Privacy Policy
Version 1.2 • Last updated: June 24, 2026
At INJA ("we," "us," or "our"), we are committed to protecting your privacy and ensuring you have control over your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our mobile application, website, and related services.
INJA is operated from the European Union. We design our privacy program around the General Data Protection Regulation (GDPR), app store privacy requirements, and other applicable data protection laws.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address, username, display name, and password when you register.
- Age Verification: Date of birth or age-confirmation information used to enforce our minimum-age requirement.
- Profile Information: Profile picture (optional), home city, and preferences.
- User Content: Text posts, photos, videos, captions, reports, reactions, and other content you share in sessions, Gatherings, stories, or community features.
- Gathering Details: Information you provide when organizing an event, such as title, description, time, and specific location.
- City Pulse Information: Planning preferences, saved plans, feedback, and activity context you choose to use with City Pulse.
- Communications: Messages sent through Vibe Connect, support requests, and feedback.
1.2 Information Collected Automatically
- Location Data: Your precise location (with your permission) to enable proximity-based features like joining vibe sessions within 200m of a location.
- Device Information: Device type, operating system, app version, push notification tokens, and other technical identifiers needed to operate the Service. Advertising identifiers are not used in the current release because ads are disabled.
- Usage Data: How you interact with the app, features used, and session activity.
- Diagnostics: Crash reports, error logs, performance data, and security events.
1.3 Information from Third Parties
- Authentication Providers: If you sign in with Google or Apple, we receive your name and email from those services.
- Location Services: We use Mapbox for maps, which may collect anonymized usage data.
- Discovery Sources: We display public news, events, maps, and place data from third-party sources. Opening third-party links may subject you to their own policies.
2. How We Use Your Information
We use your information to:
- Provide Core Features: Enable vibe sessions, proximity checks, and real-time sharing.
- Facilitate Real-World Meetups: Enable the creation, discovery, and management of Gatherings and other community events.
- Personalize Experience: Show relevant content, news, and events based on your location and city.
- Power AI Features: Generate City Pulse plans, source-backed summaries, moderation support, translations, and landmark identifications using AI providers such as Google Gemini or Groq where configured. Some INJA features use AI systems, and AI output may be incomplete or inaccurate.
- Enable Social Features: Vibe Connect messaging, leaderboards, and badges.
- Improve the App: Analyze usage patterns to fix bugs and develop new features.
- Communicate: Send important updates, respond to support requests, and (with permission) notify you about nearby activity.
- Ensure Safety: Detect and prevent fraud, abuse, and violations of our terms.
3. How We Share Your Information
We do not sell your personal data. We share information only in these limited circumstances:
- With Other Users: Your posts in vibe sessions are visible to other participants. Your username and profile picture may be visible depending on your privacy settings.
- Service Providers: We use trusted third-party processors and service providers:
- Supabase: Database and authentication | EU-hosted (Frankfurt) | Privacy Policy
- Cloudflare R2: Media storage, backup storage, and delivery | Privacy Policy | DPA
- Mapbox: Maps and location services | Privacy Policy
- OpenStreetMap: Map data used for points of interest | we use OpenStreetMap data (© OpenStreetMap contributors) available under the Open Database License (ODbL).
- Google Cloud (Gemini AI): AI-powered features | Privacy Policy | DPA
- Groq: Optional AI provider for selected AI features where configured | Privacy Policy
- Sentry: Error tracking and app stability | Privacy Policy | DPA
- Expo: Push notifications and app updates | Privacy Policy
- Advertising and subscriptions: Ads, personalized advertising, and paid subscriptions are not enabled in the current release. If we enable them later, we will update this Privacy Policy and the app store privacy disclosures before launch.
We maintain processor agreements or equivalent data protection terms where required. International data transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful safeguards where applicable.
- Legal Requirements: If required by law, court order, or to protect our rights and safety.
4. Anonymized Data & Business Intelligence
We may create anonymized or aggregated datasets about city activity, product usage, and social trends. These datasets are designed not to identify individual users and are not used to make decisions about you.
We do not sell personal data. If we share aggregate insights with partners, venue owners, city planners, researchers, or similar recipients, we do so only in aggregated or de-identified form. You can opt out of analytics-based product insights by turning off analytics consent in Settings -> Privacy.
5. Location Data
Location is central to INJA's functionality, but we handle it with care:
- Proximity and City Context: We use your location to show nearby content, support city-scoped discovery, and check whether you are close enough to join location-based features. We do not continuously track your movements in the background.
- No Selling: Your location data is never sold to advertisers or third parties.
- Control: You can disable location access at any time in your device settings. Some features will be limited.
- Limited Storage: We store only the location data needed for features you use, such as session, post, story, Gathering, or City Pulse records.
6. Your Privacy Controls
INJA gives you control over your privacy:
- Anonymous Mode: Post without revealing your identity. Others see "Anonymous Vibe" instead of your name.
- Profile Preview: Choose whether others can view your profile when they tap your name.
- Vibe Connect: Disable waves and private messages if you prefer not to be contacted.
- Notifications: Control which notifications you receive.
- City Pulse Memory: Control City Pulse preferences and learned signals.
- Data Export: Request a portable copy of your INJA account, content, settings, and activity data. Verified GDPR access requests for records outside the in-app export can be sent to [email protected].
- Account Deletion: Delete your account and personal profile data at any time. Some public or community content may remain in anonymized form where needed for safety, integrity, or community context, and limited compliance records may be retained. If you cannot access the app, use our public account and data deletion page.
7. Data Retention
GDPR Principle: We only keep your personal data for as long as necessary (Art. 5(1)(e)).
Retention Periods
| Data Type | Retention Period | Why We Keep It |
|---|---|---|
| Your account | While your account is active | To provide the service |
| Inactive accounts | 2 years after your last login, once inactive-account cleanup is enabled | Allow you to return |
| Analytics data | 90 days | Service improvement |
| Session history | 1 year after session ends | Historical discovery |
| Gatherings | Until completed or cancelled, plus a short grace period unless retained for safety or compliance | Coordination, safety, and compliance |
| Your posts, photos, and videos | 1 year after session ends | Community value |
| Deletion audit logs | 3 years | Compliance, accountability |
| Consent records | 3 years | GDPR proof |
Automatic Deletion
We run automated cleanup jobs daily for configured retention policies:
- Analytics events older than 90 days are automatically deleted
- Soft-deleted accounts are anonymized and blocked from reactivation
- Old session deletion and inactive-account deletion are configuration-gated retention actions
- User media in Cloudflare R2 is deleted when the matching live database content is removed
- Encrypted database backups expire through backup retention; if a backup is restored, deletion and anonymization cleanup must run again before restored data becomes production-active
Inactive Account Policy
Inactive-account deletion is enabled only after the warning and review workflow is configured. Before deleting inactive accounts, we'll:
- Send an email warning 30 days before deletion
- Give you a chance to log in and keep your account
- Delete the inactive account if no action is taken
You can always delete your account manually in Settings → Privacy & Data → Delete Account.
8. Your Rights (GDPR)
As a European user, you have the following rights:
- Right to Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data ("right to be forgotten").
- Right to Restrict Processing: Limit how we use your data.
- Right to Data Portability: Receive your data in a portable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing.
To exercise these rights, contact us at [email protected]. Account deletion instructions are also available at https://inja.app/account-deletion.html.
9. Data Security
We implement industry-standard security measures:
- Encryption in transit (TLS/SSL) and at rest where supported by our processors
- Secure authentication with bcrypt password hashing
- Regular security reviews and dependency updates
- Limited operational access to personal data
- EU-based data storage where available and appropriate safeguards for international transfers
10. Cookies and Tracking
The INJA mobile app does not use browser cookies. Our website uses an essential consent cookie to remember your cookie choice. We do not load website analytics unless you choose "Accept All" in the cookie banner, and we do not use website advertising cookies.
11. Children's Privacy
INJA is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.
12. International Data Transfers
Your core database data is hosted in the European Union. Some processors, including media delivery, AI, maps, diagnostics, push notifications, and backup infrastructure, may process data outside the EU. Where this happens, we use appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, processor data protection terms, and technical access controls.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or email. The "Last updated" date at the top indicates when the policy was last revised.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
- Email: [email protected]
- Address: Hossein Shirali & Mahshid Mohammad Zadeh, Durmersheimer Str. 84, 76185 Karlsruhe, Germany
For GDPR-related inquiries or to exercise your data rights, please email [email protected] with the subject line "GDPR Request."