Privacy Policy
PRIVACY POLICY
Gosh — operated by Spheregosh Private Limited
Effective Date: 8 May 2026 · Last Updated: 8 May 2026
1. Introduction
This Privacy Policy describes how Spheregosh Private Limited, a company incorporated in the Republic of Singapore ("Gosh", "we", "us", or "our"), collects, uses, discloses, and safeguards personal data when you access or use the Gosh website, mobile applications, and related services (collectively, the "Services").
We are committed to handling your personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and, where applicable, other privacy laws including the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA").
This Privacy Policy is incorporated into and forms part of our Terms and Conditions.
2. Personal Data We Collect
2.1 Information you provide directly
- Account information: name, username, email address, phone number, date of birth, password, and profile photo.
- Profile information: bio, social-media links, gender (if you choose to provide it), and other details you add to your profile.
- Streamer information: bank account or payment-platform details, government-issued identification, and tax information (collected only from users who become eligible Streamers).
- Content you submit: livestreams, recordings, chat messages, comments, images, and other content.
- Payment information: when you purchase Coins or other services, payment details are collected and processed by our third-party payment providers; we receive only limited transaction information (such as the last four digits of your card and confirmation status).
- Communications: messages you send to us through customer support or feedback channels.
2.2 Information collected automatically
- Device and technical information: IP address, device identifiers (such as IDFA, Android Advertising ID), device model, operating system, browser type and version, language settings.
- Usage information: pages or screens viewed, features used, search queries, time spent on the Services, click and scroll behaviour, referral URLs.
- Streaming-related telemetry: bitrate, latency, viewer counts, and similar performance metrics.
- Approximate location: derived from your IP address. We do not collect precise GPS location unless you explicitly enable a feature that requires it.
- Cookies and similar technologies: see Section 7.
2.3 Information from third parties
- Third-party login providers: if you sign in using Google, Apple, Facebook, or another third-party identity provider, we receive the basic profile information you authorise that provider to share (typically your name, email, and profile picture).
- Payment providers: confirmation of successful payments, refunds, and chargebacks.
- Analytics, advertising, and fraud-prevention partners: aggregate or pseudonymous data about how you interact with the Services and signals that help us prevent fraud.
- Public sources: information from public records or social-media platforms where you have made it public.
2.4 Sensitive data — special handling
Some features may involve more sensitive categories of data, which we handle with heightened care:
- Biometric / face data: if you use voluntary features such as face filters, special effects, or Real-Person Profile Picture verification, we may briefly process facial-image data. Such data is processed only for the specific feature for which it is collected, only with your express, separate consent, and only for as long as necessary to provide that feature. We do not use this data for training general-purpose machine-learning models, and we do not share it with third-party advertisers.
- Identification documents: collected only from Streamers and only for identity verification, anti-money-laundering checks, and tax compliance.
We do not knowingly collect data from children. See Section 10.
3. How We Use Personal Data
We use personal data for the following purposes:
Purpose | Examples |
|---|---|
Providing the Services | Creating and maintaining your Account; delivering livestreams; processing Coin purchases and Gifts; powering search, recommendations, and chat. |
Customer support | Responding to enquiries; investigating and resolving disputes; sending administrative messages. |
Safety and integrity | Detecting, preventing, and responding to fraud, abuse, harassment, infringement, security threats, and policy violations; verifying age and identity where required. |
Personalisation | Recommending streams, creators, and categories based on your activity. |
Communications | Sending service notifications, updates to legal terms, and (with your consent where required) marketing messages. |
Advertising | Displaying ads and measuring their effectiveness, subject to your choices (Section 9). |
Research and improvement | Analysing usage patterns, conducting A/B tests, improving features, and developing new ones. |
Legal compliance | Complying with applicable law, court orders, regulatory requests, tax obligations, and our legitimate business interests in protecting our rights, property, and users. |
4. Legal Bases for Processing
Where the GDPR or similar laws apply, we rely on the following legal bases:
- Performance of a contract — to provide the Services you have requested.
- Your consent — for purposes that require it, such as marketing communications, biometric processing, or non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legitimate interests — to operate, secure, and improve the Services; to prevent fraud and abuse; to enforce our terms; and to communicate with you about service changes. We balance these interests against your rights.
- Legal obligation — to comply with applicable law and regulatory requests.
- Vital or public interests — in rare cases, to protect someone's life or to support public-interest functions provided for by law.
Where the PDPA applies, we rely on your consent (express or deemed, as permitted by the PDPA) and on the legitimate-interests, business-improvement, and other exceptions provided by the First and Second Schedules of the PDPA.
5. How We Share Personal Data
We do not sell your personal data. We share personal data only as described below:
- With your consent or at your direction — for example, when you publish a livestream, your username, profile, and content become visible to others.
- With service providers — cloud hosting, content delivery, analytics, payment, customer support, anti-fraud, communications, and similar vendors that process data on our behalf under written contracts that include confidentiality and data-protection obligations.
- With our affiliates — companies under common control with Spheregosh Private Limited, for the purposes described in this Policy.
- For safety and legal reasons — when we reasonably believe disclosure is necessary to comply with applicable law, respond to lawful requests by public authorities, enforce our terms, prevent fraud or harm, or protect rights, property, or safety.
- In a corporate transaction — in connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business, subject to appropriate confidentiality protections.
- With your community on the Services — public profile information, public posts, livestreams, and chat messages are visible to other users by their nature.
- In aggregated or de-identified form — we may share information that does not directly identify you with research partners, advertisers, and the public.
6. International Data Transfers
We are based in Singapore, and personal data we collect may be processed and stored in Singapore and in other countries where we, our affiliates, or our service providers operate. These countries may have data-protection laws different from those of your country.
When transferring personal data out of Singapore, the EEA, the UK, or other regulated jurisdictions, we use appropriate safeguards required by applicable law, which may include:
- standard contractual clauses approved by relevant data-protection authorities;
- transfer-impact assessments;
- transfers to recipients in jurisdictions recognised as providing an adequate level of data protection;
- compliance with the PDPA's Transfer Limitation Obligation.
You may contact us using the details in Section 14 to request information about the safeguards we use.
7. Cookies and Similar Technologies
We use cookies, pixels, SDKs, and similar technologies ("Cookies") to:
- keep you signed in and remember your preferences;
- secure your Account and prevent fraud;
- understand how the Services are used and improve them;
- deliver relevant advertising and measure its performance.
We use:
- Strictly necessary cookies — required to operate core features.
- Functional cookies — to remember your preferences.
- Analytics cookies — to measure and improve the Services.
- Advertising cookies — to deliver and measure advertising (only with your consent where required by law).
You can manage Cookie preferences through:
- the Cookie banner or preference centre we provide on first visit and from any page footer;
- your browser or device settings (note: blocking some Cookies may affect functionality);
- platform-level controls such as iOS App Tracking Transparency or Android advertising-ID reset.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, tax, regulatory, and reporting requirements, and to resolve disputes and enforce agreements. Indicative retention periods:
Category | Retention period |
|---|---|
Account information | While the Account is active and for up to 90 days after closure (longer where required by law). |
Livestream recordings (where retained) | As specified in the Services or required by law. |
Chat messages | Generally deleted within 90 days, except where retained for safety or legal reasons. |
Payment and tax records | Up to 7 years, in accordance with Singapore tax and accounting law. |
Identity-verification documents | While required to verify status, plus the period required by anti-money-laundering law (up to 5 years after the relationship ends). |
Server and security logs | Generally up to 12 months. |
Biometric/face data for filters | Processed only for the duration of the session unless you explicitly save the result. |
When personal data is no longer needed, we will securely delete or anonymise it.
9. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights in relation to your personal data:
- Access — to request a copy of the personal data we hold about you.
- Correction — to ask us to correct inaccurate or incomplete data.
- Deletion / withdrawal of consent — to ask us to delete personal data or to withdraw consent we previously relied on.
- Restriction or objection to processing — to ask us to limit or stop certain processing.
- Data portability — to receive your personal data in a structured, commonly used format.
- Opt-out of marketing — at any time, by using the unsubscribe link in our marketing emails, by adjusting in-app notification settings, or by contacting us.
- Opt-out of personalised advertising — through the in-app controls we provide and through industry tools such as the Digital Advertising Alliance opt-out, the Network Advertising Initiative, or Your Online Choices.
- Lodge a complaint — with your local data-protection authority (such as the Personal Data Protection Commission of Singapore, the Information Commissioner's Office in the UK, or your EU national authority).
To exercise these rights, please contact us using the details in Section 14. We will respond within the timeframes required by applicable law (in Singapore, generally within 30 days; under the GDPR, within one month, extendable in certain cases). We may need to verify your identity before acting on your request, and we may decline requests where permitted or required by law (for example, where granting the request would violate another person's rights).
10. Children's Privacy
The Services are intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we learn that we have inadvertently collected personal data from a person under 18, we will delete that data promptly. If you are a parent or guardian and believe that a child under 18 has provided us with personal data, please contact us using the details in Section 14.
11. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit, access controls, network segmentation, employee training, and regular security reviews.
No method of electronic storage or transmission is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for keeping your Account credentials confidential.
In the event of a personal-data breach that meets a notification threshold under applicable law, we will notify the relevant authorities and affected individuals in accordance with the timelines required by law (including, where applicable, within 72 hours of becoming aware of the breach under the GDPR, and within the timeframes set by the PDPA).
12. Data Protection Officer
In accordance with the PDPA, we have appointed a Data Protection Officer ("DPO"). You may contact our DPO at:
Data Protection Officer
Spheregosh Private Limited
Email: [email protected]
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by reasonable means (such as posting the revised Policy on the Services and updating the "Last Updated" date, or sending an email or in-app notification). The revised Policy will take effect on the date stated at the top. Please review this Policy periodically.
14. How to Contact Us
For privacy-related questions or requests:
Spheregosh Private Limited
General contact: [email protected]
Privacy / DPO: [email protected]