Privacy Policy

Version 1.0 • Last updated: January 1, 2026

At INJA ("we," "us," or "our"), we are committed to protecting your privacy and ensuring you have control over your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our mobile application and services.

INJA is operated from the European Union and is fully compliant with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Email address, username, display name, and password when you register.
  • Profile Information: Profile picture (optional), home city, and preferences.
  • User Content: Text posts, photos, and other content you share in vibe sessions.
  • Vibe Out Details: Information you provide when organizing an event, such as title, description, time, and specific location.
  • Communications: Messages sent through Vibe Connect, support requests, and feedback.

1.2 Information Collected Automatically

  • Location Data: Your precise location (with your permission) to enable proximity-based features like joining vibe sessions within 200m of a location.
  • Device Information: Device type, operating system, unique device identifiers, and app version.
  • Usage Data: How you interact with the app, features used, and session activity.

1.3 Information from Third Parties

  • Authentication Providers: If you sign in with Google or Apple, we receive your name and email from those services.
  • Location Services: We use Mapbox for maps, which may collect anonymized usage data.

2. How We Use Your Information

We use your information to:

  • Provide Core Features: Enable vibe sessions, proximity checks, and real-time sharing.
  • Facilitate Real-World Meetups: Enable the creation, discovery, and management of Vibe Outs (community pop-up events).
  • Personalize Experience: Show relevant content, news, and events based on your location and city.
  • Power AI Features: Generate session summaries and landmark identifications using Google Gemini.
  • Enable Social Features: Vibe Connect messaging, leaderboards, and badges.
  • Improve the App: Analyze usage patterns to fix bugs and develop new features.
  • Communicate: Send important updates, respond to support requests, and (with permission) notify you about nearby activity.
  • Ensure Safety: Detect and prevent fraud, abuse, and violations of our terms.

3. How We Share Your Information

We do not sell your personal data. We share information only in these limited circumstances:

  • With Other Users: Your posts in vibe sessions are visible to other participants. Your username and profile picture may be visible depending on your privacy settings.
  • Service Providers: We use trusted third-party processors who have executed Data Processing Agreements (DPAs) with us:
    • Supabase: Database and authentication | EU-hosted (Frankfurt) | Privacy Policy
    • Cloudflare R2: Image storage and optimization | EU Data Centers | Privacy Policy | DPA
    • Mapbox: Maps and location services | Privacy Policy
    • OpenStreetMap: Map data used for points of interest | we use OpenStreetMap data (© OpenStreetMap contributors) available under the Open Database License (ODbL).
    • Google Cloud (Gemini AI): AI-powered features | Privacy Policy | DPA
    • Cloudflare: Media storage and delivery (R2) | Privacy Policy | DPA
    • Sentry: Error tracking and app stability | Privacy Policy | DPA
    • Expo: Push notifications and app updates | Privacy Policy
    • Google AdMob: Advertising | We may share device identifiers (e.g., Advertising ID) with Google to deliver personalized ads. You can opt out via your device's privacy settings or the App Tracking Transparency prompt. | Advertising Policy

    All processors have executed Data Processing Agreements (DPAs). International data transfers are protected by Standard Contractual Clauses (SCCs) approved by the EU Commission.

  • Legal Requirements: If required by law, court order, or to protect our rights and safety.

4. Anonymized Data & Business Intelligence

We create anonymized, aggregated datasets about city activity and social trends. These datasets do not contain any personal information that identifies you and cannot be traced back to individual users.

We may license or sell these anonymized datasets to businesses (e.g., venue owners, city planners, market researchers) or academic researchers. You can opt out of having your data included in these anonymized datasets by toggling "Include my data in city insights" in Settings → Privacy.

5. Location Data

Location is central to INJA's functionality, but we handle it with care:

  • Proximity Only: We use your location to check if you're within range of a vibe session (200m to join, 1km to view). We do not continuously track your movements.
  • No Selling: Your location data is never sold to advertisers or third parties.
  • Control: You can disable location access at any time in your device settings. Some features will be limited.
  • Temporary Storage: Location data used for proximity checks is not permanently stored.

6. Your Privacy Controls

INJA gives you control over your privacy:

  • Anonymous Mode: Post without revealing your identity. Others see "Anonymous Vibe" instead of your name.
  • Profile Preview: Choose whether others can view your profile when they tap your name.
  • Vibe Connect: Disable waves and private messages if you prefer not to be contacted.
  • Notifications: Control which notifications you receive.
  • Data Export: Request a copy of all your data.
  • Account Deletion: Permanently delete your account and all associated data at any time.

7. Data Retention

GDPR Principle: We only keep your personal data for as long as necessary (Art. 5(1)(e)).

Retention Periods

Data Type Retention Period Why We Keep It
Your account While your account is active To provide the service
Inactive accounts 2 years after your last login Allow you to return
Analytics data 90 days Service improvement
Session history 1 year after session ends Historical discovery
Vibe Out events 1 year after event ends History and safety
Your posts and photos 1 year after session ends Community value
Deletion audit logs 3 years Compliance, accountability
Consent records 3 years GDPR proof

Automatic Deletion

We run automated cleanup jobs daily to delete data that has exceeded its retention period:

  • Analytics events older than 90 days are automatically deleted
  • Sessions that ended over 1 year ago are deleted with all associated posts
  • Accounts inactive for 2 years receive a warning email 30 days before deletion

Inactive Account Policy

If you don't log in for 2 years, we'll:

  1. Send an email warning 30 days before deletion
  2. Give you a chance to log in and keep your account
  3. Automatically delete your account if no action is taken

You can always delete your account manually in Settings → Privacy & Data → Delete Account.

8. Your Rights (GDPR)

As a European user, you have the following rights:

  • Right to Access: Request a copy of your personal data.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data ("right to be forgotten").
  • Right to Restrict Processing: Limit how we use your data.
  • Right to Data Portability: Receive your data in a portable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time for consent-based processing.

To exercise these rights, contact us at [email protected].

8. Data Security

We implement industry-standard security measures:

  • Encryption in transit (TLS/SSL) and at rest
  • Secure authentication with bcrypt password hashing
  • Regular security audits and vulnerability assessments
  • Limited employee access to personal data
  • EU-based data storage where possible

9. Cookies and Tracking

The INJA mobile app does not use cookies. For our website, we use only essential cookies required for basic functionality. We do not use advertising or tracking cookies.

11. Children's Privacy

INJA is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.

12. International Data Transfers

Your data is primarily stored in the European Union. Where data is transferred outside the EU (e.g., to service providers), we ensure appropriate safeguards through Standard Contractual Clauses or adequacy decisions.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or email. The "Last updated" date at the top indicates when the policy was last revised.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

  • Email: [email protected]
  • Address: Hossein Shirali & Mahshid Mohammad Zadeh, Durmersheimer Str. 84, 76185 Karlsruhe, Germany

For GDPR-related inquiries or to exercise your data rights, please email [email protected] with the subject line "GDPR Request."