Legal

Privacy Policy

Effective date: April 30, 2026  ·  Last updated: May 6, 2026

This Privacy Policy is prepared with care and represents our genuine commitment to protecting your information. It is not a substitute for legal advice. If you have specific questions about your privacy rights in your jurisdiction, we encourage you to consult a qualified lawyer. Nothing here constitutes legal advice to you. We are not lawyers.

1. Who we are and how to reach us

SobrCircle is operated by Moradi Labs Inc., a federal Canadian corporation (Corporation No. 1783166-8; Ontario extra-provincial registration No. 1001564375), and its predecessor sole proprietorship of Behnam Moradi. Moradi Labs Inc. is in the process of consolidating all operations and product accounts; both entities are responsible for the service during this transition.

Registered office: 1223 Enfield Ct, Windsor, Ontario, Canada N8S 4N1.

Our Terms of Service are incorporated by reference into this Privacy Policy.

2. Our Privacy Officer

Designated Privacy Officer (Person in Charge of the Protection of Personal Information): Behnam Moradi, Director and sole shareholder, Moradi Labs Inc.

This designation satisfies the requirement under the Quebec Act respecting the protection of personal information in the private sector (CQLR c P-39.1, as amended by Law 25 / Bill 64, s. 3.1) and the accountability principle under the federal Personal Information Protection and Electronic Documents Act (PIPEDA, Schedule 1, Principle 4.1.1).

The Privacy Officer has independent authority to: pause new data collection activities that have not received privacy review; veto product changes that introduce undisclosed data flows; approve or deny new third-party data processors; and direct the response to any privacy incident.

3. Scope of this policy

This policy describes how SobrCircle collects, uses, discloses, stores, and deletes personal information when you use the SobrCircle mobile application (iOS and Android) and our related website at sobrcircle.com. It applies worldwide to all users wherever the app is distributed. Regional supplements are incorporated inline in Sections 11–16 below.

This policy does not apply to third-party services linked from SobrCircle (for example, external meeting-directory sources or crisis hotline websites). Those services have their own privacy policies.

4. Who can use SobrCircle

SobrCircle is for adults aged 18 and older only. We do not knowingly collect personal information from anyone under 18. At sign-up, we require you to confirm you are 18 or older; we record the date and time of that confirmation in your account record. If we learn that someone under 18 has created an account, we will close the account and delete the associated personal information without delay.

5. Information we collect

5.1 Information you give us directly

5.2 Information collected automatically while you use the app

5.3 Information from third parties

5.4 Location information

We never collect background location. Location access requires your explicit permission and is never requested at app launch.

5.4a Device permissions and what each one is used for

Every device permission SobrCircle asks for has a single, narrowly-scoped purpose that you control. Each prompt is shown the first time you reach a feature that needs it; you can revoke any of these from your device settings at any time and the rest of the app continues to work.

5.5 What we do not collect

5.6 Subscriptions and Family Sharing

The SobrCircle Supporter monthly subscription (formerly “Premium” in older app builds; “Supporter” everywhere user-facing in current builds) is an individual subscription. Apple Family Sharing is intentionally disabled for this subscription, and Google Play Family Library is not enabled. Each member of a household who chooses to support SobrCircle does so with their own subscription. Recovery is personal — we don’t want a household’s subscription state to be visible to anyone the user has not chosen to share recovery context with.

5.7 Home-screen widgets

On iOS, SobrCircle’s home-screen and lock-screen widgets read a small set of values (recovery date, today’s reflection text, tomorrow’s reflection text) from a shared App Group container (group.com.sobrcircle.app.widgets) that lives entirely on your device. The app writes these values; the widget extension reads them. Widget data is local-only and is never transmitted to a server. The same model applies to the Android home-screen widgets (which read locally-stored values via Android shared preferences).

5.8 Maps API key

SobrCircle uses the Google Maps SDK on both iOS and Android to render maps and meeting locations. The Maps API key is embedded in the app binary (this is the design Google requires for client-side Maps SDKs); it is restricted at the Google Cloud Platform IAM layer to SobrCircle’s iOS bundle ID and Android package name + signing certificate, and is restricted to the Maps SDK only. No location tracking happens on our servers as part of map rendering — the Maps SDK communicates directly with Google’s map tile servers from your device.

6. How we use your information

We use the information we collect for the following purposes:

We do not use your information for advertising. SobrCircle has no advertisers, advertising networks, or advertising SDK.

We do not use automated decision-making that produces legal or similarly significant effects on you, with one exception: our content moderation classifiers may automatically hide or flag content pending human review. If your content is flagged, you will be notified and you can request human review by emailing [email protected].

7. Content moderation and safety processing

SobrCircle is a recovery community. To protect users from harmful content, we run automated moderation on content you upload or post. We describe below the controls actually deployed today. Where a control is built but not yet activated, we say so plainly. For our full child safety standards, see sobrcircle.com/child-safety-standards.

If your content is removed or restricted, you will be notified. You can appeal by emailing [email protected]. All appeals are reviewed by a human. Image and video data passed to Google Cloud Vision and Google Cloud Video Intelligence is used solely for moderation and is not retained by those providers for training or other purposes beyond the scope of the moderation scan.

8. Sharing with third parties

We do not sell personal information. We share personal information only with the service providers listed below, which process it on our instructions to operate SobrCircle. Where required, we have entered into data processing agreements (DPAs) with each provider.

We may disclose personal information to law enforcement, regulators, or courts when required by a valid legal demand (court order, subpoena, regulator request, or equivalent). We will tell you about any disclosure unless we are legally prohibited from doing so, or unless doing so would create a risk of harm to you or others.

If Moradi Labs Inc. or the SobrCircle service is sold, merged, or transferred, personal information may be transferred to the successor entity, subject to the same privacy protections described in this policy. We will notify you before any such transfer takes effect.

9. Retention

10. International data transfers

We are headquartered in Canada. Our primary infrastructure runs on Google Cloud in the us-central1 region (Iowa, United States). When you use SobrCircle, your personal information is transferred to and processed in the United States.

Canada to United States transfers: PIPEDA does not prohibit cross-border transfers, but requires us to use contractual means (our DPAs with Google, RevenueCat, etc.) to ensure comparable protection. Our DPAs with Google and RevenueCat include the Google Cloud Data Processing Addendum and RevenueCat’s DPA respectively, which impose obligations consistent with PIPEDA and Quebec Law 25. Google maintains Google Cloud certifications including ISO 27001 and SOC 2.

Quebec Law 25 cross-border transfer assessment: Quebec Law 25 requires a written privacy impact assessment before transferring personal information outside Quebec to confirm comparable protection. We have conducted this assessment. Our determination is that Google Cloud’s contractual and organizational protections, combined with the protections in our DPA, provide protection comparable to Quebec standards. This assessment is available to the Commission d’accès à l’information du Québec (CAI) on request.

EU and UK residents — GDPR Chapter V and UK GDPR: The United States does not benefit from an EU adequacy decision for general commercial data transfers (the EU-US Data Privacy Framework applies only to self-certified US organizations). Our transfers of EU/UK personal data to Google Cloud rely on the Standard Contractual Clauses (SCCs) included in the Google Cloud Data Processing Addendum (Module 2: Controller to Processor), supplemented by Google’s Transfer Impact Assessment. Our transfers to RevenueCat rely on RevenueCat’s DPA, which also includes SCCs. No other ad hoc mechanisms are used. We do not rely on consent as the sole basis for transfers.

Australian residents: We transfer personal information from Australia to the United States as described above. We take reasonable steps under Australian Privacy Principle 8 to ensure that overseas recipients handle your information in accordance with the Australian Privacy Principles, primarily through our DPAs.

11. Your rights

Regardless of where you are located, you have the following rights with respect to your personal information. Regional notes follow below where the law adds specific requirements or extends these rights.

How to submit a request: email [email protected] from the email address associated with your account, or use the in-app tools described above. We may ask you to verify your identity before processing your request.

Response time: we will respond to all privacy requests within 30 calendar days. If we need more time, we will notify you in writing with the reason and the new expected date. We will never charge a fee for a first request; we may charge a reasonable fee for repeated or manifestly unfounded requests, consistent with applicable law.

12. Regional rights — Canada (PIPEDA and Quebec Law 25)

We comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec’s Act respecting the protection of personal information in the private sector (CQLR c P-39.1, as amended by Law 25 / Bill 64).

Your rights under PIPEDA include access, correction, and withdrawal of consent. We process your personal information only for the purposes identified in this policy, and only with your knowledge and consent (express for sensitive information such as recovery date; implied for necessary operational purposes).

Quebec residents have additional rights under Law 25:

To file a complaint: Office of the Privacy Commissioner of Canada (federal / PIPEDA) at priv.gc.ca  ·  Commission d’accès à l’information du Québec (Quebec) at cai.gouv.qc.ca  ·  BC Information & Privacy Commissioner at oipc.bc.ca  ·  Alberta Information and Privacy Commissioner at oipc.ab.ca.

Notre politique de confidentialité est disponible en français sur demande. Contactez-nous à [email protected].

13. Regional rights — European Economic Area and United Kingdom (GDPR / UK GDPR)

SobrCircle is not actively marketed in the European Economic Area (EEA) or the United Kingdom. If you nonetheless use SobrCircle from within the EEA or the UK, the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data.

Legal bases for processing (Article 6 and Article 9 GDPR):

Your GDPR and UK GDPR rights: access (Art. 15), rectification (Art. 16), erasure (“right to be forgotten,” Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and the right not to be subject to automated decision-making with legal effects (Art. 22 — see Section 7 on human review of moderation decisions).

To file a complaint: contact your national data protection authority (EU member state supervisory authority) or, in the UK, the Information Commissioner’s Office (ICO) at ico.org.uk. Because we are based in Canada and do not have an EU/UK establishment or EU/UK representative formally designated, your lead supervisory authority is the authority in the EU member state or UK where you reside.

Cross-border transfers (EU/UK to US): as described in Section 10, transfers rely on Standard Contractual Clauses in our Google Cloud and RevenueCat DPAs.

14. Regional rights — United States

14.1 California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights:

We respond to verifiable California consumer requests within 45 days (extendable by 45 days when reasonably necessary, with notice).

We do not have actual knowledge of collecting personal information of California residents under 16.

14.2 Other US state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other US states with consumer privacy laws have rights similar to those described in Sections 11 and 14.1 above, including rights to access, correct, delete, and obtain a portable copy of your personal information, and to opt out of any sale or targeted advertising (neither of which we engage in). We honor these rights. Contact [email protected] to exercise them. We will respond within the shorter of 45 days or the statutory deadline of your state.

Colorado SB 24-205 (AI Law, effective June 30, 2026): to the extent we deploy any automated decision-making covered by that law after its effective date, we will provide required notices at that time.

15. Regional rights — Australia (Privacy Act 1988)

If you are in Australia, we handle your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

To file a complaint: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Please contact us first; we will try to resolve your concern within 30 days.

16. Breach notification

We take security incidents seriously. If we discover a breach of personal information that poses a risk of harm, we will act immediately to contain it and notify the affected users and regulators according to the following obligations:

17. Security

We protect your information using:

No system is perfectly secure. If we discover a breach that affects your information, we will notify you and the relevant regulator(s) as described in Section 16.

18. Push notifications

We send push notifications only with your permission. You can grant or revoke notification permission in your device settings at any time. We send push notifications for: new messages, friend request activity, milestone events, and important account alerts (such as deletion confirmation). We do not send commercial marketing push notifications unless you have separately opted in.

19. Cookies and tracking technologies

The SobrCircle mobile app does not use cookies. We use a device-level advertising identifier (IDFA on iOS, GAID on Android) only if Firebase Analytics is active and only if you have opted in (Section 5.2). You can reset or limit this identifier through your device settings at any time.

The SobrCircle website (sobrcircle.com) uses no third-party analytics, advertising, or tracking cookies. We set no persistent cookies beyond what is technically necessary to serve the site.

20. SobrCircle is not medical care

SobrCircle is a peer-support social community. It is not medical treatment, addiction therapy, clinical care, crisis intervention, or a substitute for professional health services. Content you encounter on SobrCircle reflects the personal experience of the user who shared it. It is not medical advice or clinical guidance.

If you are in crisis or immediate danger, contact emergency services (911 in Canada/US, 999 in the UK, 000 in Australia, 112 in the EU) or a crisis line: 9-8-8 Suicide Crisis Helpline in Canada (call or text 988); 988 Suicide & Crisis Lifeline in the US (call or text 988). Additional crisis resources are listed within the app.

Recovery meeting information shown in SobrCircle is provided by users and third-party directories. We cannot guarantee a meeting is taking place at the time and location shown. Always confirm directly with the meeting host before attending.

21. Changes to this policy

We may update this Privacy Policy. Material changes — those that expand what we collect, add a new category of third-party processor, or limit your rights — will be announced in the app and by email at least 30 days before they take effect. You may close your account before a material change takes effect if you do not agree.

Non-material changes (updated contact details, typographical corrections, clarifications that do not change our practices) take effect when published. The “Last updated” date at the top of this policy will always reflect the most recent change.

Archived versions of this policy are available on request by emailing [email protected].

22. Contact us and regulator escalation

For any privacy question, rights request, or concern, please contact our Privacy Officer first:

If you are not satisfied with our response, you have the right to escalate to the relevant privacy regulator in your jurisdiction: