Last Updated: May 26, 2026

Effective Date: May 4, 2026


1. Introduction

Welcome to BuddyBuddy (“we,” “our,” “us,” or the “Company”). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Act on Data Protection (“FADP” / “nDSG”), and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application BuddyBuddy (the “App”). The App may be distributed under the name “BuddyBuddy” or “BuddyBuddy App”; both names refer to the same application, and references to “BuddyBuddy” or the “App” in this Privacy Policy apply to either. Please read this Privacy Policy carefully. By using the App, you consent to the data practices described in this policy.

Operating jurisdictions: BuddyBuddy is operated from Switzerland and offers its services to users in Switzerland and in the European Economic Area (EEA). Our primary applicable data protection laws are the Swiss Federal Act on Data Protection (FADP/nDSG) and the EU General Data Protection Regulation (GDPR), which apply in parallel to the corresponding categories of users. Where this policy refers to GDPR provisions, the equivalent provisions of the FADP apply to users in Switzerland (see Section 18.4).

If you do not agree with the terms of this Privacy Policy, please do not access or use the App.


2. Data Controller

The data controller responsible for your personal data is:

Marco Barnobi (operating BuddyBuddy as a natural person)
Schiffbaustrasse 9C
8005 Zürich
Switzerland

Website: https://buddybuddy.ch
Email: legal@buddybuddy.ch

Marco Barnobi, as a natural person resident in Switzerland, is the data controller and the responsible party under the Swiss FADP/nDSG (and, where applicable, under the GDPR).


3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Identity and Account Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, communication | Contract performance, Consent |
| Password (hashed) | Account security | Contract performance |
| Phone number | Account creation, authentication via SMS, communication | Contract performance |
| Phone verification status | Anti-fraud, account security | Contract performance, Legitimate interest |
| Display name | Profile identification, social interaction | Contract performance, Consent |
| First name | Display on other users’ profiles | Contract performance |
| Last name (internal) | Used in transactional emails only; never displayed in the App | Contract performance |
| Date of birth | Age verification, age display to other users | Consent, Legitimate interest (safety) |
| Age (calculated) | Matching and filtering features | Consent, Legitimate interest |
| Gender | Profile information, optional matching/filtering | Consent |

Note on age visibility: You can choose whether your age is shown on your profile via your privacy settings (“Show age on profile”). However, because BuddyBuddy lets users filter activity discovery by age range, a determined viewer who can repeatedly observe whether your hosted activities appear in their feed under different filter settings could in principle infer that your age falls within a particular range. This kind of inference requires sustained manual effort, only applies to users who host public activities, and does not reveal your exact age or date of birth. We disclose this so you can make an informed choice about whether hiding your age on your profile meaningfully serves your privacy goals.

3.2 Profile Information

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Biography/Description | Self-presentation to other users | Consent |
| Profile photograph (one photo) | Visual identification; required to create an account and interact with other users | Contract performance |
| Self-description tags (up to 20) | Self-presentation, lightweight matching signals | Consent |
| Languages spoken (up to 10) | Self-presentation, language-based filtering | Consent |
| Focus interests (up to 10) | Self-presentation, activity recommendation signals | Consent |
| Instagram handle (optional) | Social connectivity | Explicit Consent |

Note on profile photos: Each user has exactly one profile photo at any given time. When you upload a new photo, the previous one is replaced (and the old image is deleted from our storage).

3.3 Location Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Precise GPS coordinates (latitude/longitude) | Distance calculations, discovery features | Explicit Consent (collection via device permission) |
| Last known location (cached locally) | Distance filtering, improved user experience | Consent |
| Approximate distance from activity location | Displayed to activity hosts to help them invite relevant nearby users | Contract performance (essential feature) |

Note: We do not collect your home address. Activity meeting points (coordinates and human-readable address you enter when creating an activity) are covered separately under Section 3.4.

Important: Location data is considered sensitive. We only collect location data when you explicitly grant permission and when you create or interact with activities. You can revoke location permissions at any time through your device settings.

How distance is used: BuddyBuddy is fundamentally a proximity-based activity platform. Connecting users who are near an activity’s location is essential to the core functionality of the App — without it, the service cannot fulfill its purpose. When an activity host views nearby users to invite, the App displays each user’s approximate distance from the activity location (not from the host’s personal location). Your precise GPS coordinates are never shared with other users. Only a rounded distance value (e.g., “3 km away”) calculated from the activity’s published location is displayed, and only when your Show Distance privacy setting is enabled (see Section 12). Disabling this setting hides the distance label, but you may still appear in nearby user lists since proximity-based discovery is a core feature of the service.

3.4 Activity and Event Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Activity title and description | Event organization | Contract performance |
| Activity date and time | Event scheduling | Contract performance |
| Activity location (coordinates and address) | Event location, participant navigation | Contract performance, Consent |
| Activity photographs | Visual representation of events | Consent |
| Participant information | Group coordination | Contract performance |
| Activity status | Event management | Contract performance |
| Activity participation visibility | Display of activities you’re attending on your profile | Contract performance, Consent |

3.5 Communication Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Chat messages | Communication between participants | Contract performance |
| Join request messages | Activity participation requests | Contract performance |
| Message timestamps | Message ordering, read receipts | Contract performance |
| Read receipts | Communication status | Legitimate interest |

3.6 Interaction and Behavioral Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Activity interactions (swipes: passed/requested/accepted) | Matching algorithm, preventing duplicate content | Legitimate interest, Contract performance |
| Join requests and responses | Activity participation management | Contract performance |
| Friendships / buddies (friend list, follow list) | Social graph, friend-only visibility, friend activity notifications | Contract performance |
| Blocked users / blocked-by lists | Safety; preventing contact and content visibility between blocked parties | Legitimate interest (user safety), Contract performance |
| Notification interactions | Service improvement | Legitimate interest |
| Last active / last login / login count | Activity ranking (“active recently” signals), security monitoring | Legitimate interest |

Note: Activity interaction data (swipes) is retained to prevent showing you the same activities repeatedly and to improve our matching algorithms.

3.7 Technical and Device Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Device type and platform (iOS/Android) | App functionality, compatibility | Legitimate interest |
| App version | Technical support, updates | Legitimate interest |
| Push notification tokens (FCM) | Delivery of notifications | Consent |
| Firebase app instance ID | Usage analytics, app improvement | Legitimate interest |
| Crash reports and stack traces | App stability monitoring, bug fixing | Legitimate interest |
| IP address | Security, fraud prevention, consent logging | Legitimate interest |
| Network information | Service optimization, troubleshooting | Legitimate interest |

Note on IP addresses: We may collect your IP address when you register or interact with the App. IP addresses are used for:

  • Security and fraud prevention
  • Recording consent (as required by GDPR accountability)
  • Geographic region detection (not precise location)
  • Technical troubleshooting

IP addresses captured at sign-in and sign-up are stored in an auth_audit log for up to 12 months and are reviewed only when investigating suspected abuse or coordinated ban-evasion. After 12 months they are automatically purged. IP addresses are not used for tracking, profiling, or advertising purposes.

3.8 Preference Data

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Notification preferences | Customized notification delivery | Consent |
| Privacy settings (show age, show distance, discovery visibility) | User privacy control | Consent |
| Discovery filter preferences (distance, age range, group size) | Personalized content | Contract performance |

3.9 No Profiling Based on Personal Characteristics

BuddyBuddy processes profile and activity content to enable user-to-user interaction. We do not analyze, categorize, or profile users based on appearance, beliefs, ethnicity, health status, sexual orientation, or any other personal characteristic, and we do not perform facial recognition or biometric identification on profile or activity photos.

Liveness verification (optional): The optional liveness verification flow uses on-device anti-spoofing gestures to confirm a live person is using the camera. It runs entirely on your device — no image, video, or face data is uploaded or stored, and we do not generate face templates or match faces across users. We only record whether the check was passed and when. See Section 15 for camera-permission details.

Voluntary content: Information you choose to share about yourself through your profile, activity descriptions, or photos is processed under the lawful bases set out in Section 5 (primarily contract performance and your consent for the relevant feature). You can remove or modify this content at any time by editing your profile, deleting photos, or deleting your account.


4. How We Collect Your Data

We collect personal data through the following methods:

4.1 Data You Provide Directly

  • Account registration information
  • Profile information you enter
  • Photos you upload
  • Messages you send
  • Activities you create
  • Preferences you set

4.2 Data Collected Automatically

  • Device and technical information
  • Location data (with your permission)
  • Usage and interaction data
  • Push notification tokens

4.3 Data from Third-Party Authentication Providers

When you choose to sign in or register using a third-party authentication service, we receive information from that service:

Sign in with Google

If you authenticate using your Google account, we receive:

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communication | Contract performance |
| Display name | Profile pre-population | Consent |
| Profile picture URL | Profile pre-population (optional) | Consent |
| Google account identifier | Account linking, authentication | Contract performance |

Your Google account password is never shared with us. For more information, see Google’s Privacy Policy.

Sign in with Apple

If you authenticate using your Apple ID, we receive:

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communication | Contract performance |
| Name (if you choose to share) | Profile pre-population | Consent |
| Apple user identifier | Account linking, authentication | Contract performance |

Note: Apple offers a “Hide My Email” feature that provides a private relay email address. If you choose this option, we receive a unique Apple-generated email address that forwards to your real email. We cannot see your actual email address.

Your Apple ID password is never shared with us. For more information, see Apple’s Privacy Policy.

Phone Number Authentication

If you authenticate using your phone number, we collect:

| Data Type | Purpose | Legal Basis |
|---|---|---|
| Phone number | Account creation, verification | Contract performance |
| SMS verification status | Security, fraud prevention | Contract performance |

We use Firebase Authentication to send SMS verification codes. Standard SMS rates may apply.

4.4 Data from Analytics and Crash Reporting Services

We use Firebase Analytics and Firebase Crashlytics (provided by Google LLC) to understand how the App is used and to improve its stability:

  • Firebase Analytics collects usage events (e.g., screen views, feature interactions), session data, device type, OS version, and a Firebase app instance ID. It does not collect your Advertising ID (AD_ID) — we have opted out of advertising identifier collection. Analytics data is linked to your user ID to understand aggregate usage patterns.
  • Firebase Crashlytics collects crash reports including stack traces, device model, OS version, and app state at the time of the crash. This data is used solely to identify and fix bugs. Crash data is not intentionally used to directly identify you.

Note: Analytics collection is automatically disabled in debug/development builds and only active in production releases.

4.5 How We Obtain and Record Consent

For processing activities that require consent, we obtain and record consent as follows:

At Registration:

  • You must affirmatively accept this Privacy Policy by checking a checkbox
  • The checkbox is not pre-checked (consent is not assumed)
  • You cannot create an account without accepting the Privacy Policy
  • We record: timestamp, IP address (if available), version of Privacy Policy accepted

Important - Consent Unbundling (Art. 7(2) GDPR):

We distinguish between required and optional processing:

| Processing Type | Required? | Can Use App Without? |
|---|---|---|
| Account creation & management | Required | No |
| Core activity features | Required | No |
| User-to-user messaging | Required | No |
| Location data | Optional | Yes (limited functionality) |
| Push notifications | Optional | Yes |
| Analytics | Optional | Yes |
| Profile discovery visibility | Optional | Yes (can hide profile) |

You can use BuddyBuddy’s core features while declining optional processing. Declining optional consent will not prevent account creation, but may limit certain features (e.g., you cannot create location-based activities without granting location permission).

For Location Data:

  • Your device’s operating system requests permission before we access location
  • You can grant or deny permission
  • We only access location when you explicitly grant permission
  • You can revoke permission at any time via device settings
  • Declining does not prevent account creation or use of non-location features

For Push Notifications:

  • Your device’s operating system requests permission before we send notifications
  • We only send notifications after you grant permission
  • You can revoke permission at any time via device settings or in-app
  • Declining does not affect any other App functionality

For Analytics and Crash Reporting:

  • We use Firebase Analytics and Firebase Crashlytics to understand App usage and improve stability
  • We do not collect your Advertising ID (AD_ID) — advertising identifier collection is disabled
  • Analytics data includes usage events, session data, device info, and a Firebase-generated app instance ID
  • Crash reports include technical error data (stack traces, device model, OS version) and are not linked to your identity
  • Analytics and crash reporting do not affect App functionality

For Camera and Photos:

  • Your device’s operating system requests permission before we access your camera or photo library
  • Camera access is used solely for taking photos for your profile or activities, and for the optional on-device liveness verification flow (see Section 15)
  • You choose which photos to take or upload
  • Uploading photos constitutes consent to display them to other users

For Calendar:

  • Your device’s operating system requests permission before we read from or write to your calendar
  • Calendar access is used solely to add activities you join to your device calendar, on your explicit action
  • Calendar contents are not transmitted to our servers
  • Declining calendar permission does not affect any other App functionality

Consent Records: We maintain records of consent including:

  • What was consented to
  • When consent was given
  • How consent was given (registration flow, permission prompt)
  • Version of Privacy Policy in effect at the time


5. Purposes and Legal Bases for Processing

We process your personal data for the following purposes. We only collect data that is strictly necessary for each stated purpose (data minimization principle).

5.1 Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary for the performance of our contract with you:

  • Creating and managing your account
  • Enabling you to create and join activities
  • Facilitating communication between users
  • Processing join requests
  • Displaying approximate distance of users from activity locations to enable proximity-based discovery and invitations (essential feature — see Section 3.3)
  • Collecting and displaying your profile photo for account creation and user-to-user interaction (without which other users cannot meaningfully recognize or interact with you — see Section 3.2)
  • Providing core App functionality

Without this processing, we cannot provide the App’s services to you. In particular, BuddyBuddy is a proximity-based activity platform. The ability to discover and invite users near an activity’s location is fundamental to the service. Without proximity-based discovery, the App would be unable to fulfill its core purpose of connecting people for nearby activities.

5.2 Consent (Art. 6(1)(a) GDPR)

Processing based on your explicit, informed, freely given consent:

  • Processing your precise location data
  • Sending push notifications
  • Displaying your age to other users where enabled through your privacy settings (see Section 3.1 for a note on residual inference via age-range filtering)
  • Showing your Instagram handle
  • Processing analytics data where consent is required under applicable law

You may withdraw consent at any time via Settings > Privacy or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

5.3 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate interests, balanced against your rights:

| Processing Activity | Our Legitimate Interest | Balancing Test | Your Rights |
|---|---|---|---|
| Improving and optimizing the App | Business improvement, user experience | Minimal privacy impact, anonymized data used | Opt-out via settings |
| Preventing fraud and abuse | Platform integrity, user safety | Essential for safe platform, minimal data used | Object via contact |
| Ensuring platform safety | Legal compliance, user protection | Overriding safety interest | Object via contact |
| Analyzing usage patterns | Service improvement | Anonymized/aggregated only | Disable analytics |
| Preventing duplicate content | User experience | Necessary for core feature | N/A |
| Technical troubleshooting | Service continuity | Limited to technical data | Object via contact |

You have the right to object to processing based on legitimate interests. Contact us to exercise this right, and we will cease processing unless we demonstrate compelling legitimate grounds.

5.4 Legal Obligations (Art. 6(1)(c) GDPR)

Processing necessary to comply with legal obligations:

  • Complying with applicable laws and regulations
  • Responding to valid legal requests from authorities
  • Maintaining legally required records
  • Cooperating with law enforcement when legally required

5.5 Vital Interests (Art. 6(1)(d) GDPR)

In exceptional circumstances, we may process data to protect vital interests:

  • Emergency situations involving risk to life or safety
  • Reporting imminent threats to authorities

This basis is used only in genuine emergencies.


6. Data Sharing and Third-Party Services

6.1 Service Providers

We use the following third-party service providers who process data on our behalf:

Firebase (Google LLC)

  • Services used: Authentication, Cloud Firestore (database), Cloud Storage, Cloud Functions, Cloud Messaging (push notifications), Analytics, Crashlytics
  • Data processed: Personal data necessary to provide the relevant services — including profile and account data, photos, messages, authentication tokens, and device/usage data where applicable
  • Storage location: Cloud Firestore (your account, profile, activity, and chat data) is hosted in europe-west1 (Belgium, EU). Cloud Storage (your profile and activity photos) is hosted in the same European region. Cloud Functions execute in us-central1 (United States), so Function-mediated data flows transit and are processed in the United States. Firebase Authentication metadata, Cloud Messaging, Analytics, and Crashlytics are operated globally by Google and may involve processing in the United States and other countries.
  • Safeguards: Standard Contractual Clauses (SCCs), Google’s Data Processing Terms, EU-U.S. Data Privacy Framework certification (Google LLC)
  • Privacy Policy: https://firebase.google.com/support/privacy

Google Maps Platform (Google LLC)

  • Services used: Maps display, Geocoding, Places API
  • Data processed: Location coordinates, address queries
  • Location: United States and other countries
  • Safeguards: Standard Contractual Clauses (SCCs)
  • Privacy Policy: https://policies.google.com/privacy

Google Gemini API (Google LLC)

  • Services used: AI-assisted content moderation pre-screening; AI-assisted activity label suggestions
  • Data processed: Only the activity title and description text you enter when creating an activity. No user identifiers, account data, email, photos, location coordinates, or messages are sent to the Gemini API.
  • Purpose: Platform safety (detecting potentially inappropriate content) and user experience (suggesting an activity category you can accept, edit, or replace)
  • Use for model training: Under the terms applicable to our paid Gemini API usage, Google does not use the inputs we send or the responses we receive to train or improve its models. Google retains data only short-term for abuse monitoring and legal compliance.
  • Location: United States and other countries
  • Safeguards: Standard Contractual Clauses (SCCs), Google’s Data Processing Addendum, EU-U.S. Data Privacy Framework certification
  • Privacy Policy / Terms: https://ai.google.dev/gemini-api/terms

RevenueCat, Inc.

  • Services used: Subscription management and entitlement validation for premium (paid) features
  • Data processed: Pseudonymous user identifier, subscription/purchase events, platform (iOS/Android), app version. Payment card details are handled by Apple App Store / Google Play and are not received by RevenueCat or by us.
  • Purpose: Validating active subscriptions, restoring purchases across devices, fraud prevention on subscription entitlements
  • Location: United States and other countries
  • Safeguards: Standard Contractual Clauses (SCCs), RevenueCat Data Processing Addendum
  • Privacy Policy: https://www.revenuecat.com/privacy

Postmark (ActiveCampaign LLC / Wildbit)

  • Services used: Transactional email delivery only (verification codes, account-related notifications, security and operational emails, important policy updates)
  • Data processed: Recipient email address, recipient display name, email subject and body content, delivery metadata (sent/delivered/bounced)
  • Purpose: Delivering operational and transactional emails required to operate the App. We do not send marketing emails through Postmark.
  • Location: United States; EU data residency available and may be used for EEA users
  • Safeguards: Standard Contractual Clauses (SCCs), Postmark Data Processing Addendum
  • Privacy Policy: https://postmarkapp.com/privacy-policy

6.2 International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) and Switzerland, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place.

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): We use the 2021 EU Commission-approved SCCs with our service providers
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission or Swiss authorities
  • EU-U.S. Data Privacy Framework: Google LLC (Firebase, Google Maps) is certified under the EU-U.S. Data Privacy Framework

Transfer Safeguards

Google LLC (Firebase, Google Maps) is certified under the EU-U.S. Data Privacy Framework. We rely on Standard Contractual Clauses (SCCs), supplementary technical measures, and Google’s contractual commitments to ensure adequate protection for international transfers.

Supplementary Technical Measures

We implement the following supplementary measures to protect transferred data:

  • Encryption in transit: All data transfers use TLS 1.2+ encryption between your device and Firebase servers
  • Encryption at rest: Data stored on Firebase servers is encrypted at rest using AES-256 (managed by Google)
  • Access controls: Strict authentication and authorization for data access
  • Data minimization: We transfer only data necessary for service provision
  • Pseudonymization: Where possible, we use user IDs rather than directly identifying information

Your Rights Regarding International Transfers

You have the right to:

  • Request information about specific transfers and safeguards
  • Object to transfers based on your specific situation
  • Lodge a complaint with your supervisory authority regarding transfers

To exercise these rights, contact us at legal@buddybuddy.ch.

6.3 Other Disclosures

We may disclose your personal data:

  • To other users as part of the App’s functionality (profile information, activity details, messages)
  • To comply with legal obligations or valid legal requests
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets (where legally required or reasonably practicable, with prior notice)


7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Below we explain why each retention period is necessary (as required by GDPR’s purpose limitation principle):

7.0 Data Retention Summary Table

| Data Category | Retention Period | Justification |
|---|---|---|
| Account & Profile Data | | |
| Account data | Deleted from production systems within 30 days of an account-deletion request. Residual copies in encrypted backups are overwritten as backups rotate, and are fully purged within 90 days of the original deletion request. | Core service provision while active; specific deletion windows ensure user data is removed predictably from live systems while accommodating standard backup-rotation cycles. |
| Profile information | Until account deletion | Required for user identification and social interaction while account is active |
| Profile photos | Until deleted by user or account deletion | User-controlled content; needed for profile display |
| Liveness verification status (verified yes/no, timestamp) | Until account deletion | Display of verification badge and eligibility for fully-verified features. The on-device check produces no image or biometric data, so there is nothing else to retain |
| Push notification tokens | Until invalid or account deletion | Required for notification delivery; automatically cleared when invalid |
| Activity-Related Data | | |
| Activity data | Retained while at least one participant remains in the conversation. Hard-deleted at the later of (a) 90 days after the activity date and (b) 30 days after all participants have left, so the conversation thread stays available for the published 90-day window even if everyone has left the hangout. | Allows post-activity reference, dispute resolution, and safety review while honoring the published 90-day window so participants who return within that period still find the conversation. |
| Activity group chat messages | Each message is retained for 90 days from when it was sent (rolling window: older messages are continuously trimmed). The conversation thread (membership and metadata) remains for as long as you are a participant. Exception: if a safety report references content from a chat, the relevant content may be retained until the report is resolved, up to a maximum of 2 years from the report’s filing date (matching the User Reports retention). Lawful bases for the extended retention: GDPR Art. 17(3)(e) (establishment, exercise or defence of legal claims) and Art. 6(1)(f) (legitimate interest in platform safety). | Enables communication context for activity coordination, dispute resolution, and safety review while limiting how long historical message content sits on our servers. |
| Join requests | 90 days after activity date | Enables activity history review and dispute resolution |
| Activity invitations | 90 days after activity date | Invitation history for dispute resolution; no value after activity ends |
| Attendance verifications | 90 days after activity date | Post-activity verification records; needed for reliability score disputes |
| Verification determinations | 90 days after verification | Final attendance determination results; retained for reliability score audit |
| Social & Messaging Data | | |
| Direct messages (DM chats) | Until both users delete accounts or unfriend; when a user deletes their account, their identity is anonymized but message content is preserved | User-to-user communication history; retained for ongoing conversations between friends; identity anonymized upon account deletion to protect the deleted user’s privacy while preserving conversation context for the other participant |
| Friendships | Until unfriended or account deletion | Active relationship data; needed while friendship exists |
| Activity interactions (swipes) | Duration of account existence | Prevents showing duplicate activities; improves user experience |
| User reliability scores | Duration of account existence | Trust and safety feature; needed for platform integrity |
| Administrative Data | | |
| Notification records | 90 days | Technical troubleshooting and delivery confirmation |
| User reports | 2 years | Safety investigations and pattern detection; legal compliance |
| User feedback | 1 year | Product improvement; no longer needed after addressed |
| Rate limit records | 24 hours | Technical spam prevention; short-term operational data |
| Safety & Anti-abuse Data | | |
| Block events log (user_blocks) | 2 years | System-side log of block events used to detect abuse patterns and validate user-facing block lists. Distinct from your personal block list in your profile, which is deleted on account deletion. Access is internal-only via Cloud Functions. |
| Anti-evasion safety record (graveyard_users) | 5 years from account deletion (occasionally longer where an active safety review requires it under Art. 17(3)(d) GDPR) | When an account is deleted, we retain a record containing the user’s sanitised email, original user ID, deletion timestamp, the reports filed against them, the reports they filed, block history, and aggregate counts of unique reporters and blocks. We use this only if the same email is later used to register a new account, in which case our safety team carries over the prior reports to the new account and may automatically flag it for closer review when the prior account had three or more unique reporters or was already under review. Lawful basis: legitimate interest under GDPR Art. 6(1)(f), preventing platform abuse and protecting other users (Recital 47 “preventing fraud” and Recital 49 “network and information security”). Internal Legitimate Interests Assessment is documented at legal/LIA_GRAVEYARD_USERS.md. You can request erasure of this record by emailing legal@buddybuddy.ch; we will erase it unless we determine that an active safety review requires continued retention, in which case we will tell you and explain why. |
| Temporary Verification Data | | |
| Email verification codes | 24 hours | One-time use; automatically expires |
| Deletion verification codes | 24 hours | One-time use; automatically expires |
| Email change codes | 24 hours | One-time use; automatically expires |
| Analytics & Crash Data | | |
| Firebase Analytics events | 14 months (managed by Firebase) | Firebase retains event-level data for up to 14 months; aggregated reports are available indefinitely |
| Firebase Crashlytics crash reports | 90 days (managed by Firebase) | Crash data is retained by Firebase for stability analysis and then automatically deleted |

7.1 Retention Period Selection Criteria

We determined these retention periods based on:

  • Necessity: How long is data needed to fulfill its purpose?
  • User expectation: What would users reasonably expect?
  • Legal requirements: Any legal retention obligations?
  • Technical constraints: What is technically feasible?
  • Risk assessment: What are the privacy risks of longer retention?

7.2 Automatic Deletion

Data is automatically deleted after the retention period expires through:

  • A daily scheduled process that trims activity chat messages older than 90 days (a rolling window — the conversation thread itself, including membership and metadata, remains as long as you are a participant)
  • A daily scheduled process that hard-deletes the activity record and the chat thread once (a) all participants have left for at least 30 days and (b) the activity date is more than 90 days in the past
  • Daily scheduled processes for short-lived coordination artifacts (join requests, activity invitations, verification determinations, in-app notifications) after their respective 90-day windows
  • Cascade deletion when accounts are deleted
  • Automatic token invalidation for push notifications
  • Firebase-managed retention policies for analytics events and crash reports

After the retention period, data is permanently deleted or anonymized.


8. Your Rights

Under GDPR and Swiss FADP, you have the following rights, subject to applicable legal conditions, limitations, and exceptions:

8.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, subject to the rights and freedoms of others and applicable legal restrictions.

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate personal data and to complete incomplete data.

8.3 Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

Exceptions where we may retain limited data after your erasure request:

  • Anti-evasion safety record (graveyard_users): when you delete your account, we retain a minimal safety record (sanitised email, original user ID, deletion timestamp, reports made/received, block history) for up to 5 years for the purpose of recognising and reviewing repeat-abuse re-registration on the same email. This is permitted under Art. 17(3)(d) GDPR (retention necessary in the public interest, including for safety-related processing). See §7.0 (“Safety & Anti-abuse Data”) for details and how to request erasure of this record.
  • Consent evidence (consentRecords): the append-only log of your past consent acts (when you accepted the Privacy Policy and Terms of Service, and the version each time) is retained as required by Art. 7(1) GDPR for as long as we may need to demonstrate that processing was lawful. These records are never modified or deleted.
  • Open safety reports: if a chat message, conversation, or other activity-related content is the subject of an open safety report at the time of your erasure request — whether the report was filed by you or against you — we may retain the relevant content until the report is resolved, up to a maximum of 2 years from the report’s filing date (matching the User Reports retention period in §7.0). This is permitted under Art. 17(3)(e) GDPR (retention necessary for the establishment, exercise or defence of legal claims, including platform safety review) and Art. 6(1)(f) (legitimate interest in keeping the platform safe for other users). Once the report is closed or the 2-year cap is reached, the retained content is deleted on the next scheduled cleanup cycle.

Note on completion of erasure requests: Where you are the sole administrator of a Circle that has other members, completing your account deletion requires you to first promote another member to administrator or delete the Circle. This requirement protects the rights and choices of the other members; it does not curtail your right to erasure, only sequences the steps required to honour it.

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to restrict processing in certain circumstances.

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

8.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests at any time.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

For EU residents: the data protection authority of your EU/EEA country of residence (a list of authorities is given in Section 18.2)

For Swiss residents: the Federal Data Protection and Information Commissioner (FDPIC) (see Section 18.3)

For cross-border complaints involving international transfers: Swiss residents may also contact the FDPIC regarding concerns about international data transfers, including transfers to the United States. The FDPIC can coordinate with other data protection authorities where appropriate.

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: legal@buddybuddy.ch
  • In-App: Settings > Legal > Export My Data / Delete Account (deletion may prompt you to first reassign or delete any Circles where you are the only administrator)

We will respond to your request within 30 days (or as required by applicable law).


9. Data Security

We implement appropriate technical and organizational measures to protect your personal data in accordance with Art. 32 GDPR:

9.1 Technical Measures

Measure | Implementation | Purpose
Encryption in transit | TLS 1.2+ for all API communications | Protects data during transmission
Encryption at rest | AES-256 encryption (Firebase) | Protects stored data
Password security | Bcrypt hashing with salt (Firebase Auth) | Prevents password exposure
Authentication | Firebase Authentication with secure tokens | Verifies user identity
Session management | JWT tokens with expiration | Limits unauthorized access window
Input validation | Server-side validation of all inputs | Prevents injection attacks

9.2 Organizational Measures

Measure | Implementation | Purpose
Access control | Role-based access; principle of least privilege | Limits data exposure
Data processing agreements | Executed with Firebase/Google | Ensures processor compliance
Security reviews | Conducted before major releases | Identifies vulnerabilities
Incident response | Documented procedures for breach handling | Enables rapid response
Development practices | Secure coding guidelines followed | Prevents security flaws

9.3 Firebase Security Rules

We implement Firestore Security Rules that enforce:

  • User data isolation: Users can only read/write their own profile data
  • Activity access control: Activity details visible based on privacy settings
  • Chat privacy: Messages only accessible to activity participants
  • Photo access: Profile photos accessible only to authenticated users
  • Admin separation: No client-side admin access to other users’ data
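The five guarantees listed above, expressed as an illustrative Firestore Security Rules file. This is an example added here, not BuddyBuddy's own rule set: the collection names (users, activities, messages, user_blocks, graveyard_users) and the field names (isDiscoverable, isPublic, hostId, participantIds, senderId) are assumptions chosen to make the example concrete. Profile-photo access is governed by a separate Cloud Storage rule set and is not shown.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper predicates (illustrative names, not the project's own)
    function signedIn() {
      return request.auth != null;
    }
    function isSelf(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    function activityData(activityId) {
      return get(/databases/$(database)/documents/activities/$(activityId)).data;
    }
    function isParticipant(activityId) {
      return signedIn() && request.auth.uid in activityData(activityId).participantIds;
    }

    // User data isolation: only the owner may write a profile; other
    // signed-in users may read it only while it is marked discoverable
    // (assumed field: isDiscoverable). Deletion is server-side (cascade).
    match /users/{uid} {
      allow read: if isSelf(uid)
                  || (signedIn() && resource.data.isDiscoverable == true);
      allow create, update: if isSelf(uid);
      allow delete: if false;
    }

    // Activity access control: public activities are readable by any
    // signed-in user, private ones only by the host and participants
    // (assumed fields: isPublic, hostId, participantIds).
    match /activities/{activityId} {
      allow read: if signedIn()
                  && (resource.data.isPublic == true
                      || request.auth.uid == resource.data.hostId
                      || request.auth.uid in resource.data.participantIds);
      allow create: if signedIn()
                    && request.resource.data.hostId == request.auth.uid;
      allow update, delete: if signedIn()
                            && resource.data.hostId == request.auth.uid;

      // Chat privacy: messages are readable and writable by participants
      // only; the sender field must match the caller; clients may not edit
      // or delete (the 90-day trimming is a scheduled server-side job).
      match /messages/{messageId} {
        allow read: if isParticipant(activityId);
        allow create: if isParticipant(activityId)
                      && request.resource.data.senderId == request.auth.uid;
        allow update, delete: if false;
      }
    }

    // Admin separation: safety collections are never reachable from the
    // client SDK. Cloud Functions use the Admin SDK, which bypasses these
    // rules, so "deny all" here leaves server-side access intact.
    match /user_blocks/{docId} {
      allow read, write: if false;
    }
    match /graveyard_users/{docId} {
      allow read, write: if false;
    }

    // Anything not matched above is denied (Firestore's default),
    // stated explicitly for readability.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two practical points follow from this shape. Rules are evaluated per document, so a list query from another user against users must itself filter on isDiscoverable == true or Firestore rejects the whole query rather than silently dropping the non-discoverable rows. And the get() call inside isParticipant counts as a document read billed to the requester and is limited per request, so for high-volume chat reads a denormalised participant list on the conversation document is the usual trade-off.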

9.4 Data Access Matrix

Data Type | User (self) | Other Users | Us (Admin) | Firebase
Profile data | Full access | Read (if discoverable) | Read (support only) | Storage/processing
Photos | Full access | Read (if discoverable) | Read (support only) | Storage/processing
Messages | Read/write own | Read (if participant) | Read (legal/safety) | Storage/processing
Location | Full access | Approximate distance from activity location only (if Show Distance enabled) | Aggregated only | Processing
Activity interactions | Read own | None | Aggregated only | Storage/processing

9.5 Security Limitations

While we implement industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data or uninterrupted availability of the App or related services.

9.6 Data Breach Notification (Art. 33-34 GDPR)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notification to Supervisory Authority (within 72 hours where required by applicable law):

  • Report the breach to the competent data protection authority
  • Document the nature of the breach, categories of data affected, and remedial measures

Notification to You (without undue delay): If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via:

  • Email to the address associated with your account
  • In-app notification
  • Public communication if direct contact is not feasible

Your Responsibility: You should ensure your email address is current to receive breach notifications.


10. Children’s Privacy

The App is not intended for users under the age of 18. We do not knowingly collect personal data from children under 18 or permit users under 18 to create accounts. If we become aware that we have collected personal data from a child under 18, we will take steps to remove or delete that information promptly and may suspend or terminate the related account.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at legal@buddybuddy.ch so that we can investigate and take appropriate action.


10A. Safety

BuddyBuddy connects users for in-person activities. Your safety when meeting other users is your responsibility. We strongly recommend meeting in public places, informing friends or family of your plans, and reporting any suspicious behavior through the App.

For detailed safety information and disclaimers, see our Terms of Service, Section 6.


11. Automated Decision-Making (Art. 22 GDPR)

We use automated processing for the following purposes:

11.1 Activity Discovery and Ranking

  • Purpose: To show you relevant activities based on distance and timing
  • Logic: Activities are ranked based on proximity to your location and time until the activity
  • Factors used: Geographic distance, time until activity starts, activity status
  • Factors NOT used: We do not use profiling based on personal characteristics, behavior patterns, or inferred preferences
  • Impact: Determines the order of activities shown to you
  • Your rights: You can adjust distance and filtering preferences in Settings

11.2 AI-Assisted Activity Label Suggestion

  • Purpose: Help you categorize your activity faster when creating it
  • Data processed: Only the activity title and description you entered
  • Logic: The text is sent to Google’s Gemini API, which returns a suggested category label
  • Decision effect: The suggestion is non-binding. You can accept it, edit it, or replace it with any label of your own choice before publishing the activity. The final label is always determined by you.
  • Legal basis: Contract performance (providing the activity creation feature) and legitimate interest (user experience)
  • Your rights: You remain in full control of your activity’s label at all times.

11.3 AI-Assisted Content Moderation

  • Purpose: Detect potentially inappropriate, unsafe, or policy-violating activity content before it is published, to protect users of the platform
  • Data processed: Only the activity title and description
  • Logic: The text is sent to Google’s Gemini API, which returns a safety assessment
  • Decision effect: The AI does not make the final decision. When the AI flags content, the activity is temporarily withheld from publication and referred to a human moderator, who makes the final determination (approve or reject). This ensures meaningful human oversight of every moderation outcome.
  • Legal basis: Legitimate interest (platform safety and user protection)
  • Your rights: If your activity is blocked following human review, you will be informed of the outcome. You can contact legal@buddybuddy.ch to request an explanation or to contest the decision.

11.4 Assessment Under Art. 22 GDPR

Does our automated processing produce legal or similarly significant effects?

We have assessed our automated processing and determined that it does not produce legal effects or similarly significantly affect you because:

  • Activity discovery and ranking: Ranking only affects display order; all activities remain accessible and you can adjust all filters.
  • AI label suggestion: The output is a non-binding suggestion that you can freely edit or replace; the final decision is always yours.
  • AI content moderation: The AI only pre-screens content. A human moderator always makes the final decision before any activity is blocked, ensuring meaningful human review (as required by Art. 22(3) GDPR).
  • No profile-based exclusion: We do not exclude users from activities based on automated profiling.
  • User control: You can adjust all filtering parameters (distance, age range, time window) and view all available activities; the automated ranking does not gate access.
  • No economic impact: The App is free to use; automated processing does not affect pricing or access to paid features. Subscription tiers (Section 6.1) are not driven by profiling.
  • Manual alternative: You can always browse and search activities directly without relying on automated ranking.

11.5 Your Rights Regarding Automated Processing

Our automated processing does not produce legal or similarly significant effects as described in Art. 22 GDPR. Nonetheless, we support the following rights:

  • Right to explanation: You can contact us to understand how activity ranking works. We will explain the logic involved, the significance, and the envisaged consequences of such processing.
  • Right to human review: You can request human review of any automated decision affecting you. We commit to reviewing such requests within 14 days.
  • Right to contest: You can challenge any perceived unfair treatment in activity visibility. We will investigate and provide a reasoned response.
  • Right to opt-out: You can disable location-based ranking by denying location permissions (though this limits functionality).

If we introduce new automated features in the future, we will reassess their impact under Art. 22 GDPR and update this policy accordingly before deployment.

To exercise these rights, contact us at legal@buddybuddy.ch.

11.6 No Profiling for Marketing or Third Parties

We do not:

  • Create behavioral profiles for advertising purposes
  • Sell or share profiling data with third parties
  • Use automated decision-making for credit, employment, or similar significant decisions
  • Engage in predictive profiling about your behavior, preferences, or characteristics

12. Privacy Settings and Controls

You can control your privacy through the following in-app settings:

Setting | Description | Location
Show Age | Control whether your age is visible to others | Settings > Privacy
Show Distance | Control whether your approximate distance from an activity location is visible to activity hosts. When disabled, the distance label is hidden but you may still appear in proximity-based discovery (see Section 3.3). | Settings > Privacy
Profile Discovery | Control whether you appear in activity discovery | Settings > Privacy
Show Instagram | Control Instagram handle visibility | Settings > Privacy
Profile Activities | Your upcoming activities are visible to your buddies. Non-buddies may see them with a premium subscription. | N/A (cannot be disabled)
Push Notifications | Control notification preferences | Settings > Notifications
Location Permissions | Control location access | Device Settings

13. Local Data Storage

The App stores some data locally on your device using SharedPreferences:

  • Filter and preference settings
  • Cached activity data (for faster loading)
  • Last known location (for distance calculations)
  • Hidden/removed chat identifiers

This local data:

  • Remains on your device only
  • Is not transmitted to our servers
  • Can be cleared by uninstalling the App or clearing App data

13A. Website (buddybuddy.ch)

Our website at buddybuddy.ch is a primarily informational site. As of the Effective Date of this Privacy Policy, the website:

  • Does not use cookies (no session, analytics, or third-party cookies)
  • Does not use tracking pixels or web beacons
  • Does not use analytics services (no Google Analytics, no third-party tracking)
  • Does not collect personal data through the website itself, beyond what your browser routinely sends to any web server (e.g., your IP address and User-Agent), which our hosting provider may log for short-term security and operational purposes

Future changes: If we introduce cookies, analytics, marketing pixels, or other tracking technologies on our website, we will (a) update this Privacy Policy to describe what is set and why, and (b) before any non-essential cookie or tracking script is set, display a cookie / consent mechanism that complies with the ePrivacy Directive (Directive 2002/58/EC, as amended) for visitors in the EEA and with applicable Swiss law. You will be able to refuse non-essential cookies and continue using the website with the same access to information.


14. Push Notifications

We use Firebase Cloud Messaging (FCM) to send push notifications. You will receive notifications for:

  • New join requests on your activities
  • Accepted/declined join requests
  • New messages in your chats
  • Activity updates and reminders
  • When participants leave activities

You can control notifications:

  • In-App: Settings > Notifications
  • Device Level: Your device’s notification settings

We store your FCM token to deliver notifications. Invalid tokens are automatically removed.


14A. Transactional Emails

We send transactional and operational emails to your registered email address. These include:

  • Email-address verification codes and confirmations
  • Account-deletion verification codes and confirmations
  • Email-address-change verification codes
  • Security and login notifications (where applicable)
  • Important changes to this Privacy Policy or our Terms of Service

You cannot opt out of these emails while your account is active, because they are necessary to operate the App and to satisfy legal and security obligations. Legal basis: Contract performance (Art. 6(1)(b) GDPR) and, where applicable, legal obligation (Art. 6(1)(c) GDPR).

We do not send marketing or promotional emails. We do not sell, rent, or share your email address with third parties for their marketing, and we do not use your email content to build advertising profiles.

Transactional emails are delivered through Postmark (see Section 6.1), which processes the recipient email address, message content, and delivery metadata on our behalf under a Data Processing Agreement.


15. Photos and Media

15.1 Camera Access

  • The App requests access to your device camera to allow you to take photos directly within the App for your profile, for activity images, or for the optional on-device liveness verification flow
  • Camera access is requested only when you choose to take a photo or start verification (not upon installation)
  • You can grant or deny camera permission through your device settings at any time
  • For profile and activity photos, we do not record video, use facial recognition, or perform biometric identification
  • For liveness verification, an on-device anti-spoofing flow runs locally (Google ML Kit) using your camera. No image, video, or face data is uploaded or stored — only the result (passed yes/no, with a timestamp) is recorded. We do not generate a face template, perform facial recognition, or match faces across users. Liveness verification is optional; you can use the App with phone-only verification
  • Photos taken via the camera are processed identically to photos selected from your photo library (see below)

15.2 Profile Photos

  • Each user has exactly one profile photo at any given time
  • The photo may be taken with the camera or selected from your photo library
  • Uploading a new profile photo replaces the previous one; the previous image is deleted from Cloud Storage
  • Photos are compressed (max 1920x1920 pixels, 85% quality)
  • Photos are stored in Firebase Cloud Storage
  • Photos are visible to all authenticated users (unless you disable profile discovery)

15.3 Activity Photos

  • One photo per activity
  • Same compression settings as profile photos
  • Visible to all users who can view the activity

15.4 Photo Deletion

  • You can delete your photos at any time
  • Deleted photos are removed from Cloud Storage
  • Cached versions may persist temporarily on other users’ devices

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy in the App
  • Updating the “Last Updated” date
  • Sending you a notification (for significant changes)

We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes constitutes acceptance of the updated Privacy Policy.


17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: legal@buddybuddy.ch
Website: https://buddybuddy.ch

We aim to respond to all inquiries within 30 days.


18. Jurisdiction-Specific Provisions

18.1 Operating Jurisdictions

BuddyBuddy is operated from Switzerland and offers its services to users in Switzerland and the European Economic Area (EEA).

18.2 European Economic Area (EEA)

For users located in the EEA, this Privacy Policy is intended to comply with the EU General Data Protection Regulation (GDPR). The references to GDPR articles throughout this policy describe how we handle your personal data. You may exercise the rights described in Section 8 (including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent) by contacting legal@buddybuddy.ch.

Supervisory authority: EEA users may lodge a complaint with the data protection authority of their country of residence. A list of EU/EEA authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

18.3 Switzerland

For users in Switzerland, this Privacy Policy complies with the Swiss Federal Act on Data Protection (FADP/nDSG) and its implementing ordinances. The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).

Additional rights under Swiss law:

  • Right to information about data processing
  • Right to data portability
  • Right to object to automated individual decision-making

Where this policy refers to GDPR legal bases, the equivalent bases under Swiss law apply:

  • Contract performance → Contract performance
  • Consent → Consent
  • Legitimate interests → Overriding private or public interests
  • Legal obligation → Legal obligation

19. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.)
  • Data Controller: The entity that determines the purposes and means of processing personal data
  • Data Processor: An entity that processes personal data on behalf of the controller
  • Consent: Freely given, specific, informed, and unambiguous indication of agreement to data processing
  • GDPR: General Data Protection Regulation (EU) 2016/679
  • FADP/nDSG: Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz)

20. Data Protection Compliance Documentation

20.1 Our Compliance Measures

We maintain appropriate documentation and measures to demonstrate compliance with applicable data protection laws, including records of processing activities, data processing agreements with our service providers, and technical and organizational security measures.

20.2 Data Protection by Design and Default (Art. 25 GDPR)

We implement privacy by design principles:

  • Data minimization: We only collect necessary data
  • Purpose limitation: Data used only for stated purposes
  • Storage limitation: Data retained only as long as necessary
  • Privacy settings default to most protective options where appropriate
  • Regular privacy reviews of new features

20.3 International Transfer Mechanisms

For transfers outside the EEA/Switzerland:

  • Primary mechanism: Standard Contractual Clauses (SCCs) - 2021 EU Commission version
  • Supplementary measures: Encryption, access controls, contractual commitments
  • Transfer Impact Assessments: Conducted for each third-country transfer

21. Acknowledgment

This Privacy Policy is a notice describing our data practices. It is not itself a consent form, and acceptance of this policy is not a substitute for any specific consent we ask of you.

By using BuddyBuddy, you acknowledge that you have been informed of:

  • What personal data we collect and the purposes for which we process it (Section 3)
  • The legal bases on which we rely for each processing activity (Section 5)
  • The third-party processors involved and how international transfers are safeguarded (Section 6)
  • How long we retain your data (Section 7)
  • Your rights under GDPR and Swiss FADP and how to exercise them (Section 8)

Where a specific processing activity requires your consent (for example, precise location, push notifications, the optional Instagram handle, or the optional liveness verification flow), we obtain that consent through separate, granular in-app prompts at the time the processing begins. You can withdraw any such consent at any time through Settings or by contacting legal@buddybuddy.ch. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.


22. Severability and Survival

22.1 Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity shall not affect the validity of the remaining provisions, which shall remain in full force and effect.

22.2 Survival

The following sections shall survive termination of your account or this Privacy Policy: Section 7 (Data Retention), Section 21 (Acknowledgment), and this Section 22.


BuddyBuddy
Connecting people through shared activities

© 2024 BuddyBuddy. All rights reserved.


This Privacy Policy was last reviewed on May 4, 2026.