Privacy Policy

Effective date: March 29, 2026

Collabo ("we", "us", "our") is operated by Ethan Lee. This policy explains what data we collect, why, and how we protect it.

1. Information We Collect

Account information. When you create an account, we collect your email address, name, username, and password (stored as a salted hash — we never store your actual password).

Profile information. You may optionally add a profile picture and bio. Profile pictures are stored on AWS S3.

Events and invites. We store the events you create (title, time, location, notes) and invites you send or receive, including RSVP responses.

Approximate location. When you log in, we derive your approximate location (city, region, country) from your IP address using a third-party geolocation service. We do not access your device's GPS or request location permissions. This data is used to deliver relevant sponsored events and for aggregate geography analytics. It is refreshed approximately every 7 days.

Device information. If you enable push notifications, we store your Expo push token to deliver notifications. We do not collect device identifiers beyond this.

Usage data. We log API requests (method, path, status code, response time) for system health monitoring. These logs do not contain message content or personal data beyond user ID.

2. How We Use Your Information

To provide and operate Collabo (events, invites, calendars, groups, friends)
To send push notifications about upcoming events and invite responses
To deliver sponsored events relevant to your approximate location
To send transactional emails (password resets, verification codes) via Resend
To monitor system health and fix bugs
To generate aggregate analytics visible only to administrators

3. Third-Party Services

We use the following third-party services that may process your data:

Expo — push notification delivery
Resend — transactional email delivery
AWS S3 — profile picture storage
ip-api.com — IP-to-location lookup (your IP is sent to this service; see their privacy policy)
Render — application and database hosting

We do not sell, rent, or share your personal information with advertisers or data brokers.

4. Sponsored Events

Collabo may deliver sponsored event notifications based on your approximate geographic location. Sponsors do not receive your personal information — they define targeting criteria (e.g. "users in Austin") and we handle delivery. Sponsors only see aggregate metrics (delivery count, open rate, RSVP count).

5. Data Retention

We retain your account data for as long as your account exists. If you delete your account, your data is permanently deleted from our database. API request logs are retained for system health monitoring and may be periodically purged.

6. Your Rights

Access. You can view your profile, events, and invites within the app at any time.
Correction. You can edit your profile information at any time.
Deletion. You can request account deletion by contacting us. Deletion is permanent and irreversible.
Opt out of push notifications. You can disable push notifications in your device settings at any time.

7. Security

Passwords are hashed using bcrypt. All API communication uses HTTPS. Authentication uses short-lived JWT access tokens with refresh token rotation. Admin actions are logged to an audit trail. We take reasonable measures to protect your data, but no system is 100% secure.

8. Children's Privacy

Collabo is not intended for users under the age of 13. We do not knowingly collect information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify users through the app or via email. The "effective date" at the top reflects the most recent revision.

10. Contact

For privacy questions or data deletion requests, contact us at privacy@collabo.cloud.

Collabo is operated by Ethan Lee.