Privacy Policy
Effective 6 June 2026
This Privacy Policy explains what information we collect when you use BeatThis (the “App”),
why we collect it, how it is stored, who it is shared with, and what choices you have about it.
We’ve written this in plain language. If anything is unclear, email support@beatthis.me.
1. Who we are
BeatThis is operated by Charles Moreau, an individual based in London, United Kingdom (“we”,
“us”, “our”). For any privacy questions or requests, contact us at support@beatthis.me.
2. Information we collect
2.1 Information you provide
- Account information. Email address and password (stored hashed, never in plain text).
- Profile information. Display name, optional profile photo.
- User content. Photos and videos you submit as challenge entries, captions, comments you write, ratings (1–5 stars) and emoji reactions you give.
- Group information. Names of groups you create, join codes, group photos, and the members of those groups (limited to people you have actively chosen to add).
- Moderation reports. When you report a submission, we keep the reason, optional details, and your identity (so we can follow up).
2.2 Information collected automatically
- Push notification token. A device identifier issued by Expo / Apple / Google when you opt in to push notifications. We use it solely to deliver in-app notifications (challenge set, new submission, new comment, new rating).
- Authentication logs. Sign-in timestamps and IP addresses, stored by our authentication provider Supabase for security and abuse-prevention purposes.
- Device information. Basic technical information (operating system, app version) used by the Expo runtime to render the app correctly. We do not embed any analytics, advertising, or tracking SDKs.
2.3 Information we do not collect
- We do not collect precise location.
- We do not collect contacts, calendar, or unrelated photos.
- We do not use third-party advertising identifiers (IDFA, AAID).
- We do not embed any tracking pixels or analytics SDKs (no Google Analytics, Meta SDK, Firebase Analytics, Mixpanel, etc.).
3. How we use information
- To create and maintain your account.
- To deliver the core function of the App: showing your challenge entries to the friends in your group, computing the leaderboard, and surfacing comments / ratings / reactions back to you.
- To send in-app push notifications when something happens that involves you (a new challenge in your group, someone rates your entry, someone comments on your entry, etc.).
- To send transactional emails: email confirmation and password reset.
- To investigate and respond to abuse reports.
- To protect the security of the App and the people who use it.
We do not use your information for advertising, marketing, profiling, or sale.
4. Legal basis (for users in the EEA, UK, and Switzerland)
We process your personal data on the basis of:
- Performance of a contract (Article 6(1)(b) GDPR): the data we collect is necessary to provide you the App once you create an account.
- Legitimate interests (Article 6(1)(f) GDPR): protecting the security of the App, preventing abuse, and responding to reports.
- Consent (Article 6(1)(a) GDPR): for push notifications, which require your explicit permission and can be withdrawn at any time from your device settings.
5. Sharing & processors
We do not sell your information. We do not share it with third parties for their own marketing.
We rely on the following service providers (“sub-processors”) to operate the App:
- Supabase — database, authentication, file storage, push notification trigger. Hosted in the EU (Frankfurt region).
- Expo — delivery of push notifications to Apple Push Notification Service and Firebase Cloud Messaging.
- Resend — delivery of transactional emails (confirmation, password reset).
- Apple and Google — for delivering push notifications to your device and for App Store distribution.
Each of these providers processes data only on our instructions and only for the purposes
described above.
6. International transfers
Our primary database is hosted in the European Union. Some sub-processors (such as Expo)
operate in the United States. Where data is transferred outside the EEA, we rely on the
Standard Contractual Clauses approved by the European Commission, or on equivalent
mechanisms provided by those processors.
7. Retention
- Account, profile, and content data is retained as long as your account is active.
- When you delete your account, we permanently remove your profile, group memberships, submissions, ratings, comments, reactions, and reports from our database, normally within 24 hours. Cached copies on push delivery services or email-delivery logs may persist for up to 90 days.
- Authentication logs (sign-in timestamps, IP) are kept by Supabase for approximately 90 days.
8. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — ask for a copy of the information we hold about you.
- Correction — correct inaccurate information. You can change your display name and photo directly in the App at any time.
- Deletion — delete your account and all associated content at any time from Settings → Delete account.
- Object / restrict — ask us to stop or restrict certain processing.
- Portability — ask us for your data in a machine-readable format.
- Complaint — lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email support@beatthis.me. We respond within 30 days.
9. California residents (CCPA / CPRA)
We do not sell or share personal information as those terms are defined under California
law. The categories of personal information we collect are: identifiers (email, display
name), customer records (account credentials), internet activity (auth logs), and
user-generated content (photos, captions, comments, ratings). California residents have
the right to know, delete, and correct their personal information; submit requests to the
email above.
10. Children
BeatThis is not directed at children under 13. We do not knowingly collect information from
children under 13. For users in the European Economic Area, the minimum age is 16 unless
your country has set a lower minimum age in accordance with Article 8 GDPR. If you believe
a child has provided us with personal information, contact us and we will delete it.
11. Security
We take reasonable technical and organisational measures to protect your information:
passwords are stored hashed; data in transit uses TLS; database access is gated by
row-level security policies; storage uploads are scoped to your account; sensitive
profile fields (push tokens, activity timestamps) are accessible only to you. No system
is perfectly secure, however, and we cannot guarantee absolute security.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we
will notify you in the App and update the “Effective” date above. Continued use
of the App after a change indicates your acceptance of the updated policy.
13. Contact
Questions, requests, or complaints: email support@beatthis.me.