Privacy Policy
This policy applies to the Homeboy mobile app and the homeboys.app website. It is published in English; a Traditional Chinese translation is available on request.
1. What we collect
We collect only what we need to make activity discovery and group coordination work.
| Category | Data | Why | Stored |
|---|---|---|---|
| Account | Email/phone, hashed password, signup time | Authenticate you | Supabase Auth |
| Profile | Display name, bio, optional avatar/selfie, DOB, district, language | Show you to other members of joined activities | Supabase Postgres |
| Verification | Selfie image (encrypted), phone number, push token | Confirm real person; prevent abuse | Supabase Storage + Postgres |
| Location | Approximate coordinates (rounded ~100m) | Show activities near you | Supabase PostGIS |
| Activity | Activities you create, join, swipe, check in to | Matching + chat | Supabase Postgres |
| Chat | Group + direct messages, timestamps | Deliver chat | Supabase Postgres |
| Reports | Reports you submit | Moderation | Supabase Postgres |
| Diagnostic | Crash reports, app/OS version | Fix bugs | Expo (no PII) |
We do not collect: contacts, calendar, browsing history, advertising IDs, microphone audio (camera is used only for the selfie), or biometric data beyond the single verification selfie.
2. How we use it
- To run the service: show nearby activities, deliver chat messages, send push notifications.
- To moderate: automated screening of every chat message; manual review of user reports.
- To verify identity: the selfie is compared automatically and is not retained longer than 90 days after approval.
- To improve: anonymous, aggregated usage stats. No individual-level analytics.
We do not use your data for advertising, do not sell it to data brokers, and do not allow third-party trackers.
3. What we share
- Other users you've co-attended activities with: display name, avatar, selfie-verified badge, visible inside groups you've joined.
- Service providers: Supabase (database + auth), Expo (push), Apple/Google (push delivery), Twilio or equivalent (SMS verification), OpenAI (content moderation — message text only, no identity data).
- Law enforcement only when required by valid legal process in Taiwan or the operating jurisdiction.
We do not share data with advertisers or analytics brokers.
4. Your controls
In the app: edit any profile field; delete your account from Profile → Settings (purges all data within 30 days); toggle push notifications via system settings; switch language between English and 繁體中文.
By email (peng@homeboys.app): request a copy of your data; request immediate deletion (within 7 days); request correction of inaccurate data; withdraw consent for non-essential processing.
5. Retention
| Data | Retention |
|---|---|
| Account record | Active + 30 days after deletion |
| Verification selfie | 90 days after approval, then deleted |
| Chat messages | While group exists; max 12 months |
| Reports | 24 months (repeat-offender detection) |
| Crash logs | 30 days |
6. Children
This app is for ages 17+. We do not knowingly collect data from anyone under 17 and will delete it immediately if discovered.
7. International transfers
Data is stored on Supabase infrastructure (currently AWS, region: ap-northeast-1, Tokyo). If you sign up from outside Taiwan, your data is transferred there with appropriate safeguards (Standard Contractual Clauses where applicable).
8. Security
- All data in transit is encrypted (TLS 1.3)
- Database connections use TLS
- Auth tokens stored in iOS Keychain / Android Keystore on device
- Passwords stored as bcrypt hashes (never plaintext)
- Row Level Security on every database table
- Selfie images stored with owner-scoped access only
If we suffer a breach affecting your data, we will notify you within 72 hours by email or in-app notice.
9. Changes
If we materially change this policy, we will notify you in-app at least 14 days before the change takes effect.
10. Contact
Questions, complaints, or data requests: peng@homeboys.app. For Taiwan residents: you may also contact the Personal Data Protection Commission.