Privacy Policy

Who's Up mobile application · Effective 17 April 2026

Who's Up ("the app", "we", "us") is a social-signal app that lets you tell your chosen friends you're free to hang out. This policy explains what we collect, why, and how long we keep it. Plain language. No dark patterns.

The short version. We collect your phone number (to sign you in), your name and optional avatar (so friends recognize you), your contacts' phone numbers (to find which ones are already on Who's Up), a push notification token (to ping your friends when you're up), and minimal activity data needed to run the app. We do not sell your data. We do not track you across other apps or websites. We do not run ads. We do not use third-party analytics.

1. Information we collect

Account & profile

Phone number — required. Used to sign you in via SMS one-time passcode and to match you with friends' contacts.
Display name — shown to your friends.
Avatar (optional) — a photo URL you provide.
Timezone and quiet hours — so we don't notify you at 3 AM.

Contacts (only if you grant permission)

If you tap "find friends", the app reads phone numbers from your device's contacts and sends them to our server so we can check which ones are already on Who's Up. Immediately on receipt, each number is hashed using a keyed HMAC and only the hash is compared against our user directory. The plaintext phone numbers from your contacts are not stored. Only the number of contacts checked, the number matched, and the request's IP address are retained — to prevent abuse and enforce rate limits (5 lookups and 2,000 numbers per hour).

Names from your contacts never leave your device. The app remembers which of your contacts matched, locally, so you can label them.

Device & push notifications

Expo push token — the anonymous token Apple/Google issue so we can deliver a push notification to your device. We store one token per device, per user.
Platform — whether your device is iOS, Android, or web.

App activity

"I'm up" sessions — when you press the button, we record a session (start time, expiry) so we can notify your friends and stop notifying them when it ends.
Notification delivery records — which of your friends we sent a notification to for a given session, and whether it was tapped. Used to prevent duplicate notifications and to surface "who saw it".
Friendships & blocks — who you are friends with and who you've blocked. Blocks are private to you.
Invites — when you invite someone by phone number, we store the hashed number (not plaintext) so we can link them to your invite if they join.

Technical

IP address — logged only for the contact-match endpoint, to enforce rate limits and detect abuse. Not used for advertising or profiling.
Crash and error logs — the app and backend emit error logs that may include a user ID, timestamps, and error messages. We do not log phone numbers, names, or contacts.

2. What we do not collect

No location data. We do not request or store GPS, coarse location, or IP-based location.
No ad identifiers (IDFA, AAID). No advertising SDKs.
No third-party analytics SDKs (no Google Analytics, Amplitude, Mixpanel, Segment, etc.).
No cross-app or cross-site tracking.
No browsing or search history.
No health, financial, or biometric data.
No access to your photos, microphone, camera, or calendar.

3. How we use your data

Run the app. Sign you in, show your friends who's up, deliver push notifications, and enforce your quiet hours and blocks.
Match your contacts. Check which of your phone contacts are on Who's Up so you can add them as friends.
Keep it safe. Rate-limit abuse (e.g., someone scraping contacts) and maintain service availability.
Debug. Investigate crashes and errors using our logs.

We never use your data for advertising, profiling, scoring, or selling to third parties.

4. Who we share data with

We share the minimum necessary with service providers that run the app's infrastructure:

Supabase — our database and authentication provider. Stores your profile, friendships, sessions, and hashed contact identifiers.
Twilio (or another SMS provider) — sends the one-time passcode to your phone during sign-in. They process your phone number to deliver the SMS.
Expo Push & Apple Push Notification Service / Firebase Cloud Messaging — deliver push notifications to your device.
Netlify — hosts this website.

We do not share your data with advertisers, data brokers, or analytics companies. We will disclose data only if required by valid legal process (e.g., a subpoena) and we will push back on overly broad requests.

5. Data retention and deletion

While your account is active, we keep your profile, friendships, and activity history for the features to work.
"I'm up" sessions expire automatically and are kept for a rolling window to support reconciliation; notification delivery records are pruned on the same schedule.
Contact-match audit rows (counts and IP) are retained for rate-limit windows and routine operations, typically 30 days.
Deleting your account removes your profile, friendships, blocks, sessions, notification records, device tokens, and invites via cascading delete. Your phone number's hash is removed, so any friend who re-imports their contacts will no longer find you.

To delete your account, use the in-app delete option or email us (see below).

6. Your rights

Regardless of where you live, you can:

Request a copy of the data tied to your account.
Correct your profile information directly in the app.
Delete your account and associated data.
Revoke Contacts permission at any time in your device's Settings; the app will continue to work for notifications, but the contact-match feature won't be available until you re-grant it.

If you are in the EU/UK, you have rights under the GDPR including access, rectification, erasure, restriction, portability, and the right to object. If you are in California, you have rights under the CCPA including the right to know and the right to delete. To exercise any of these rights, email us.

7. Children

Who's Up is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child under 13 has provided us personal information, contact us and we will delete it.

8. Security

Phone numbers are stored both in their original form (for your own account) and as an HMAC keyed with a server-side secret (for matching). Other users can only discover you by hashing a number they already have — they can't enumerate users from hashes. Data in transit uses TLS. Database access uses row-level security so users can only read rows they're allowed to see. No system is perfectly secure, so we also keep the data surface small.

9. International transfers

Our infrastructure is hosted in the United States. If you use Who's Up from outside the US, you are transferring your data to the US.

10. Changes to this policy

If we make material changes, we'll update the "Effective" date above and, where appropriate, notify you in the app before the changes take effect. Minor wording edits may be made without notice.

11. Contact

Questions, requests, or concerns:
Christopher Tolisano — christopher@bestdayfitness.com