IRL
Home
Legal · Effective 21 April 2026

Privacy Policy

TL;DR

  • We collect only what the app needs to work: phone, location while in use, your display name, photos, messages with people you match with, check-ins.
  • We don't collect email, contacts, calendar, mic, or advertising ID. We don't track you across other apps.
  • We don't sell your data. We don't share it with advertisers.
  • Your data sits in the EU (Neon, Frankfurt region) unless a US subprocessor temporarily handles it (Twilio SMS, Expo push, OpenAI photo verification).
  • You have full GDPR/CCPA rights — access, correction, deletion, export, objection. Email hello@irl.tech and we reply within 30 days.

This policy explains how IRL (the mobile app) handles your personal data. The service is operated by soultosoul LLC, a Wyoming limited liability company with its registered address at 1021 E Lincolnway, Suite 5644, Cheyenne, WY 82001, USA ("soultosoul", "we", "us", "our").

We wrote this in plain English because we'd rather you actually read it. When you see a word like "personal data" it means what GDPR says it means. If anything here conflicts with a mandatory right granted to you by local law, local law wins.

1. What we collect

This is the complete list. If it's not here, we don't collect it.

You give us

  • Phone number. Used to create your account and deliver a one-time SMS verification code. We do not use it for marketing.
  • Display name (first name or nickname) and, optionally, an avatar photo.
  • Posts you create (text + photo) to share with people you've met through IRL.
  • Chat messages you send to people you've matched with.
  • Reports and blocks you submit against other users.

We read from your device (with your permission)

  • Precise location (GPS). Used only while the app is open. We use it to (a) show you nearby spots on the map, (b) match you with people at the same spot, and (c) verify a 50-metre radius when you scan the QR at a meetup. We do not track your location in the background.
  • Push notification token (Apple/Google/Expo identifier). Used to send match and message notifications. Not used for anything else.
  • Camera — only when you take or upload a photo.

We generate automatically

  • Check-in history — which spot, which vibe/purpose, when.
  • Match and connection records — who met whom, where, when.
  • Diagnostics — device model, OS version, app version, crash logs. Not linked to an identifier used to track you across apps.

2. What we don't collect

  • No email address (unless you voluntarily provide one as a venue owner for business verification).
  • No full legal name.
  • No contacts, no calendar, no microphone, no advertising identifier (IDFA/AAID).
  • No cross-app tracking. Our Apple App Privacy label is "Data Not Used to Track You" and that's accurate.
  • No behavioural advertising signals. There are no ads in IRL.

3. How we use it

Each data type is used for a specific, limited purpose.

  • Phone number → authenticate you; send the one-time SMS code via Twilio; prevent duplicate accounts.
  • Location → show spots on the map; match you with people at the same spot; 50-metre QR verification when you actually meet.
  • Display name, avatar, posts, chat → display to the specific users you've matched with or connected to through real-world meetings.
  • Push token → deliver match notifications and new messages.
  • Check-in and match records → power the map, run the matching algorithm, and power the points/invite system.
  • Report/block data, moderation records → investigate abuse, enforce community guidelines, comply with law.
  • Diagnostics → fix crashes, improve stability. Not used for personalisation.

Legal basis under GDPR: we rely on (a) contract performance for everything that makes the app functional (accounts, matching, chat); (b) legitimate interests for fraud prevention, safety, and diagnostics; and (c) your consent for optional device permissions (camera, location). You can withdraw any permission in your phone's settings at any time.

4. Who we share it with

We only share data with service providers ("subprocessors") that we need to run the app. Each one is contractually bound to process your data only on our instructions.

  • Neon (Neon Inc., USA) — managed PostgreSQL; your account data, posts, chat, check-ins, and matches live here. Database region: EU (Frankfurt).
  • Upstash (Upstash Inc., USA) — managed Redis; short-lived data only (SMS OTP codes with a 5-minute TTL, event bus).
  • Vercel (Vercel Inc., USA) — hosting for our API and website; serverless functions may temporarily process requests from edge locations in Germany and the US.
  • Vercel Blob (Vercel Inc., USA) — image storage for avatars and post photos.
  • Expo (650 Industries Inc., USA) — delivers push notifications to your device.
  • Twilio (Twilio Inc., USA) — delivers the SMS verification code.
  • OpenAI (OpenAI, L.L.C., USA) — used only for photo verification when a user claims to be the first person at a newly-submitted spot ("pioneer" feature). We pass the submitted photo plus a spot code to OpenAI — no other user identifiers.

We do not sell personal data. We do not share it with advertisers. We do not provide it to data brokers. If we are ever required to disclose data under valid legal process (subpoena, court order, or GDPR-recognised law-enforcement request), we will review the request and notify you where legally permitted.

5. Data retention

  • SMS verification codes: 5 minutes (Redis TTL), then automatically purged.
  • Expired matches and old check-ins: 90 days after expiry, then deleted.
  • Chat messages: retained while the connection (match) is active; 90 days after disconnection, then deleted.
  • Account data (phone, display name, avatar, posts, history): until you delete your account (see §7).
  • Moderation records (reports you file or reports filed against you, block records): 2 years after account deletion, for safety and law-enforcement cooperation.
  • Diagnostic logs: 30 days.

6. Your rights (GDPR & CCPA)

No matter where you live, you have these rights over your personal data:

  • Access — request a copy of what we hold about you.
  • Rectification — correct anything inaccurate.
  • Erasure ("right to be forgotten") — have your data deleted.
  • Restriction — pause processing in certain circumstances.
  • Portability — get your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — for anything you consented to (camera, location), at any time, via your device settings.
  • Not be discriminated against (CCPA) for exercising a right.

To exercise any right, email hello@irl.tech. We will verify your identity (typically by confirming a text to your registered phone) and respond within 30 days. We don't charge for this.

If you think we've mishandled your data, you can complain to a supervisory authority. If you're in Portugal, that's Comissão Nacional de Proteção de Dados (CNPD). Elsewhere in the EU, it's your country's data protection authority. We'd prefer you try us first, though — we respond within a day when we're working.

7. Account deletion

For Apple reviewersAccount deletion is available directly inside the app at Me (bottom-right tab) → Settings Delete account. If you can't access the app, email support@irl.tech from the phone number tied to the account and we will delete it within 72 hours. This satisfies Apple App Store Review Guideline 5.1.1(v).

When you delete your account:

  • Your profile, posts, and chat messages become inaccessible immediately.
  • Your phone number is hashed so the same number can't re-register as a new account within 30 days (abuse prevention).
  • All personal data is permanently deleted within 30 days, except moderation records (see §5).

8. Security

We take security seriously without promising things we can't guarantee.

  • All data in transit is encrypted with TLS 1.2+.
  • Data at rest is encrypted using our database provider's industry-standard at-rest encryption (Neon).
  • Authentication uses short-lived JWT access tokens signed with a secret we rotate.
  • Database access is restricted to our backend service and scoped per environment.
  • We log and alert on unusual access patterns.
  • If we discover a breach affecting your data, we'll notify affected users and the relevant supervisory authority within 72 hours, as GDPR requires.

No online service is perfectly secure. We protect against known threats; you help by not sharing your SMS verification code and by reporting suspicious accounts.

9. Children

IRL is rated 17+ on the App Store and is not intended for anyone under 17. We do not knowingly collect data from users under 17. If you believe a user is under 17, email hello@irl.tech and we'll investigate and remove the account.

10. International transfers

Our primary database region is the European Union (Neon, Frankfurt). Some of our subprocessors — Twilio, Expo, OpenAI, Vercel — are US-based and may process your data in the US for the specific task we use them for (SMS, push, photo verification, serverless execution).

Where EU data is sent to the US, we rely on (a) the subprocessor's certification under the EU-US Data Privacy Framework where available, or (b) Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Changes to this policy

We update this policy when the app changes. For any material change (new data type, new subprocessor, new purpose), we will notify you in the app and by push notification at least 14 days before the change takes effect. If you don't agree with the change, you can delete your account before then.

12. Contact

Data controller:
soultosoul LLC
1021 E Lincolnway, Suite 5644
Cheyenne, WY 82001
United States

Email: hello@irl.tech

If you're in the EU/EEA and prefer to write to an EU address, email us at the same address and we'll route to our EU representative. We aim to appoint a formal GDPR Article 27 representative in the EU before we exceed the threshold at which one is required.

Effective: 21 April 2026. Last updated: 21 April 2026.

Questions? hello@irl.tech · Terms of Service