BetaIssues
popin
Back to PopIn

Privacy Policy

Last updated:

This Privacy Policy explains what personal information PopIn collects, how we use and share it, and the rights you have over your information. It is written to meet our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and to provide the transparency expected by the European Union's General Data Protection Regulation (GDPR) for users in the European Economic Area and the United Kingdom.

1.Introduction

PopIn ("we", "us", "our") is a social events platform operated from Australia. We respect your privacy and we have written this policy to make our practices clear. By using the Service or by responding to a PopIn invitation, you agree to the handling of your information as described here.

For the purposes of the GDPR, PopIn is the data controller in relation to the personal data it processes about its users and guests. You can contact us using the details in section 13.

2.What we collect

We collect three broad categories of information: information you give us, information from non-account guests, and information we collect automatically.

From account holders

  • Required: email address, display name, and username.
  • Optional profile fields: date of birth (used to display your age), profile photo, cover photo, city-level location, phone number (only required if you use SMS features), bio, pronouns, interests, and website.
  • Content you create: posts, comments, reactions, events you host, RSVPs you give, messages you send, and any other content you submit to the Service.
  • Social connections: friends, follower and following relationships, and event memberships.
  • Activity data: notifications you receive, online status, last-seen timestamps (only stored if you have online status enabled), and search queries within the Service.
  • Verification data: phone-verification codes you send and receive, and the records needed to confirm your email address.

From non-account guests

When a host invites you to an event by email or SMS and you respond using the invite link, we collect:

  • the name you choose to provide;
  • the email address or phone number the host used to invite you, and the RSVP status (and any plus-ones) you submit;
  • basic technical information (see below).

Automatically collected

  • IP address, approximate geographic region derived from it;
  • browser type and version, operating system, device type, and screen resolution;
  • pages visited, time spent on the Service, and how you arrived;
  • search queries you run within the Service;
  • diagnostic logs needed to operate the Service safely.

3.How we use your information

We use your information for the following purposes:

  • to operate, secure, and improve the Service;
  • to deliver event invitations and reminders, and to record and share RSVP responses with the relevant host;
  • to send transactional emails such as email verification, password resets, and security alerts;
  • to power features such as friend discovery, suggestions, and search;
  • to provide AI-assisted event creation. When you use this feature the event description text you provide is sent to our AI provider (Anthropic) so the assistant can suggest event details. We do not send your name, contact details, or other account identifiers with these requests;
  • to display location-relevant content (such as nearby events on the advanced-search radius filter), based on geolocation you explicitly grant in your browser;
  • to respond to your enquiries and to handle reports or disputes;
  • to comply with legal obligations and to enforce our Terms and Conditions.

Legal bases (GDPR). Where the GDPR applies, the legal bases we rely on are: performance of our contract with you (Article 6(1)(b)) for the operation of your account and event features; your consent (Article 6(1)(a)) for optional features such as geolocation and non-essential communications; our legitimate interests (Article 6(1)(f)) in keeping the Service secure, preventing abuse, and improving it; and legal obligations (Article 6(1)(c)) where applicable.

4.Third-party services

We use a small number of carefully chosen third-party services to deliver PopIn. Each is listed below with the data shared, the purpose, and a link to their own privacy policy.

ServicePurposeData sharedPrivacy policy
TwilioSMS deliveryPhone numbers, message contenttwilio.com
SendGridEmail deliveryEmail addresses, email contentsendgrid.com
Google MapsLocation autocompleteLocation searches, place IDsgoogle.com
KlipyGIF searchSearch queriesklipy.com
AnthropicAI event creationEvent description text onlyanthropic.com
Cloudflare R2 / RenderFile storage, hostingUploaded files, app datacloudflare.com / render.com
Google AdSenseSponsored posts in the feedIP address, browser identifiers, ad cookies, approximate location where enabled. PopIn does not pass your account email, display name or friends list to Google.Google ads

About sponsored posts

PopIn shows a small number of sponsored posts in the home feed. They're clearly labelled "Sponsored", you can hide individual ads from the card itself, and you can turn the whole feature off at any time from Settings → Feed → Sponsored posts.

Sponsored posts are served by Google AdSense. AdSense uses cookies, your device's IP address, and your activity on this site (and, when enabled, on other sites that participate in Google's advertising network) to choose ads and measure their performance. We do not share your PopIn account identifiers (email, username, friends, message content) with Google.

You can:

  • Turn off interest-based ad targeting in Settings → Feed → Ad preferences. PopIn then signals to Google to serve non-personalised ads to your account.
  • Turn off sponsored posts entirely in the same screen. No ad slots will be rendered to your account.
  • Manage your Google ad settings at myadcenter.google.com. These apply to all Google ad surfaces, including PopIn.

We do not sell your personal information to anyone, and we do not use it to show you advertising on PopIn.

5.When we share information

We share your information in the following situations:

  • With other users you choose. The information you put on your profile, the posts and events you create, your RSVPs, and your messages are shared with the users you direct them to, based on the visibility and audience settings you choose.
  • With third-party processors listed in section 4, strictly for the purposes described there.
  • With legal authorities if we receive a valid request that we are legally required to comply with, or where we believe in good faith that disclosure is necessary to protect the safety of any person or to investigate or prevent serious wrongdoing.
  • In a business transfer. If PopIn is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections.

6.How long we keep your data

We keep your information only for as long as we need it for the purposes described in this policy.

  • Active account data is retained while your account is active.
  • Account deletion. When you delete your account, we delete or anonymise your personal information within 30 days. References to you in other users' content (for example a comment you left on a friend's event) may remain but are dissociated from your account.
  • Non-account guest data is retained for 12 months after the event date and then deleted, unless an earlier deletion is requested.
  • Backups. Personal information may persist in encrypted backups for up to 90 days after deletion from our live systems, after which it is overwritten.
  • Legal records. Where we are required by law to retain information for longer (for example to respond to a regulator or to defend a legal claim) we will retain only the minimum needed, for the minimum time needed.

7.Your rights

You have the following rights in relation to your information:

  • Access. You can ask us for a copy of the personal information we hold about you. Most account information is already visible in the Settings area of the app.
  • Correction. You can correct most fields directly from your profile and settings. For anything you cannot edit yourself, contact us.
  • Deletion. You can delete your account at any time from Settings; we will delete your personal information within 30 days, subject to the limited exceptions in section 6.
  • Data portability. You can request an export of your information in a portable format. This feature is in development; in the meantime please contact us and we will provide an export within a reasonable timeframe.
  • Objection and restriction. Where we rely on our legitimate interests, you can object to our processing of your information; we will assess your request and stop the relevant processing unless we have an overriding lawful reason to continue.
  • Withdrawal of consent. Where we rely on your consent (for example for geolocation or non-essential communications) you can withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
  • Complaints. You can complain about how we handle your information. In Australia you can contact the Office of the Australian Information Commissioner. In the European Economic Area or the United Kingdom you can contact your local data protection authority.

To exercise any of these rights, please contact us at privacy@popin.events. We aim to respond within 30 days. We may need to verify your identity before we act on a request to protect your information.

8.Cookies and similar technologies

We use cookies and similar technologies for three purposes: essential operation, user preferences, and (where you have not opted out) sponsored posts.

  • Session cookies keep you signed in and protect your session against forgery (CSRF).
  • Preference cookies remember settings such as your chosen theme (light or dark) and your language, so you do not need to set them each visit.
  • Local storage is used for non-essential features such as recent searches, saved searches, and dismissal of in-app banners. You can clear this from your browser settings at any time.
  • Advertising cookies (Google AdSense) are loaded when sponsored posts are enabled for your account. Google uses these to choose and measure ads. PopIn does not set or read these cookies directly. You can turn sponsored posts off in Settings → Feed, in which case the AdSense script is not loaded for you and no ad cookies are set.

PopIn itself does not use cross-site analytics, fingerprinting, or third-party trackers that profile you across other websites. The only cross-site party we work with is Google AdSense, and only on the terms described in section 4.

9.Security

We take reasonable steps to protect your information. Passwords are stored hashed, traffic to the Service is encrypted in transit using TLS, and access to production systems is restricted to administrators with a need to access them.

Admin access and moderation. A small number of PopIn administrators have the ability to view account data and content for the purpose of investigating reports, responding to legal requests, and keeping the Service safe. Admin actions are logged. Admins do not browse user data without a legitimate reason.

No system can be guaranteed to be perfectly secure. If we become aware of a data breach that is likely to result in serious harm we will notify affected users and the relevant regulator as required by law.

10.Children

PopIn is not intended for children under 13. If you are between 13 and 16 you may use PopIn only with the active involvement of a parent or legal guardian, who is treated as agreeing to this policy on your behalf.

If we become aware that we have collected personal information from a child under 13 without verified parental consent we will delete that information as soon as possible. If you believe a child under 13 has provided information to us, please contact us at the address in section 13.

11.International transfers

PopIn is operated from Australia. The third-party providers we rely on may store and process information in other countries, including the United States and the European Union. Where we transfer information outside Australia, the European Economic Area, or the United Kingdom, we do so under contractual terms designed to provide a level of protection broadly equivalent to that of the originating jurisdiction (such as the Standard Contractual Clauses approved by the European Commission).

12.Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes in our practices, in the Service, or in the law. We will revise the "Last updated" date at the top of this page when we do, and for material changes we will give reasonable advance notice (for example by email or by an in-app notice).

13.Contact us

For privacy questions, requests, or complaints, please contact us at privacy@popin.events. We aim to respond within 30 days. If you are not satisfied with our response you can also contact the regulator in your country (in Australia, the Office of the Australian Information Commissioner).