Privacy Policy | BuddyBuddy

Last Updated: February 22, 2026

Effective Date: February 22, 2026

1. Introduction

Welcome to BuddyBuddy (“we,” “our,” “us,” or the “Company”). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Act on Data Protection (“FADP” / “nDSG”), and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application BuddyBuddy (the “App”). Please read this Privacy Policy carefully. By using the App, you consent to the data practices described in this policy.

Current Operating Jurisdiction: BuddyBuddy is currently operated exclusively in and from Switzerland. Our primary governing law is the Swiss Federal Act on Data Protection (FADP/nDSG). References to GDPR in this policy are included for transparency and to ensure compliance should we expand to the European Economic Area (EEA) in the future. GDPR provisions apply only to the extent that we intentionally offer services to individuals located in the EEA.

Users Accessing from the EEA: If you access the App from the EEA before we officially launch services in your region, we process your data only to the extent necessary to provide basic access to the App. We do not actively market or target services to EEA residents at this time. Until we officially launch in the EEA and appoint an EU Representative under Art. 27 GDPR, data processing for EEA users is governed by Swiss data protection law (FADP/nDSG), which provides a comparable level of protection.

If you do not agree with the terms of this Privacy Policy, please do not access or use the App.

2. Data Controller

The data controller responsible for your personal data is:

BuddyBuddy Website: https://buddybuddy.ch Email: legal@buddybuddy.ch

For users in Switzerland, this entity also serves as the responsible party under the Swiss FADP.

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Identity and Account Data

Data Type	Purpose	Legal Basis
Email address	Account creation, authentication, communication	Contract performance, Consent
Password (hashed)	Account security	Contract performance
Display name	Profile identification, social interaction	Contract performance, Consent
Date of birth	Age verification, age display to other users	Consent, Legitimate interest (safety)
Age (calculated)	Matching and filtering features	Consent, Legitimate interest

3.2 Profile Information

Data Type	Purpose	Legal Basis
Biography/Description	Self-presentation to other users	Consent
Profile photographs (up to 6)	Visual identification, social interaction	Consent
Instagram handle (optional)	Social connectivity	Explicit Consent

3.3 Location Data

Data Type	Purpose	Legal Basis
Precise GPS coordinates (latitude/longitude)	Activity location, distance calculations, discovery features	Explicit Consent (collection via device permission)
Address information	Activity location display	Explicit Consent
Last known location (cached locally)	Distance filtering, improved user experience	Consent
Approximate distance from activity location	Displayed to activity hosts to help them invite relevant nearby users	Contract performance (essential feature)

Important: Location data is considered sensitive. We only collect location data when you explicitly grant permission and when you create or interact with activities. You can revoke location permissions at any time through your device settings.

How distance is used: BuddyBuddy is fundamentally a proximity-based activity platform. Connecting users who are near an activity’s location is essential to the core functionality of the App — without it, the service cannot fulfill its purpose. When an activity host views nearby users to invite, the App displays each user’s approximate distance from the activity location (not from the host’s personal location). Your precise GPS coordinates are never shared with other users. Only a rounded distance value (e.g., “3 km away”) calculated from the activity’s published location is displayed, and only when your Show Distance privacy setting is enabled (see Section 12). Disabling this setting hides the distance label, but you may still appear in nearby user lists since proximity-based discovery is a core feature of the service.

3.4 Activity and Event Data

Data Type	Purpose	Legal Basis
Activity title and description	Event organization	Contract performance
Activity date and time	Event scheduling	Contract performance
Activity location (coordinates and address)	Event location, participant navigation	Contract performance, Consent
Activity photographs	Visual representation of events	Consent
Participant information	Group coordination	Contract performance
Activity status	Event management	Contract performance
Activity participation visibility	Display of activities you’re attending on your profile	Contract performance, Consent

3.5 Communication Data

Data Type	Purpose	Legal Basis
Chat messages	Communication between participants	Contract performance
Join request messages	Activity participation requests	Contract performance
Message timestamps	Message ordering, read receipts	Contract performance
Read receipts	Communication status	Legitimate interest

3.6 Interaction and Behavioral Data

Data Type	Purpose	Legal Basis
Activity interactions (swipes: passed/requested/accepted)	Matching algorithm, preventing duplicate content	Legitimate interest, Contract performance
Join requests and responses	Activity participation management	Contract performance
Notification interactions	Service improvement	Legitimate interest

Note: Activity interaction data (swipes) is retained to prevent showing you the same activities repeatedly and to improve our matching algorithms.

3.7 Technical and Device Data

Data Type	Purpose	Legal Basis
Device type and platform (iOS/Android)	App functionality, compatibility	Legitimate interest
App version	Technical support, updates	Legitimate interest
Push notification tokens (FCM)	Delivery of notifications	Consent
Device identifiers (for analytics)	Usage analytics, app improvement	Consent
IP address	Security, fraud prevention, consent logging	Legitimate interest
Network information	Service optimization, troubleshooting	Legitimate interest

Note on IP addresses: We may collect your IP address when you register or interact with the App. IP addresses are used for:

Security and fraud prevention
Recording consent (as required by GDPR accountability)
Geographic region detection (not precise location)
Technical troubleshooting

IP addresses are not used for tracking, profiling, or advertising purposes.

3.8 Preference Data

Data Type	Purpose	Legal Basis
Notification preferences	Customized notification delivery	Consent
Privacy settings (show age, show distance, discovery visibility)	User privacy control	Consent
Discovery filter preferences (distance, age range, group size)	Personalized content	Contract performance

Important Notice: BuddyBuddy is an activity-based social platform. We do not intentionally collect special category data (also known as “sensitive personal data”). However, we recognize that:

Photos you upload may reveal information about your racial or ethnic origin, religious beliefs, or health status
Activity descriptions you create or join may indicate religious practices, political views, health conditions, or sexual orientation
Your profile content may contain information you choose to share about your beliefs, lifestyle, or identity

Our approach:

We do not process this data for profiling, targeting, or automated decision-making
We do not analyze photos using facial recognition or biometric processing
We do not categorize users based on inferred sensitive characteristics
Any such data exists only because you chose to include it in your profile or activities

Legal basis: Where special category data is processed, we rely on your explicit consent under Art. 9(2)(a) GDPR. By uploading photos, creating activity descriptions, or adding profile information that reveals special category data, you explicitly consent to:

Storage of this data as part of your profile/activities
Display of this data to other authenticated users (subject to your privacy settings)
Processing necessary to provide the App’s core functionality

Your control: You can remove any special category data at any time by:

Deleting or replacing photos
Editing activity descriptions
Modifying your profile information
Deleting your account entirely

4. How We Collect Your Data

We collect personal data through the following methods:

4.1 Data You Provide Directly

Account registration information
Profile information you enter
Photos you upload
Messages you send
Activities you create
Preferences you set

4.2 Data Collected Automatically

Device and technical information
Location data (with your permission)
Usage and interaction data
Push notification tokens

4.3 Data from Third-Party Authentication Providers

When you choose to sign in or register using a third-party authentication service, we receive information from that service:

If you authenticate using your Google account, we receive:

Data Type	Purpose	Legal Basis
Email address	Account creation, communication	Contract performance
Display name	Profile pre-population	Consent
Profile picture URL	Profile pre-population (optional)	Consent
Google account identifier	Account linking, authentication	Contract performance

Your Google account password is never shared with us. For more information, see Google’s Privacy Policy.

If you authenticate using your Apple ID, we receive:

Data Type	Purpose	Legal Basis
Email address	Account creation, communication	Contract performance
Name (if you choose to share)	Profile pre-population	Consent
Apple user identifier	Account linking, authentication	Contract performance

Note: Apple offers a “Hide My Email” feature that provides a private relay email address. If you choose this option, we receive a unique Apple-generated email address that forwards to your real email. We cannot see your actual email address.

Your Apple ID password is never shared with us. For more information, see Apple’s Privacy Policy.

Phone Number Authentication

If you authenticate using your phone number, we collect:

Data Type	Purpose	Legal Basis
Phone number	Account creation, verification	Contract performance
SMS verification status	Security, fraud prevention	Contract performance

We use Firebase Authentication to send SMS verification codes. Standard SMS rates may apply.

4.4 Data from Analytics Services

Analytics data from Firebase Analytics

For processing activities that require consent, we obtain and record consent as follows:

At Registration:

You must affirmatively accept this Privacy Policy by checking a checkbox
The checkbox is not pre-checked (consent is not assumed)
You cannot create an account without accepting the Privacy Policy
We record: timestamp, IP address (if available), version of Privacy Policy accepted

Important - Consent Unbundling (Art. 7(2) GDPR):

We distinguish between required and optional processing:

Processing Type	Required?	Can Use App Without?
Account creation & management	Required	No
Core activity features	Required	No
User-to-user messaging	Required	No
Location data	Optional	Yes (limited functionality)
Push notifications	Optional	Yes
Analytics	Optional	Yes
Profile discovery visibility	Optional	Yes (can hide profile)

You can use BuddyBuddy’s core features while declining optional processing. Declining optional consent will not prevent account creation, but may limit certain features (e.g., you cannot create location-based activities without granting location permission).

For Location Data:

Your device’s operating system requests permission before we access location
You can grant or deny permission
We only access location when you explicitly grant permission
You can revoke permission at any time via device settings
Declining does not prevent account creation or use of non-location features

For Push Notifications:

Your device’s operating system requests permission before we send notifications
We only send notifications after you grant permission
You can revoke permission at any time via device settings or in-app
Declining does not affect any other App functionality

For Analytics:

Analytics processing helps us improve the App
You can disable analytics via Settings > Privacy (where available)
Disabling analytics does not affect App functionality

For Photos:

Your device’s operating system requests permission before we access your photo library
You choose which photos to upload
Uploading photos constitutes consent to display them to other users

Consent Records: We maintain records of consent including:

What was consented to
When consent was given
How consent was given (registration flow, permission prompt)
Version of Privacy Policy in effect at the time

5. Purposes and Legal Bases for Processing

We process your personal data for the following purposes. We only collect data that is strictly necessary for each stated purpose (data minimization principle).

Processing necessary for the performance of our contract with you:

Creating and managing your account
Enabling you to create and join activities
Facilitating communication between users
Processing join requests
Displaying approximate distance of users from activity locations to enable proximity-based discovery and invitations (essential feature — see Section 3.3)
Providing core App functionality

Without this processing, we cannot provide the App’s services to you. In particular, BuddyBuddy is a proximity-based activity platform. The ability to discover and invite users near an activity’s location is fundamental to the service. Without proximity-based discovery, the App would be unable to fulfill its core purpose of connecting people for nearby activities.

Processing based on your explicit, informed, freely given consent:

Collecting and displaying your profile photos
Processing your precise location data
Sending push notifications
Displaying your age to other users
Showing your Instagram handle
Processing analytics data

You may withdraw consent at any time via Settings > Privacy or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

Processing necessary for our legitimate interests, balanced against your rights:

Processing Activity	Our Legitimate Interest	Balancing Test	Your Rights
Improving and optimizing the App	Business improvement, user experience	Minimal privacy impact, anonymized data used	Opt-out via settings
Preventing fraud and abuse	Platform integrity, user safety	Essential for safe platform, minimal data used	Object via contact
Ensuring platform safety	Legal compliance, user protection	Overriding safety interest	Object via contact
Analyzing usage patterns	Service improvement	Anonymized/aggregated only	Disable analytics
Preventing duplicate content	User experience	Necessary for core feature	N/A
Technical troubleshooting	Service continuity	Limited to technical data	Object via contact

You have the right to object to processing based on legitimate interests. Contact us to exercise this right, and we will cease processing unless we demonstrate compelling legitimate grounds.

Processing necessary to comply with legal obligations:

Complying with applicable laws and regulations
Responding to valid legal requests from authorities
Maintaining legally required records
Cooperating with law enforcement when legally required

In exceptional circumstances, we may process data to protect vital interests:

Emergency situations involving risk to life or safety
Reporting imminent threats to authorities

This basis is used only in genuine emergencies.

6.1 Service Providers

We use the following third-party service providers who process data on our behalf:

Firebase (Google LLC)

Services used: Authentication, Cloud Firestore (database), Cloud Storage, Cloud Messaging (push notifications), Analytics
Data processed: All user data, photos, messages, authentication tokens
Location: Data may be processed in the United States and other countries
Safeguards: Standard Contractual Clauses (SCCs), Google’s Data Processing Terms
Privacy Policy: https://firebase.google.com/support/privacy

Google Maps Platform (Google LLC)

Services used: Maps display, Geocoding, Places API
Data processed: Location coordinates, address queries
Location: United States and other countries
Safeguards: Standard Contractual Clauses (SCCs)
Privacy Policy: https://policies.google.com/privacy

6.2 International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) and Switzerland, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place.

Transfer Mechanisms

Standard Contractual Clauses (SCCs): We use the 2021 EU Commission-approved SCCs with our service providers
Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission or Swiss authorities
EU-U.S. Data Privacy Framework: Google LLC (Firebase, Google Maps) is certified under the EU-U.S. Data Privacy Framework

Transfer Safeguards

Google LLC (Firebase, Google Maps) is certified under the EU-U.S. Data Privacy Framework. We rely on Standard Contractual Clauses (SCCs), supplementary technical measures, and Google’s contractual commitments to ensure adequate protection for international transfers.

Supplementary Technical Measures

We implement the following supplementary measures to protect transferred data:

Encryption in transit: All data transfers use TLS 1.2+ encryption between your device and Firebase servers
Encryption at rest: Data stored on Firebase servers is encrypted at rest using AES-256 (managed by Google)
Access controls: Strict authentication and authorization for data access
Data minimization: We transfer only data necessary for service provision
Pseudonymization: Where possible, we use user IDs rather than directly identifying information

Your Rights Regarding International Transfers

You have the right to:

Request information about specific transfers and safeguards
Object to transfers based on your specific situation
Lodge a complaint with your supervisory authority regarding transfers

To exercise these rights, contact us at legal@buddybuddy.ch.

6.3 Other Disclosures

We may disclose your personal data:

To other users as part of the App’s functionality (profile information, activity details, messages)
To comply with legal obligations or valid legal requests
To protect our rights, privacy, safety, or property
In connection with a merger, acquisition, or sale of assets (with prior notice)

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Below we explain why each retention period is necessary (as required by GDPR’s purpose limitation principle):

7.0 Data Retention Summary Table

Data Category	Retention Period	Justification
Account & Profile Data
Account data	Until account deletion + 30 days	Core service provision; 30-day grace period allows account recovery if deleted accidentally
Profile information	Until account deletion	Required for user identification and social interaction while account is active
Profile photos	Until deleted by user or account deletion	User-controlled content; needed for profile display
Push notification tokens	Until invalid or account deletion	Required for notification delivery; automatically cleared when invalid
Activity-Related Data
Activity data	90 days after activity date	Allows post-activity reference, dispute resolution, and safety review; 90 days balances utility with privacy
Activity group chat messages	90 days after activity ends	Enables communication context for activity coordination, dispute resolution, and safety review
Join requests	90 days after activity date	Enables activity history review and dispute resolution
Activity invitations	90 days after activity date	Invitation history for dispute resolution; no value after activity ends
Attendance verifications	90 days after activity date	Post-activity verification records; needed for reliability score disputes
Verification determinations	90 days after verification	Final attendance determination results; retained for reliability score audit
Social & Messaging Data
Direct messages (DM chats)	Until both users delete accounts or unfriend	User-to-user communication history; retained for ongoing conversations between friends
Friendships	Until unfriended or account deletion	Active relationship data; needed while friendship exists
Activity interactions (swipes)	Duration of account existence	Prevents showing duplicate activities; improves user experience
User reliability scores	Duration of account existence	Trust and safety feature; needed for platform integrity
Administrative Data
Notification records	90 days	Technical troubleshooting and delivery confirmation
User reports	2 years	Safety investigations and pattern detection; legal compliance
User feedback	1 year	Product improvement; no longer needed after addressed
Rate limit records	24 hours	Technical spam prevention; short-term operational data
Temporary Verification Data
Email verification codes	24 hours	One-time use; automatically expires
Deletion verification codes	24 hours	One-time use; automatically expires
Email change codes	24 hours	One-time use; automatically expires
Analytics Data
Raw analytics events	90 days	Aggregated into metrics, then raw data deleted
Analytics sessions	90 days	Session tracking for product improvement
Analytics user profiles	Duration of account existence	Aggregated usage patterns; tied to account lifecycle
Aggregated analytics metrics	14 months	Service improvement and usage pattern analysis; standard industry retention

7.1 Retention Period Selection Criteria

We determined these retention periods based on:

Necessity: How long is data needed to fulfill its purpose?
User expectation: What would users reasonably expect?
Legal requirements: Any legal retention obligations?
Technical constraints: What is technically feasible?
Risk assessment: What are the privacy risks of longer retention?

7.2 Automatic Deletion

Data is automatically deleted after the retention period expires through:

Scheduled deletion processes for activity-related data
Cascade deletion when accounts are deleted
Automatic token invalidation for push notifications

After the retention period, data is permanently deleted or anonymized.

8. Your Rights

Under GDPR and Swiss FADP, you have the following rights:

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.

You have the right to correct inaccurate personal data and to complete incomplete data.

You have the right to request deletion of your personal data when:

The data is no longer necessary for its original purpose
You withdraw consent (where consent was the legal basis)
You object to processing and there are no overriding legitimate grounds
The data was unlawfully processed

You have the right to restrict processing in certain circumstances.

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

You have the right to object to processing based on legitimate interests at any time.

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

For EU residents:

Your local Data Protection Authority
List of EU DPAs: https://edpb.europa.eu/about-edpb/about-edpb/members_en

For Swiss residents:

Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch/

For cross-border complaints involving international transfers: Swiss residents may also contact the FDPIC regarding concerns about international data transfers, including transfers to the United States. The FDPIC can coordinate with other data protection authorities where appropriate.

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: legal@buddybuddy.ch
In-App: Settings > Legal > Export My Data / Delete Account

We will respond to your request within 30 days (or as required by applicable law).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data in accordance with Art. 32 GDPR:

9.1 Technical Measures

Measure	Implementation	Purpose
Encryption in transit	TLS 1.2+ for all API communications	Protects data during transmission
Encryption at rest	AES-256 encryption (Firebase)	Protects stored data
Password security	Bcrypt hashing with salt (Firebase Auth)	Prevents password exposure
Authentication	Firebase Authentication with secure tokens	Verifies user identity
Session management	JWT tokens with expiration	Limits unauthorized access window
Input validation	Server-side validation of all inputs	Prevents injection attacks

9.2 Organizational Measures

Measure	Implementation	Purpose
Access control	Role-based access; principle of least privilege	Limits data exposure
Data processing agreements	Executed with Firebase/Google	Ensures processor compliance
Security reviews	Conducted before major releases	Identifies vulnerabilities
Incident response	Documented procedures for breach handling	Enables rapid response
Development practices	Secure coding guidelines followed	Prevents security flaws

9.3 Firebase Security Rules

We implement Firestore Security Rules that enforce:

User data isolation: Users can only read/write their own profile data
Activity access control: Activity details visible based on privacy settings
Chat privacy: Messages only accessible to activity participants
Photo access: Profile photos accessible only to authenticated users
Admin separation: No client-side admin access to other users’ data

9.4 Data Access Matrix

Data Type	User (self)	Other Users	Us (Admin)	Firebase
Profile data	Full access	Read (if discoverable)	Read (support only)	Storage/processing
Photos	Full access	Read (if discoverable)	Read (support only)	Storage/processing
Messages	Read/write own	Read (if participant)	Read (legal/safety)	Storage/processing
Location	Full access	Approximate distance from activity location only (if Show Distance enabled)	Aggregated only	Processing
Activity interactions	Read own	None	Aggregated only	Storage/processing

9.5 Security Limitations

While we implement industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notification to Supervisory Authority (within 72 hours):

Report the breach to the competent data protection authority
Document the nature of the breach, categories of data affected, and remedial measures

Notification to You (without undue delay): If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via:

Email to the address associated with your account
In-app notification
Public communication if direct contact is not feasible

Your Responsibility: You should ensure your email address is current to receive breach notifications.

10. Children’s Privacy

The App is not intended for users under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at legal@buddybuddy.ch.

10A. Safety

BuddyBuddy connects users for in-person activities. Your safety when meeting other users is your responsibility. We strongly recommend meeting in public places, informing friends or family of your plans, and reporting any suspicious behavior through the App.

For detailed safety information and disclaimers, see our Terms of Service, Section 6.

We use automated processing for the following purposes:

11.1 Activity Discovery and Ranking

Purpose: To show you relevant activities based on distance and timing
Logic: Activities are ranked based on proximity to your location and time until the activity
Factors used: Geographic distance, time until activity starts, activity status
Factors NOT used: We do not use profiling based on personal characteristics, behavior patterns, or inferred preferences
Impact: Determines the order of activities shown to you
Your rights: You can adjust distance and filtering preferences in Settings

Does our automated processing produce legal or similarly significant effects?

We have assessed our automated processing and determined that it does not produce legal effects or similarly significantly affect you because:

No access restrictions: All activities remain accessible to all users; ranking only affects display order
No profile-based exclusion: We do not exclude users from activities based on automated profiling
User control: You can adjust all filtering parameters and view all available activities
No economic impact: The App is free; ranking does not affect pricing or access to paid features
Manual alternative: You can always manually browse and search for activities

11.3 Your Rights Regarding Automated Processing

Our automated processing does not produce legal or similarly significant effects as described in Art. 22 GDPR. Nonetheless, we support the following rights:

Right to explanation: You can contact us to understand how activity ranking works. We will explain the logic involved, the significance, and the envisaged consequences of such processing.
Right to human review: You can request human review of any automated decision affecting you. We commit to reviewing such requests within 14 days.
Right to contest: You can challenge any perceived unfair treatment in activity visibility. We will investigate and provide a reasoned response.
Right to opt-out: You can disable location-based ranking by denying location permissions (though this limits functionality).

If we introduce new automated features in the future, we will reassess their impact under Art. 22 GDPR and update this policy accordingly before deployment.

To exercise these rights, contact us at legal@buddybuddy.ch.

11.4 No Profiling for Marketing or Third Parties

We do not:

Create behavioral profiles for advertising purposes
Sell or share profiling data with third parties
Use automated decision-making for credit, employment, or similar significant decisions
Engage in predictive profiling about your behavior, preferences, or characteristics

12. Privacy Settings and Controls

You can control your privacy through the following in-app settings:

Setting	Description	Location
Show Age	Control whether your age is visible to others	Settings > Privacy
Show Distance	Control whether your approximate distance from an activity location is visible to activity hosts. When disabled, the distance label is hidden but you may still appear in proximity-based discovery (see Section 3.3).	Settings > Privacy
Profile Discovery	Control whether you appear in activity discovery	Settings > Privacy
Show Instagram	Control Instagram handle visibility	Settings > Privacy
Profile Activities	Your upcoming activities are visible to your buddies. Non-buddies may see them with a premium subscription.	N/A (cannot be disabled)
Push Notifications	Control notification preferences	Settings > Notifications
Location Permissions	Control location access	Device Settings

13. Local Data Storage

The App stores some data locally on your device using SharedPreferences:

Filter and preference settings
Cached activity data (for faster loading)
Last known location (for distance calculations)
Hidden/removed chat identifiers

This local data:

Remains on your device only
Is not transmitted to our servers
Can be cleared by uninstalling the App or clearing App data

14. Push Notifications

We use Firebase Cloud Messaging (FCM) to send push notifications. You will receive notifications for:

New join requests on your activities
Accepted/declined join requests
New messages in your chats
Activity updates and reminders
When participants leave activities

You can control notifications:

In-App: Settings > Notifications
Device Level: Your device’s notification settings

We store your FCM token to deliver notifications. Invalid tokens are automatically removed.

15. Photos and Media

15.1 Profile Photos

You can upload up to 6 profile photos
Photos are compressed (max 1920x1920 pixels, 85% quality)
Photos are stored in Firebase Cloud Storage
Photos are visible to all authenticated users (unless you disable profile discovery)

15.2 Activity Photos

One photo per activity
Same compression settings as profile photos
Visible to all users who can view the activity

15.3 Photo Deletion

You can delete your photos at any time
Deleted photos are removed from Cloud Storage
Cached versions may persist temporarily on other users’ devices

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new Privacy Policy in the App
Updating the “Last Updated” date
Sending you a notification (for significant changes)

We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes constitutes acceptance of the updated Privacy Policy.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: legal@buddybuddy.ch Website: https://buddybuddy.ch

We aim to respond to all inquiries within 30 days.

18. Jurisdiction-Specific Provisions

18.1 Current Operating Jurisdiction

BuddyBuddy is currently operated exclusively in and from Switzerland. Swiss law, specifically the Swiss Federal Act on Data Protection (FADP/nDSG), is the primary governing law for all data processing activities.

18.2 European Economic Area (EEA)

Status: We do not currently target or actively offer services to individuals in the EEA. GDPR provisions referenced in this policy apply only if and when we officially expand to offer services in the EEA.

For EEA residents who access the App before official EEA launch:

Your data is processed under Swiss data protection law
We process only data necessary to provide basic App access
We do not actively market to or target EEA residents
Full GDPR compliance (including appointment of an EU Representative under Art. 27) will be ensured before any official EEA launch

Once we officially launch in the EEA, this policy will be updated to reflect full GDPR compliance, including designation of a Lead Supervisory Authority under Art. 56 GDPR.

18.3 Switzerland

For users in Switzerland, this Privacy Policy complies with the Swiss Federal Act on Data Protection (FADP/nDSG) and its implementing ordinances. The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).

Additional rights under Swiss law:

Right to information about data processing
Right to data portability
Right to object to automated individual decision-making

18.4 Legal Basis Equivalence

Where this policy refers to GDPR legal bases, the equivalent bases under Swiss law apply:

Contract performance → Contract performance
Consent → Consent
Legitimate interests → Overriding private or public interests
Legal obligation → Legal obligation

19. Definitions

Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.)
Data Controller: The entity that determines the purposes and means of processing personal data
Data Processor: An entity that processes personal data on behalf of the controller
Consent: Freely given, specific, informed, and unambiguous indication of agreement to data processing
GDPR: General Data Protection Regulation (EU) 2016/679
FADP/nDSG: Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz)

20. Data Protection Compliance Documentation

20.1 Our Compliance Measures

We maintain appropriate documentation and measures to demonstrate compliance with applicable data protection laws, including records of processing activities, data processing agreements with our service providers, and technical and organizational security measures.

We implement privacy by design principles:

Data minimization: We only collect necessary data
Purpose limitation: Data used only for stated purposes
Storage limitation: Data retained only as long as necessary
Privacy settings default to most protective options where appropriate
Regular privacy reviews of new features

20.3 International Transfer Mechanisms

For transfers outside the EEA/Switzerland:

Primary mechanism: Standard Contractual Clauses (SCCs) - 2021 EU Commission version
Supplementary measures: Encryption, access controls, contractual commitments
Transfer Impact Assessments: Conducted for each third-country transfer

21. Acknowledgment

By using BuddyBuddy, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.

Specifically, you acknowledge and agree that:

You have had the opportunity to review this Privacy Policy before using the App
You understand what personal data we collect and why
You understand your rights and how to exercise them
You accept the data processing described herein as necessary for the App’s functionality
For processing based on consent, you provide your informed, specific, and unambiguous consent
You may withdraw consent at any time without affecting prior processing
You understand that withdrawing certain consents may limit App functionality

For users in the EU/Switzerland:

You acknowledge that this Privacy Policy complies with GDPR and Swiss FADP requirements
You understand your right to lodge a complaint with your supervisory authority
You understand that we may transfer your data internationally with appropriate safeguards

For processing activities based on consent, you may withdraw your consent at any time through the App settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

22. Severability and Survival

22.1 Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity shall not affect the validity of the remaining provisions, which shall remain in full force and effect.

22.2 Survival

The following sections shall survive termination of your account or this Privacy Policy: Section 7 (Data Retention), Section 21 (Acknowledgment), and this Section 22.

BuddyBuddy Connecting people through shared activities

This Privacy Policy was last reviewed on February 22, 2026.