Privacy Policy for Baxstory

1. Information We Collect

We collect various types of information to provide and improve the App and its features.

a. Information You Provide Directly

• Account and Profile Information: When you create an account, we collect your email address and a unique user ID. You also provide a username and may choose to create a display name, which is the name visible to other users. We never store passwords in plaintext. Authentication is handled by our provider, and only a salted, hashed form may be stored where applicable.

• Public Profile Information: Your profile picture, display name, profile description, and profile fields are all data you provide directly that is publicly visible to other users in your proximity.

• Communications: When you communicate with us (e.g., for support or to submit a report), we collect the content of your communications and your user ID to respond to your inquiry and take appropriate action.

• Invites & Contacts: We do not import your address book or send invitations from your device. If you use the “Share Baxstory” feature, your operating system handles the share locally; we do not receive your contacts or the recipients you choose.

b. Information Collected Automatically

Location Data: This is central to Baxstory's functionality.

• Approximate Proximity: We compute proximity on our servers within a radius currently capped at 150 meters. Distances are rounded to the nearest 25 meters and capped at “150+m.” Distances are shown only if both users enable Show Distance. We never expose precise coordinates to other users.

• Background Location Updates: Your device sends us location updates periodically while the App is in use and, subject to your device/OS settings, in the background. Timing varies by device and settings. This helps you discover new potential connections as people move around.

• "Always Allow" Permission: For the App to function as intended and to provide continuous proximity detection, we recommend granting ‘Always Allow’ location permission on your device. Without this permission, proximity features may be limited or unavailable.

• Precision: We use your device’s operating system location services, which estimate your position using GPS, Wi-Fi and cellular network signals (and similar sensors). We receive only the resulting coordinates and accuracy estimate. Your exact location is never shared with other users; it’s used on our servers only to compute coarse, bucketed proximity.

• Diagnostics & Log Data: Our servers and hosting providers (e.g., for the web/API) automatically receive limited technical information, such as IP address, device/OS and app version, language, timestamps, and crash/diagnostic logs. We use this only to operate, secure, and improve the App; we do not use it for targeted advertising or user profiling.

App-Specific Usage Data (Associated with your Account):

We collect data about your interactions within the App and associate it with your user ID. This is done to provide features and insights to you, while protecting the privacy of other users. This includes:

• Profile Views: We track the number of times your profile is viewed. We do not disclose the identities of users who viewed your profile to you.

• Profile Field Hearts: We track the number of times users "heart" a field on your profile. We do not disclose the identities of users who heart your profile fields or which specific field they hearted.

• Blocking: When you block another user, we record this action and associate it with your account. The blocked user is not notified. You can see a list of users you have blocked in your settings and can unblock them at any time.

• Flagging/Reporting: When you flag or report another user, we collect your user ID and the user ID of the flagged user, along with the content of your report. This information is used for safety and to enforce our Terms of Service. The flagged user is not notified that they have been reported.

c. Data Related to Your Settings and Account Status

• Incognito/Active Mode: We record whether you have toggled “Incognito” or “Active” mode. When Incognito is on, the App will not collect or process your device’s location for proximity features and your profile will not be surfaced to other users. Limited operational telemetry (e.g., diagnostics, security logs) may still be collected. You can switch Incognito off at any time in Settings.

• Show Distance Preference: We store a simple on/off setting for whether you want distance displayed to others. Distance is only shown when both users have this setting enabled.

• Account Enforcement Status (Bans/Suspensions): If your account is restricted for safety or policy reasons, we store a record of the restriction (e.g., reason and, if applicable, an expiration time) to administer and audit enforcement actions.

• Battery Saver Mode: We record whether you have enabled "Battery Saver Mode," which may reduce the accuracy of location tracking to conserve your device's battery.

• Push Notifications: If you opt in, we record your preference and your device’s push token to deliver notifications via our provider (Expo). You can disable push at any time in your device settings.

• Account Status and Activity: We collect data related to your account's status, including your account creation date, onboarding status, and timestamps for your last activity and profile updates.

• Sign Out: When you sign out, your session is terminated on the device, but your account and its data remain on our servers so you can sign back in later. Location tracking of your device stops when you sign out.

• Account Deletion: When you delete your account, we will permanently delete or de-identify your personal data, subject to limited exceptions (e.g., short-term backups, security logs, and legal obligations), after which remaining copies are automatically purged on a rolling basis. After you delete your account, we stop using your personal information for marketing or product promotion, retaining only what’s reasonably needed for backups, security logs, legal compliance, dispute resolution, and enforcement.

d. Cookies, Local Storage & SDKs

On the web and in the App, we use first-party local storage technologies (e.g., AsyncStorage and similar) to keep you signed in and remember preferences. We do not use third-party advertising cookies or third-party analytics SDKs in the App at this time. If that changes, we will update this Policy. Most browsers let you control cookies; you can manage app permissions (including location and notifications) in your device’s OS settings. We currently do not respond to ‘Do Not Track’ signals.

2. How We Use Your Information

We use the collected information for various purposes, including:

• To Provide and Maintain the App: We use your location data to power the core functionality of the App, allowing you to discover and connect with nearby users. We use your account and profile information to create your profile and make it visible to other users who are in your proximity.

• To Enhance Your Experience: We use your proximity to other users to show you relevant potential connections. We also use the data collected from your interactions, such as profile views and hearts, to provide you with insights about your profile's performance (e.g., the total number of views or hearts your profile has received).

• For Security, Safety, and Terms Enforcement: We use reports, block lists, and other signals to investigate and respond to potential violations of our Terms of Service or Community Guidelines. We may temporarily limit, suspend, or ban accounts while we review issues. Enforcement records (e.g., reason and timing) are retained as needed to administer appeals, prevent abuse, and comply with legal obligations.

• For App Improvement and Analytics: We use non-identifiable, aggregated data about App usage and interactions (such as the total number of hearts or views across all users) to understand usage patterns, troubleshoot issues, and develop new features.

• For Communication and Support: We use your email address and communication history to send you important updates, notifications (if you have opted in), and to respond to your inquiries, support requests, or reports. We may also send promotional communications where permitted by law. You can opt out of promotional emails at any time; we may still send important service or legal notices.

• For Account Management: We use your account information and activity data (e.g., last active date) to manage your account status and provide features like signing out and account deletion.

• For Nearby Notifications: To manage “nearby” notifications, we temporarily keep a minimal pair record (a pseudonymous key for the two users plus timestamps like last in-range and last notified). It does not store precise locations and is kept only as long as needed to prevent spammy repeats.

We do not use personal information to make automated decisions that produce legal or similarly significant effects. We may create aggregated or de-identified data for analytics and product improvement, and we do not attempt to re-identify it.

3. How We Share Your Information

We do not sell or “share” your personal information as those terms are defined under applicable U.S. state privacy laws. We may share your information with third parties in the following ways:

• With Other Users (Limited & Controlled): Your exact coordinates are never shared. Distance is only shown if both users enable Show Distance, and it is displayed in bucketed ranges (e.g., “50m” or “150+m”). We do not disclose who viewed or hearted your profile, who blocked you, or who reported you. Profiles are not indexed by public search engines and are only visible within the Baxstory App.

• With Authorities or When Legally Required: We may be required to disclose your information if we believe it is necessary to comply with a legal obligation, such as a court order, subpoena, or valid government request. We may also share your information to enforce our Terms of Service, protect our rights or property, or to ensure the safety of our users or the public.

• For Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity as part of the transaction. We will notify you via email or a prominent notice in the App of any such change in ownership or control of your personal information.

• With Your Consent: We may share your information for any other purpose with your explicit consent.

• Affiliates: We may share information with our affiliates under confidentiality obligations for legitimate business purposes.

• Professional Advisors: We may share information with lawyers, auditors, insurers, and similar advisors subject to confidentiality, for compliance and business purposes.

• Linked Third-Party Services: We do not currently offer third-party logins. If we add them, we will receive only the information you authorize from that service, and their use of your information will be governed by their privacy policy.

Service Providers

We use third-party services to help us operate, maintain, and improve the App. These providers are bound by confidentiality obligations and are only permitted to use your information for the specific purposes for which we disclose it to them. These companies act as our service providers/processors and are contractually restricted to using personal information only to provide services to us and in accordance with this Policy. The services we use include:

• Supabase: For user authentication, database management, and secure storage of your profile information. We use this service, which is built on a PostgreSQL database with the PostGIS extension, to securely store and process your location data to power the proximity features. We use security policies such as Row Level Security to protect your private data.

• Vercel: For the web version of our application, we use Vercel to host and deploy the App. Vercel is used to serve the web interface and related assets.

• Expo: We use Expo to build and deploy our App to the Apple App Store and Google Play Store. Expo Application Services (EAS) also handles our push notification service. When you opt-in to push notifications, we send your device's push token to Expo's servers, which then deliver the notifications to you.

• Google Workspace: We use Google Workspace, including Gmail, to manage our business email communications, which includes responding to user inquiries and support requests.

• SendGrid: For sending transactional emails (account registration, email verification, password reset, and similar account notices) via SMTP (Simple Mail Transfer Protocol). Implemented through our Supabase integration; SendGrid processes your email address and necessary message metadata to deliver these emails. We may receive basic delivery/bounce status for emails.

We may add or replace service providers over time; if our practices materially change, we will update this Policy.

4. Your Choices and Rights

Depending on your location, you may have some or all of the following rights; we honor valid requests consistent with applicable law. You have significant control over your personal information and can exercise your rights at any time.

a. Account and Profile Management

• Access and Update: You can access, review, and update your profile information, including your profile picture, display name, profile description, and profile fields, directly within the App.

• Show Distance: You can turn Show Distance on or off at any time in Settings. When off, other users will not see a distance for you, and you will not see distance for others. Distance appears only when both users have this setting enabled.

• Account Deletion: You can delete your Baxstory account at any time through the App's settings. When you initiate an account deletion, we will permanently delete or de-identify your personal data, subject to limited exceptions (e.g., short-term backups, security logs, and legal obligations); any remaining copies are automatically purged on a rolling basis.

• Sign Out: You can sign out of your account at any time. This will terminate your session on the device and stop location tracking, but your account and its data will remain on our servers for future use.

b. Data and Permissions

• Location Permissions: You can manage your location permissions at any time through your device's settings. For Baxstory's core proximity features to work as designed, we recommend granting “Always Allow” location permission. Disabling it will limit background discovery and may make some proximity features unavailable.

• Push Notifications: You can manage your push notification preferences at any time through your device's settings.

• Right to Know and Access: You have the right to request a copy of the personal information we have collected about you.

• Right to Correct: You have the right to ask us to correct any inaccurate personal information we hold about you.

• Right to Erasure ("Right to Be Forgotten"): You have the right to request that we delete your personal information. Please note that this is distinct from account deletion and can be initiated by contacting us directly.

• Right to Restrict Processing: You have the right to request that we limit the ways we use your personal information.

• Right to Object: You have the right to object to the processing of your personal information for certain purposes.

c. Exercising Your Rights

To exercise any of the rights listed above, other than those available in the App's settings, please contact us at support@baxstory.com. We will respond to your request in accordance with applicable data protection laws. We will not discriminate against you for exercising any of your privacy rights.

For certain requests we may need to verify your identity (for example, by confirming control of your account or email). You may authorize an agent to submit a request where permitted by law; we may require proof of authorization and your identity. If we deny a request, you may appeal by emailing support@baxstory.com with “Appeal” in the subject.

d. California Notice (CCPA/CPRA)

At this time, Baxstory does not meet the thresholds that would classify it as a ‘business’ under the California Consumer Privacy Act (CCPA/CPRA). If that changes, we will update this Policy and provide any required notices. We do not sell or “share” your personal information as those terms are defined under applicable U.S. state privacy laws.

Sensitive Personal Information: Although we receive device coordinates to power proximity features, we do not use or disclose sensitive personal information (including precise geolocation) for purposes subject to the California right to limit, and we do not sell or share such information.

5. Data Security

We implement reasonable technical and organizational measures designed to protect your information from unauthorized access, use, alteration, or destruction. This includes using secure services like Supabase with appropriate security policies (e.g., Row Level Security). However, no method of transmission over the Internet or method of electronic storage is 100% secure. To minimize exposure, distance values are computed on our servers and presented in coarse buckets rather than exact measurements or coordinates. Data in transit is protected with Transport Layer Security (TLS) (i.e., HTTPS), and access to production systems is restricted to authorized personnel. If we learn of a security incident affecting your personal information, we will notify you and any required authorities as required by law.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the App. We may also retain certain information to comply with legal obligations, resolve disputes, and enforce our agreements. Upon account deletion, your personal data is permanently deleted or de-identified, subject to limited exceptions (e.g., short-term backups, security logs, and legal obligations). Anonymized/aggregated data may be retained for analytics.

Location data: we store only your most recent location. For proximity, a location is currently considered fresh for about 30 minutes; after ~60 minutes your last location is no longer retained in our active table. We do not maintain a historical trail of your movements. Limited backup copies may persist briefly and are purged on a rolling basis.

Proximity pair records: to manage “nearby” notifications, we temporarily keep a minimal pair record (a pseudonymous key for the two users plus timestamps like last in-range and last notified). It does not store precise locations and is kept only as long as needed to prevent repeated notifications.

Enforcement records (e.g., bans/suspensions and related reports) are retained for as long as reasonably necessary to administer safety, handle appeals, prevent abuse, and comply with applicable laws.

Operational parameters (e.g., detection radius, distance bucket size, and freshness windows) may be adjusted from time to time to improve reliability and privacy; if we make a material change that affects how your personal data is used, we will update this Policy and, where required, provide notice.

7. Children's Privacy

Baxstory is not intended for use by individuals under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and become aware that your child has provided us with personal information, please contact us at support@baxstory.com. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to remove that information from our servers. Users 13–17 may use the App only with a parent/guardian’s permission as described in our Terms; if we learn otherwise, we may disable the account and delete associated data, subject to our legal obligations.

8. Changes to This Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will provide a notice within the App and/or via email where required by law. You are advised to review this Privacy Policy periodically for any changes.

9. User Safety and Reporting

We're committed to fostering a safe and respectful community within Baxstory. If you encounter any content or behavior that you believe violates our Terms of Service or Community Guidelines, or if you ever feel threatened, see illegal activity, or encounter creepy, insulting, or sensitive information in another user's profile, we urge you to:

1. Report the user directly through the App's reporting feature:

   • Navigate to the profile page of the user you wish to report.

   • Look for the "Report" or "Flag" button, typically located in the top right corner of their profile.

   • Tap this button and follow the on-screen prompts to select a reason for your report and, if applicable, provide additional details.

   • Your report will be submitted for our review.

2. Contact our support team directly via email at: support@baxstory.com

3. Contact appropriate authorities if you believe there's a serious threat to your safety or the safety of others. Baxstory is not an emergency service and cannot contact emergency responders on your behalf.

We take all reports seriously and will investigate them in accordance with our policies. Please remember that your safety is paramount.

10. Dispute Resolution

Disputes arising from or relating to this Privacy Policy are subject to the dispute resolution, arbitration, class-action waiver, and venue provisions in our Terms of Service.

11. Contact Us

If you have any questions about this Privacy Policy, your rights, or your personal information, please contact us via email: support@baxstory.com