Privacy Policy
Updated May 17, 2026.
What this is
This document names the data our.app collects, what we do with it, who we share it with, and what we don't do. It applies to our.app (mobile and web) and the services we use to run our.app (named below).
If you'd rather skim: we collect what's needed to run the app, we share with the services that make it work, we don't sell to anyone, we don't have advertisers, and we delete your data when you ask.
What we collect
Account — Your email (from Apple or Google when you sign in), a display name you choose, and an optional profile photo.
Location — A city-level region string for Discover's proximity sort. Precise location only if you explicitly opt in for a "near me" feature; we have none in Phase 1.
Content you create — Posts, messages, profiles, RSVPs, follows, reactions, redemption history, your voice profile prompts, and any AI-drafted content you save.
Financial — Stripe processes payments and holds your card details directly; we never see your card number. We store metadata about your payment method (brand, last 4, expiration) and your Common ledger balance.
Engagement — What you follow, what you've read, what threads you've been part of, what events you've RSVP'd to.
Diagnostics — Crash reports, performance metrics, edge-function error logs. No personal content in these — just the technical signal we need to fix bugs.
Communications — If you email reports@ or privacy@, we keep the message in our support inbox. If you opt into push notifications, we hold the device push token Apple or Google issues; we never see the contents of unrelated notifications.
What we do with your data
Run the service — What you create powers what you see — your posts to your feed, your follows to Discover, your Common balance to the wallet.
AI features — When the AI helps you draft a post, distill a voice profile, or suggest a reply, we send your prompt to Anthropic with relevant context. Anthropic returns a response; the API tier we use contractually prohibits training on prompts. Embeddings (similarity search) go through OpenAI on the same training-prohibition tier.
Moderation — Posts and messages run through an automated moderation pass (OpenAI Moderation API) before they're visible to others. If something is flagged or reported, the founder (eventually an ops team) reads it manually within the SLA published in the AUP.
Verification — Before a business is marked Verified, we review the claim using the information they provide and public records. During Phase 1 this review is manual and founder-led.
Communicate with you — Transactional emails (claim approvals, billing receipts, account-action confirmations) and push notifications for categories you opt into (DMs, pickup ready, payments, RSVPs).
Aggregate analytics — We look at the shape of usage (coefficients of organic spread, daily active counts) at the aggregate level. Nothing personal leaves the system for this.
Legal compliance — We respond to lawful government requests. The AUP names our platform posture.
Who we share with
Each of these helps us run our.app. Each has its own privacy policy.
We share with government agencies if compelled by valid legal process. We tell you if we're allowed to.
What we don't do
We don't sell your data — Not to advertisers, not to data brokers, not to anyone. This is a hard rule for us.
We don't have advertisers — our.app has no advertising surface. Your data is not a product we sell.
We don't use your private messages to train AI — Voice profile prompts and saved AI drafts are stored to improve the AI features for the user who created them. They're never used to train models for general use.
We don't read your private DMs — Messages between you and a business pass through the automated moderation pass on send. The founder doesn't open private threads unless they're reported — and the recipient is the only person who can trigger that review.
We don't use cookies for tracking — The our.app website uses a minimal authentication cookie; the mobile app uses local auth tokens. Neither feeds ad targeting (we have no ads).
Your rights
You can:
See your data — Email privacy@our.app; we send a JSON archive of everything tied to your account within 30 days.
Correct something wrong — Email privacy@ with what's incorrect; we update it.
Delete your account — Open Settings → Delete my account. This deletes your identity, profile, posts, messages, threads, RSVPs, follows, payment methods, and Common balance. We'll show you the balance before you confirm — Common you forfeit on deletion is not recoverable. Audit logs reference your user ID for a period after deletion for legal compliance; that data is not searchable by your identity once deletion completes.
Take your data elsewhere — The export above is a portable JSON file.
Object to processing — Notification opt-outs live in Settings; broader objections (to aggregate analytics, to AI processing of your content) — email privacy@.
Complain to a regulator — EU residents can lodge a complaint with their national data-protection authority. California residents have CCPA rights; we honor those for everyone, regardless of where you live.
EU customers who want a Data Processing Addendum for a business relationship with our.app — email privacy@.
Children
our.app is for ages 13 and up (16 in some EU jurisdictions). We don't knowingly let minors below those ages create accounts. If you believe we have data from a minor, email privacy@ and we'll delete it.
How long we keep things
Account data — Deleted within 30 days of your deletion request.
Posts and messages — Kept for the life of your account; deleted with the account.
Threads — The conversation between you and a business persists; deleting your account redacts your side. The business keeps their side because they wrote it.
AI drafts and voice profile prompts — Kept while your account is active; deleted with the account.
Function error logs — 90 days.
Audit logs (moderation, admin actions) — 7 years for legal compliance. These reference user IDs that no longer resolve once an account is deleted.
Stripe data — Per Stripe's retention policy (currently 7 years for financial records).
Security
Standard practices: HTTPS for everything in transit, encryption at rest on managed Supabase storage, row-level security on every database table, secrets in environment variables (not in code), service-role credentials handled narrowly, least privilege for every internal access.
We don't claim to be unhackable. We do claim to take security seriously and to notify you within 72 hours if a breach affects your data.
Cross-border data
our.app is US-based. Your data lives in US-region Supabase storage. EU users: we transfer data under the Standard Contractual Clauses; a Data Processing Addendum is available on request.
Updates
We change this when something changes. Every update is announced in the in-app About screen and stays in the changelog at /privacy/changelog. If a change materially affects what we do with your data (new subprocessor, expanded use of existing data), you'll see a transactional push notification before it takes effect.
Contact
For privacy questions, data access requests, deletion requests, or corrections, email us. We respond within 30 days; during Phase 1 the founder reads every email personally.
privacy@our.app