This is the honest account of what we know about you, why we need it, and what you can do about it. We've tried to write it plainly, because a privacy policy no one reads doesn't actually protect anyone.
The short version: we collect the minimum to make UGOIGO work. We don't sell your data. We don't share it with advertisers. You can delete everything, any time, with one tap.
What we store
| What | Why we need it |
|---|---|
| Email address | Your account credential and how we reach you for support. You can sign up with email + password or with Apple Sign In |
| Date of birth | Verifying you're 18 or older. We store only the date you entered — your full DOB is never shown to other users |
| Profile (name, vibes, languages, countries visited, photo, hometown, about, prompts) | Shown to other travelers so they can decide if they want to connect |
| Gender (and an optional self-described label) | Powers optional visibility settings like Safe Mode. You can choose "Prefer not to say" |
| Photo verification status | A flag indicating you completed an on-device liveness check (blink + smile via Apple's Vision framework). We don't store the verification frames |
| Trips (cities, dates, vibes, notes, anchors) | Surfaced to nearby travelers and used to match overlapping plans |
| Messages (text, voice notes, letters) | Delivered to the other person and kept in your shared history |
| Diary entries | Stored privately by default. If you pin one as a "felt note," the entry and its location become visible to other travelers nearby |
| Tonight pings (city, activity, time window) | A 12-hour broadcast for solo travelers currently in the same city. Expires automatically |
| Trusted contacts (Whisper) | Phone numbers and message templates you've saved to reach for during a Whisper moment. Stored only on your account; never shared with other users |
| Location (while the app is open) | Showing you nearby trips and travelers — coordinates are rounded to roughly the nearest 100 meters before they're stored, so the exact spot you opened the app is never visible to another user |
| Background location (only if you grant "Always") | If you opt in, we use background location to notify you when you arrive near a trip destination. You can revoke this in iOS Settings at any time without affecting anything else |
| Device push token | Sending you notifications when someone reaches out |
| Reports and blocks | Letting our moderation team act on abuse, and letting you block someone so they disappear from your view of the app |
We don't touch your contacts, calendar, or browser history. We don't access your photo library beyond images you explicitly choose to upload. We don't follow you across other apps or sites. We don't run third-party analytics or crash-reporting SDKs.
What's public
Your share link — ugoigoapp.com/u/<your-id> — opens a teaser page anyone on the open web can see, even without the app. The web page exposes a deliberate subset of your profile:
- Display name, avatar, and about text
- Hometown
- Vibes you've picked
- Languages you speak
- Countries you've visited
- Photo-verified badge, if you've completed the check
- The date you joined
Everything else stays inside the app: your date of birth, your gender, your trips, your messages, your diary entries (unless you pinned them as felt notes), your tonight pings, your trusted contacts, your last-seen time, your real-time location, and your notification preferences. If you turn off your public profile in Settings → Public profile, the share link returns a "not found" page and you disappear from Discover too.
Who can see what, inside the app
Other users see what you've made public: your profile, your trip posts, your tonight pings, any diary entries you chose to pin as felt notes, and messages you've exchanged with them. Nobody can send you a direct message without your consent — every conversation requires you to approve an interest first.
We can see what you store. We access it only to help with support issues, investigate abuse reports, or track down bugs. We don't read your messages casually.
Our infrastructure partners receive only what they need to do their specific job. Supabase handles our database, authentication, file storage, and realtime delivery. Apple delivers your push notifications via APNs, and powers Sign in with Apple if you chose that option. Resend delivers the moderation and founder-note emails our team receives. Each operates under a data-processing agreement with us. We don't use third-party analytics or crash-reporting services.
Law enforcement can receive data only with a valid legal order. We'll tell you we received one unless we're legally prohibited from doing so.
What you can do
- Edit your profile any time in Settings → Edit Profile.
- Change the email on your account in Settings → Account → Change email. We send a confirmation link to the new address before the change takes effect.
- Disappear from Discover and the public web page in Settings → Public profile. Your existing conversations stay open.
- Turn location sharing off entirely in Settings → Safety → Location sharing. Your stored coordinates are cleared the moment you do.
- Block or unblock other users any time from a profile, a chat, or Settings → Safety → Blocked users.
- Delete your account in Settings → Delete account. Everything is removed immediately. Backup copies are gone within 30 days. This cannot be undone.
- Email privacy@ugoigoapp.com if you want a copy of your data, need to correct something, or want deletion handled outside the app. We respond within 30 days.
Push notifications
We send a push when someone shows interest in your trip, when you receive a message, when a Crew you're in is active, and for a small set of safety prompts. Notifications honor your in-app quiet hours. To turn pushes off entirely, use iOS Settings → Notifications → UGOIGO. To fine-tune categories, use the app's Settings → Notifications screen.
How long we keep it
Your data lives as long as your account does. Delete your account and your profile, trips, prompts, photos, diary, tonight pings, anchors, trusted contacts, and conversations are removed immediately. Avatar files are deleted from storage at the same time. Backup purges complete within 30 days. Messages persist until either party deletes them or closes their account.
One exception, for safety. If other users have filed abuse reports about you, the report records (including the display name and email you used at the time of the report) may be retained after your account is deleted. This lets our moderation team detect repeat bad actors who delete and rejoin. We do not retain any other data about a deleted account for this purpose.
A few other things
Age. UGOIGO is for people 18 and older. Onboarding asks for your date of birth and refuses anyone under 18. We don't knowingly collect data from anyone under that age. If we discover we have, we delete it.
Where our servers are. Our backend runs on Supabase, which may use processors in the United States and other regions. If you're using UGOIGO from elsewhere, your data makes that trip too. Where EU or UK law applies, we operate under Standard Contractual Clauses.
When this changes. If we make changes that meaningfully affect how your data is used, we'll tell you — in-app and by email — before they take effect. Small wording fixes won't trigger a notification.
Questions
Reach us at privacy@ugoigoapp.com. We're real people and we actually read it.