Privacy Policy

Last updated: February 15, 2026

We encourage you to review this Privacy Policy periodically.

This Privacy Policy explains how ActiviGo ("we", "us", or "our") collects, uses, and protects your information when you use the ActiviGo mobile application ("App") and related services.

By using the App, you acknowledge that your information will be handled as described in this Privacy Policy.

1. INFORMATION WE COLLECT

1.1 Information You Provide

  • Account and profile information: When you register or use the App, we collect and store: email address, name, username, optional biography, and profile photo. This information is linked to your account and is used to provide core App functionality.
  • Authentication data: We use Keycloak (an identity and access management service) for login. We store access and refresh tokens securely on your device (via Expo Secure Store / platform secure storage) to keep you logged in. We do not store your password; authentication is handled by Keycloak. Authentication tokens stored on your device are used solely to maintain your session and access secure features of the App.
  • Sign in with Apple:

    You may choose to sign in using your Apple account through Sign in with Apple. When you use this option, Apple may provide us with certain information associated with your Apple ID, such as a unique identifier and, depending on your settings, your name and email address.

    If you choose to hide your email address, Apple may instead provide a private relay email address that forwards messages to your real email.

    In some cases, Apple may not provide an email address at all when you sign in using Sign in with Apple. When this happens, ActiviGo may create an internal identifier to allow your account to be created and used normally. This identifier is used only within our systems to manage your account. It is not a real email address and cannot be used to contact you, recover your account, or send communications.

    If you later provide an email address in your account settings, it may be used for communication and account recovery.

    We store the information necessary to create and manage your account within ActiviGo, such as an internal account identifier and, when available, the email address or private relay email associated with your account. This information is used solely for authentication and account management purposes.

    We do not access your Apple account password or other Apple account credentials, and we do not use this information for advertising or tracking across apps.

  • Subscription and purchase data: If you subscribe to premium features, we receive subscription lifecycle information (e.g. product identifier, billing cycle dates, cancellation) from RevenueCat, which works with the Apple App Store and Google Play. We store subscription status, cycle dates, and product identifiers in our systems, linked to your account. We do not process or store your payment card details; payments are handled entirely by Apple or Google through their respective in-app purchase systems.
  • Notification preferences: You can choose which types of notifications to receive (e.g. activity join/leave, messages). These preferences are stored and linked to your account. These preferences can be modified at any time in the App settings.
  • User-generated content: Content you create in the App is collected and stored, including: activities (title, description, date, time, location or region, optional coordinates and equipment), messages and reactions in chats and activity groups, reviews of other users or equipment, likes and signalizations on equipment, saved activities, and private join requests. This data is linked to your identity where you are the creator or sender.
  • Location data related to activities: When you create or filter activities, you may provide or select a location (e.g. city, region, department, or specific equipment with latitude/longitude). We store this as part of the activity or filter. Your device’s precise location is used only when the App is actively in use (foreground) to support map and activity features. We do not continuously track your location, and your precise device location is not stored on our servers.

We collect only the information necessary to operate and improve the App’s features.

1.2 Information Collected Automatically (Device and App)

  • Device location (precise): With your permission, we access your device’s precise location to display your position on the map and support map-related features. Location access is requested only while the App is actively in use (foreground). We do not continuously track your location, and we do not store your precise device location on our servers. You may revoke location permission at any time in your device settings.
  • Push notification token: To send you push notifications, we use Firebase Cloud Messaging (FCM). FCM assigns a token to your device. We send this token and your device platform (e.g. "ios" or "android") to our servers and store them linked to your account. This token is used only to deliver push notifications to you. Push notifications are sent only if you grant permission, and you may disable them at any time in your device or in-app settings.
  • Session and usage-related data: We generate and store a session identifier and update “last seen” and “online” status when you use the App to support presence and session management features. This data is linked to your account and is not used for advertising or cross-app tracking.
  • Platform: We record the platform (iOS or Android) when you register a push token, to deliver notifications correctly.

We do not collect advertising identifiers (such as IDFA or GAID), and we do not use third-party analytics, advertising, or crash-reporting SDKs that track users across apps or websites.

We collect only the device and usage data necessary to provide the App’s features and ensure security.

1.3 Information from Third-Party Services

  • Keycloak: We receive from Keycloak a unique user identifier ("Keycloak ID"), and optionally name, email, and username, when you log in. We use this to create or update your account and to authorize API requests. Keycloak processes authentication data in accordance with its own privacy and security practices.
  • RevenueCat: RevenueCat provides us with subscription events (e.g. new subscription, renewal, cancellation, expiration) and transaction identifiers (e.g. original_transaction_id) so we can keep your premium status in sync. We map these identifiers to your account in our backend solely to manage your subscription status and premium access. RevenueCat’s own processing is governed by their privacy policy.
  • Apple / Google: Payment and subscription fulfillment are handled by Apple or Google. We do not receive payment card or bank details. We receive subscription status and related identifiers via RevenueCat and secure server-to-server notifications (webhooks).
  • Firebase (Google): We use Firebase only for Cloud Messaging (push notifications). Firebase may collect data necessary to deliver messages (e.g. FCM token, device type). We do not use Firebase Analytics, advertising features, or other Firebase products for behavioral tracking or profiling.
  • Supabase: We use Supabase for real-time updates (e.g. live notification and chat updates). The App connects to Supabase using an anonymous key; your identity is inferred server-side by our backend when you are logged in. SSuch metadata is used for service reliability and security, not for advertising or profiling.
  • Map providers: The App uses map SDKs (e.g. MapLibre, react-native-maps) to display maps and equipment locations. Map tiles and related requests may be subject to the map provider’s privacy policy; we do not intentionally transmit personal data to map providers beyond what is technically required to display maps and, if permitted, your approximate device location.

We carefully select service providers that support appropriate data protection standards and process data only as necessary to provide their services.

2. HOW WE USE INFORMATION

We use the information we collect only for the following purposes:

  • Provide the App: Create and manage your account, sync your profile, show activities and equipment, support map and location features (only when you grant permission), and deliver messages and notifications.
  • Authentication and security: Validate your identity (via Keycloak), manage sessions, and protect against abuse.
  • Subscriptions: Determine and display your premium status, apply subscription limits (e.g. activities created/joined per period), process restore-purchase requests and manage subscription lifecycle events using data from RevenueCat and our backend. Some subscriptions may include an introductory free trial period (e.g., one free month). If eligible, users will not be charged during the trial period. After the trial ends, the subscription will automatically renew at the applicable monthly price unless canceled before the end of the trial.
  • Communication and Notifications: Send you notifications (e.g. activity reminders, chat messages, reactions) and service-related communications in accordance with your notification preferences.
  • Improvement and operations: Run our backend (e.g. databases, file storage), fix errors, and comply with legal obligations. We do not use your data for third-party advertising or cross-app tracking.

We do not use your data for profiling or automated decision-making that produces legal or similarly significant effects.

3. THIRD-PARTY SERVICES

The following third-party services are integrated into the App or backend. Each provider may collect or process data in accordance with its own privacy policy and applicable laws. We encourage you to review those policies for additional details.

  • Keycloak: Authentication and identity (OAuth2/OpenID Connect). Data shared: identifiers, username, email, name. Used for login and account linking.
  • RevenueCat: Subscription and in-app purchase management. Data shared: app user ID (Keycloak ID), subscription transaction identifiers, and product/entitlement information necessary to manage premium access. Used to sync premium status and handle restore/cancel flows.
  • Apple App Store / Google Play: Payment processing and subscription fulfillment. We do not receive payment card data. Apple and Google process payments under their own terms and privacy policies.
  • Firebase (Google) – Cloud Messaging only: Push notification delivery. Data shared: FCM token and limited device/platform information required to deliver notifications.
  • Supabase: Real-time (WebSocket) updates for notifications and chat. Data: connection and channel metadata; we do not intentionally transmit personal data beyond what is technically required for real-time features (e.g., channel identifiers).
  • MinIO (or compatible object storage): Storing profile photos, chat images, and activity photos. Data: files you upload; object keys may include user or resource identifiers. Used solely for storing content you upload; we do not use this data for third-party marketing or advertising purposes.
  • Map providers (e.g. MapLibre / Mapbox, or default map tiles): Map display and, if you grant permission, showing your position. Requests to map servers may include approximate location coordinates and map tile requests necessary to render the map. See the provider’s privacy policy.

We do not sell your personal information. We do not use third-party analytics, advertising, or crash-reporting SDKs that track users across apps or websites.

Where required, we have entered into appropriate data processing agreements with our service providers.

4. DATA RETENTION

  • Account data: Retained while your account is active. After you delete your account (see Section 5), we remove or anonymize your data as described there.
  • Subscription and purchase-related data: Subscription and RevenueCat mapping data stored in our systems are deleted or cleared when you delete your account. RevenueCat and Apple/Google may retain transaction records according to their policies and legal requirements.
  • Push tokens: Stored while your account exists and you have the App installed. Deactivated on logout; Deleted when the account is deleted or when the token becomes invalid.
  • Notifications: Stored while associated with your account and may be deleted individually or in bulk within the App. We support cleanup of old read notifications; you can delete individual or all notifications.
  • Messages and content: Retained while the related conversation or activity remains active, unless deleted earlier by the user or through account deletion. When you delete your account, we preserve conversations and messages but dissociate them from your identity (e.g. sender set to null).
  • Location data: Your precise device location is not stored on our servers; it is used only for map display during the session. Activity and equipment locations (that you or public data provide) are retained with the activity or equipment record.
  • Cached data on device: Tokens and user info in secure storage are removed when you log out or delete your account. Other local caches (e.g. activity types cache) can be cleared when you clear app data or uninstall. We do not have control over data retained in device-level system backups managed by your operating system.

5. ACCOUNT DELETION

You may delete your account at any time from within the App (Profile page). When you request account deletion:

  • We delete your user account and associated profile (including profile photo from our object storage).
  • We delete your subscription record and RevenueCat subscriber mappings; we request deletion of your subscriber record from RevenueCat in accordance with their data deletion procedures.
  • We delete your push tokens and notification preferences.
  • We delete or anonymize other data linked to you (e.g. equipment reviews, likes, signalizations, private join requests, saved activities, blocked users, activity participants) in line with our data model (cascade or explicit deletion).
  • We remove your identity from Keycloak (your login identity).
  • We preserve conversations and one-to-one messages for other participants but remove or anonymize your identity in those records (e.g., sender set to null), where technically feasible.

After deletion, we do not use your data for ongoing processing. Some data may remain in secure backups or system logs for a limited period due to operational, security, or legal requirements. Such data is isolated and not used for active processing, profiling, or marketing.

Deleting your account does not automatically cancel active subscriptions managed through the Apple App Store or Google Play. Subscriptions must be cancelled separately through your device’s subscription settings. Before you confirm account deletion, the App displays a clear notice explaining that active subscriptions will continue to renew unless cancelled through Apple or Google.

6. SECURITY

We implement reasonable technical and organizational measures designed to protect your personal data.

  • Authentication: Access to the App and API is protected by Keycloak (OAuth2/OIDC). We do not store passwords; tokens are stored using platform-provided secure storage mechanisms (e.g., Expo Secure Store, Keychain/Keystore), where supported by the device.
  • Transport: We use HTTPS for API and Keycloak communication.
  • Backend: Our backend validates tokens and authorizes requests by user; subscription and payment data are processed in a controlled environment. RRevenueCat server-to-server notifications (webhooks) are verified using secure signature validation.
  • Storage: Profile and chat images are stored in object storage (e.g. MinIO) with access controlled by our backend. Access to object storage is mediated through our backend; storage credentials are not exposed to the App.
  • Push tokens: Push tokens are stored server-side and used solely for delivering notifications. We do not sell or use them for advertising or third-party marketing.

While we strive to use commercially reasonable safeguards, no method of transmission over the internet or electronic storage is completely secure. If you believe your account or data has been compromised, please contact us immediately and update your credentials through the authentication provider, if applicable.

7. CHILDREN'S PRIVACY

The App is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that a child has provided us with personal information, please contact us and we will take steps to delete such information in accordance with applicable law.

8. INTERNATIONAL TRANSFERS

We may process data on servers located in the EU or other regions where our service providers operate. We ensure appropriate safeguards are in place as required by applicable law.

9. YOUR RIGHTS

Depending on your jurisdiction and applicable law, you may have the following rights:

  • Request access to the personal data we hold about you.
  • Correct or update your personal data (e.g., through your profile or account settings in the App).
  • Request deletion of your account and associated personal data (see Section 5).
  • Object to or request restriction of certain processing, where applicable.
  • Withdraw consent at any time where we rely on consent as the legal basis for processing (e.g., location or push notifications).
  • Request a copy of your personal data in a structured, commonly used, and machine-readable format, where applicable.

To exercise these rights, use in-app options where available (e.g. edit profile, delete account) or contact us using the details in Section 10. We will respond to verified requests within the time required by applicable law. You may also have the right to lodge a complaint with a supervisory authority.

10. CONTACT INFORMATION

For questions about this Privacy Policy, our data practices, or to exercise your rights under applicable data protection laws, please contact:

ActiviGo Support
support@activigo.com

11. CHANGES TO THIS POLICY

If we make material changes to how we process your personal data, we will provide appropriate notice within the App or through other reasonable means. Your continued use of the App after such notice constitutes acknowledgment of the updated Privacy Policy, where permitted by applicable law.