Privacy Policy

Last updated: 2026-04-22

This Privacy Policy describes how Urby (“we,” “our,” or “us”) collects, uses, and discloses your personal information when you use our mobile application and services (the “Service”). This is a provisional policy for an iOS application currently in development; a final version will be reviewed by counsel before public launch.

Information We Collect

Phone Number. We collect your phone number in E.164 format for account authentication via SMS one-time passcode (delivered by Twilio, Inc.). Your phone number is stored encrypted at rest and is additionally hashed (Argon2id with a server-side pepper) for contact-match lookups.

Photos. Photos taken in-app at a spot are uploaded to Cloudflare R2 object storage and associated with your visit record. We do not access your device’s photo library; the app captures photos only via the in-app camera.

Precise Location. When you log a visit, we collect your precise GPS location (with your permission, “While Using App” only) to verify that you are at the spot. We do not track your location in the background.

Contacts. If you grant Contacts permission, the app hashes your contacts’ phone numbers locally on your device (Argon2id with a client salt and our server pepper) and sends only the hashes to our servers to match against other Urby users. Raw contact data is never transmitted to or stored on our servers.

Device Identifiers. We use Apple’s App Attest framework to verify that requests come from a genuine, unmodified copy of our app. We register your device for Apple Push Notifications (APNs) to deliver notifications you have enabled.

Third Parties

We use the following third-party service providers: Twilio (SMS delivery for one-time passcodes), Apple (App Attest device integrity, Apple Push Notification service), and Cloudflare (object storage and content delivery). Each operates under its own privacy policy; we do not sell or share your personal information with third parties for advertising purposes. We do not include any third-party tracking SDKs and do not collect the iOS Advertising Identifier (IDFA).

Account Deletion

You may delete your account at any time from Profile → Settings → Delete Account. Deletion soft-deletes your user record and cascades to your owned visits, cards, and put-on attributions per our retention policy.

Age Requirement

The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. (Note: prior to making the Service available in the European Economic Area, we will revise this minimum age to 16 in line with GDPR Article 8.)

Your Rights (CCPA)

California residents have the right to know what personal information we collect, delete personal information we have collected, and opt out of any sale of personal information. We do not sell personal information.

Your Rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to its processing. Contact us at the address below to exercise these rights.

Contact

Questions? Email support@tryurby.com.