Privacy Policy

1. Introduction

This Privacy Policy explains how LOKAL (“we,” “us,” “our”) collects, uses, shares, and protects information when you use our mobile application and related services (the “Service”). By using the Service, you agree to the practices described in this policy.

We are committed to protecting your privacy and being transparent about our data practices. This policy is designed to comply with the Apple App Store Review Guidelines, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Canadian privacy legislation including PIPEDA.

2. Information We Collect

A. Information You Provide

• Phone number — to create and secure your account, including receiving SMS verification codes.
• Profile information — name, username, bio, profile photos, date of birth, gender, and preferences you choose to add.
• Interests — topics and categories you select during onboarding or in settings to personalize your experience.
• Content you create — posts (photos and captions), stories, chat messages, comments, reactions, and activity participation details.
• Activity information — details of activities or events you create, including title, description, location, date, time, and age restrictions.
• Recovery email — an optional email address you provide for account recovery purposes.
• Support and feedback — information you provide when contacting us or reporting issues.

B. Information We Collect Automatically

• Device information — device model, operating system version, app version, language, and time zone.
• Network information — IP address and connection type, used for security monitoring and abuse prevention.
• Usage data — features used, screens viewed, interactions (such as taps, joins, and invites), and performance logs.
• Push notification tokens — if you enable notifications, we collect device tokens to deliver push notifications through the Expo Push Notification Service, which relays to Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM).
• Timestamps — when you create content, send messages, update your profile, or interact with the Service.

C. Information You May Choose to Provide

• Location data — if you grant location permission, we collect precise GPS coordinates to support local discovery, activity creation, nearby user suggestions, activity check-ins, and distance calculations. You can revoke location permission at any time in your device settings.
• Contacts — if you explicitly grant contacts access, we read phone numbers from your device contacts and hash them locally on your device using SHA-256. Only the hashed values are sent to our servers to help you find friends who already use the Service. We do not store your raw contact names or phone numbers on our servers.
• Camera and photo library — if you grant camera or photo library access, we use it to allow you to take and share photos for posts, stories, and your profile. Photos are uploaded to our cloud storage provider.

3. How We Use Information

We use the information we collect to:

• Create and manage accounts — including phone number verification, authentication, and session management.
• Provide core features — messaging, content sharing, activities and events, local discovery, and friend connections.
• Personalize your experience — including match suggestions and people recommendations based on your interests, activity, preferences, location, and interactions.
• Deliver notifications — service communications, security alerts, chat messages, activity reminders, and updates.
• Ensure safety and prevent abuse — processing reports and blocks, enforcing community rules, detecting spam, and performing content moderation.
• Verify identity — analyzing profile photos to confirm they contain a real human face and are appropriate for the platform.
• Improve the Service — debugging, monitoring performance, and developing new features.
• Comply with legal obligations — responding to lawful requests and protecting our legal rights.

4. How Information Is Shared

With Other Users

When you use the Service, certain information is visible to other users based on your choices and settings:

• Your profile information (name, username, profile photo, bio, and age).
• Posts and stories you share publicly.
• Activities you create or join (including your participation status).
• Messages you send to other users in chats.
• Your online status (if enabled in your settings).
• Your approximate location may be used to show distance to other users in discovery features.

With Service Providers

We share information with third-party service providers who help us operate the Service. These providers process data only on our instructions and for the purposes described below:

• Twilio — SMS delivery for phone number verification. Receives your phone number.
• Cloudinary — Cloud storage and image/video processing for user-uploaded photos and media.
• OpenAI — AI processing for profile photo verification, content moderation, and matchmaker features. Receives image URLs and text content for analysis. OpenAI does not use this data for training.
• Expo / APNs / FCM — Push notification delivery. Receives device tokens and notification content.
• Tenor (Google) — GIF search functionality. Search queries are forwarded to Tenor's API.

For Safety and Legal Reasons

We may share information if required by law, to protect users, to investigate abuse, or to respond to lawful requests from authorities.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, where permitted by law. We will notify you of any such change.

5. User Generated Content

Content you create and share on the Service — including posts, stories, photos, captions, and activity details — may be visible to other users. You retain ownership of the content you create. By sharing content on the Service, you grant us a license to host, store, reproduce, and display your content solely to operate and provide the Service, including sharing it with other users as you direct.

Posts contain two photos: a selfie and a scene photo. Both photos are uploaded and stored together. Public posts are visible to other users on the Service.

6. Communications and Messaging

The Service provides messaging features with configurable retention settings:

• Saved messages — retained until you or the recipient deletes them.
• 24-hour messages — automatically deleted after 24 hours, unless individually saved by a participant.
• Instant messages — designed to disappear after viewing, filtered from view based on client-side timestamps.

Message content may be analyzed for safety purposes. Initial message requests between users are checked using automated text moderation to detect harmful content before delivery. Limited backups of messages may exist for a short period for reliability and security purposes.

7. Location Information

If you grant location permission, we collect precise GPS coordinates. We use location for:

• Discovering nearby users and activities.
• Calculating and displaying distances to activities and other users.
• Enabling activity check-in verification.
• Creating location-based activities.
• Personalizing discovery and match suggestions.

Your location coordinates are stored on our servers along with a timestamp of the last update. Location is updated when you use discovery or activity features. You can revoke location permission at any time through your device settings, which will limit access to location-dependent features.

Certain features such as people discovery require location. If location permission is not granted, these features may be unavailable or limited.

8. AI and Automated Processing

The Service uses artificial intelligence and automated systems in the following ways:

Profile Photo Verification

When you upload a profile photo, it is analyzed using AI (OpenAI GPT-4o) to verify that it contains a real human face, is appropriate, and meets our community standards. The analysis checks for the presence of a face, image quality, and content appropriateness. We do not use facial recognition to identify individuals.

Content Moderation

Posts and message requests may be analyzed using AI for NSFW content detection and text moderation to maintain a safe community environment.

Matchmaker

The Service may recommend people through a matchmaker feature that uses AI-assisted ranking. The matchmaker processes your profile information (interests, preferences), in-app interactions (joins, chats, activity participation), and engagement signals to suggest compatible users. Your answers to matchmaker questions are processed by AI to extract personality traits. Raw answer text is not stored — only a cryptographic hash (HMAC) and extracted trait data are retained. We do not sell your personal information. We do not use sensitive personal data to target advertisements.

Age-Based Filtering

Discovery and suggestion features automatically filter results based on age, limiting recommendations to users within approximately 10 years of your age for safety purposes.

9. Data Retention

We retain your information for as long as your account is active and as needed to provide the Service. Specific retention practices include:

• Account data — retained while your account is active. If you request deletion, your account is hidden immediately and permanently deleted after 30 days.
• Messages — retention depends on the chat's delete mode setting (saved, 24-hour, or instant). Saved messages persist until manually deleted. Time-limited messages are automatically deleted after their expiry window.
• Posts and stories — retained while your account is active. Deleted when you delete them or when your account is permanently deleted.
• Location data — the most recent coordinates and timestamp are stored while your account is active. Cleared upon account deletion.
• Matchmaker data — trait data and hashed answers are retained while the feature is active. Raw text answers are never stored.
• Authentication tokens — session tokens are invalidated upon logout or account deletion.

10. Security

We use reasonable safeguards to protect your data, including:

• JWT-based session authentication with token expiration.
• Phone number hashing for contact matching (SHA-256).
• Rate limiting on authentication and sensitive endpoints.
• Input validation and sanitization on all API endpoints.
• Request origin verification and CORS protection.
• HMAC hashing for matchmaker text answers to prevent raw text storage.
• Security middleware for suspicious request detection.

No system is 100% secure, and we cannot guarantee absolute security. If you become aware of a security issue, please contact us immediately.

11. User Rights and Controls

You have the following rights and controls over your information:

• Access and update — you can view and edit your profile information, interests, and preferences at any time through the app.
• Account deletion — you can request deletion of your account through the in-app “Delete Account” option in Settings. Your profile will be hidden immediately. After 30 days, your account and associated data (posts, stories, messages, activities, follows, blocks, notifications, and sessions) are permanently deleted. If you log back in within 30 days, your account will be reactivated and the deletion cancelled.
• Account deactivation — you can temporarily deactivate your account to hide your profile from other users without permanent deletion.
• Block users — you can block other users to prevent them from contacting you or seeing your content.
• Report users and content — you can report users or content that violates our community guidelines.
• Privacy settings — you can control your online status visibility and discovery preferences (when available).
• Notification controls — you can disable push notifications through your device settings.
• Location controls — you can revoke location permission through your device settings at any time.
• Contacts access — you can revoke contacts access through your device settings at any time.

For GDPR/EEA residents: You have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to withdraw consent. To exercise these rights, contact us at the email address below.

For California residents (CCPA): You have the right to know what personal information we collect and how it is used, the right to request deletion, and the right to non-discrimination for exercising your rights. We do not sell your personal information. To exercise these rights, contact us at the email address below.

For Canadian residents (PIPEDA): You have the right to access your personal information, challenge its accuracy, and withdraw consent for its collection, use, or disclosure. To exercise these rights, contact us at the email address below.

12. Children's Privacy

The Service is not intended for children under the age of 13 (or the minimum age required in your jurisdiction). We verify age during account creation and do not knowingly collect information from children under 13. If you believe a child under 13 has provided personal information to us, please contact us immediately and we will take steps to remove the information.

13. International Data Transfers

Your information may be processed and stored in countries other than where you reside, including the United States and Canada. Our servers and third-party service providers may operate in different jurisdictions. We take steps designed to ensure that your data receives an adequate level of protection consistent with this policy, regardless of where it is processed.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the app or by other reasonable means before the changes take effect. Your continued use of the Service after such notice constitutes acceptance of the updated policy.

15. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: support@lokalapp.com