Privacy Protection. We are subject to IMY's jurisdiction for any processing that takes place on our Swedish infrastructure.

United Kingdom

UK users are covered by the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA) — whose provisions are rolling out through 2026. Cookies for UK users fall under the Privacy and Electronic Communications Regulations 2003 (PECR). The supervisory authority is the Information Commissioner's Office (ICO).

Australia

Australian users are covered by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). The reforms introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) also apply. The supervisory authority is the Office of the Australian Information Commissioner (OAIC).

United States

Our minimum age of 16 exceeds the threshold of the Children's Online Privacy Protection Act (COPPA), which applies to under-13s. We don't collect data from anyone under 16, so COPPA's requirements are met by default.

We only collect what we need to run SQUIDS. When you register, we collect your email address, username, display name, and a hashed version of your password — we never store it in plain text. If you choose to fill out your profile, we also collect whatever you voluntarily add: a bio, profile image, or any other details. Everything you post — questions, comments, replies — is content you provide directly, and it becomes part of your account.

When you use the platform, we automatically collect some technical information: your IP address, browser type and version, the device you're using, which pages you visit, how long you spend on them, and what features you interact with. We need this to keep SQUIDS running securely and to understand what's working and what isn't. We also collect information through cookies — explained fully in our Cookie Policy.

If you use a third-party login service to sign in, that provider will share a limited set of profile data with us — typically your name, email, and profile picture — in line with whatever permissions you granted them.

We use your information to operate and deliver SQUIDS — to authenticate you, display your content, send notifications, and keep everything running. We use technical and usage data to detect abuse, prevent fraud, investigate policy violations, and keep the platform secure. We analyse usage trends to understand what's working and improve SQUIDS over time. Where you've opted in, we may send you service-related updates — not marketing spam. Advertising data supports the display of ads on the platform, which is how we keep SQUIDS free for everyone. And we comply with any legal obligations that require us to process or retain certain data.

We do not use automated decision-making that produces significant legal effects on you, except where the law allows it and appropriate safeguards are in place. We do not sell your personal information to anyone.

Under POPIA, every time we process your data we need a lawful reason. We rely on four: your consent — for example, when you agree to marketing or optional analytics; the performance of a contract — processing that's necessary to deliver the service you signed up for; our legitimate interests — like security monitoring or platform improvement, balanced against your rights; and legal obligations — where South African law or a court requires it.

Where consent is the basis, you can withdraw it at any time by contacting us at legal@squids.co.za. Withdrawing consent doesn't undo anything we did lawfully before you withdrew it.

We don't sell your data. Full stop. We do share it in a few limited circumstances. Our infrastructure providers — Supabase (databases, hosted in Sweden) and Cloudflare (security and content delivery) — process data on our behalf under strict contracts. We share with analytics providers for anonymous usage reporting. We share with law enforcement or regulatory bodies when required by a valid court order or South African law — and where legally permitted, we'll tell you when that happens. If SQUIDS is ever sold or merged, your data may transfer to the new entity, but they'd be bound by equivalent protections.

All third-party processors are contractually required to protect your data, use it only for the purposes we specify, and comply with applicable privacy law. They are not permitted to do anything with your data that we haven't instructed them to do.

We use cookies to keep you logged in, remember your settings, measure how the platform is used, and serve advertising. The full breakdown — what types we use, how long they last, and how to manage them — is in our Cookie Policy.

Under POPIA — and in parallel under GDPR for EU and UK users — you have real rights over your data. You can ask to see what we hold on you. You can ask us to correct anything that's wrong or out of date. You can ask us to delete your data where we no longer have a lawful reason to keep it. You can object to how we're using it. You can ask for a copy in a format you can take elsewhere. And if you think we've got something wrong, you can complain to the Information Regulator.

To exercise any of these rights, use the process in Section 9 below.

Email our Information Officer. We'll acknowledge within three business days and respond fully within 30 days as required by POPIA. Please tell us who you are, what you're asking for, and include something that confirms your identity so we can protect your account from fraudulent requests.

If you're not satisfied with our response, here's where to escalate:

• South Africa: Information Regulator — inforegulator.org.za
• Sweden / EU: Integritetsskyddsmyndigheten (IMY) — imy.se
• United Kingdom: Information Commissioner's Office — ico.org.uk
• Australia: Office of the Australian Information Commissioner — oaic.gov.au

Our database servers are hosted in Sweden. Sweden is a member of the European Union, which means that data stored on those servers sits within the EU and is subject to the full protections of the GDPR. This is actually good news for you — the GDPR is one of the strongest data protection frameworks in the world, and it applies to your data regardless of where you are in the world.

Specifically, because of our Swedish infrastructure, the following Swedish laws apply to how your data is processed on those servers: the Swedish Data Protection Act (Dataskyddslag 2018:218), which supplements the GDPR with national rules on personal identity numbers and criminal conviction data; the Swedish Data Protection Ordinance (2018:219); and the Swedish Electronic Communications Act (Lag (2022:482) om elektronisk kommunikation), which implements the EU ePrivacy Directive and governs cookie rules. The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten — IMY) is the competent supervisory authority for data processing on Swedish territory.

Transfers of your personal data from South Africa to our Swedish servers are lawful cross-border transfers under POPIA, given that EU member states maintain data protection standards equivalent to or greater than South Africa's. No personal data is transferred from our Swedish servers to countries outside the EU/EEA without appropriate safeguards — including Standard Contractual Clauses where required.

SQUIDS uses two primary infrastructure providers. Here's exactly what they do, where they operate, and how your data is protected with each of them.

Both Supabase and Cloudflare are bound by written data processing agreements with SQUIDS. They process your data only under our instruction. If you have concerns about how either provider handles data, you can also raise them directly with those providers using the links above — or contact us at legal@squids.co.za and we'll help you get the right answer.

We take security seriously, and so do our infrastructure partners. All data in transit is encrypted via HTTPS and TLS. Data at rest on our Supabase servers is encrypted with AES-256. Passwords are hashed and salted — we never see them in plain text. Access to personal data is restricted on a need-to-know basis. We monitor for security incidents and review our practices regularly. If there's ever a breach that could harm you, we'll notify you and the Information Regulator as required by POPIA and the Cybercrimes Act, 2020. No system is perfectly secure — but we do everything reasonable to keep yours safe.

SQUIDS is not for people under 16. We don't knowingly collect data from anyone under 16, and we don't want to. Our minimum age exceeds the thresholds of COPPA (US), UK GDPR (13), and the EU GDPR (13–16 depending on member state). If you think a minor has created an account, please email legal@squids.co.za straight away — we'll investigate and act immediately.

If you're in the United Kingdom, your data is handled in accordance with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025, whose provisions are coming into force progressively throughout 2026. Cookies placed on your device are also governed by the Privacy and Electronic Communications Regulations 2003 (PECR). Your rights under UK GDPR are the same as those described in Section 8. You can exercise them by contacting us at legal@squids.co.za. If you're not happy with our response, you can escalate to the Information Commissioner's Office (ICO) at ico.org.uk.

If you're in Australia, your data is handled in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth). You have the right to access and correct your personal information, and to complain about how it's been handled. Exercise those rights by contacting us at legal@squids.co.za. If you're not satisfied with our response, you can raise a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We keep your data for as long as your account is active and for a reasonable period after it closes, to comply with legal obligations, resolve disputes, prevent fraud, and maintain platform integrity. When you delete your account, most of your personal data is deleted or anonymised within 90 days. Some data may be retained longer where the law requires it — for example, records relevant to an ongoing legal proceeding. Anonymised usage data that can no longer be tied to you may be kept indefinitely for platform analytics.

We'll update this document when our practices or legal obligations change. When we make significant changes, we'll update the date at the top and let you know via in-app notification or email where it's practical to do so. The latest version is always at policies.squids.co.za/privacy. Continuing to use SQUIDS after an update means you've accepted the new version.