Effective date: 10 May 2026

Privacy Policy

This Privacy Policy explains how Social ("we", "us", or "our") collects, uses, shares, and protects personal data of users ("you") of the Social mobile application and the website at socialapp.world (together, the "Service"). Please read it carefully. If you do not agree with this Policy, do not use the Service.

1. Who we are

Social is an independent project. It is not currently operated by a registered company. The team behind Social is responsible for the personal data the Service handles and acts as the data controller within the meaning of the GDPR. You can reach us at [email protected] for any privacy-related request, to exercise your rights, or to ask questions about this Policy.

2. Information we collect

We collect only the data we need to operate the Service.

(a) Information you provide

  • Account: email address, and either a one-time email verification code or a Google ID token (if you sign in with Google).
  • Profile: first name, last name, date of birth (used to derive age), gender, biography, profile picture, languages, nationalities, interests, and the city you select.
  • Events: title, description, date and time, address, geographic coordinates of the event location (chosen via Google Places), cover image, language and gender filters, participant cap.
  • Chat content: text messages and images you send inside event chats. Images are stored on our object storage.

(b) Information generated through your use

  • Participation records (which events you organised, joined, or left, and timestamps); muted-chat preferences; karma score; read-receipt timestamps; refresh-session tokens.
  • Push notification token (Apple APNs / Google FCM via Expo) — only stored if you grant notification permission.
  • Technical logs: IP address, request timestamps, error traces, rate-limit counters. These help us secure the Service and troubleshoot issues.

(c) Information from third parties

  • If you sign in with Google, we receive your verified email, basic profile fields and avatar URL from Google.
  • Google Places returns the place identifier, formatted address, and coordinates of the city or venue you select.

3. How we use your data

  • To create and authenticate your account and keep you signed in.
  • To display your profile to other users you interact with on the Service.
  • To organise and discover events, including showing event covers, locations, organisers and participants.
  • To deliver event chat messages between participants.
  • To send transactional push notifications (someone joined your event, new message in a chat you are part of). You can disable notifications in your device settings or mute individual chats.
  • To prevent abuse, enforce our Terms, debug, and ensure the stability and security of the Service.
  • To comply with legal obligations.

4. Legal bases (GDPR Art. 6)

  • Performance of a contract — to provide the core features you ask for (account, events, chats).
  • Consent — for push notifications, optional profile fields you choose to fill, and access to your device location/photos.
  • Legitimate interests — to keep the Service secure, prevent fraud, and improve features. We balance these against your rights.
  • Legal obligation — when we must respond to lawful requests from public authorities.

5. Who can see your data

(a) Other users

Your profile (name, age, avatar, languages, nationalities, interests, bio) is visible to other users when you are a participant or organiser of a shared event, and on the public shareable event page (socialapp.world/event/<id>). Your email address and exact birth date are never shown to other users.

(b) Service providers (processors)

  • Cloud hosting and database — to host the back-end and store data.
  • Object storage — to host avatar and chat images.
  • Email delivery — to send the 4-digit verification code.
  • Google (Sign-In, Places) — only when you use those features.
  • Apple Push Notifications / Firebase Cloud Messaging via Expo — to deliver push messages.

Each processor acts under our written instructions and is bound by confidentiality and security obligations.

(c) Authorities

We may disclose data when required by law or court order, or to protect the rights, property or safety of users and the public.

(d) Sale of data

We do not sell your personal data and we do not share it for cross-context behavioural advertising.

6. International data transfers

Some of our processors operate outside your country of residence. When data leaves the European Economic Area we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions, to keep an equivalent level of protection.

7. Retention

We keep account data for as long as your account is active. When you delete your account we anonymise your profile (your email is replaced with a non-identifying placeholder, and your name, photo, bio, location and other personal fields are cleared) and mark the account as deleted. Past chat messages remain in chats you took part in, attributed to "Deleted account" instead of your name, so we do not break conversations for the other participants. Events you organised remain visible after deletion. Backups are rotated and overwritten on a regular cycle.

8. Security

Data is transmitted over HTTPS. Refresh tokens are opaque and stored hashed; access tokens are short-lived JWTs. Passwords are not stored — we use one-time email codes or Google OAuth. We apply rate-limiting on sensitive endpoints. No system is 100% secure; please use a strong, unique password for the email account associated with Social and enable two-factor authentication there.

9. Your rights

Subject to applicable law (including GDPR/UK GDPR and CCPA), you have the right to:

  • Access the data we hold about you;
  • Rectify inaccurate data (in-app via Edit profile);
  • Delete your data ("right to be forgotten") — use Profile → Delete profile, or email us;
  • Restrict or object to certain processing;
  • Data portability — receive your data in a machine-readable format;
  • Withdraw consent at any time, without affecting prior lawful processing;
  • Lodge a complaint with your local supervisory authority (in the EU/EEA), or the UK ICO.

To exercise these rights, contact [email protected]. We respond within 30 days.

10. Children

The Service is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a child has created an account, contact us and we will remove it.

11. Permissions on your device (mobile app)

  • Location — only when you tap "Use my location" while choosing a city or event location. We do not track your location in the background.
  • Photos / Camera — only when you pick an avatar, an event cover image, or attach an image to a chat. We do not scan your library.
  • Notifications — only if you grant permission, used for transactional alerts.

You can change or revoke any permission at any time in your device settings.

12. Cookies and similar technologies (web)

The website uses only strictly necessary cookies and local storage to keep you signed in and remember your preferences. We do not use advertising or third-party tracking cookies.

13. California residents (CCPA / CPRA)

We do not sell or share personal information for cross-context behavioural advertising. California residents have the right to know, delete, correct, and limit use of sensitive personal information, and to opt out of sharing/selling. To exercise these rights, email [email protected].

14. Changes to this Policy

We may update this Policy. The "Effective date" at the top of this page reflects the latest version. If changes are material, we will notify you in-app or by email before they take effect.

15. Contact

Social
[email protected]