1. Plain-English summary
- We collect what you give us (email, profile, RSVPs) + what you do (clicks, sessions, locations if you opt in).
- We use it to show you events, prevent fraud, send notifications you opted into, and improve the platform.
- We never sell personal data. We never run programmatic ads. We never use dark patterns.
- You can export everything or delete your account at any time, no friction.
- Your data lives on US-based AWS (via Supabase + Vercel) with encryption at rest + in transit.
2. What we collect
| Category | Examples | Why | Retention |
|---|---|---|---|
| Account | Email, password hash, name, avatar | Sign-in, identification | While account active + 30d |
| Profile | Bio, taste, vibes, city, accessibility prefs | Personalization | While account active + 30d |
| Activity | RSVPs, saved events, friends, reviews | Core product | While account active + 30d |
| Payments | Stripe customer ID, last-4, txn history | Tickets, refunds, subscriptions | 7 years (tax/legal) |
| Communications | RFQ chat, event chat, support tickets | Service delivery | While account active + 30d |
| Telemetry | Page views, clicks, errors, performance | Improve product, fix bugs | 30d hot / 90d cold |
| Location | City (always), precise GPS (only if opted in) | Local feed, presence (opt-in) | Session-only for GPS |
| Device | User agent, screen size, push token | Compatibility, push delivery | While token valid |
| Compliance | Audit log of admin/financial actions | Security, fraud, legal | 7 years |
3. What we don't collect
- We don't fingerprint your device.
- We don't cross-site track you (no Facebook Pixel, no Google Tag Manager).
- We don't scan your address book unless you explicitly invite friends.
- We don't profile minors. Kid-facing surfaces (under-18 ticket flows) are ad-free + tracking-free.
4. Who we share with
- Stripe — payments. We never see your card.
- Resend — email delivery. Receives recipient + content.
- Supabase + Vercel — infrastructure providers (US-based, SOC 2).
- Anthropic — Claude model API for AI features. Per their terms, requests are not used for training.
- Sentry — error tracking. PII scrubbed at emission per EXECUTION-BIBLE §15.101.
- Hosts + venues — receive minimal data needed for the event (your name + email if RSVP'd, ticket QR token).
- Law enforcement — only with valid legal process. We publish a transparency report annually.
5. Your rights (GDPR + CCPA + NY SHIELD)
- Access: /account/export — JSON of everything we have on you in <30 sec.
- Deletion: /account/delete — 30-day grace, then permanent.
- Correction: /profile for self-serve. Email privacy@flock.city for anything not editable.
- Portability: Export is JSON in a documented schema. Re-importable to other platforms.
- Opt-out of marketing: Every email has a one-click unsubscribe. /preferences for granular controls.
- Opt-out of cookies: See Cookie Policy. Essential cookies cannot be disabled (auth, security).
- EU users: You can complain to your local data-protection authority.
- California users: CCPA-specific opt-outs at privacy@flock.city. We do not “sell” data per CCPA definition.
6. Security
- TLS 1.3 in transit. AES-256 at rest (Supabase + Vercel managed).
- Passwords hashed via bcrypt (Supabase Auth default).
- Two-factor authentication (TOTP) is available at /account/security. For admin actions it is enforced per action, from an allowlist; we'll publish the list as it expands.
- Inbound webhooks are signature-verified (Stripe HMAC signatures; Resend signatures via Svix) and the signed timestamp must fall within ±5 minutes of receipt. Both checks run before any side-effect.
- Row-Level Security (RLS) is enforced on every user-owned table. Operational tables (cron logs, system metrics) are readable by the service role only, never by the anon role. The audit log is immutable per EXECUTION-BIBLE §15.79.
- Vulnerability disclosure: /.well-known/security.txt.
- Public security posture: /security.
7. Cookies + tracking
See Cookie Policy. Short version: essential cookies only by default. No third-party trackers. Analytics cookies are first-party (we built our own analytics; no PostHog or Mixpanel).
Cookie preferences
We use four categories of cookies. You can change your choice any time — your preference is stored in a 365-day cookie named flock_cookie_consent.
| Category | What it enables | Default | Required |
|---|---|---|---|
| Necessary | Auth session, CSRF tokens, security | On | Yes — cannot be disabled |
| Analytics | First-party page-view tracking + Sentry error replays | Off | No |
| Maps | Mapbox GL interactive event maps | Off | No — venue name shown as fallback |
| Marketing pixels | Third-party embed widgets (e.g. venue social widgets) | Off | No |
Stripe cookies are necessary for payment processing per Stripe's cookie policy and are always present when you check out.
8. Children
Flock is for users 13+ (16+ in EU countries that keep the GDPR Article 8 default age of consent). Under-18 ticket flows require parental consent. We don't knowingly collect data from under-13 users; if you believe we have, email privacy@flock.city and we'll delete it within 7 days.
9. International transfers
Flock servers are US-based (AWS us-east-1 via Vercel + Supabase). EU/UK users' data is transferred to the US under Standard Contractual Clauses (SCCs). Schrems II addressed: TLS in transit + encryption at rest + no government data sharing without legal process.
10. Breach notification
If a breach affects your data, you get an email within 72 hours of confirmation. Public incident report posted to /status + /changelog.
11. AI & automated decisions
- Recommendation feed: AI-curated, overridable from /preferences.
- Content moderation: hash + LLM pre-checks; user appeals via trust@flock.city.
- No automated decision has legal or significant effect on you (no algorithmic credit, employment, housing).
- Confidence intervals + source citations on every AI surface per EXECUTION-BIBLE §15.62, §15.63.
12. Contact
- Privacy: privacy@flock.city
- EU rep: TBD (will appoint when EU revenue > threshold)
- Data Protection Officer: TBD (not yet required by scale)
GDPR · CCPA · NY SHIELD compliant. Reviewed quarterly per EXECUTION-BIBLE §15.5 + §15.77.