This Privacy Policy explains how [Company Legal Name] ("Nomad Connect", "we", "our", or "us") collects, uses, shares, and protects information about you when you use the Nomad Connect mobile and web application (the "Service"). By creating an account or using the Service, you agree to this Policy.
1. Who we are
Nomad Connect is operated by [Company Legal Name], a [entity type] with its registered address at [Company Address]. You can reach us at [support@nomadconnect.app] for any privacy-related question, request, or complaint.
If you are in the European Union, the United Kingdom, or another jurisdiction with data-protection law, [Company Legal Name] is the data controller for the personal data described below.
2. Information we collect
2.1 Information you provide
- Account information processed by our authentication provider (Supabase Auth): your email address, password (stored as a salted hash by Supabase, never by us), and, if you sign in with Google, the basic profile fields Google returns (name, email, profile photo, Google account ID).
- Profile content that you choose to add: display name, profession or role tags, bio, home city, current city, languages, favourite apps and places, social-platform links, gender (optional), profile photo and banner image.
- Activity content: meetups you host (title, description, location, date, time, cost, max participants, visibility) and the meetups you join.
- Messages that you send in activity chat rooms.
- Ratings you give to other participants after activities (thumbs up / thumbs down).
- Privacy preferences (who can message you, who can view your profile, whether your full name, location, social links, or online status are shown).
- Support correspondence if you email us.
2.2 Information collected automatically
- Device and diagnostic information: device model, operating system version, application version, language, time zone, and crash diagnostics.
- Usage data: which screens you view, which features you use, and aggregated event data (for example, "activity created"). We use PostHog for product analytics.
- Push-notification tokens issued by Apple Push Notification service or Google Firebase Cloud Messaging, used solely to deliver app notifications.
- Approximate location from the device's coordinates if you grant location permission, used to centre maps and surface nearby activities. We do not store continuous location history.
- Cookies and similar technologies on the web version of the Service (session cookies for authentication and analytics).
2.3 Information from third parties
If you sign in with Google or another OAuth provider, we receive the basic profile fields you authorise that provider to share with us.
3. How we use your information
We use information to:
- create and operate your account, authenticate you, and keep your data secure;
- show you and other users your profile and activity content according to your privacy settings;
- run the social features of the Service (chat, ratings, push notifications, search);
- improve the Service (analytics, crash diagnostics, A/B tests);
- prevent abuse, spam, fraud, and violations of our Terms of Service;
- comply with legal obligations and respond to lawful requests.
3.1 Legal bases (EEA / UK / similar)
We rely on the following legal bases under the GDPR:
- Contract (Article 6(1)(b)): to provide the Service you signed up for.
- Legitimate interests (Article 6(1)(f)): to keep the Service safe, prevent abuse, and improve features. You may object at any time.
- Consent (Article 6(1)(a)): for optional features like location and push notifications. You may withdraw consent at any time in your device settings or in-app.
- Legal obligation (Article 6(1)(c)): when we must retain or disclose information to comply with applicable law.
4. How we share your information
We do not sell your personal data. We share information only with:
- Other users, according to your privacy settings (other users see your profile, activity content, and chat messages in rooms you participate in).
- Service providers (sub-processors) that operate the Service on our behalf, under contracts that require them to protect your data:
- Supabase: authentication, database hosting, and file storage.
- PostHog: product analytics.
- Expo (Apple, Google): push-notification delivery.
- Google: OAuth sign-in and (where used) maps and place data.
- Authorities and legal recipients when we are required to disclose information by law, subpoena, or to protect the rights, property, or safety of users or the public.
- A successor in the event of a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, in which case we will require the recipient to honour this Policy or notify you and offer choices.
5. International data transfers
Your information may be processed in the United States and other countries. Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism with our sub-processors.
6. How long we keep your information
- Active accounts: for as long as your account exists.
- Account-deletion requests: when you request deletion in the app, we mark your profile as scheduled for deletion within 30 days. During those 30 days you can cancel deletion by signing back in. After 30 days we permanently erase your profile, hosted activities, sent messages, ratings, push tokens, profile photos, banners, analytics person record, and authentication account.
- Backups: encrypted backups may retain a copy for up to 60 days after deletion, after which they are overwritten on the regular backup rotation.
- Legal retention: we may retain limited information longer where required by law or to defend legal claims.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your account and associated personal data, available in-app under Profile → Account & data → Delete my account, or by emailing [support@nomadconnect.app].
- Export your data, available in-app under Profile → Account & data → Download my data.
- Object to processing based on our legitimate interests.
- Restrict processing in certain circumstances.
- Withdraw consent for consent-based processing at any time.
- Lodge a complaint with your local data-protection authority.
- Not be discriminated against for exercising your rights (US state-law residents).
To exercise these rights, use the in-app controls or email [support@nomadconnect.app]. We may need to verify your identity before acting on your request.
8. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, please contact us and we will delete the information.
9. Security
We use industry-standard safeguards, including encryption in transit (TLS), encryption of credentials and tokens at rest, role-level security on our database, and least-privilege access for staff. No method of transmission or storage is perfectly secure, but we work to protect your information.
10. Changes to this Policy
If we make material changes to this Policy, we will notify you in-app or by email and require you to re-accept the updated Policy before continuing to use the Service. The "Last updated" date at the top reflects the latest revision.
11. Contact
For privacy questions, requests, or complaints, email us at [support@nomadconnect.app] or write to:
[Company Legal Name]
[Company Address]