1.Introduction
PopIn ("we", "us", "our") is a social events platform operated from Australia. We respect your privacy and we have written this policy to make our practices clear. By using the Service or by responding to a PopIn invitation, you agree to the handling of your information as described here.
For the purposes of the GDPR, PopIn is the data controller in relation to the personal data it processes about its users and guests. You can contact us using the details in section 13.
2.What we collect
We collect three broad categories of information: information you give us, information from non-account guests, and information we collect automatically.
From account holders
- Required: email address, display name, and username.
- Optional profile fields: date of birth (used to display your age), profile photo, cover photo, city-level location, phone number (only required if you use SMS features), bio, pronouns, interests, and website.
- Content you create: posts, comments, reactions, events you host, RSVPs you give, messages you send, and any other content you submit to the Service.
- Social connections: friends, follower and following relationships, and event memberships.
- Activity data: notifications you receive, online status, last-seen timestamps (only stored if you have online status enabled), and search queries within the Service.
- Verification data: phone-verification codes you send and receive, and the records needed to confirm your email address.
From non-account guests
When a host invites you to an event by email or SMS and you respond using the invite link, we collect:
- the name you choose to provide;
- the email address or phone number the host used to invite you, and the RSVP status (and any plus-ones) you submit;
- basic technical information (see below).
Automatically collected
- IP address, approximate geographic region derived from it;
- browser type and version, operating system, device type, and screen resolution;
- pages visited, time spent on the Service, and how you arrived;
- search queries you run within the Service;
- diagnostic logs needed to operate the Service safely.
3.How we use your information
We use your information for the following purposes:
- to operate, secure, and improve the Service;
- to deliver event invitations and reminders, and to record and share RSVP responses with the relevant host;
- to send transactional emails such as email verification, password resets, and security alerts;
- to power features such as friend discovery, suggestions, and search;
- to provide AI-assisted event creation. When you use this feature the event description text you provide is sent to our AI provider (Anthropic) so the assistant can suggest event details. We do not send your name, contact details, or other account identifiers with these requests;
- to display location-relevant content (such as nearby events on the advanced-search radius filter), based on geolocation you explicitly grant in your browser;
- to respond to your enquiries and to handle reports or disputes;
- to comply with legal obligations and to enforce our Terms and Conditions.
Legal bases (GDPR). Where the GDPR applies, the legal bases we rely on are: performance of our contract with you (Article 6(1)(b)) for the operation of your account and event features; your consent (Article 6(1)(a)) for optional features such as geolocation and non-essential communications; our legitimate interests (Article 6(1)(f)) in keeping the Service secure, preventing abuse, and improving it; and legal obligations (Article 6(1)(c)) where applicable.
4.What is publicly visible
Some content on PopIn is intentionally visible to the public, including search engines such as Google. This section is a plain-language summary of what is and isn't publicly visible so you can make informed choices about what you share.
Public events
When you create an event you choose its visibility (Public, Friends, Private, or Invite-only). If you set an event to Public and toggle on "Let Google index this event", the event's name, date, location, description, cover photo, and host display name become visible to anyone with the link and may appear in Google search results. Guest lists are never indexed: individual RSVPs (Going / Maybe / Can't make it) remain private to you as host. You can change an event's visibility at any time from the event's edit page; switching away from Public automatically clears the indexing flag.
Your profile and posts
Profile pages on PopIn are not currently publicly accessible. Unauthenticated visitors are redirected to the sign-in page, and search engines are explicitly disallowed from indexing profile URLs via our robots.txt. Posts you create within PopIn follow the audience you pick when posting (Public, Friends, or Private), but only the in-app audience controls apply: signed-in users in the correct audience can see them; the open web cannot.
Help center, blog, and the issues board
The help center articles, blog posts, and the public issues board are written or curated by the PopIn team and are intentionally public. They do not contain user-generated content. The issues board displays issue titles and summaries that you submit via the in-app feedback button; submit reports anonymously if you would prefer not to attach your identity to a public-facing report.
What is never public
- Your email address and phone number;
- Your password and any session tokens;
- Your direct and group messages;
- Your date of birth, even if you provide one;
- Your private notes on events (e.g., dietary, accessibility);
- The list of events you have RSVPd to as a guest.
Auditing what's public about you. The simplest way to see what is publicly visible is to open popin.events in a private browser window without signing in. Anything you can see in that window is what the public sees; anything that redirects you to the sign-in page is not public.
5.Third-party services
We use a small number of carefully chosen third-party services to deliver PopIn. Each is listed below with the data shared, the purpose, and a link to their own privacy policy.
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Twilio | SMS delivery | Phone numbers, message content | twilio.com |
| SendGrid | Email delivery | Email addresses, email content | sendgrid.com |
| Google Maps | Location autocomplete | Location searches, place IDs | google.com |
| Klipy | GIF search | Search queries | klipy.com |
| Anthropic | AI event creation | Event description text only | anthropic.com |
| Cloudflare R2 / Render | File storage, hosting | Uploaded files, app data | cloudflare.com / render.com |
| Google AdSense | Sponsored posts in the feed | IP address, browser identifiers, ad cookies, approximate location where enabled. PopIn does not pass your account email, display name or friends list to Google. | Google ads |
About sponsored posts
PopIn shows a small number of sponsored posts in the home feed. They're clearly labelled "Sponsored", you can hide individual ads from the card itself, and you can turn the whole feature off at any time from Settings → Feed → Sponsored posts.
Sponsored posts are served by Google AdSense. AdSense uses cookies, your device's IP address, and your activity on this site (and, when enabled, on other sites that participate in Google's advertising network) to choose ads and measure their performance. We do not share your PopIn account identifiers (email, username, friends, message content) with Google.
You can:
- Turn off interest-based ad targeting in Settings → Feed → Ad preferences. PopIn then signals to Google to serve non-personalised ads to your account.
- Turn off sponsored posts entirely in the same screen. No ad slots will be rendered to your account.
- Manage your Google ad settings at myadcenter.google.com. These apply to all Google ad surfaces, including PopIn.
We do not sell your personal information to anyone, and we do not use it to show you advertising on PopIn.
7.How long we keep your data
We keep your information only for as long as we need it for the purposes described in this policy.
- Active account data is retained while your account is active.
- Account deletion. When you delete your account, we delete or anonymise your personal information within 30 days. References to you in other users' content (for example a comment you left on a friend's event) may remain but are dissociated from your account.
- Non-account guest data is retained for 12 months after the event date and then deleted, unless an earlier deletion is requested.
- Login activity. We record the timestamp, IP address and user-agent of each successful sign-in so we can provide usage analytics for our admins and detect suspicious activity on your account. These records are retained for 90 days and then automatically deleted. They are only accessible to PopIn administrators.
- Backups. Personal information may persist in encrypted backups for up to 90 days after deletion from our live systems, after which it is overwritten.
- Legal records. Where we are required by law to retain information for longer (for example to respond to a regulator or to defend a legal claim) we will retain only the minimum needed, for the minimum time needed.
8.Your rights
You have the following rights in relation to your information:
- Access. You can ask us for a copy of the personal information we hold about you. Most account information is already visible in the Settings area of the app.
- Correction. You can correct most fields directly from your profile and settings. For anything you cannot edit yourself, contact us.
- Deletion. You can delete your account at any time from Settings; we will delete your personal information within 30 days, subject to the limited exceptions in section 6.
- Data portability. You can request an export of your information in a portable format. This feature is in development; in the meantime please contact us and we will provide an export within a reasonable timeframe.
- Objection and restriction. Where we rely on our legitimate interests, you can object to our processing of your information; we will assess your request and stop the relevant processing unless we have an overriding lawful reason to continue.
- Withdrawal of consent. Where we rely on your consent (for example for geolocation or non-essential communications) you can withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
- Complaints. You can complain about how we handle your information. In Australia you can contact the Office of the Australian Information Commissioner. In the European Economic Area or the United Kingdom you can contact your local data protection authority.
To exercise any of these rights, please contact us at privacy@popin.events. We aim to respond within 30 days. We may need to verify your identity before we act on a request to protect your information.
10.Security
We take reasonable steps to protect your information. Passwords are stored hashed, traffic to the Service is encrypted in transit using TLS, and access to production systems is restricted to administrators with a need to access them.
Admin access and moderation. A small number of PopIn administrators have the ability to view account data and content for the purpose of investigating reports, responding to legal requests, and keeping the Service safe. Admin actions are logged. Admins do not browse user data without a legitimate reason.
No system can be guaranteed to be perfectly secure. If we become aware of a data breach that is likely to result in serious harm we will notify affected users and the relevant regulator as required by law.
11.Children and minimum age
PopIn is only available to users aged 16 and over. This complies with the Australian Online Safety Amendment (Social Media Minimum Age) Act 2024, which requires age-restricted social media platforms to take reasonable steps to prevent Australians under 16 from creating or holding accounts.
When you create an account we collect your date of birth and store an age-verification record. We use this only to confirm that you meet the minimum age and to provide an audit trail for our regulator. Your date of birth is treated as personal information under the Australian Privacy Principles. Date of birth is not shared with third parties except where required by law or as part of any future age-assurance service we may engage (in which case the third party would be bound to use the data only for the verification purpose).
If you believe an account has been created by someone under 16, please contact us at support@popin.events and we will review the account. We may suspend or delete any account where we determine the account holder is under 16.
Existing users from before the minimum-age requirement took effect are prompted to confirm their date of birth at next sign-in. Until they do, certain social features (posting, commenting, messaging, RSVPing) are not available to them. We do not automatically suspend existing accounts during this transition period.
12.International transfers
PopIn is operated from Australia. The third-party providers we rely on may store and process information in other countries, including the United States and the European Union. Where we transfer information outside Australia, the European Economic Area, or the United Kingdom, we do so under contractual terms designed to provide a level of protection broadly equivalent to that of the originating jurisdiction (such as the Standard Contractual Clauses approved by the European Commission).
13.Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect changes in our practices, in the Service, or in the law. We will revise the "Last updated" date at the top of this page when we do, and for material changes we will give reasonable advance notice (for example by email or by an in-app notice).
14.Contact us
For privacy questions, requests, or complaints, please contact us at privacy@popin.events. We aim to respond within 30 days. If you are not satisfied with our response you can also contact the regulator in your country (in Australia, the Office of the Australian Information Commissioner).