Privacy Policy for Baxstory

1. Information We Collect

We collect various types of information to provide and improve the App and its features.

a. Information You Provide Directly

• Account and Profile Information: When you create an account, we collect your email address and a unique user ID. You also provide a username and may choose to create a display name, which is the name visible to other users. We never store passwords in plaintext. Authentication is handled by our provider, and only a salted, hashed form may be stored where applicable.

• Public Profile Information: Your profile picture, display name, profile description, and profile fields are all data you provide directly that is publicly visible to other users in your proximity.

• Communications: When you communicate with us (e.g., for support or to submit a report), we collect the content of your communications and your user ID to respond to your inquiry and take appropriate action.

• Invites & Contacts: We do not import your address book or send invitations from your device. If you use the “Share Baxstory” feature, your operating system handles the share locally; we do not receive your contacts or the recipients you choose.

b. Information Collected Automatically

Location Data: This is central to Baxstory's functionality.

• Approximate Proximity: We compute proximity on our servers within a radius currently capped at 150 meters. Distances are rounded to the nearest 25 meters and capped at "150+m." Distances are shown only if both users have Show Distance enabled. We never expose precise coordinates to other users.

• Location Updates:

  • -

    Foreground (default): While the App is open and visible, your device may send us location updates to power proximity.

  • -

    Background (optional): Only if you explicitly enable "Background Location Updates" in Settings and grant the required OS permission (e.g., "Always" on iOS) will we receive occasional updates while the App is in the background. Continued use of GPS running in the background can dramatically decrease battery life. Background updates are not available on the web.

  • -

    Control: You can turn Background Location Updates off anytime in Settings → Background Location Updates. This feature helps you discover nearby connections as you and others move while the App is in the background.

• Location Permissions & Functionality: We request access to your device's location to enable the core proximity features. The functionality you receive depends on the permission you grant:

  • -

    Allow While Using: Proximity features (like seeing nearby users) will function only when the App is open and visible in the foreground.

  • -

    Always Allow (Optional): If you opt in to Background Location Updates in the App’s Settings and grant "Always" permission on iOS, proximity detection can continue while the App is in the background. Background location updates stop if you disable the in-app background toggle, and without new updates your profile may remain visible near your last updated location for up to 30 minutes before disappearing. All location updates (foreground and background) stop if you toggle to "Incognito" mode, sign out, or force-quit the App.

• OS Power Management & Resumption: To conserve your device's battery, the operating system (e.g., iOS) may automatically pause background location updates when your device is stationary. When motion is detected again (for example, when you start walking or traveling), the OS may resume updates. Updates will also resume when you bring the App to the foreground or toggle from "Incognito" to "Active" mode.

• Controls:

  • -

    Background toggle: Turn Background Location Updates off anytime in Settings → Background Location Updates. While off, your last known location remains active for up to approximately 30 minutes, after which it automatically expires until you reopen the App in “Active” mode. Enabling Background Location Updates helps keep your proximity data current and maintain nearby discovery (and notifications, if enabled) while the App is backgrounded.

  • -

    Incognito or Sign out: We stop updating and delete your last known location immediately.

  • -

    Ban / Termination: We set your account to "Incognito", delete your last known location, and sign out active sessions.

  • -

    Force-quit / unexpected exit: Updates stop; without a new update your profile may remain visible near your last location for up to approximately 30 minutes and then disappears.

• Freshness Window & Visibility: If the App is force-quit or backgrounded without Background Location Updates enabled, your last captured location may continue to power proximity for up to approximately 30 minutes. If you sign out, go "Incognito", or if your account is banned, your last known location is deleted immediately and your profile becomes invisible to others. You and others remain invisible until you go "Active" (or re-sign in) again.

• Precision: We use your device’s operating system location services, which estimate your position using GPS, Wi-Fi and cellular network signals (and similar sensors). We receive only the resulting coordinates and accuracy estimate. Your exact location is never shared with other users; it’s used on our servers only to compute coarse, bucketed proximity.

• Diagnostics & Log Data: Our servers and hosting providers (e.g., for the web/API) automatically receive limited technical information, such as IP address, device ID (e.g., push token or platform identifier), OS and app version, language, timestamps, and crash/diagnostic logs. We use this only to operate, secure, and improve the App; we do not use it for targeted advertising or user profiling.

App-Specific Usage Data (Associated with your Account):

We collect data about your interactions within the App and associate it with your user ID. This is done to provide features and insights to you, while protecting the privacy of other users. This includes:

• Profile Views: We record the number of times your profile is viewed. We do not disclose the identities of users who viewed your profile to you.

• Profile Field Hearts: We record the number of times users "heart" a field on your profile. We do not disclose the identities of users who heart your profile fields or which specific field they hearted.

• Blocking: When you block another user, we record this action and associate it with your account. The blocked user is not notified. You can see a list of users you have blocked in your settings and can unblock them at any time.

• Flagging/Reporting: When you flag or report another user, we collect your user ID and the user ID of the flagged user, along with the content of your report. This information is used for safety and to enforce our Terms of Service. The flagged user is not notified that they have been reported.

c. Data Related to Your Settings and Account Status

• Incognito/Active Mode: We record whether you have toggled "Incognito" or "Active" mode. When "Incognito" is on, the App will not collect or process your device’s location for proximity features and your profile will not be surfaced to other users. Limited operational telemetry (e.g., diagnostics, security logs) may still be collected. You can toggle between "Incognito" and "Active" mode at any time in the App's Home tab.

• Show Distance Preference: We store a simple on/off setting for whether you want distance displayed to others. Distance is only shown when both users have this setting enabled.

• Account Enforcement Status (Bans/Suspensions): If your account is restricted for safety or policy reasons, we store a record of the restriction (e.g., reason and, if applicable, an expiration time) to administer and audit enforcement actions. For severe policy violations leading to a permanent ban, your account is automatically toggled to "Incognito", your last known location is deleted, your push notification token is removed, and all active sessions are signed out.

• Battery Saver Mode: We record whether you have enabled "Battery Saver Mode," which may reduce the accuracy of location updates to conserve your device's battery.

• Push Notifications: If you opt in, we record your preference and your device’s push token to deliver notifications via our provider (Expo). You can disable push notifications in your device settings; doing so doesn’t affect in-app notices. We also clear your push token on sign out and if your account is banned.

• Account Status and Activity: We collect data related to your account's status, including your account creation date, onboarding status, and timestamps for your last activity and profile updates.

• Sign Out: When you sign out, your session is terminated on the device, your account is automatically toggled to "Incognito", your push token is cleared, and your last known location is deleted immediately. Your account and its other data remain on our servers so you can sign back in later.

• Account Deletion: When you delete your account, we will permanently delete or de-identify your personal data, subject to limited exceptions (e.g., short-term backups, security logs, and legal obligations), after which remaining copies are automatically purged on a rolling basis. After you delete your account, we stop using your personal information for marketing or product promotion, retaining only what’s reasonably needed for backups, security logs, legal compliance, dispute resolution, and enforcement.

d. Cookies, Local Storage & SDKs

On the web and in the App, we use first-party local storage technologies (e.g., AsyncStorage and similar) to keep you signed in and remember preferences. We do not use third-party advertising cookies or third-party analytics SDKs in the App at this time. If that changes, we will update this Policy. Most browsers let you control cookies; you can manage app permissions (including location and notifications) in your device’s OS settings. We currently do not respond to ‘Do Not Track’ signals.

2. How We Use Your Information

We use the collected information for various purposes, including:

• To Provide and Maintain the App: We use your location data to power the core functionality of the App, allowing you to discover and connect with nearby users. We use your account and profile information to create your profile and make it visible to other users who are in your proximity.

• To Enhance Your Experience: We use your proximity to other users to show you relevant potential connections. We also use the data collected from your interactions, such as profile views and hearts, to provide you with insights about your profile's performance (e.g., the total number of views or hearts your profile has received).

• For Security, Safety, and Terms Enforcement: We use reports, block lists, and other signals to investigate and respond to potential violations of our Terms of Service or Community Guidelines. We may temporarily limit, suspend, or ban accounts while we review issues. For permanently banned accounts, we remove your push notification token, toggle your profile to "Incognito", delete your last known location, and sign out active sessions. Enforcement records (e.g., reason and timing) are retained as needed to administer appeals, prevent abuse, and comply with legal obligations. We review and act on valid reports within 24 hours.

• For App Improvement and Analytics: We use non-identifiable, aggregated data about App usage and interactions (such as the total number of hearts or views across all users) to understand usage patterns, troubleshoot issues, and develop new features.

• For Communication and Support: We use your email address and communication history to send service and transactional communications (for example, replies to support requests, security or legal notices, and account-related messages). We do not send promotional or marketing emails at this time. If that changes, we will update this Policy and include instructions to unsubscribe.

• For Account Management: We use your account information and activity data (e.g., last active date) to manage your account status and provide features like signing out and account deletion.

• For Nearby Notifications: To manage “nearby” notifications, we temporarily keep a minimal pair record (a pseudonymous key for the two users plus timestamps like last in-range and last notified). It does not store precise locations and is kept only as long as needed to prevent spammy repeats.

We do not use personal information to make automated decisions that produce legal or similarly significant effects. We may create aggregated or de-identified data for analytics and product improvement, and we do not attempt to re-identify it.

3. How We Share Your Information

We do not sell or “share” your personal information as those terms are defined under applicable U.S. state privacy laws. We may share your information with third parties in the following ways:

• With Other Users (Limited & Controlled): Your exact coordinates are never shared. Distance is only shown if both users have Show Distance enabled, and it is displayed in bucketed ranges (e.g., "50m" or "150+m"). We do not disclose who viewed or hearted your profile, who blocked you, or who reported you. Profiles are not indexed by public search engines and are only visible within the Baxstory App.

• With Authorities or When Legally Required: We may disclose information when required by law (e.g., court order, subpoena, or valid government request) or when we believe it’s necessary to enforce our Terms, protect rights or property, or ensure user safety.

• For Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity as part of the transaction. We will notify you via email or a prominent notice in the App of any such change in ownership or control of your personal information.

• With Your Consent: We may share your information for any other purpose with your explicit consent.

• Affiliates: We may share information with our affiliates under confidentiality obligations for legitimate business purposes.

• Professional Advisors: We may share information with lawyers, auditors, insurers, and similar advisors subject to confidentiality, for compliance and business purposes.

• Linked Third-Party Services: We do not currently offer third-party logins. If we add them, we will receive only the information you authorize from that service, and their use of your information will be governed by their privacy policy. If enabled in the future, we will present a just-in-time notice and update this Policy.

Service Providers

We use third-party services to help us operate, maintain, and improve the App. These providers are bound by confidentiality obligations and are only permitted to use your information for the specific purposes for which we disclose it to them. These companies act as our service providers/processors and are contractually restricted to using personal information only to provide services to us and in accordance with this Policy. The services we use include:

• Supabase: For user authentication, database management, and secure storage of your profile information. We use this service, which is built on a PostgreSQL database with the PostGIS extension, to securely store and process your location data to power the proximity features. We use security policies such as Row Level Security to protect your private data.

• Vercel: We use Vercel for frontend hosting and serverless function execution (APIs) for our mobile and web applications. Vercel does not store your core user data or database.

• Expo: We use Expo to build and deploy our App to the Apple App Store and Google Play Store. Expo Application Services (EAS) also handles our push notification service. When you opt-in to push notifications, we send your device's push token to Expo's servers, which then deliver the notifications to you.

• Google Workspace: We use Google Workspace, including Gmail, to manage our business email communications, which includes responding to user inquiries and support requests.

• SendGrid: For sending transactional emails (account registration, email verification, password reset, and similar account notices) via SMTP (Simple Mail Transfer Protocol). Implemented through our Supabase integration; SendGrid processes your email address and necessary message metadata to deliver these emails. We may receive basic delivery/bounce status for emails.

We may add or replace service providers over time; if our practices materially change, we will update this Policy.

4. Your Choices and Rights

Depending on your location, you may have some or all of the following rights; we honor valid requests consistent with applicable law. You have significant control over your personal information and can exercise your rights at any time.

a. Account and Profile Management

• Access and Update: You can access, review, and update your profile information, including your profile picture, display name, profile description, and profile fields, directly within the App.

• Show Distance: You can turn Show Distance on or off at any time in the App's Settings. When off, other users will not see a distance for you, and you will not see distance for others. Distance appears only when both users have this setting enabled.

• Account Deletion: You can delete your Baxstory account at any time through the App's settings. When you initiate an account deletion, we will permanently delete or de-identify your personal data, subject to limited exceptions (e.g., short-term backups, security logs, and legal obligations); any remaining copies are automatically purged on a rolling basis.

• Sign Out: You can sign out of your account at any time. This will terminate your session on the device, automatically toggle your profile to "Incognito", and immediately delete your last known location. Your account and its other data will remain on our servers for future use.

b. Data and Permissions

• Location Permissions: You can manage your location permissions at any time through your device's settings. For Baxstory’s core proximity features, “Allow While Using” is sufficient while the App is open. Background Location Updates are optional and can be enabled in the App’s Settings (requires "Always" permission on iOS). If you don’t enable background updates, discovery works while the App is open but may be limited in the background. If you don’t enable Background Location Updates, your nearby visibility relies on your last foreground update and may expire after approximately 30 minutes while the App is in the background.

• Push Notifications: You can manage your push notification preferences at any time through your device's settings.

• Right to Know and Access: You have the right to request a copy of the personal information we have collected about you.

• Right to Correct: You have the right to ask us to correct any inaccurate personal information we hold about you.

• Right to Erasure ("Right to Be Forgotten"): You have the right to request that we delete your personal information. Please note that this is distinct from account deletion and can be initiated by contacting us directly.

• Right to Restrict Processing: You have the right to request that we limit the ways we use your personal information.

• Right to Object: You have the right to object to the processing of your personal information for certain purposes.

c. Exercising Your Rights

To exercise any of the rights listed above, other than those available in the App's settings, please contact us at support@baxstory.com. We will respond to your request in accordance with applicable data protection laws. We will not discriminate against you for exercising any of your privacy rights.

For certain requests we may need to verify your identity (for example, by confirming control of your account or email). You may authorize an agent to submit a request where permitted by law; we may require proof of authorization and your identity. If we deny a request, you may appeal by emailing support@baxstory.com with “Appeal” in the subject.

d. California Notice (CCPA/CPRA)

At this time, Baxstory does not meet the thresholds that would classify it as a ‘business’ under the California Consumer Privacy Act (CCPA/CPRA). If that changes, we will update this Policy and provide any required notices. We do not sell or “share” your personal information as those terms are defined under applicable U.S. state privacy laws.

Sensitive Personal Information: Although we receive device coordinates to power proximity features, we do not use or disclose sensitive personal information (including precise geolocation) for purposes subject to the California right to limit, and we do not sell or share such information. We do not offer programs that are considered “financial incentives” under U.S. state privacy laws.

California “Notice at Collection” (Summary)

e. Other U.S. State Rights (CO/CT/VA/UT)

Residents of Colorado, Connecticut, Virginia, and Utah may have similar rights regarding access, correction, deletion, and objection/opt-out. You can exercise these rights by emailing support@baxstory.com. If we deny a request, you may appeal by replying to our decision with “Appeal” in the subject line.

5. Data Security

We implement reasonable technical and organizational measures designed to protect your information from unauthorized access, use, alteration, or destruction. This includes using secure services like Supabase with appropriate security policies (e.g., Row Level Security). We use role-based access controls and least-privilege permissions. However, no method of transmission over the Internet or method of electronic storage is 100% secure. To minimize exposure, we compute distance on our servers and display coarse, bucketed values rather than exact coordinates. Data in transit is protected with Transport Layer Security (TLS) (i.e., HTTPS), and access to production systems is restricted to authorized personnel. If we learn of a security incident affecting your personal information, we will notify you and any required authorities as required by law.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the App. We may also retain certain information to comply with legal obligations, resolve disputes, and enforce our agreements. Upon account deletion, your personal data is permanently deleted or de-identified, subject to limited exceptions (e.g., short-term backups, security logs, and legal obligations). Anonymized/aggregated data may be retained for analytics.

Location data: we store only your most recent location. Your location is deleted immediately when you sign out, go "Incognito", or if your account is banned. Otherwise, a location is actively used for up to approximately 30 minutes; it’s then removed from visibility and purged from the active table on a rolling basis (typically within approximately 60 minutes). We do not maintain a historical trail of your movements. Limited backup copies may persist briefly and are purged on a rolling basis (See also 'Freshness Window & Visibility' in Section 1.b for how this affects what others may see in the App.)

Proximity pair records: to manage “nearby” notifications, we temporarily keep a minimal pair record (a pseudonymous key for the two users plus timestamps like last in-range and last notified). It does not store precise locations and is kept only as long as needed to prevent repeated notifications.

Enforcement records (e.g., bans/suspensions and related reports) are retained for as long as reasonably necessary to administer safety, handle appeals, prevent abuse, and comply with applicable laws.

Operational parameters (e.g., detection radius, distance bucket size, and freshness windows) may be adjusted from time to time to improve reliability and privacy; if we make a material change that affects how your personal data is used, we will update this Policy and, where required, provide notice.

7. Children's Privacy

Baxstory is not intended for use by individuals under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and become aware that your child has provided us with personal information, please contact us at support@baxstory.com. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to remove that information from our servers. Users 13–17 may use the App only with a parent/guardian’s permission as described in our Terms; if we learn otherwise, we may disable the account and delete associated data, subject to our legal obligations.

8. Changes to This Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will provide a notice within the App and/or via email where required by law. You are advised to review this Privacy Policy periodically for any changes.

9. User Safety and Reporting

We're committed to fostering a safe and respectful community within Baxstory. If you encounter any content or behavior that you believe violates our Terms of Service or Community Guidelines, or if you ever feel threatened, see illegal activity, or encounter creepy, insulting, or sensitive information in another user's profile, we urge you to:

1. Report the user directly through the App's reporting feature:

   • Navigate to the profile page of the user you wish to report.

   • Look for the "Report" or "Flag" button, typically located in the top right corner of their profile.

   • Tap this button and follow the on-screen prompts to select a reason for your report and, if applicable, provide additional details.

   • Your report will be submitted for our review.

2. Contact our support team directly via email at: support@baxstory.com

3. Contact appropriate authorities if you believe there's a serious threat to your safety or the safety of others. Baxstory is not an emergency service and cannot contact emergency responders on your behalf.

We take all reports seriously and will investigate them in accordance with our policies. Please remember that your safety is paramount.

10. Dispute Resolution

Disputes arising from or relating to this Privacy Policy are subject to the dispute resolution, arbitration, class-action waiver, and venue provisions in our Terms of Service.

11. Contact Us

You may request this notice in an alternative format by emailing: support@baxstory.com

If you have any questions about this Privacy Policy, your rights, or your personal information, please contact us via email: support@baxstory.com