This Privacy Policy explains how Rui Almeida, a sole individual operator based in Portugal, trading as MyCircle ("MyCircle", "we", "us", "our"), collects, uses, shares, retains, and protects your personal data when you use the MyCircle mobile application and related services (collectively, the "Service").
We take your privacy seriously. This policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Portuguese Data Protection Act (Lei n.º 58/2019), the California Consumer Privacy Act of 2018 as amended by the CPRA (CCPA/CPRA), the UK GDPR, and other applicable privacy laws.
If you do not agree with this policy, please do not use MyCircle.
The data controller for the purposes of GDPR Article 4(7) is:
MyCircle is operated as an independent personal project by a single natural person. There is no parent company, no group of companies, and no formal data-protection officer (DPO). Because of the scale and nature of the processing, MyCircle is not legally required to appoint a DPO under Article 37 GDPR. You may contact the operator directly at the email above for all privacy-related matters.
Before the formal sections below, here is the short version of what we do and do not do:
We collect the categories of personal data listed below. Where the legal basis is "consent", you can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
| Category | Examples | Why we need it | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Identifiers | Email address, username, display name | Account creation, login, identifying you on the platform | Performance of contract (6(1)(b)) |
| Profile data | Date of birth, gender, city, avatar photo, bio | Verifying 18+ eligibility, personalising the feed, displaying your profile to other users | Performance of contract; legitimate interests for age verification (6(1)(b), 6(1)(f)) |
| Location data | GPS coordinates (precise or snapped to a ~1 km grid) | Showing nearby people, posts, Moments, events | Consent (6(1)(a)) — you grant location permission at the OS level |
| User content | Posts, Moments, captions, comments, likes, messages in Circles and DMs, saved events | Operating the social features | Performance of contract (6(1)(b)) |
| Social graph | Friend requests, accepted friendships, blocks, reports you file, Circles you join | Operating the social features and the safety features | Performance of contract; legitimate interests for safety (6(1)(b), 6(1)(f)) |
| Communications | Emails you send us, in-app reports, appeals | Customer support, safety triage | Legitimate interests (6(1)(f)) |

| Category | Examples | Why we need it | Legal basis |
|---|---|---|---|
| Technical / device data | Device model, OS version, app version, language, time zone, push token (when push is enabled), crash and error logs (collected via Sentry — see §6.1), build identifier used for over-the-air updates (delivered via Expo — see §6.1) | Running the app, debugging, security, delivering app updates between store releases | Legitimate interests (6(1)(f)) |
| Authentication data | Session tokens, refresh tokens, login timestamps, IP address at login | Keeping you logged in securely | Performance of contract; legitimate interests for security (6(1)(b), 6(1)(f)) |
| Usage data | Which screens you open, which features you use, approximate session length | Improving the app | Legitimate interests (6(1)(f)) |
| Advertising identifiers | IDFA on iOS (only after you accept the App Tracking Transparency prompt), Google Advertising ID on Android | Showing ads through AdMob | Consent (6(1)(a)) — collected only after you opt in via ATT / UMP |
If you sign in with Google or Apple, we receive your email address and (for Google) your name and profile picture. We do not receive your password, your contacts, or any other information from those providers.
MyCircle is not designed to collect special-category data under Article 9 GDPR (health, religion, ethnicity, sexual orientation, political opinions, biometrics, etc.). If you voluntarily include such information in your bio, posts, or messages, you do so on your own initiative and you consent to its processing for the purposes set out in this policy.
We use personal data only for the purposes for which it was collected, namely:
We will not use your personal data for any new, materially different purpose without first notifying you and, where required, obtaining your consent.
Because location is central to MyCircle, we explain its processing in more detail.
MyCircle is, by design, a proximity-based social-discovery app. Without your location we cannot surface nearby people, Moments, posts, or events. Location is the core feature, not an optional add-on.
Your most recent location point at the time the app refreshes a discovery feed. We do not maintain a continuous tracking trail. We do not collect location data in the background unless you explicitly grant the "Always" permission (which we do not currently request).
In Settings → Privacy → Location accuracy you can choose between:
Posts and Moments you create are also tagged with a location stamp that respects your accuracy setting at the time of posting.
You can:
Disabling location will leave the discovery features empty. The rest of the app (your friends, your Circles, your DMs, your profile) will continue to work.
We rely on your consent under Article 6(1)(a) GDPR, given by granting location permission at the OS level. You can withdraw consent at any time as described above. Consent withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
We share your personal data only as described below. We do not sell personal data and we have not sold or shared personal data for cross-context behavioural advertising in the meaning of the CCPA/CPRA in the preceding twelve months, except as described under "Advertising" below.
These providers process personal data on our written instructions, under a data-processing agreement that meets Article 28 requirements:
| Processor | Role | Data location |
|---|---|---|
| Supabase, Inc. | Backend infrastructure: database, authentication, storage, edge functions, realtime | United States (us-west-1, Northern California) |
| Google Cloud Platform (Cloud Vision API) | Automated content moderation of uploaded images and videos | Processed in transit; not retained by Google beyond the API call |
| Expo, Inc. (Expo Application Services) | Build infrastructure and over-the-air (OTA) updates to deliver app updates between store releases; push-notification infrastructure (planned, not yet active in V1). Expo receives a build identifier and your device's OS version to deliver the correct update. | United States |
| Functional Software, Inc. (Sentry) | Crash and error reporting — detecting and diagnosing app crashes and runtime errors. When an error occurs, we share with Sentry: your user identifier (UUID only, no email or name), device model, OS version, app version, IP address (briefly, for delivery routing only — not retained for analytics), and the technical context of the error (stack trace, breadcrumbs, app state at the time of the crash). | United States |
| Apple Inc. | iOS push notifications (APNs) — planned, not yet active in V1 | United States |
| Google LLC | Android push notifications (FCM) — planned, not yet active in V1 | United States |
These third parties decide the purposes and means of their own processing. When you interact with them, their privacy policy applies in addition to ours:
| Party | When we share | What is shared | Their policy |
|---|---|---|---|
| Google AdMob | While you use the app and ads are shown | Advertising identifier (IDFA / Google Advertising ID), coarse IP-derived location, ad interaction signals, consent string | policies.google.com/privacy |
| Google Sign-In | If you sign in with Google | Your Google email and basic profile, returned to us by Google | policies.google.com/privacy |
| Apple Sign-In | If you sign in with Apple | Your Apple Relay email and a unique Apple identifier | apple.com/legal/privacy |
| Ticketing Partners: SeatGeek, TicketNetwork, StubHub, viagogo | When you tap "Buy Tickets" and are redirected to their site | An anonymised click identifier through our affiliate-tracking partners (currently Impact.com, with Partnerize Ltd. as a secondary network) — we do not transmit your name, email, or any directly identifying personal data; any information you then enter on the Ticketing Partner's site (payment, address, etc.) is collected directly by them | Each partner publishes its own privacy policy on its own site |
| Impact.com (Impact Tech, Inc.) | Affiliate-link tracking (primary network) | Click identifier, referrer, partner program ID | impact.com/privacy-policy |
| Partnerize Ltd. | Affiliate-link tracking (secondary network) | Click identifier, referrer, partner program ID | partnerize.com/privacy |
MyCircle's primary backend (database, authentication, storage, edge functions) is hosted by Supabase, Inc. in the United States (us-west-1, Northern California). This means that personal data of users located in the European Economic Area (EEA), the United Kingdom, and Switzerland is transferred to and processed in the United States. Several of our other processors are also U.S.-based.
We ensure that an adequate level of protection is in place for these international transfers through one or more of the following safeguards under Articles 44–49 GDPR:
By creating an account and using MyCircle, you understand that your personal data will be processed in the United States and you accept the transfer on the legal bases above.
You can request a copy of the safeguards in place by emailing mycircle.app.2026@gmail.com.
We keep personal data only for as long as we need it for the purposes set out in this policy or as required by law.
| Data | Retention |
|---|---|
| Active account profile, posts, Circles, friends | For as long as your account is active |
| Moments | Automatically deleted 24 hours after creation by a scheduled job |
| Messages in Circles and DMs | For as long as the Circle exists; DMs are deleted when the last member leaves; group Circles auto-archive after 14 days of inactivity (event Circles 14 days after the event end date) and are hard-deleted 7 days later |
| Content rejected by moderation | Media file deleted immediately; the database row is kept as an audit record (no personal data displayed) until account deletion |
| Reports filed by you or against you | Kept until the underlying incident is closed; aggregated statistics may persist |
| Push tokens | Deleted when you disable push notifications or delete your account |
| Backups and logs | Operational logs are kept for up to 90 days; database backups for up to 30 days. After deletion of your account, residual data in backups is purged through the normal backup-rotation cycle |
| Data exports | The signed download link is valid for 1 hour; the file itself is auto-deleted from our storage after that |
| Anonymised analytics | May be kept indefinitely in a form that cannot be linked back to you |
When your account is deleted (see §10), all directly identifying personal data is purged from the live database immediately. Backups are purged through the standard rotation as described above.
Under the GDPR (Articles 12–22) and equivalent rights under the UK GDPR, the CCPA/CPRA, and similar laws, you have the following rights regarding your personal data:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Get confirmation of what data we hold about you and a copy of it | Settings → Privacy → Export my data, or email us |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Edit your profile in-app, or email us for fields you cannot edit |
| Erasure / right to be forgotten (Art. 17) | Delete your data | Settings → Account → Delete account (see §10), or email us |
| Restriction (Art. 18) | Pause processing while a dispute is resolved | Email us |
| Portability (Art. 20) | Receive your data in a machine-readable format (JSON) | Settings → Privacy → Export my data |
| Objection (Art. 21) | Object to processing based on legitimate interests, including for analytics | Email us |
| Withdraw consent (Art. 7(3)) | Revoke any consent you previously gave (location, ads, push) | Toggle the relevant permission off in your device settings or in-app, or email us |
| Automated decisions (Art. 22) | Not be subject to solely automated decisions with legal effect — we do not make any such decisions (automated moderation is reviewable on appeal) | n/a |
Email mycircle.app.2026@gmail.com from the email address tied to your account, or use the in-app shortcuts above. We will respond within 30 days of receipt, as required by Article 12(3) GDPR. In complex cases we may extend that period by a further two months, in which case we will let you know.
We may need to ask for additional information to verify your identity before fulfilling certain requests, in order to protect you against unauthorised disclosure.
If you are a California resident, you also have the right to know which categories of personal information we collected, the sources, the purposes, and the categories of third parties with whom we shared it (this policy provides all that information). You have the right to opt out of the "sale" or "sharing" of personal information — though, as stated above, we do not sell personal data. You have the right not to be discriminated against for exercising your rights. Authorised agents may submit requests on your behalf with written proof of authorisation.
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Portugal, that authority is:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1.º — 1200-651 Lisboa, Portugal
geral@cnpd.pt — https://www.cnpd.pt
You may also complain to the supervisory authority in your country of residence within the EU/EEA.
You can delete your MyCircle account and all associated personal data at any time, with no friction:
What happens next, immediately:
You do not need to give us a reason. We will not try to talk you out of it. There is no "deactivate" middle state — deletion is permanent and immediate.
Residual copies in encrypted backups are purged through the standard backup rotation within 30 days. Some anonymised, aggregated statistics that cannot identify you may persist indefinitely.
If you cannot access the in-app deletion flow (for example, you lost access to your account), email mycircle.app.2026@gmail.com from your account email and we will process the deletion manually within 30 days.
Uninstalling the app from your phone does not, by itself, delete your account. To exercise your right to erasure, please use the in-app flow or contact us.
MyCircle is strictly 18+. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete it immediately. If you are a parent or guardian and believe your child has provided personal data to MyCircle, please contact us at mycircle.app.2026@gmail.com and we will take prompt action.
We protect your personal data through a combination of technical and organisational measures, including:
expo-secure-store, never in plain-text storage;

No system is perfectly secure. We cannot guarantee absolute security, and you remain responsible for protecting your device, your credentials, and your own copies of any media you upload.
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR, and we will notify affected users without undue delay where Article 34 GDPR requires it.
The mobile app itself does not use browser cookies. It does use the following equivalent technologies:
You can clear the local cache by reinstalling the app. You can reset your advertising identifier through your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads).
Our marketing website at https://mycircle-page.vercel.app may use a minimal set of cookies for analytics or functionality. Where applicable, the cookie banner on that site explains and obtains consent for them.
We use Google AdMob to display banner advertisements in the Feed and Events tabs. We do not show ads in Circles, Profile, or Search.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you will see a Google-provided consent message (the User Messaging Platform, "UMP") when you first open the app. The consent message lets you choose between personalised ads, non-personalised ads, or to manage your choices in more detail. You can change your choice at any time in Settings → Ad preferences.
If you choose non-personalised ads, AdMob will still serve you ads, but they will be based only on coarse context (e.g., your country) rather than on your behaviour.
On iOS, Apple's framework also requires the App Tracking Transparency prompt before any cross-app or cross-site tracking. Refusing the prompt means you will see non-personalised ads only.
If a "premium" or ad-free option is offered in the future and you subscribe to it, ads will be turned off entirely.
When you tap "Buy Tickets" or any equivalent call-to-action, you leave MyCircle and are redirected, through an affiliate-tracking URL, to a third-party Ticketing Partner's website or app (SeatGeek, TicketNetwork, StubHub, viagogo, or another partner we may add in the future).
See §9 of our Terms of Service for the full liability disclaimer regarding ticket sales.
We use limited automated processing for the following purposes:
We do not engage in any other form of automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
We may update this policy from time to time. The most current version is always published at https://mycircle-page.vercel.app/privacy, with a "Last updated" date at the top.
For any material change (for example, a new third-party processor, a new category of personal data we collect, or a change in retention periods), we will:
We will not apply a material change to your personal data until at least 30 days after the updated version is published on our website, unless the change is required by law or addresses a security issue, in which case it may take effect immediately.
We encourage you to review this policy periodically. Continuing to use MyCircle after the effective date of an update means you accept the updated policy. If you do not accept it, your remedy is to delete your account (see §10) before the effective date.
For any privacy-related question, request, or complaint, please contact:
Rui Almeida — operator of MyCircle
mycircle.app.2026@gmail.com
Portugal
We will acknowledge your message and respond within 30 days.
Thank you for using MyCircle. Your privacy matters, and we will continue to design the product to keep it that way.