Privacy Policy

Last updated: March 13, 2026

Campfyre ("we", "us", "our") is a spontaneous social discovery app. This Privacy Policy explains what information we collect when you use the campfyre mobile application ("the App"), how we use it, and what rights you have over your data. This page is publicly accessible and requires no login to view.

By using campfyre, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.

1. Who We Are

Campfyre is operated by its founders. For all privacy enquiries, contact us at privacy@campfyre.app. We have not appointed a Data Protection Officer (DPO) as we do not meet the threshold requiring one under GDPR Article 37.

2. Information We Collect

Account Information

When you create an account we collect:

Display name and profile photo (optional)
Email address — received from your Apple ID or Google account via Sign In with Apple or Google Sign-In
Authentication tokens (we never see or store your Apple/Google passwords)

Location Data

Location is the core of what campfyre does. We request access to your device's precise GPS location while the app is in use (foreground only). We use this to show you flares happening near you and let others see approximately where your flare is located.

We do not access your location in the background. We do not store a continuous location history. You can deny or revoke location permission at any time in your device Settings — the app will still work but distance-based features will not.

User-Generated Content

Flare titles, descriptions, and settings you create
Chat messages sent in flare group chats or direct messages
Profile bio, photo, and other profile fields you fill in

Usage Data

We collect anonymised, aggregated analytics about how you use the App — screens visited, features used, session length — via Firebase Analytics. This data is not linked to your identity for advertising purposes and is not used to track you across other apps or websites.

Device Information

Device type, operating system version, app version
Push notification token (FCM — Firebase Cloud Messaging), only if you grant notification permission
Crash reports via Firebase Crashlytics: stack traces and device state at time of crash — no personal message content is included

3. Lawful Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we rely on the following lawful bases under GDPR Article 6:

Contract (Article 6(1)(b)): Processing necessary to provide the core service — location matching, flare creation and discovery, group chat. Without this processing we cannot deliver the App's primary function.
Consent (Article 6(1)(a)): Push notifications. We only send notifications with your explicit permission. You may withdraw consent at any time in your device Settings or within the App.
Legitimate interests (Article 6(1)(f)): Crash reporting and aggregated analytics, which we use to improve the stability and quality of the App. Our legitimate interest in providing a reliable service outweighs any minimal privacy impact of anonymised crash data.
Legal obligation (Article 6(1)(c)): We may process data where required to comply with applicable law or a court order.

We do not perform automated decision-making or profiling with legal or similarly significant effects on users.

4. How We Use Your Information

Core features: Show nearby flares, let you create and join events, power real-time group chat
Push notifications: Notify you of activity on your flares or direct messages — only with your explicit permission
Safety: Detect and act on reports of spam, harassment, or policy violations
App stability: Crashlytics crash reports help us fix bugs faster
Product improvement: Aggregated, anonymised analytics help us understand which features are valuable

We do not use your data to build advertising profiles. We do not show ads inside campfyre. We do not track you across other apps or websites owned by other companies.

5. Data Sharing

Service Providers

We use Google Firebase as our backend infrastructure (Authentication, Firestore database, Cloud Storage, Analytics, Crashlytics, Cloud Messaging). Firebase acts as a data processor under our instructions. Google's privacy policy applies to their services: policies.google.com/privacy

Other Users

When you create a flare, your display name and approximate location are visible to nearby users. Chat messages are visible to all participants of that flare or conversation. You control what you share.

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to any third party for any purpose. We do not share data with advertisers.

Legal Disclosure

We may disclose your information if required to do so by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Security

We take reasonable technical and organisational measures to protect your data:

In transit: All data is transmitted over HTTPS/TLS encrypted connections
At rest: Data is stored on Google Firebase infrastructure, which applies encryption at rest by default
Access control: Firestore security rules restrict data access to authenticated users — users can only read data they are permitted to see

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we will notify you and any applicable regulators of a breach where we are legally required to do so.

7. Tracking Across Apps

Campfyre does not use any third-party advertising SDKs or tracking identifiers. We do not track users across apps or websites owned by other companies. Firebase Analytics uses anonymised, aggregated identifiers for internal analytics purposes only — this data is not shared with advertising networks and is not used for cross-app or cross-site tracking.

8. International Data Transfers

Campfyre's backend runs on Google Firebase infrastructure operated by Google LLC, headquartered in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your data may be transferred to and processed in the United States, which has different data protection standards than those in your country.

These transfers are made subject to Google's Standard Contractual Clauses (SCCs) as adopted by the European Commission, which provide appropriate safeguards for your personal data. Details of Google's transfer mechanisms are available at business.safety.google/gdpr.

9. Data Retention

Account data: Retained until you delete your account
Flares: Auto-expire based on the flare's set duration; expired flares are deleted from our database
Chat messages: Deleted 24 hours after the associated flare ends
Analytics: Aggregated data retained for up to 14 months per Firebase's default retention policy
Crash reports: Retained for 90 days

10. Your Rights

Depending on where you live, you may have the following rights under GDPR, CCPA, or other applicable law:

Access (Article 15): Request a copy of the personal data we hold about you
Rectification (Article 16): Request correction of inaccurate or incomplete data
Erasure (Article 17): Request deletion of your account and associated data — also available in-app at Settings → Account → Delete Account
Restriction (Article 18): Request that we restrict processing of your data in certain circumstances (e.g. while a dispute is resolved)
Portability (Article 20): Request your data in a structured, machine-readable format
Object (Article 21): Object to processing based on legitimate interests — we will stop unless we have compelling legitimate grounds
Withdraw consent: You may revoke location or notification permissions at any time in your device Settings. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at privacy@campfyre.app. We will respond within 30 days.

If you are located in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection supervisory authority — for example, the ICO (UK), the CNIL (France), or your country's equivalent authority.

11. Children's Privacy

Campfyre is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@campfyre.app and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via an in-app notice. Your continued use of campfyre after changes constitutes your acceptance of the updated policy.

13. Contact Us

For any privacy questions, data requests, or concerns:

privacy@campfyre.app

We aim to respond to all privacy enquiries within 30 days.