BuddyNow Privacy Policy
BuddyNow, also known as 搭搭, helps eligible users find a buddy for study, running, gym, meals, or another low-pressure activity in the next hour. This policy explains what we collect, why we collect it, and how you can control your data.
Short version: BuddyNow is for users aged 18 or above. You may sign in with a supported school email or with Sign in with Apple. School-email users from supported university domains receive a verified-school signal; Apple users are full users but do not receive a school verification badge. We use your sign-in data, posts, location mode, applications, matches, and messages to run the matching experience, and reports, blocks, and ratings to keep the community safer. When location is enabled, BuddyNow uses foreground precise-location snapshots for nearby matching; when it is unavailable, BuddyNow does not estimate a position for you — you simply use the app without a distance. We show other users only coarse distance labels, not your coordinates or exact meters. We use a narrow crash-reporting service (Sentry) to fix bugs, configured to send no personal content. We do not sell personal data, run ads, use behavioral analytics, collect background location, or collect photos, phone numbers, government IDs, contacts, or payment information.
1. Who We Are
BuddyNow is operated for users in Singapore. For privacy questions, access requests, correction requests, withdrawal of consent, or complaints, contact our Data Protection Officer:
DPO: Founder, BuddyNow
Email: [email protected]
2. Personal Data We Collect
Account and identity data
- Sign-in method. School-email sign-in uses a school email address verified by a one-time password. Current school verification supports @u.nus.edu, @e.ntu.edu.sg, and @smu.edu.sg.
- Sign in with Apple account identifier, when you choose Apple login. Apple gives BuddyNow a stable app-specific identifier. We store that identifier to find or create your BuddyNow account. We do not use Apple login to verify a school.
- Nickname, chosen by you. It is not copied from the email local-part.
- Age or birth-year-derived age used to confirm you are 18 or above during profile creation.
- Gender selection: female, male, non-binary, or skip.
- Avatar settings: two numeric choices for a procedural plant icon, not a photo.
- School, for school-email accounts, derived from your school email domain and shown as a verified-school signal. Apple accounts do not receive this signal.
- Internal account placeholders for Apple accounts, including a synthetic non-deliverable email value and an internal school sentinel. These are storage-only implementation details and are not shown publicly as a school or school email.
Activity data
- Daily social status, such as chatty, quiet, or no preference. It resets daily at UTC midnight.
- Activity posts: activity type, meeting place text, optional note, distance radius, and an optional foreground precise-location snapshot if you grant location permission and the device reports sufficient accuracy. If location is unavailable or low-confidence, no location is attached to the post and it is shown to others without a distance. Posts expire after 60 minutes.
- Post applications and their status: pending, approved, rejected, or withdrawn.
- Matches, which record an approved application between two users for a post.
- Chat messages between a matched pair. Messages are 1-500 characters and limited to 200 messages per match.
- Ratings after a meetup: outcome, sentiment, fixed tags such as punctual, friendly, late, or hard to find, and an optional private short note. Negative tags and notes are used for internal quality and safety review and are not shown publicly to other users in v1.
- Trust counters, including completed meetup count and no-show count.
Safety data
- Reports submitted by one user about another, including report category, optional body text, and the match-id context if the report was filed from a specific chat. The reported user is never told a report was filed.
- Internal reviewer notes added by our safety team during investigation. These are admin-only and never shown to either party.
- Blocks between users. Blocking creates silent bidirectional invisibility — the blocked user is not notified.
Operational data
- Sessions, including session ID, hashed token, 30-day expiry, and revocation status.
- OTP rate-limit timestamps within a sliding 60-minute window.
- Push notification token if you grant notification permission. The mobile app uses Expo push tokens; Expo relays delivery through Apple Push Notification service or Google FCM as needed. Used only to deliver match / message alerts. Dropped on account deletion or sign-out.
- Structured server logs containing user ID strings for operations and security. Logs do not include email addresses or message/report bodies.
- Crash and unhandled-exception events captured by Sentry — stack trace, environment tag, and build version. No email, message body, report body, or location is intentionally sent. By-design business errors (rate limits, validation failures, expired sessions) are filtered out.
Data we do not collect
We do not collect real names, phone numbers, photos, government IDs, payment information, home addresses, contacts or address book data, background location, behavioral analytics, tracking pixels, advertising IDs, or data from behavioral-tracking SDKs such as Facebook SDK or Google Analytics. Crash reporting via Sentry is enabled — see § 6 Sharing and Processors for what Sentry receives and how it is constrained.
3. Why We Collect and Use Data
| Purpose | Data used |
|---|---|
| Authenticate accounts, verify school status where applicable, and prevent misuse | School email, OTP records, school domain, Apple account identifier, sessions, rate-limit timestamps |
| Create and operate your profile | Nickname, age, gender selection, avatar settings, verified school where applicable |
| Show 1-hour activity posts and match users | Activity type, meeting place, notes, radius, optional foreground precise-location snapshot, applications, matches |
| Enable 1-on-1 chat after approval | Match record and chat messages |
| Support trust and safety review | Ratings, reports, blocks, trust counters, relevant operational logs |
| Maintain security, troubleshoot service issues, and enforce limits | Sessions, hashed tokens, logs, rate-limit timestamps |
| Comply with legal obligations and handle complaints | Account, safety, operational, and audit records relevant to the request |
4. Consent and Withdrawal
By creating an account and using BuddyNow, you consent to our collection, use, and disclosure of personal data for the purposes described in this policy. Some data is necessary to provide the service. For example, we need your school email or Apple account identifier to authenticate your account, and we need post and application data to make matching work.
You may withdraw consent by deleting your account in the app or by contacting [email protected]. If you withdraw consent for data needed to operate BuddyNow, we may not be able to continue providing the service to you. We will explain the likely consequences before completing a manual withdrawal request where required.
5. Location
Location is optional, foreground-only, and used for nearby matching. If you grant location permission, BuddyNow asks the device for a current location snapshot and sends coordinates to the backend only when the device reports sufficient accuracy. Qualifying fixes are cached briefly, currently up to 3 minutes, so Browse, Compose, and Apply can use the same nearby calculation without repeatedly prompting the device.
If location permission is denied, disabled, or the fix is too inaccurate, BuddyNow does not estimate a position for you. You can still use BuddyNow without a distance: you see an "Anywhere" view of current posts, and a post you create is shown to others without a distance. School is not a matching boundary: when you share a precise location, nearby posts can appear across NUS, NTU, and SMU when both positions are within the selected radius.
Other users do not receive your raw coordinates or exact meter distance. Public distance display is bucketed: roughly 0-100m appears as “Nearby”; 101-400m appears as “0.4km”; 401-700m appears as “0.7km”; 701-1000m appears as “1.0km”; farther distances are rounded upward in similar coarse kilometre steps. BuddyNow does not collect background location or continuously track movement.
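The accuracy gate, the "no fix means no distance" rule, and the coarse distance labels described above, as an added illustration in Python. This is not BuddyNow's own code: the policy gives no numeric accuracy threshold and no exact step above 1 km, so the 100 m accuracy cutoff and the 0.5 km rounding step are assumptions, and the coordinates in the sample are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0
# Assumption: the policy only says "sufficient accuracy"; 100 m is a placeholder gate.
MAX_ACCEPTED_ACCURACY_M = 100.0


@dataclass(frozen=True)
class LocationSnapshot:
    """A foreground precise-location fix as the device reports it."""
    lat: float
    lon: float
    accuracy_m: float  # device-reported horizontal accuracy radius


def accept_snapshot(snap: Optional[LocationSnapshot]) -> Optional[LocationSnapshot]:
    """Return the fix only if it qualifies; otherwise None, i.e. no position is estimated."""
    if snap is None or snap.accuracy_m > MAX_ACCEPTED_ACCURACY_M:
        return None
    return snap


def haversine_m(a: LocationSnapshot, b: LocationSnapshot) -> float:
    """Great-circle distance in metres between two fixes (spherical earth)."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def distance_label(meters: float) -> str:
    """Coarse public label; raw metres never leave the server."""
    if meters <= 100:
        return "Nearby"
    if meters <= 400:
        return "0.4km"
    if meters <= 700:
        return "0.7km"
    if meters <= 1000:
        return "1.0km"
    # Assumption: beyond 1 km, round up to the next 0.5 km step.
    step_m = 500
    return f"{math.ceil(meters / step_m) * step_m / 1000:.1f}km"


def public_distance(viewer: Optional[LocationSnapshot],
                    post: Optional[LocationSnapshot]) -> Optional[str]:
    """What another user sees: a bucketed label, or None when either side has no usable fix."""
    v, p = accept_snapshot(viewer), accept_snapshot(post)
    if v is None or p is None:
        return None
    return distance_label(haversine_m(v, p))


def within_radius(viewer: Optional[LocationSnapshot],
                  post: Optional[LocationSnapshot], radius_m: float) -> bool:
    """Nearby-view filter: true only when both fixes qualify and the post is inside the radius."""
    v, p = accept_snapshot(viewer), accept_snapshot(post)
    if v is None or p is None:
        return False
    return haversine_m(v, p) <= radius_m


if __name__ == "__main__":
    # Constructed sample: a viewer and a post roughly 111 m apart, both with good accuracy.
    viewer = LocationSnapshot(lat=1.2966, lon=103.7764, accuracy_m=20.0)
    post = LocationSnapshot(lat=1.2976, lon=103.7764, accuracy_m=35.0)
    low_confidence = LocationSnapshot(lat=1.2976, lon=103.7764, accuracy_m=800.0)
    print(public_distance(viewer, post))            # "0.4km"
    print(public_distance(viewer, low_confidence))  # None: no distance is shown
    print(within_radius(viewer, post, 500))         # True
```

The important branch is the `None` path: a rejected or missing fix produces no estimated position and no label at all, rather than a fallback guess, and the label function is the only thing that leaves the server, so exact metres and coordinates are never returned to the viewer.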
6. Sharing and Processors
We do not sell personal data. We share data only as needed to run BuddyNow, comply with law, protect users, or use service providers under appropriate confidentiality and security expectations.
| Processor | Role | Data processed | Location note |
|---|---|---|---|
| Microsoft Azure | Virtual machine hosting for the BuddyNow API and database | All service data stored and processed by the BuddyNow backend | The current production VM is in Azure Japan West unless reconfigured and documented otherwise |
| Cloudflare | DNS, TLS, and Cloudflare Tunnel ingress for api.astralogy.org | Request routing metadata such as IP address, host, path, user-agent, and TLS connection metadata. Cloudflare does not receive database contents except through normal API traffic it proxies. | Cloudflare operates globally; request metadata may be processed outside Singapore |
| Apple Inc. | Sign in with Apple identity provider | Apple identity token and app-specific Apple account identifier needed to authenticate Apple sign-in. BuddyNow stores the identifier, not your Apple password. | Apple operates globally; Apple sign-in data may be processed outside Singapore |
| Resend (Resend, Inc.) | Transactional email for one-time sign-in codes | School email address and OTP email body needed to deliver school-email login. The OTP itself expires in 10 minutes. | Resend is US-based, so OTP email processing involves transfer outside Singapore |
| Sentry (Functional Software Inc.) | Backend and mobile crash / error reporting | Stack traces, environment tag, build version. Tracing and profiling are explicitly disabled; default-PII capture is disabled; by-design business errors (RATE_LIMITED, SESSION_EXPIRED, validation failures) are filtered out. No email, message body, report body, or location is sent. | Sentry is US-based; data transferred outside Singapore |
| Expo Push Service / Apple Push Notification service (APNs) / Google Firebase Cloud Messaging (FCM) | Push notification delivery | Expo push token and notification payload (e.g. "You have a new match"). Expo relays notifications to APNs or FCM as needed. Used only when you grant notification permission. | Expo, Apple, and Google operate globally; payload may transit non-Singapore infrastructure |
| Better Stack | External uptime monitoring | Automated requests to the public /health endpoint and uptime result metadata. It is not configured as a traffic proxy or product analytics service. | Better Stack operates globally; health-check metadata may be processed outside Singapore |
Where personal data is transferred outside Singapore, we take steps intended to ensure a standard of protection comparable to the Personal Data Protection Act 2012 of Singapore, as amended.
7. How Long We Keep Data
- Sessions: 30-day sliding expiry; revoked immediately on sign-out or account deletion.
- Activity posts and location snapshots: posts are live for 60 minutes, then become read-only or expire from discovery. Location snapshots attached to posts, applications, or matching records are kept only while needed for matching, safety review, account deletion handling, or dispute context, and are de-identified per § 8 when tied to a deleted account.
- Chat messages and ratings: retained for the counterparty's reference, trust and safety, and quality review. On account deletion, sender / reviewer / reviewee IDs are nulled where applicable; message text, rating tags, and private note text may remain pseudonymized because they can contain user-entered context.
- Reports: retained for 24 months from creation as a safety audit signal, even after both parties delete their accounts (user IDs nulled per § 8, body and category preserved). Terminal-status reports (actioned / dismissed) are deleted after 24 months.
- OTP rate-limit timestamps: sliding 60-minute anti-abuse window.
- Operational logs (request metadata, user-agent, timestamp): 30 days.
- Sentry crash events: 30 days per Sentry's default retention.
- Records that no longer identify your account may be retained only as long as needed for safety review, legal compliance, abuse prevention, counterparty context, or aggregate service integrity. We review these retained records at least every 24 months.
7a. Data Breach Response
If we discover a personal-data breach likely to cause significant harm to affected users — for example, unauthorized access to email addresses, chat messages, or reports — we will:
- Notify Singapore's Personal Data Protection Commission (PDPC) within 3 calendar days of becoming aware, per Section 26D of the PDPA.
- Notify affected users without undue delay, including the categories of data involved and the steps you can take.
- Take reasonable steps to contain the breach and prevent recurrence.
8. Account Deletion and De-identification
When you delete your account through DELETE /me or the in-app deletion flow, BuddyNow uses two kinds of deletion behavior. Some retained free-text fields may still contain personal data if you or another user typed it into the text, so we describe this as de-identification or pseudonymization where possible rather than full anonymization.
Data wiped or revoked
- All sessions are revoked immediately.
- Your account is marked as pending deletion for a 7-day grace period. During this period, normal authenticated use is blocked.
- Live posts are automatically cancelled and the account is made invisible in user-facing post, application, match, chat, and report surfaces.
- Public trust counters, including attendance and no-show counters, are reset immediately.
- If you sign in again with a fresh OTP before the 7-day deadline, your account identity and retained block list can be restored, but abandoned posts, applications, matches, and chats are not restored to the live product.
- After the 7-day deadline, an automatic sweep permanently deletes the account row, school email or Apple account identifier, push token, OTP and rate-limit data, feedback body, and the user's owned block list, subject to limited safety-retention records described below.
Data de-identified or pseudonymized and retained
- Applications, matches, post ownership, and meetup state are de-identified by replacing user IDs with null while preserving status, aggregate counts, and counterparty context where needed.
- Chat messages are pseudonymized by replacing sender ID with null, while message body is preserved so the other participant's conversation view remains understandable.
- Ratings are de-identified or pseudonymized by replacing reviewer and reviewee IDs with null, while outcome, sentiment, tags, and private note may be preserved for trust, quality, and safety review.
- Reports are de-identified or pseudonymized by replacing reporter and reported user IDs with null, while body and category are preserved as safety audit signals.
- Blocks are retained through the 7-day grace period so restored accounts keep their safety settings. Server-side block filtering uses a stable account identifier, such as a school-email hash for school-email accounts, so a deleted-and-recreated account cannot trivially bypass another user's safety block; owned block-list records are removed at hard deletion except where limited retention is necessary to protect another user's block.
- Feedback is de-identified or pseudonymized by replacing nickname and user ID with null and replacing the body with a deletion marker at hard deletion.
9. Your Rights
Subject to applicable exceptions under Singapore law, you may request access to your personal data, ask us to correct inaccurate data, withdraw consent, or ask us to delete your account.
- Access: Use GET /me/export or the in-app export flow when available. The export currently includes core account and profile data, public trust counters, active session count, and feedback entries linked to your account. For broader access requests, contact the DPO.
- Deletion: Use DELETE /me or the in-app account deletion flow.
- Correction: Update editable profile fields in the app or contact the DPO.
- Complaints: Contact the DPO first. We aim to respond within 30 days. If unresolved, you may contact Singapore's Personal Data Protection Commission.
10. Security
We use school email OTP verification or Sign in with Apple, hashed session tokens, iOS Keychain storage through SecureStore (or Android Keystore if/when Android support ships), TLS for all API traffic, rate limits, server-side school allowlists for school verification, and structured logs that avoid email addresses and content bodies. No internet service can be perfectly secure, but we design BuddyNow to collect less data and to protect the data needed to operate the service.
11. Age Restriction
BuddyNow is for users aged 18 or above. Users under 18 may not create an account; the in-app birth-year picker enforces this floor. If an underage account is detected, it will be deleted.
12. Changes
We may update this policy as BuddyNow changes. If changes are material, we will give notice in the app or by email where practical. The updated policy will show a new “Last updated” date.