Privacy Policy

PopOff ("we," "us," or "our") operates the PopOff web application at getpopoff.com. This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and an optional username. If you sign in with Google or Apple, we receive the email address and basic profile information provided by those services. We do not access your contacts, photos, or other data from those accounts.

1.2 Preferences & Interests

We store your selected event category interests (e.g., nightlife, live music, comedy) and notification preferences (email reminders, push alerts, weekly digest opt-in/out). These are used solely to personalize your experience.

1.3 Usage & Interaction Data

When you are signed in, we record which events you view, tap, bookmark, and share. This data powers personalized recommendations in your weekly digest and feed ranking. Anonymous (non-signed-in) users may have page-level view counts recorded without any user identifier.

1.4 Comments & Social Activity

If you post comments or likes on events or neighborhoods, that content is stored alongside your user ID and displayed publicly.

1.5 Feedback

When you submit feedback (bug reports, feature requests, or event suggestions), we store the message content, the page you submitted it from, and optionally your email address if you are signed in.

1.6 Location Data

The map feature may request your device location via your browser's geolocation API when you choose to center the map on your current position. We do not store, transmit, or log your location. You can deny this permission at any time through your browser settings.

1.7 Push Notification Data

If you opt in to push notifications, we store a push subscription endpoint and associated delivery keys or device tokens. These are used exclusively to deliver notifications you have opted into (day-of reminders, trending alerts). You can manage those notification preferences in Settings.

1.8 Local Storage

We use your browser's local storage to remember your city preference, onboarding status, and push notification prompt state. This data stays on your device and is not sent to our servers unless you create an account (at which point category interests are migrated to your profile).

2. Analytics

We use PostHog for product analytics to understand how people use PopOff (e.g., which pages are visited most often). PostHog is configured in cookieless mode — it does not set cookies, does not use local storage for persistence, and does not track you across sessions or websites. Analytics data is stored in memory only and is cleared when you close the page.

PostHog collects page URLs, referrer information, and basic browser/device metadata (screen size, browser type). We do not link analytics data to your user account. PostHog's privacy policy is available at posthog.com/privacy.

3. Cookies

PopOff uses a minimal number of cookies, all strictly necessary for the app to function:

• Authentication session cookie — an HTTP-only, secure cookie managed by Supabase to keep you signed in.
• City preference cookie — remembers your selected city (e.g., DC or NYC) so pages load correctly.

We do not use advertising cookies, tracking cookies, or any third-party cookies. No cookie consent banner is required because all cookies are strictly necessary for functionality.

4. How We Use Your Information

• Personalization: Your category interests and interaction history are used to rank events in your feed and curate your weekly digest email.
• Notifications: Your email and push subscription are used to send day-of reminders for bookmarked events, weekly digests, and trending alerts — only for notification types you have opted into.
• Product improvement: Anonymized analytics help us understand which features are used and where users encounter issues.
• Support: Feedback submissions help us fix bugs and prioritize features.

We do not sell, rent, or share your personal information with advertisers or data brokers.

5. Third-Party Services

We use the following third-party services that may process your data as described:

• Supabase (authentication and database hosting) — stores your account data, preferences, and app content. Data is hosted in the US.
• PostHog (analytics) — receives anonymous page view events in cookieless mode. Data is hosted in the US.
• Resend (email delivery) — receives your email address and email content when we send notifications. Used only for transactional emails you have opted into.
• Mapbox (map rendering) — receives map tile requests when you use the map feature. Mapbox may collect IP addresses and usage data per their privacy policy.
• Netlify (hosting) — serves the application. Netlify may log IP addresses and request metadata per their privacy policy.
• Google / Apple (OAuth sign-in) — if you use social sign-in, these providers share your email address with us. We do not send data back to them.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account (available in Settings), all associated data is permanently deleted, including your profile, preferences, bookmarks, comments, interaction history, push subscriptions, and notification logs. This deletion is immediate and irreversible.

Anonymized analytics data in PostHog is retained per PostHog's standard retention policy and cannot be linked back to your account.

Feedback submissions may be retained after account deletion to help us improve the product, but any associated email or user ID is removed.

7. Your Rights & Choices

• Access & update: You can view and update your email, username, interests, and notification preferences in Settings.
• Delete your account: You can permanently delete your account and all associated data from Settings at any time.
• Unsubscribe from emails: Every email includes a one-click unsubscribe link. You can also toggle email notifications off in Settings.
• Revoke push notifications: Toggle push notifications off in Settings or revoke permission in your browser.
• Deny location access: You can deny or revoke geolocation permission in your browser at any time. The app works fully without it.

8. Security

We use industry-standard measures to protect your data, including HTTPS encryption in transit, HTTP-only secure session cookies, HMAC-signed unsubscribe tokens, and server-side admin access controls. Passwords are hashed by Supabase and never stored in plaintext.

9. Children's Privacy

PopOff is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of PopOff after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, please reach out via the Feedback button in the app or email us at zack@getpopoff.com.