Privacy Policy
Effective Date: March 9, 2026
Last Updated: March 9, 2026
Table of Contents
- Introduction
- Who We Are
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- How We Share Your Information
- International Data Transfers
- Data Security
- Data Retention
- Your Rights Under GDPR
- Children's Privacy
- Local Storage and Tracking
- Changes to This Privacy Policy
- Contact Us
- Additional Information
1. Introduction
This Privacy Policy explains what personal data Blyp ("we," "our," or "us") collects, why we collect it, how we use and protect it, and what rights you have over it. It covers our mobile application and related services (the "Service").
This policy complies with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws. For a quick overview, see our Privacy at a Glance summary.
By using the Service, you acknowledge that you've read and understood this Privacy Policy. If you don't agree with it, don't use the Service.
2. Who We Are
Blyp Oy is the data controller responsible for your personal data. We are established in the European Union (Finland) and don't require a separate EU representative under GDPR Article 27.
For questions about this policy or how we handle your data, contact us at [email protected].
3. Information We Collect
3.1 Information You Provide
3.1.1 Account and Profile Information
When you create an account, we collect:
- Required: Email address, password (stored as a bcrypt hash; we never see or store your plaintext password), and date of birth (to verify you're at least 16)
- Profile details: Name, username, gender, profile photo, cover photo, and bio
- Authentication provider: Whether you signed up via email, Google Sign-In, or Apple Authentication
- Referral codes: If you used an invite code or generated one for others
We don't collect education, job title, or country of residence.
3.1.2 User-Generated Content
Content you create through the Service, including:
- Travel content: Itineraries, spots, packing lists, tips, reviews, and ratings
- Social content: Feed posts, comments, likes, reposts, groups, and group events
- Messages: Direct messages and group messages
- Saved content: Itineraries and spots you bookmark
- Been map: Countries you mark as visited
3.1.3 Location Information
With your permission, we collect your device location for nearby content and map features. Spots, itineraries, and groups you create may include precise coordinates visible to other users. You can disable location services through your device settings at any time.
3.1.4 Communication and Moderation Data
Reports you submit about content or users, feedback you send through in-app forms, support requests, and copyright claims. We also store block actions when you block another user.
3.2 Information We Collect Automatically
When you use the Service, we collect:
- Technical data: Device type, operating system, app version, and network status
- Usage data (with consent): Screen views, navigation patterns, and feature usage via our analytics service
- Search queries: Your search terms and search type, stored with your user ID in our search logs
- Push notification data: Device push tokens and your notification preferences (tokens are cleared when you log out)
- Messaging metadata: Read receipts and delivery status
- Device fingerprint: A SHA-256 hash of device characteristics (brand, model, OS, app version) used for guest session identification and fraud prevention
- Trust signals: Automated trust scoring events triggered by account activity (e.g., content creation, social interactions)
We do not collect your IP address. Code that previously captured IP addresses for data export and account deletion has been removed.
3.3 Information from Third-Party Sources
- Google Sign-In and Apple Authentication: If you use social sign-in, Google or Apple sends us an identity token containing your email and (optionally) your name. We use this only to create or authenticate your account.
- Email verification: During registration, we verify your email address through a third-party validation service.
- Other users: Friend requests, group invitations, and shared content from other Blyp users.
4. How We Use Your Information
4.1 Provide and Maintain the Service
Legal Basis: Contract (GDPR Article 6(1)(b))
We use your data to create and manage your account, authenticate logins, display your profile to other users, enable itinerary and spot creation, facilitate messaging, deliver push notifications, track message read status, process searches, and save your preferences.
4.2 Personalize Your Experience
Legal Basis: Legitimate Interest (Article 6(1)(f)) / Consent (for certain features)
We use your data to recommend itineraries, suggest friends and groups, show nearby places, provide location features (with permission), and remember your language and theme preferences.
4.3 Communicate with You
Legal Basis: Contract / Legitimate Interest
We email you for account verification, password resets, policy updates, and support responses. We also use the Gmail API (via a Google service account) to send referral invitation emails on behalf of users who share invite codes.
4.4 Improve the Service
Legal Basis: Legitimate Interest / Consent (for analytics)
We analyze aggregated and pseudonymized data to find and fix bugs, test new features, understand usage patterns, and optimize performance.
4.5 Ensure Safety and Security
Legal Basis: Legitimate Interest / Legal Obligation
We use your data to detect fraud and abuse, enforce our Terms of Service, investigate reports, and respond to legal requests.
4.6 Display Advertising (With Consent)
Legal Basis: Consent (Article 6(1)(a))
If you consent, we show ads and measure their performance. Withdraw consent anytime in Settings > Privacy > Manage Consents.
4.7 Comply with Legal Obligations
Legal Basis: Legal Obligation (Article 6(1)(c))
We may use or disclose your data to comply with laws, respond to lawful government requests, enforce our rights, and verify age requirements.
5. Legal Basis for Processing
5.1 Contract (Article 6(1)(b))
Account creation, core features (messaging, itineraries, social interactions), and service delivery as described in our Terms of Service.
5.2 Consent (Article 6(1)(a))
We use a granular consent system. You can independently opt in or out of each category:
- Analytics: Usage tracking and feature analytics
- Advertising: Ads from our advertising partners
- Crash Reporting: Error and crash reports for bug fixing
- Location Services: GPS-based nearby content and map features
- Personalization: Content recommendations and activity-based suggestions
Essential services (authentication, core app functionality) don't require separate consent because they're necessary to provide the Service under our contract with you.
You can withdraw consent at any time in Settings > Privacy > Manage Consents. Withdrawal doesn't affect the lawfulness of processing that happened before withdrawal.
5.3 Legitimate Interests (Article 6(1)(f))
Service improvement, security, fraud prevention, usage analysis, feature development, and non-sensitive personalization. We've assessed that these interests don't override your rights and freedoms.
5.4 Legal Obligation (Article 6(1)(c))
Age verification (16+ requirement), legally required record retention, and responses to lawful authority requests.
6. How We Share Your Information
We do not sell your personal data.
6.1 With Other Users
Public information: Your name, username, profile photo, bio, public itineraries, spots (including coordinates, descriptions, and photos), reviews, ratings, comments, feed posts, and group memberships.
Engagement data: View and click counts on your content may be visible to you as the creator in aggregated form.
Friends-only information: Private itineraries, your friends list, and friend-shared content.
Never shared publicly: Your email address, date of birth, password, direct messages, device information, and precise real-time location.
6.2 With Service Providers
We use third-party services that process data on our behalf under Data Processing Agreements:
Infrastructure and Backend: EU-based cloud hosting providers (eu-central-1 region) handle database hosting, authentication, file storage, and real-time features. All primary application data is stored in the EU.
Authentication Providers: Google Sign-In and Apple Authentication receive and return identity tokens (email, name) during social sign-in.
Mapping and Location: Open-source mapping libraries power interactive maps and location search. These services receive geographic coordinates and search queries. No personally identifiable information is shared.
Email Services: We use Google's Gmail API (via a service account) to send referral invitation emails. The only data sent is the recipient's email address and the invitation content.
Notifications: A push notification service receives device push tokens and notification content to deliver messages to your device.
Analytics and Error Reporting (consent required): Analytics and error monitoring services receive pseudonymized usage data, device info, and error logs. Analytics data is processed in the EU.
Advertising (consent required): An advertising network receives ad interaction data and device identifiers to serve and measure ads.
Security and Verification: Bot protection and email validation services verify accounts during registration.
You can request the specific names of our service providers by contacting our DPO at [email protected].
6.3 For Legal Reasons
We may disclose your data to comply with legal obligations, court orders, or subpoenas; protect our rights or property; investigate fraud or security issues; or protect user safety.
6.4 Business Transfers
In a merger, acquisition, or asset sale, your data may transfer as part of that transaction. We'll notify you via email and/or in-app notice before your data becomes subject to a different privacy policy.
6.5 With Your Explicit Consent
We may share your data with third parties when you explicitly consent.
6.6 Third-Party Links
The Service may link to external websites we don't control. Review their privacy policies before sharing personal information with them.
7. International Data Transfers
7.1 Primary Storage
Your data is stored in the European Union (eu-central-1 region).
7.2 Transfers Outside the EU
Some service providers (analytics, error monitoring, advertising, authentication) may process data outside the EEA. We use Standard Contractual Clauses (SCCs) and rely on adequacy decisions where available to protect these transfers.
7.3 Your Rights
You can request information about safeguards for international transfers, object to transfers in certain cases, or request copies of SCCs. Contact our DPO.
8. Data Security
8.1 Technical Measures
- Encryption in transit: All communication between your device and our servers uses TLS/HTTPS
- Local storage encryption: Sensitive data stored on your device (consent preferences, tokens) is encrypted with AES-256
- Password hashing: Passwords are hashed with bcrypt. We never store or see plaintext passwords
- Authentication: Token-based (JWT) with automatic expiration and refresh
- Rate limiting: User-triggered actions are rate-limited to prevent abuse
- Input sanitization: All user inputs are sanitized against XSS and injection attacks before database writes
- UUID validation: All database operations validate identifier format before execution
8.2 Organizational Measures
We follow data minimization principles, restrict data access to authorized personnel, and maintain incident response procedures.
8.3 Your Role
Protect your account by using a strong password (at least 8 characters with uppercase letters, numbers, and symbols), never sharing credentials, enabling device security (PIN, biometrics), logging out on shared devices, and keeping the app updated.
8.4 Limitations
No system is perfectly secure. We implement strong protections, but we can't guarantee absolute security. You're responsible for keeping your account credentials confidential.
8.5 Breach Notification
If a data breach affects your personal data, we'll notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach poses high risk to your rights, we'll notify you without undue delay per Article 34, describing the breach, its potential impact, and actions we've taken.
9. Data Retention
9.1 Active Accounts
We retain all account data, profile information, content, and activity logs as long as your account is active.
9.2 Deleted Accounts
When you request account deletion:
- Your account is immediately deactivated — your profile, content, and data become invisible to all other users
- You have 14 days to cancel the deletion by logging back in
- After 14 days, your personal data is permanently and irreversibly deleted
- Your profile photos and itinerary images are deleted from storage
- Your personal data (profile, messages, relationships) is permanently removed
- Public itineraries you created may be anonymized rather than deleted to preserve community value (GDPR Article 17(3)(a) — freedom of expression and information)
- A minimal audit log is retained for a limited period for legal compliance
- Litigation hold: If your account or content is subject to a pending legal proceeding, regulatory investigation, or lawful preservation request, we may suspend the deletion timeline until the hold is lifted. We'll notify you when a hold is placed unless legally prohibited from doing so.
9.4 Other Retention
- User content (messages, spots, reviews, feed posts): Retained until you delete it or your account
- Push tokens: Cleared on logout or account deletion
- Search logs: Stored with your user ID. No automatic expiration currently exists for search logs
- Analytics data: Retained in pseudonymized form for limited periods
- Invite data: Cleaned up every 6 hours via automated job
- Orphaned files: Storage cleanup runs weekly to remove files no longer linked to active content
- Anonymized/aggregated data: May be retained indefinitely for service improvement. This data can't identify you and isn't personal data under GDPR
10. Your Rights Under GDPR
10.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
How: Go to Settings > Privacy Dashboard > Export My Data. Your data is compiled into a JSON file available for download within the app. Exports are rate-limited to one request per 24 hours. You can also contact our DPO at [email protected].
10.2 Right to Rectification (Article 16)
You can correct inaccurate or incomplete data.
How: Go to Settings > Edit Profile to update your name, username, bio, gender, profile photo, or cover photo. For email changes or other data corrections, contact our DPO.
10.3 Right to Erasure (Article 17)
You can request deletion of your personal data.
How:
- Go to Settings > Delete Account
- Re-enter your password for verification
- Confirm your decision
Public itineraries may be anonymized rather than deleted (GDPR Article 17(3)(a) exemption — freedom of expression and information). Some data may be retained for legal compliance.
10.4 Right to Restriction of Processing (Article 18)
You can ask us to limit how we use your data when you contest its accuracy, believe processing is unlawful but don't want erasure, need the data for legal claims after we no longer need it, or have objected to processing pending verification.
How: Contact our DPO at [email protected].
10.5 Right to Data Portability (Article 20)
You can receive your data in a structured, machine-readable format (JSON) to transmit to another service.
How: Settings > Privacy Dashboard > Export My Data. Same export as Right of Access.
10.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing.
How: For analytics and advertising, toggle them off in Settings > Privacy > Manage Consents (changes take effect immediately). For other processing, contact our DPO with your objection.
10.7 Automated Decision-Making (Article 22)
We don't use automated decision-making that produces legal or similarly significant effects. Our recommendation algorithms suggest content but don't make binding decisions about you.
10.8 Right to Withdraw Consent (Article 7(3))
Go to Settings > Privacy > Manage Consents. Toggle off any category: Analytics, Advertising, Crash Reporting, Location Services, or Personalization. Changes take effect immediately. Essential services can't be disabled.
10.9 Granular Data Deletion
In addition to full account deletion, we maintain server-side functions to delete specific data categories (analytics data, search history, view history). These are not currently accessible through the app interface. Contact our DPO at [email protected] to request deletion of specific data categories.
10.10 Right to Lodge a Complaint (Article 77)
If you believe we've violated your privacy rights, you can complain to any EU data protection authority. A full list is at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Our lead supervisory authority is the Office of the Data Protection Ombudsman (Finland): https://tietosuoja.fi/en/home
10.11 Exercising Your Rights
In-app: Most rights can be exercised directly through Settings.
Email: Contact our DPO at [email protected].
Response time: We'll respond within one month per GDPR Article 12(3). This may be extended by two additional months for complex requests, in which case we'll inform you within the first month.
Cost: Free, except for manifestly unfounded or excessive requests.
Verification: We may ask you to verify your identity before processing a request.
11. Children's Privacy
11.1 Age Requirement
You must be at least 16 years old to use Blyp. The Service is not intended for anyone under 16.
11.2 How We Enforce This
During account setup, we require your date of birth. If you're under 16, the app blocks you from completing your profile. Note: email/password account creation happens before the age check, so an auth record may exist briefly. If the age check fails, the account can't be used.
11.3 If We Discover Underage Users
If we learn we've collected data from someone under 16, we'll delete the data and terminate the account as quickly as possible. Parents or guardians who believe their child has provided us with personal information should contact us at [email protected].
12. Local Storage and Tracking
Blyp is a mobile app. We use local device storage, not browser cookies.
Essential (always active):
- Authentication tokens and session data
- App settings (language, theme)
- Cached data for offline use
- Encrypted consent preferences (AES-256)
Analytics (consent required):
- Screen views, feature usage, navigation patterns
- Offline event queue (up to 1,000 events stored locally until connectivity returns)
Crash Reporting (consent required):
- Error and crash data for debugging
Advertising (consent required):
- Ad impressions, clicks, and performance data
How to manage: Settings > Privacy > Manage Consents. Essential storage can't be disabled. You can also clear all app data through your device settings (this will log you out).
13. Changes to This Privacy Policy
13.1 How We'll Notify You
Material changes (anything that affects your rights): In-app notification, email to your registered address, and an updated "Last Updated" date.
Minor changes (clarifications, formatting): Updated "Last Updated" date. The revised policy takes effect immediately.
13.2 Your Options
If you don't agree with changes, you can delete your account (Settings > Delete Account) or stop using the Service.
For material changes that affect your rights or the legal basis for processing, we'll ask you to review and accept the updated policy before continuing to use the Service. We won't infer consent from continued use alone.
13.3 Previous Versions
Contact our DPO at [email protected] to request earlier versions of this policy.
14. Contact Us
For support, legal, copyright, or data protection inquiries, contact us at [email protected].
Company: Blyp Oy
Supervisory Authority: Office of the Data Protection Ombudsman (Finland): https://tietosuoja.fi/en/home
Full list of EU authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
15. Additional Information
15.1 California Privacy Rights (CCPA)
California residents may have additional rights under the CCPA:
- Right to Know: Request disclosure of collected personal information
- Right to Delete: Request deletion of personal information
- Right to Opt-Out of Sale: We don't sell personal data
- Right to Non-Discrimination: We won't penalize you for exercising your rights
Contact [email protected] to exercise these rights.
15.2 UK GDPR
UK residents have similar protections under UK GDPR. Contact our DPO for UK-specific requests.
Last Updated: March 9, 2026
Version: 3.1