Your privacy is important to us. This Privacy Policy explains how BubbleUp
collects, uses, and protects your information when you use our approximate area-based
chat application.
Effective Date: January 4, 2026
Last Updated: February 12, 2026
Data Controller
BubbleUp is operated by:
For Turkish users (KVKK): You may exercise your rights under Law No. 6698
by contacting us at the email address above. We will respond to your
request within 30 days.
1. Information We Collect
Account Information
- Email address - For account login and recovery (not required for anonymous
users)
- Password - Securely hashed; we never store or see your plain-text password
- Display name - Visible to other users in rooms
- Bio - Optional profile description you choose to share
- Profile photo URL - Optional profile image
Device Information
- Device ID - A randomly generated identifier for your device, used for
anonymous login and session management
- Device platform - iOS or Android, for app compatibility
Location Data
We use your location to provide BubbleUp's core features. Your exact
GPS coordinates never leave your device. All location data is converted to a "Geohash" (an
approximate area identifier) on your device before being transmitted:
- Room Discovery: Your location is converted to a Geohash (~5km area) on
your device, and only this approximate identifier is sent to find rooms near you.
- Joining Rooms: Only your Geohash (~5km area) is sent when you join a room
to verify you are within the general vicinity.
- Room Creation Privacy: When you create a room,
your location is converted to a Geohash on your device. Only an approximate identifier is sent to
our servers—typically a ~5km area for nearby rooms or a ~1km grid for custom locations. Your exact
coordinates are never transmitted.
- What Others See: Other users see only room markers on the map—they cannot
see your personal location or your real-time position.
- Nearby Room Notifications: To notify you about new rooms, we use a broader
Geohash (representing a ~39km x 19km area). This ensures notifications reach you without revealing
your precise location.
Important: Your exact GPS coordinates never leave your device. All location processing converts coordinates to Geohash
identifiers before transmission. We do not store precise coordinates—only approximate area identifiers
(~1km to ~5km cells) for rooms are stored. We never share your location with other users.
Usage Data
- Rooms you create (title, description, location, category)
- Messages you send within rooms
- Users you block
- Your notification and privacy preferences
Financial Information
- Payment Data - We do NOT collect or store your credit card or bank details. All transactions are
processed by Apple or Google via RevenueCat. We only receive a confirmation of your subscription
status and transaction IDs.
OAuth Data (if you sign in with Google or Apple)
- Google account ID or Apple User ID (to link your account)
- Email address from Google or Apple (for account identification)
- Full name from Apple (if provided on first login)
Advertising Data (Free Users Only)
- Advertising Identifier (IDFA on iOS) - Used to show personalized ads and
measure ad performance
- Ad Interaction Data - Which ads you view or click on
- Device Information for Ads - Device type, OS version, and app version for
ad targeting
- Location Data for Ads - Your approximate location may be used for
location-based advertising
Third-Party Ad Networks: We use Google AdMob to display advertisements in the free version of our app.
AdMob and its advertising partners may collect device identifiers, IP address, app usage data, and
location data for ad personalization and fraud prevention.
Ad Personalization:
- You can opt out of personalized ads through your device settings (iOS: Settings → Privacy & Security
→ Tracking)
- You can manage ad preferences in the app (Profile → Privacy Preferences)
- Premium (Pro) users do not see advertisements and no advertising data is collected
- Learn more: Google AdMob Privacy Policy
2. How We Use Your Information
We use your information exclusively to provide and improve BubbleUp:
- Room Discovery - Show you chat rooms near your approximate area (~5km
Geohash)
- Authentication - Verify your identity and manage your session
- Messaging - Deliver your messages to room participants
- Notifications - Alert you about new messages and new rooms created nearby
(based on ~39km Geohash area)
- Moderation - Enforce community guidelines and handle reports
- Account Recovery - Help you regain access if needed
3. Data Sharing
We do not sell your personal information. Data is shared only
in these limited circumstances:
With Other Users
- Your display name, bio, and profile photo are visible to users in rooms you join
- Messages you send are visible to all participants in that room
- Your approximate location is shown on the map when you create a room
Third-Party Services
- MapLibre - We use MapLibre, an open-source map library. Map tiles are
loaded from OpenStreetMap-based servers. Your approximate viewport is sent to load tiles, not your
precise location.
- Google AdMob - We display advertisements through Google AdMob. Google may
collect device identifiers and app usage data for ad personalization (if you consent) or to show
contextual ads. In GDPR regions, you will see Google's consent dialog. See Google's Privacy Policy
for details: policies.google.com/privacy
- Unity Ads - We use Unity Ads as a mediation partner for advertisements.
Unity may collect device identifiers and usage data to serve ads. View Unity's Privacy Policy:
unity.com/legal/privacy-policy
- RevenueCat - We use RevenueCat to manage subscriptions and in-app
purchases. RevenueCat processes transaction data and handles entitlement verification. View their
privacy policy: revenuecat.com/privacy
- We do not use third-party analytics SDKs. Usage analytics (if you opt in)
are collected directly by us.
Legal Requirements
- We may disclose information when required by law or to protect safety
4. Data Retention
Active Rooms
Room data and messages are stored while the room is active (1 hour to 7 days depending
on room duration).
Expired Rooms
- When a room expires, it is moved to the Archived Rooms section in your
sidebar.
- Archived rooms are read-only; you can view previous messages but cannot
send new ones.
- Room data and messages are preserved to allow you to access your conversation history.
- Archived data may also be retained for moderation, legal compliance, and analytics.
- Archived room data is retained until you request deletion by contacting support.
Account Deletion
- If you delete your account, your profile data is removed immediately
- Messages you sent in rooms remain for moderation purposes
- You can request full data deletion by contacting support
Data Retention Periods
- Active room data - Duration of room (1 hour to 7 days)
- Archived room data - Retained until deletion requested
- Account data - Until account deletion
- Session tokens - Expire automatically and are cleared on logout
- Location data - Your exact coordinates never leave your device; room locations are
stored as ~5km Geohash cells
5. Your Rights
You have full control over your data:
- Access - View your profile data anytime in the app
- Correction - Edit your display name, bio, and photo
- Deletion - Delete your account from Settings
- Location Control - Disable location services in your device settings (app
requires location to function)
- Notifications - Toggle push notifications in Settings
- Blocking - Block users you don't want to interact with
Privacy-First Location Tracking: Our system is designed so that your exact GPS
coordinates never leave your device. All location data is converted to a
Geohash on your device before transmission. For room operations, we use ~5km precision; for
notifications, ~39km precision. You can opt out by disabling Location Permissions or Push Notifications.
6. Data Security
We implement industry-standard security measures to protect your data:
- Password Protection - Passwords are securely hashed and never stored in
plain text
- Secure Storage - Sensitive data is stored using platform-provided secure
storage
- Encrypted Transmission - All data is transmitted using encryption
- Access Controls - Database access is restricted and monitored
7. Children's Privacy
BubbleUp is not intended for users under 18 years of age. We do not knowingly
collect information from children under 18. If you believe a child under 18 has
provided us with personal information, please contact us immediately.
8. Your Regional Rights
European Union (GDPR)
If you are in the EU/EEA, you have the right to:
- Access, correct, or delete your personal data
- Object to or restrict processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
United States (CCPA/CPRA)
California residents have the right to:
- Know what data we collect and how it's used
- Delete your personal information
- Opt out of data sales (we do not sell your data)
- Non-discrimination for exercising rights
Turkey (KVKK)
Turkish residents have the right to:
- Learn whether your data is processed
- Request information about processing
- Request correction or deletion
- Object to automated decision-making
- Claim compensation for damages from unlawful processing
9. Legal Basis for Processing
Under GDPR Article 6, we process your data based on the following legal bases:
Contract (Article 6.1.b)
Processing necessary to provide BubbleUp's core services:
- Email address - Account login and recovery
- Password (hashed) - Authentication
- Display name - Profile identification in rooms
- Messages - Chat functionality delivery
- Google Account ID - OAuth login (if used)
- Apple User ID - OAuth login (if used)
- Subscription Status - To provide Pro features (via RevenueCat)
Consent (Article 6.1.a)
Processing based on your explicit opt-in:
- Location data - Room discovery (anonymized via area-snapping before storage)
- Bio and profile photo - Optional profile information
- Usage analytics - Service improvement (if enabled)
- Personalized ads - Ad customization (if enabled)
Legitimate Interest (Article 6.1.f)
Processing necessary for our legitimate business interests:
- Device ID - Session security and anonymous account identification
- Device platform - App compatibility
- Block records - User safety and harassment prevention
Legal Obligation (Article 6.1.c)
- Data retained for legal compliance when required by law
10. How to Withdraw Consent
- Location - Go to your device Settings > BubbleUp > Location
- Notifications - In-app Settings or device Settings
- Delete Account - In-app Settings > Delete Account
11. Changes to This Policy
We may update this Privacy Policy periodically. For material changes
affecting how we process your data, we will request your renewed
consent before those changes take effect. Minor updates that do
not expand data processing will be announced through the app.
12. Contact Us
For privacy-related questions or to exercise your data rights: