← Back to MyCircle MyCircle

MyCircle — Privacy Policy

Effective date: 8 June 2026

Last updated: 15 June 2026

This Privacy Policy explains how Rui Almeida, a sole individual operator based in Portugal, trading as MyCircle ("MyCircle", "we", "us", "our"), collects, uses, shares, retains, and protects your personal data when you use the MyCircle mobile application and related services (collectively, the "Service").

We take your privacy seriously. This policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Portuguese Data Protection Act (Lei n.º 58/2019), the California Consumer Privacy Act of 2018 as amended by the CPRA (CCPA/CPRA), the UK GDPR, and other applicable privacy laws.

If you do not agree with this policy, please do not use MyCircle.


1. Who is the data controller?

The data controller for the purposes of GDPR Article 4(7) is:

MyCircle is operated as an independent personal project by a single natural person. There is no parent company, no group of companies, and no formal data-protection officer (DPO). Because of the scale and nature of the processing, MyCircle is not legally required to appoint a DPO under Article 37 GDPR. You may contact the operator directly at the email above for all privacy-related matters.


2. A summary in plain language

Before the formal sections below, here is the short version of what we do and do not do:


3. What personal data we collect

We collect the categories of personal data listed below. Where the legal basis is "consent", you can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

3.1 Data you give us when you register or use the app

CategoryExamplesWhy we need itLegal basis (GDPR Art. 6)
IdentifiersEmail address, username, display nameAccount creation, login, identifying you on the platformPerformance of contract (6(1)(b))
Profile dataDate of birth, gender, city, avatar photo, bioVerifying 18+ eligibility, personalising the feed, displaying your profile to other usersPerformance of contract; legitimate interests for age verification (6(1)(b), 6(1)(f))
Location dataGPS coordinates (precise or snapped to a ~1 km grid)Showing nearby people, posts, Moments, eventsConsent (6(1)(a)) — you grant location permission at the OS level
User contentPosts, Moments, captions, comments, likes, messages in Circles and DMs, saved eventsOperating the social featuresPerformance of contract (6(1)(b))
Social graphFriend requests, accepted friendships, blocks, reports you file, Circles you joinOperating the social features and the safety featuresPerformance of contract; legitimate interests for safety (6(1)(b), 6(1)(f))
CommunicationsEmails you send us, in-app reports, appealsCustomer support, safety triageLegitimate interests (6(1)(f))

3.2 Data we collect automatically

CategoryExamplesWhy we need itLegal basis
Technical / device dataDevice model, OS version, app version, language, time zone, push token (when push is enabled), crash and error logs (collected via Sentry — see §6.1), build identifier used for over-the-air updates (delivered via Expo — see §6.1)Running the app, debugging, security, delivering app updates between store releasesLegitimate interests (6(1)(f))
Authentication dataSession tokens, refresh tokens, login timestamps, IP address at loginKeeping you logged in securelyPerformance of contract; legitimate interests for security (6(1)(b), 6(1)(f))
Usage dataWhich screens you open, which features you use, approximate session lengthImproving the appLegitimate interests (6(1)(f))
Advertising identifiersIDFA on iOS (only after you accept the App Tracking Transparency prompt), Google Advertising ID on AndroidShowing ads through AdMobConsent (6(1)(a)) — collected only after you opt in via ATT / UMP

3.3 Data from third parties

If you sign in with Google or Apple, we receive your email address and (for Google) your name and profile picture. We do not receive your password, your contacts, or any other information from those providers.

3.4 Sensitive data

MyCircle is not designed to collect special-category data under Article 9 GDPR (health, religion, ethnicity, sexual orientation, political opinions, biometrics, etc.). If you voluntarily include such information in your bio, posts, or messages, you do so on your own initiative and you consent to its processing for the purposes set out in this policy.


4. How we use your personal data

We use personal data only for the purposes for which it was collected, namely:

  1. To operate the Service — register your account, authenticate you, store and display the content you post, deliver messages, surface nearby users and events.
  2. To personalise your experience — sort the feed by proximity, age band (±5 years by default), and social context.
  3. To keep MyCircle safe — run automated content moderation (Google Cloud Vision SafeSearch), enforce blocks, process reports, detect spam, prevent fraud, and respond to safety incidents.
  4. To communicate with you — send transactional emails (email confirmation, password reset, security alerts), respond to your support requests, notify you of changes to this policy.
  5. To show ads — display banner ads through Google AdMob, subject to your consent in the EU/UK. We share only the minimum data needed for ad delivery (see §6).
  6. To monetise event listings — when you tap "Buy Tickets", we redirect you through an affiliate-tracking URL so that the Ticketing Partner can attribute the sale to MyCircle and pay us a commission. We do not pass your name, email, or any other personal data through the affiliate link — only an opaque click identifier.
  7. To improve the Service — analyse aggregated, anonymised usage to fix bugs and design better features.
  8. To comply with law — respond to lawful requests from public authorities, enforce our Terms of Service, and defend our legal rights.

We will not use your personal data for any new, materially different purpose without first notifying you and, where required, obtaining your consent.


5. Location data — special section

Because location is central to MyCircle, we explain its processing in more detail.

5.1 Why we need it

MyCircle is, by design, a proximity-based social-discovery app. Without your location we cannot surface nearby people, Moments, posts, or events. Location is the core feature, not an optional add-on.

5.2 What we collect

Your most recent location point at the time the app refreshes a discovery feed. We do not maintain a continuous tracking trail. We do not collect location data in the background unless you explicitly grant the "Always" permission (which we do not currently request).

5.3 Precise vs. approximate

In Settings → Privacy → Location accuracy you can choose between:

Posts and Moments you create are also tagged with a location stamp that respects your accuracy setting at the time of posting.

5.4 Who sees your location

5.5 Turning it off

You can:

Disabling location will leave the discovery features empty. The rest of the app (your friends, your Circles, your DMs, your profile) will continue to work.

5.6 Legal basis

We rely on your consent under Article 6(1)(a) GDPR, given by granting location permission at the OS level. You can withdraw consent at any time as described above. Consent withdrawal does not affect the lawfulness of processing carried out before the withdrawal.


6. Who we share your data with

We share your personal data only as described below. We do not sell personal data and we have not sold or shared personal data for cross-context behavioural advertising in the meaning of the CCPA/CPRA in the preceding twelve months, except as described under "Advertising" below.

6.1 Processors acting on our behalf (Article 28 GDPR)

These providers process personal data on our written instructions, under a data-processing agreement that meets Article 28 requirements:

ProcessorRoleData location
Supabase, Inc.Backend infrastructure: database, authentication, storage, edge functions, realtimeUnited States (us-west-1, Northern California)
Google Cloud Platform (Cloud Vision API)Automated content moderation of uploaded images and videosProcessed in transit; not retained by Google beyond the API call
Expo, Inc. (Expo Application Services)Build infrastructure and over-the-air (OTA) updates to deliver app updates between store releases; push-notification infrastructure (planned, not yet active in V1). Expo receives a build identifier and your device's OS version to deliver the correct update.United States
Functional Software, Inc. (Sentry)Crash and error reporting — detecting and diagnosing app crashes and runtime errors. When an error occurs, we share with Sentry: your user identifier (UUID only, no email or name), device model, OS version, app version, IP address (briefly, for delivery routing only — not retained for analytics), and the technical context of the error (stack trace, breadcrumbs, app state at the time of the crash).United States
Apple Inc.iOS push notifications (APNs) — planned, not yet active in V1United States
Google LLCAndroid push notifications (FCM) — planned, not yet active in V1United States

6.2 Independent controllers we share data with

These third parties decide the purposes and means of their own processing. When you interact with them, their privacy policy applies in addition to ours:

PartyWhen we shareWhat is sharedTheir policy
Google AdMobWhile you use the app and ads are shownAdvertising identifier (IDFA / Google Advertising ID), coarse IP-derived location, ad interaction signals, consent stringpolicies.google.com/privacy
Google Sign-InIf you sign in with GoogleYour Google email and basic profile, returned to us by Googlepolicies.google.com/privacy
Apple Sign-InIf you sign in with AppleYour Apple Relay email and a unique Apple identifierapple.com/legal/privacy
Ticketing Partners: SeatGeek, TicketNetwork, StubHub, viagogoWhen you tap "Buy Tickets" and are redirected to their siteAn anonymised click identifier through our affiliate-tracking partners (currently Impact.com, with Partnerize Ltd. as a secondary network) — we do not transmit your name, email, or any directly identifying personal data; any information you then enter on the Ticketing Partner's site (payment, address, etc.) is collected directly by themEach partner publishes its own privacy policy on its own site
Impact.com (Impact Tech, Inc.)Affiliate-link tracking (primary network)Click identifier, referrer, partner program IDimpact.com/privacy-policy
Partnerize Ltd.Affiliate-link tracking (secondary network)Click identifier, referrer, partner program IDpartnerize.com/privacy

6.3 Other recipients

6.4 What we never do


7. International transfers

MyCircle's primary backend (database, authentication, storage, edge functions) is hosted by Supabase, Inc. in the United States (us-west-1, Northern California). This means that personal data of users located in the European Economic Area (EEA), the United Kingdom, and Switzerland is transferred to and processed in the United States. Several of our other processors are also U.S.-based.

We ensure that an adequate level of protection is in place for these international transfers through one or more of the following safeguards under Articles 44–49 GDPR:

By creating an account and using MyCircle, you understand that your personal data will be processed in the United States and you accept the transfer on the legal bases above.

You can request a copy of the safeguards in place by emailing mycircle.app.2026@gmail.com.


8. How long we keep your data

We keep personal data only for as long as we need it for the purposes set out in this policy or as required by law.

DataRetention
Active account profile, posts, Circles, friendsFor as long as your account is active
MomentsAutomatically deleted 24 hours after creation by a scheduled job
Messages in Circles and DMsFor as long as the Circle exists; DMs are deleted when the last member leaves; group Circles auto-archive after 14 days of inactivity (event Circles 14 days after the event end date) and are hard-deleted 7 days later
Content rejected by moderationMedia file deleted immediately; the database row is kept as an audit record (no personal data displayed) until account deletion
Reports filed by you or against youKept until the underlying incident is closed; aggregated statistics may persist
Push tokensDeleted when you disable push notifications or delete your account
Backups and logsOperational logs are kept for up to 90 days; database backups for up to 30 days. After deletion of your account, residual data in backups is purged through the normal backup-rotation cycle
Data exportsThe signed download link is valid for 1 hour; the file itself is auto-deleted from our storage after that
Anonymised analyticsMay be kept indefinitely in a form that cannot be linked back to you

When your account is deleted (see §10), all directly identifying personal data is purged from the live database immediately. Backups are purged through the standard rotation as described above.


9. Your rights

Under the GDPR (Articles 12–22) and equivalent rights under the UK GDPR, the CCPA/CPRA, and similar laws, you have the following rights regarding your personal data:

RightWhat it meansHow to exercise
Access (Art. 15)Get confirmation of what data we hold about you and a copy of itSettings → Privacy → Export my data, or email us
Rectification (Art. 16)Correct inaccurate or incomplete dataEdit your profile in-app, or email us for fields you cannot edit
Erasure / right to be forgotten (Art. 17)Delete your dataSettings → Account → Delete account (see §10), or email us
Restriction (Art. 18)Pause processing while a dispute is resolvedEmail us
Portability (Art. 20)Receive your data in a machine-readable format (JSON)Settings → Privacy → Export my data
Objection (Art. 21)Object to processing based on legitimate interests, including for analyticsEmail us
Withdraw consent (Art. 7(3))Revoke any consent you previously gave (location, ads, push)Toggle the relevant permission off in your device settings or in-app, or email us
Automated decisions (Art. 22)Not be subject to solely automated decisions with legal effect — we do not make any such decisions (automated moderation is reviewable on appeal)n/a

9.1 How to ask

Email mycircle.app.2026@gmail.com from the email address tied to your account, or use the in-app shortcuts above. We will respond within 30 days of receipt, as required by Article 12(3) GDPR. In complex cases we may extend that period by a further two months, in which case we will let you know.

We may need to ask for additional information to verify your identity before fulfilling certain requests, in order to protect you against unauthorised disclosure.

9.2 California residents (CCPA/CPRA)

If you are a California resident, you also have the right to know which categories of personal information we collected, the sources, the purposes, and the categories of third parties with whom we shared it (this policy provides all that information). You have the right to opt out of the "sale" or "sharing" of personal information — though, as stated above, we do not sell personal data. You have the right not to be discriminated against for exercising your rights. Authorised agents may submit requests on your behalf with written proof of authorisation.

9.3 Right to lodge a complaint

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Portugal, that authority is:

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1.º — 1200-651 Lisboa, Portugal
geral@cnpd.pt — https://www.cnpd.pt

You may also complain to the supervisory authority in your country of residence within the EU/EEA.


10. Account deletion — the one-tap right to be forgotten

You can delete your MyCircle account and all associated personal data at any time, with no friction:

  1. Open the app
  2. Tab → Profile
  3. SettingsAccountDelete account
  4. Type DELETE in the confirmation field
  5. Tap Confirm

What happens next, immediately:

You do not need to give us a reason. We will not try to talk you out of it. There is no "deactivate" middle state — deletion is permanent and immediate.

Residual copies in encrypted backups are purged through the standard backup rotation within 30 days. Some anonymised, aggregated statistics that cannot identify you may persist indefinitely.

If you cannot access the in-app deletion flow (for example, you lost access to your account), email mycircle.app.2026@gmail.com from your account email and we will process the deletion manually within 30 days.

Uninstalling the app from your phone does not, by itself, delete your account. To exercise your right to erasure, please use the in-app flow or contact us.


11. Children

MyCircle is strictly 18+. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete it immediately. If you are a parent or guardian and believe your child has provided personal data to MyCircle, please contact us at mycircle.app.2026@gmail.com and we will take prompt action.


12. Security

We protect your personal data through a combination of technical and organisational measures, including:

No system is perfectly secure. We cannot guarantee absolute security, and you remain responsible for protecting your device, your credentials, and your own copies of any media you upload.

Data breach notification

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR, and we will notify affected users without undue delay where Article 34 GDPR requires it.


13. Cookies and similar technologies

The mobile app itself does not use browser cookies. It does use the following equivalent technologies:

You can clear the local cache by reinstalling the app. You can reset your advertising identifier through your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads).

Our marketing website at https://mycircle-page.vercel.app may use a minimal set of cookies for analytics or functionality. Where applicable, the cookie banner on that site explains and obtains consent for them.


14. Advertising and consent

14.1 How ads are delivered

We use Google AdMob to display banner advertisements in the Feed and Events tabs. We do not show ads in Circles, Profile, or Search.

14.2 Consent in the EU and the UK

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you will see a Google-provided consent message (the User Messaging Platform, "UMP") when you first open the app. The consent message lets you choose between personalised ads, non-personalised ads, or to manage your choices in more detail. You can change your choice at any time in Settings → Ad preferences.

If you choose non-personalised ads, AdMob will still serve you ads, but they will be based only on coarse context (e.g., your country) rather than on your behaviour.

14.3 App Tracking Transparency on iOS

On iOS, Apple's framework also requires the App Tracking Transparency prompt before any cross-app or cross-site tracking. Refusing the prompt means you will see non-personalised ads only.

14.4 Premium users

If a "premium" or ad-free option is offered in the future and you subscribe to it, ads will be turned off entirely.


15. Third-party ticket sales — privacy implications

When you tap "Buy Tickets" or any equivalent call-to-action, you leave MyCircle and are redirected, through an affiliate-tracking URL, to a third-party Ticketing Partner's website or app (SeatGeek, TicketNetwork, StubHub, viagogo, or another partner we may add in the future).

See §9 of our Terms of Service for the full liability disclaimer regarding ticket sales.


16. Automated decision-making and profiling

We use limited automated processing for the following purposes:

We do not engage in any other form of automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.


17. Changes to this policy

We may update this policy from time to time. The most current version is always published at https://mycircle-page.vercel.app/privacy, with a "Last updated" date at the top.

For any material change (for example, a new third-party processor, a new category of personal data we collect, or a change in retention periods), we will:

We will not apply a material change to your personal data until at least 30 days after the updated version is published on our website, unless the change is required by law or addresses a security issue, in which case it may take effect immediately.

We encourage you to review this policy periodically. Continuing to use MyCircle after the effective date of an update means you accept the updated policy. If you do not accept it, your remedy is to delete your account (see §10) before the effective date.


18. Contact us

For any privacy-related question, request, or complaint, please contact:

Rui Almeida — operator of MyCircle
mycircle.app.2026@gmail.com
Portugal

We will acknowledge your message and respond within 30 days.

Thank you for using MyCircle. Your privacy matters, and we will continue to design the product to keep it that way.