Privacy Policy

Effective date: April 18, 2026

Covee is a social activity-planning app operated by Justen Yao ("we," "us," "our"). This Privacy Policy explains what information we collect when you use Covee, how we use it, and the rights you have over it. We designed Covee to collect as little as possible and to keep what we do collect secure.

1. Information we collect

1.1 Information you provide

• Account details — your name and email address (required to create an account), and optionally your phone number.
• Profile content — your profile photo and a short bio, both optional.
• Activities you create — the title, description, date and time, location (the venue address you type), category, and privacy setting of any activity you host.
• Messages — chat messages you send inside activity chat rooms, and poll votes you cast.
• Friends and invitations — your friend list, friend requests sent and received, and invitations to activities.
• Support requests — anything you email us or send through an in-app report.

1.2 Information collected automatically

• User ID — a unique identifier assigned by Firebase Authentication when you sign up.
• Device identifier — an Expo push notification token (only if you grant notification permissions) so we can deliver push alerts.
• App version and platform — iOS or Android, and the Covee version you are running. Used to deliver compatible updates and diagnose issues.
• App interactions — anonymized metrics about when the app is opened and key features are used, collected via Expo Insights. Used for aggregate analytics.

1.3 Information we intentionally do NOT collect

• Your device's location. Covee requests permission to read your device's GPS location solely to show you nearby activities. Location coordinates are processed on your device only and are never transmitted to our servers, stored, or shared with other users or third parties. If you deny location permission, the app still works — you will simply see activities without a distance filter.
• Your contacts. If you choose to tap "Find Friends," Covee reads phone numbers and email addresses from your device's contact list and sends them to our database as a one-time lookup to find which of your contacts are already on Covee. We do not persist the raw contact list on our servers. Only the matched user IDs are cached locally on your device (not on ours) for 24 hours so you don't have to re-scan. You can decline the contact permission with no loss of core functionality.
• Financial, health, fitness, or biometric data. Covee has no use for these and does not collect them.
• Advertising identifiers. Covee does not show ads and does not collect advertising IDs.

2. How we use your information

• To operate the app — authenticate you, sync your activities and chats, deliver push notifications, and show friends and events in your feed.
• To manage your account — let you update your profile, recover your password, or delete your account.
• To analyze aggregate usage — understand which features are used most and prioritize improvements. We use Expo Insights, which reports counts (not individual activity).
• To enforce safety — filter profanity with filterText(), apply rate limits on activity creation and chat, and respond to user reports and blocks.
• To communicate with you — respond to support emails you send us. We do not send marketing emails.

3. How we share your information

We do not sell your personal information and we do not share it with advertisers, data brokers, or marketing companies. We share it only in the limited circumstances below:

• With other users, by your choice — your name, profile photo, bio, and phone number (if you added one) are visible to your friends and to people in activities you join or host. Your chat messages are visible to other participants in that activity's chat. Activities you host are visible to your friends and, for public activities, to users nearby.
• With our infrastructure providers — we use Google Firebase (Authentication, Firestore, Cloud Storage, Cloud Functions, Hosting) to run the app, and Expo (EAS Build, Expo Push, Expo Insights) for builds, push delivery, and analytics. These providers act as data processors bound by contractual confidentiality and security requirements. They do not use your data for their own purposes.
• For legal reasons — if required by valid legal process (subpoena, court order) or to protect safety, prevent fraud, or enforce our Terms.

4. How long we keep your information

• Your account and profile data is retained as long as your account exists.
• Activities and chat messages are retained as long as the activity exists.
• When you delete your account, your data is removed within seconds. Backup copies held by Firebase / Google Cloud infrastructure are purged per Google's standard backup retention window (typically within 30 days).
• Support emails are retained for as long as needed to resolve the inquiry.

5. How we protect your information

• All traffic between the app and our servers is encrypted in transit via TLS (HTTPS).
• Data at rest is encrypted using Google Cloud's default encryption.
• Access to your data is restricted by Firestore Security Rules, which enforce that only you and the appropriate participants can read or modify specific records.
• We do not store passwords ourselves — Firebase Authentication manages password hashing and verification.

6. Your rights

6.1 Everyone

• Access the information we hold about you.
• Correct inaccurate information by editing your profile in the app.
• Delete your account and associated data at any time.
• Object to any processing by contacting us.

6.2 California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

• The right to know what personal information we collect, use, and disclose.
• The right to delete personal information we hold about you.
• The right to correct inaccurate personal information.
• The right to opt out of sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising).
• The right to non-discrimination — we will not penalize you for exercising these rights.

6.3 EU / UK / EEA residents (GDPR / UK GDPR)

If you are in the European Union, United Kingdom, or European Economic Area, you have the following rights under the General Data Protection Regulation:

• Right of access, rectification, erasure, restriction of processing, and data portability.
• Right to object to processing based on legitimate interests.
• Right to withdraw consent at any time for processing based on consent (e.g., contacts scan, push notifications).
• Right to lodge a complaint with a supervisory authority in your country of residence.
• Our legal bases are: your consent (for optional processing like contacts), performance of a contract (to provide the service you signed up for), and our legitimate interests (aggregate analytics, security, fraud prevention).

7. Deleting your account

8. Children's privacy

Covee is intended for users aged 13 and over. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us at official.connectapp@gmail.com and we will delete the account promptly.

9. International transfers

Covee is operated from the United States. When you use Covee from outside the U.S., your information is transferred to and processed on servers located in the U.S. and other countries where Google and Expo operate data centers. These transfers are protected by appropriate safeguards consistent with applicable law.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" at the top of this page. Material changes will be announced in-app or by email to your account email before they take effect.

11. Contact

Questions, requests, or concerns? Email us at official.connectapp@gmail.com. We aim to respond within 7 days.