Privacy Policy
What WhiMate collects, who sees it, and the control you have.
Effective June 2026
The short version
We collect only what's needed to run a real-life meetup app, we show other people as little about you as possible, we never sell your data, and you can delete everything at any time.
1. What we collect
- Sign-in β your email. You can use Google, an email + password, or a one-time magic link.
- Google info (if you use it) β name, email, and profile photo to set up your profile. Nothing else from your Google account.
- Your profile β name, avatar, city, bio, Instagram handle (all optional except your name).
- Age & gender β your birth date and gender are stored privately. Others only ever see a derived age number and your gender β never your actual birth date.
- Location β required to participate (see Β§2). Stored as coordinates on our server; other users only see an approximate distance.
- Your activity β posts, responses, RSVPs, messages, ratings, vouches.
- Hangout photos (if you add them) β kept in a private store, shown only to the people you choose (see Β§6).
- A verification selfie (optional) β only if you opt into photo verification. Stored privately, shown only to a moderator, never to other users, deletable on request.
- Notifications (optional) β if you turn on push, we store a device subscription so we can notify you.
- Basic technical data β what your browser sends (e.g. IP, device type) and error reports, to keep the app running.
Why we're allowed to (legal basis): we use this data to provide the service you signed up for (to perform our agreement with you), to keep it safe and prevent abuse (our legitimate interest), and β for location and push notifications β with your consent, which you can withdraw at any time by turning them off.
2. About your location
WhiMate runs on real proximity, so location is required to post, join, or respondto activities β browsing the feed doesn't need it. When you grant permission, we use your device location to power distances, the map, and discovery, and we refresh it quietly when you open the app so it stays current. We never show other users your exact coordinates β only an approximate βX km away.β A fix that goes stale stops counting after about a week. People Nearby is a separate opt-in; you only appear there if you switch it on, and even then others see approximate distance only.
3. What we DON'T collect
- Phone number
- Government ID
- Payment info (the app is free)
- Your contacts, camera roll, or device data beyond what your browser sends
- No advertising profiles and no cross-site trackers
4. Who can see what
- Any signed-in user: your name, avatar, city, bio, Instagram handle, age, gender, and your posts.
- Only the people you match or crew up with: your chat messages and proposals.
- Only the people you pick: hangout photos you restrict.
- Only you: your email, your exact location coordinates, your birth date, your private review notes.
- Nobody, ever: your password β if you set one it's stored only as a secure hash by our auth provider; we never see it.
5. Messages disappear
Coordination chats clear automatically a short time (currently 24 hours) after sending β a feature, not a bug. Don't use them for anything you need to keep.
6. Hangout photos
Photos you add to a hangout live in a private store, never public. Each is visible only to the audience you choose β the whole crew or specific people β and is delivered through short-lived links that expire. You can set a photo to auto-delete after a window you pick, and you (or the hangout host) can delete any photo at any time. Remember that anyone allowed to see a photo could still screenshot it.
7. How long we keep things
We keep your account data until you delete it. Messages clear on their own (Β§5); restricted/expiring photos clear on their schedule (Β§6); stale location stops being used after about a week. Deleting your account removes your profile, posts, matches, and messages. We may keep minimal records where the law requires.
8. Your rights
You can, at any time:
- See your data β /profile.
- Edit it β /profile/edit.
- Download a copy β βDownload my dataβ on /profile/edit exports your profile, posts, RSVPs, matches, reviews and more as a JSON file.
- Delete your account and data β bottom of the edit page.
Depending on where you live you have additional rights β to access, correct, export (port), restrict, or object to how we use your data under GDPR, or to know what we hold and have it deleted under CCPA/CPRA and PIPEDA. The controls above cover most of these directly; for anything else, email hello@whimate.com and we'll action it within 30 days. We won't treat you differently for exercising any of these rights. If you're in the EU/UK and believe we've mishandled your data, you also have the right to complain to your local data-protection authority.
9. You must be 18+
WhiMateis strictly for adults. We don't knowingly collect data from anyone under 18 β if we learn an account belongs to a minor, we remove it.
10. Who processes your data
We use a small set of providers, only to make the app work:
- Supabase β database, sign-in, and private file storage.
- Resend β the emails we send you.
- Google β only if you choose βContinue with Google.β
- Netlify β hosting; serves the app.
- Sentry β error monitoring, to catch crashes (configured to avoid collecting personal data; no session recording).
- PostHog β product analytics, to see which features get used (configured with an anonymous account ID only β no name, email, birthdate, or location; no session recording).
This list was last reviewed June 2026.
We don't sell or share your data for advertising β not now, not ever.
Some of these providers run on infrastructure outside your country (including the United States). Where your data is transferred internationally, we rely on the providers' standard contractual protections to keep it safeguarded.
11. Cookies & storage
One cookie keeps you signed in. We also use a little storage on your device for app preferences (for example, not re-asking for your location too often). No advertising cookies. For product analytics we use PostHog with an anonymous account ID only (see Section 10) β no session recording, and it honours your browser's Do Not Track setting.
12. How we protect it
Data access is locked down per-user at the database level, private files (selfies, hangout photos) sit in private storage served only through short-lived signed links, and passwords are stored only as secure hashes by our auth provider. No system is perfectly secure, but we design for the least exposure.
13. Changes
If we change how we handle your data, we'll update this page and tell you in the app. If a change reduces your privacy, we'll ask before applying it to data we already hold.
14. Contact
hello@whimate.com for anything β questions, a data copy, or a deletion request.
