Privacy Policy

This Privacy Policy explains how Nariboo ("we", "us") collects, uses, stores, shares, and protects your personal data when you use the Nariboo mobile application (the "App"). It is written to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent privacy laws in other jurisdictions.

By using Nariboo you confirm that you have read and understood this Policy. If you do not agree with it, please do not use the App.

1. Who we are (Data Controller)

Nariboo is operated by the Nariboo team. For any data-protection question, contact: info@nariboo.com.

2. What data we collect

We collect only what we need to run the App. The categories below correspond to actual fields stored in our backend.

2.1 Account data (only if you sign in)

• Email address
• Display name
• Profile photo URL (from Google/Apple sign-in, if provided)
• Authentication provider (email, Google, or Apple)
• Account role (regular user, organizer, admin)
• Preferred language
• Date of birth (only if you submit it — used for age-restricted event filtering)
• Account status flags (disabled, banned)
• Account creation and last-updated timestamps

2.2 App usage data

• Events you swipe right on (your Hotlist)
• Events you tap the ♥ button on (your Likes)
• Events you save (bookmark)
• Events you dismiss (swipe left)
• Events you mark as attending
• Your search radius preference (in kilometres)
• Theme preference (light / dark / system)
• Weather background preference (on/off)
• Aggregate swipe counters (total rights, total lefts)
• Privacy Policy and Terms of Service acceptance timestamps

2.3 Location data

Your approximate device location, used only to show nearby events on the Map tab and compute distances. Location is requested via the operating system's "When In Use" permission and is never read in the background. We do not store your location history.

Latitude / longitude of events you create or edit (organizer role only) is stored on the event document.

2.4 Device integrity data

A Firebase Installations identifier is generated per app install. It lets us detect abusive installs and is used by our ban system. It is not linked to your device's advertising ID.

Firebase App Check tokens (DeviceCheck on iOS, Play Integrity on Android) are exchanged transiently to confirm requests come from a genuine copy of the App. These tokens are not stored by us.

2.5 Content you upload (organizers only)

Event posters (images) and background videos that you upload are stored in Firebase Storage and are publicly readable because they are attached to public event listings.

2.6 Analytics

Anonymous event-level counters (swipes by category, views, likes, saves, attending counts) are written to Firestore to let you see your own usage statistics in the Analytics tab and to let organizers measure event performance. These are aggregates — we do not build a behavioural profile.

2.7 Technical logs

Standard crash reports and error logs (non-identifying) may be collected via Firebase to help us fix bugs.

3. How we use your data (Purposes & Lawful Basis)

• To provide the App's core features — showing, searching, filtering, saving, and liking events. Lawful basis: performance of the contract between you and us (GDPR Art. 6(1)(b)).
• To keep your account secure, prevent fraud, and enforce our Terms of Service (including device bans). Lawful basis: legitimate interests (Art. 6(1)(f)) and compliance with legal obligations (Art. 6(1)(c)).
• To respect your preferences (theme, radius, language). Lawful basis: consent and contract performance.
• For age-restricted event gating, where applicable. Lawful basis: compliance with legal obligations.
• To provide aggregated statistics inside the App. Lawful basis: legitimate interests.

We do not use your personal data for advertising profiling. We do not sell your personal data to any third party.

4. Who we share data with (Processors & Sub-processors)

The App runs on third-party infrastructure. These providers process your data only on our behalf and under written agreements.

• Google / Firebase (United States / EU) — Firebase Authentication, Cloud Firestore, Cloud Storage, App Check, Installations, Analytics.
• Google Sign-In / Apple Sign-In — only if you choose those sign-in methods. These providers send us the minimum profile fields listed in Section 2.1.
• Google Maps Platform — to render the Map tab. The Maps SDK may collect diagnostic data per Google's own privacy policy.
• Open-Meteo (EU-based, non-commercial weather API) — we send only a coarse latitude/longitude rounded for a city-level weather lookup used to pick a background video. No personal identifier is sent.

When Firebase processes data outside the EU, Google's Standard Contractual Clauses and its Data Processing Addendum apply.

5. International transfers

Your data may be processed on servers outside your country of residence (primarily in the United States via Google Cloud). Appropriate safeguards (SCCs) are in place as described above.

6. How long we keep data

• Account data: for the lifetime of your account. When you delete your account we erase (a) your user document, (b) events you organized (cascade delete), and (c) media you uploaded.
• Hotlist / Likes / Saved / Dismissed / Attending lists: as long as your account exists, or until you remove the item.
• Anonymous aggregate counters stored on public event documents may persist after deletion of your account because they are not linked to you.
• Local cache (Hive and image cache): stored on your device only; you can wipe it at any time via Settings → Storage → Clear cache.

7. Your rights under GDPR

You have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data (edit it from Settings).
• Erase your data ("right to be forgotten") — use Settings → Delete account.
• Restrict processing while a dispute is investigated.
• Portability — request a machine-readable export.
• Object to processing based on legitimate interests.
• Withdraw consent at any time (where we rely on consent).
• Lodge a complaint with your local Data Protection Authority.

To exercise any right, email info@nariboo.com. We will respond within 30 days (extendable to 60 days for complex requests, as allowed by GDPR Art. 12(3)).

8. Guests (using the App without signing in)

You can browse, swipe, search, and view the Map without creating an account. In guest mode we do not create a user document and your in-session Hotlist lives only on your device and is lost on a cold start. Device integrity checks (Section 2.4) still apply.

9. Children

Nariboo is not directed at children under 13. We do not knowingly collect data from children under 13. Some events are age-gated by their organizer (e.g., 18+ venues) — we enforce these client-side using the date of birth you optionally provide.

10. Security

We use Firebase Authentication, Firebase App Check, Firestore Security Rules, and Storage Security Rules to restrict access to your data. All traffic between the App and Firebase is TLS encrypted. No system is perfectly secure, however, and you are responsible for keeping your device and sign-in credentials safe.

11. Changes to this Policy

If we materially change this Policy we will bump the version number and ask you to accept it again on next launch. Non-material edits (typos, clarifications) may be published without re-prompt.

12. Contact

Privacy questions: info@nariboo.com
General contact: info@nariboo.com