Whatspoppin ("we", "us", "our") operates the Whatspoppin mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the App. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Our registered jurisdiction is Ireland. By using the App, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
Whatspoppin is the data controller responsible for your personal data. For any data protection enquiries, contact us at privacy@whatspoppin.app.
2. Information We Collect
2.1 Information You Provide
- Account information: When you sign in via Apple, Google, or phone number, we receive your name, email address, and (if provided) profile photo from the identity provider. If you sign in via phone, we collect your phone number.
- Profile information: You may optionally provide a username, age range, and gender. You may upload a profile photo from your device's photo library.
- Check-in data: When you check in to a venue, you submit a status rating (1–5). We record the venue, your rating, and the timestamp.
2.2 Information Collected Automatically
- Location data: With your permission, we access your device's GPS coordinates to (a) display your position on the map and (b) verify you are physically at a venue when checking in. Your raw GPS coordinates are processed on your device only and are not transmitted to or stored on our servers. We store only a boolean flag indicating whether GPS verification succeeded.
- Device information: We collect your device platform (iOS or Android) for compatibility purposes. We collect your Expo push notification token if you enable notifications. We do not collect device model, OS version, advertising identifiers (IDFA/GAID), or carrier information.
- Usage data: We record when you view a venue's detail sheet (venue ID, your user ID, and timestamp) to power the "people helped" feature. We do not use third-party analytics SDKs.
- Local storage: We store your authentication session tokens on your device using encrypted local storage. We cache your five most recent venue searches (venue name, address, and ID) on your device. This data does not leave your device.
2.3 Contact Information
If you choose to use the "Find Friends" feature, we request access to the phone numbers in your device's contacts. We collect phone numbers only — not names, emails, or any other contact fields. These phone numbers are normalised to international format and sent to our server to match against existing Whatspoppin users. We do not store your contacts on our servers beyond the duration of the matching query.
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the App and its features | Performance of contract (Art. 6(1)(b)) |
| GPS location verification | Your consent (Art. 6(1)(a)) |
| Contact matching for friend discovery | Your consent (Art. 6(1)(a)) |
| Push notifications | Your consent (Art. 6(1)(a)) |
| Venue view tracking ("people helped") | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Information
- Display real-time venue statuses based on aggregated user check-ins
- Show your check-ins to friends (or other users, based on your visibility settings)
- Connect you with friends via the friend request system
- Send push notifications you have opted into (friend check-ins, friend requests)
- Verify you are physically present at a venue during check-in
- Match your contacts to find friends already on the platform
- Display predicted venue busyness when no live check-ins are available
- Generate aggregate statistics (e.g., "people helped" count on your profile)
5. Social Sharing
When you choose to share a check-in, the following data may be transmitted to third-party platforms at your initiation:
- Instagram Stories: A generated image containing the venue name, your status rating, and your username. Our app's bundle identifier is shared with Instagram as the source application.
- WhatsApp / SMS: A text message containing the venue name, status, and your personal invite link.
- TikTok: A generated image for use as a green screen background.
- General share sheet: A text message with venue details and your invite link.
We do not control how these third-party platforms process this shared data. Please review their respective privacy policies.
6. Data Sharing and Disclosure
We do not sell your personal information. We may share data with:
6.1 Other Users
Your check-ins are visible to other users based on your privacy settings. Your profile name, username, and avatar are visible to other users.
6.2 Service Providers (Sub-processors)
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (US) | Backend infrastructure, authentication, database, file storage, real-time messaging | All account, profile, check-in, friendship, and notification data |
| Google Maps Platform | Map rendering | Device IP address (via map tile requests) |
| Apple / Google (OAuth) | Authentication | OAuth tokens during sign-in flow |
| Expo (US) | Push notification delivery | Push token, notification title and body |
| BestTime.app | Venue busyness predictions | Venue name and address (server-side only, no user data) |
6.3 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Whatspoppin, our users, or the public.
7. International Data Transfers
Our primary backend infrastructure is hosted by Supabase in the United States. Your data may be transferred to and processed in the United States. We rely on Supabase's compliance with appropriate safeguards, including Standard Contractual Clauses (SCCs), for transfers of personal data outside the European Economic Area (EEA).
8. Data Retention
- Account and profile data: Retained for as long as your account is active. Deleted upon account deletion.
- Check-in data: Upon account deletion, your check-ins are anonymised (your user ID is removed) rather than deleted. This allows aggregate venue status history to remain accurate. Anonymised check-in data is not attributable to you.
- Friendship and notification data: Deleted upon account deletion.
- Venue view data: Deleted upon account deletion.
- Contact data: Phone numbers from your contacts are processed in memory during the matching query and are not retained on our servers.
- Push tokens: Deleted upon account deletion or when you disable notifications.
- Local device data: Session tokens and cached searches are stored locally on your device and cleared when you sign out or delete the app.
9. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete personal data via the Edit Profile screen or by contacting us.
- Erasure: Delete your account and associated personal data. Note that check-ins will be anonymised rather than fully deleted to preserve aggregate venue data. If you require full erasure of all data including anonymised check-ins, contact us at privacy@whatspoppin.app.
- Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Data portability: Request your personal data in a structured, commonly used, machine-readable format.
- Object: Object to processing based on legitimate interests, including venue view tracking.
- Withdraw consent: Withdraw consent for location access, contact access, or push notifications at any time via your device settings or app settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
To exercise any of these rights, contact privacy@whatspoppin.app. We will respond within 30 days.
10. Your Controls
- Check-in visibility: Control who can see your check-ins via the privacy toggle in your profile settings.
- Location access: Revoke location permission at any time via your device's settings. The App will still function, but GPS verification will be unavailable.
- Contact access: Revoke contacts permission via your device's settings at any time.
- Push notifications: Disable notifications via your device's settings or within the App.
- Account deletion: Delete your account at any time from the App's settings screen.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encrypted data transmission (HTTPS/TLS) for all communications
- Row-level security policies on our database to ensure users can only access authorised data
- Authentication tokens stored securely on your device
- Server-side API keys stored in environment variables, never exposed to client applications
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
12. Children's Privacy
Whatspoppin is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact us at privacy@whatspoppin.app.
13. Third-Party Links
The App may contain links to third-party websites, services, or applications (e.g., venue websites, social media platforms). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where appropriate, through an in-app notification. Your continued use of the App after any changes constitutes acceptance of the updated policy.
15. Supervisory Authority
If you are located in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at www.dataprotection.ie, or with your local supervisory authority.
16. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Email: privacy@whatspoppin.app
Legal: legal@whatspoppin.app