Privacy Policy
Last updated: May 17, 2026
StayHard helps you stay accountable with friends through private daily check-ins, pacts, and a small social graph. This policy explains what we collect, why we process it, and how you can exercise your privacy rights.
This document is intended for end users and regulators. Replace the placeholder controller details below with your legal entity before launch.
1. Who we are
Controller: [Your legal name], [registered address].
Contact: privacy@stayhard.app (privacy requests).
Support: support@stayhard.app.
2. What we collect
- Account & authentication: email address and password when you create a full account; optional anonymous (guest) sessions are created with a Supabase-generated user identifier.
- Profile: handle, display name, optional avatar image, device timezone (IANA string, e.g. Europe/Amsterdam, not GPS location).
- Check-ins: photos you take in-app (main + selfie, where applicable), captions, timestamps, whether the check-in was “late,” and the local calendar day you chose for the post.
- Social graph & commitments: friendships and invites, groups (“pacts”), membership, and links between posts and pacts.
- Reactions: emoji-style reactions you add to friends’ eligible posts (stored with your user id).
- Push notifications (optional): if you enable alerts in Settings and grant OS permission, we store your Expo push token and send notifications for friend requests, pact invites, reactions, and friend check-ins. Delivery is handled by Expo (APNs / FCM). You can turn off each event type in the app.
- Local check-in reminders: a daily reminder can be scheduled on your device only (not sent from our servers).
3. Why we process data & legal bases (GDPR)
- Performance of a contract: to provide the service you signed up for (accounts, check-ins, syncing with your circle).
- Consent: where required for optional features (e.g. local reminders if the OS requires permission).
- Legitimate interests: limited operational use such as abuse prevention, security, and improving reliability, balanced against your rights.
4. Where data is processed
We use hosted infrastructure that may process data in the European Economic Area, the United Kingdom, the United States, and other regions where our subprocessors operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses.
5. Subprocessors
We engage suppliers that process personal data on our instructions:
- Supabase: authentication, Postgres database, file storage, and related APIs (see Supabase's privacy policy).
- Vercel: hosting for the stayhard.app marketing and invite site (see Vercel's privacy policy).
- Expo / EAS: mobile build and submission tooling when we release app binaries (see Expo's privacy policy).
- Apple & Google: app distribution when you install from the App Store or Google Play.
Sign data processing agreements (DPAs) with your vendors before processing EU/UK personal data at scale.
6. Retention
We keep your information until you delete your account or we delete it as described here. Some residual backups may persist for a limited period in our suppliers’ systems. Anonymous guest accounts should be treated like full accounts for deletion: use in-app account deletion or contact us.
7. Your rights
Depending on your location (including the EEA, UK, and several US states), you may have the right to access, correct, delete, export, or restrict certain processing, and to object to processing based on legitimate interests. You may lodge a complaint with your local supervisory authority.
The StayHard app includes Export my data and Delete account in Settings. You can also email privacy@stayhard.app for help.
8. Account deletion
When you delete your account in the app, we delete your Supabase auth user, which removes your profile and related app data subject to our database design, and we delete objects stored under your user folder in our private media bucket where applicable. If anything cannot be removed automatically, contact privacy@stayhard.app.
9. Children
StayHard is not directed at children. Do not use the service if you are under the minimum age required in your country to consent to data processing (often 13 in the US and 13–16 in the EU/UK depending on member state rules). We will delete child accounts if we learn of them.
10. Security
We use industry-standard transport security (HTTPS/TLS), access controls, and row-level security in our database so private media is not exposed to unauthorized users. No method of transmission or storage is perfectly secure.
11. Changes
We may update this policy when we change the product or the law requires it. We will post the new version on this page and update the “Last updated” date. For material changes, we may notify you in the app or by email where appropriate.
This policy is provided as a template and is not legal advice. Have it reviewed by qualified counsel before you ship to production, especially if you operate globally or add analytics, ads, or new data categories.