Whim

Legal

Privacy Policy

Last Updated: April 24, 2026  ·  Effective Date: April 24, 2026

This Privacy Policy describes how Whim ("Whim," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Whim mobile application and website (collectively, the "Service") available at joinwhim.net. This policy is designed to comply with applicable privacy laws, including the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

1.

About Us and Data Controller

Whim is the controller of your personal data. We operate a social event discovery platform that enables users to find, create, attend, and check in to spontaneous local events. Access to certain features of the Service may require institutional email verification.

For privacy-related inquiries: privacy@joinwhim.net

2.

Who Can Use Whim

Whim is intended for individuals aged 18 and older. Whim may require institutional email verification (such as a .edu address) for registration or certain features; these requirements may change at Whim's discretion.

We do not knowingly collect personal information from individuals under the age of 18. If we discover that we have inadvertently collected information from someone under 18, we will promptly delete that information. If you believe a minor has provided us with personal information, please contact us at privacy@joinwhim.net.

3.

Information We Collect

3.1Information You Provide Directly

Account and Identity Information

  • First name and last name
  • Institutional or other email address used for registration
  • Password (stored in cryptographic hash form — we never store plaintext passwords)
  • Email verification responses (one-time passcode confirmation)

Profile Information

  • Username (optional, up to 30 characters)
  • Profile photograph / avatar image (optional)
  • Banner or header image (optional)
  • Biography (optional, up to 300 characters)
  • College or university name (auto-populated from your email domain at registration)
  • Academic major or field of study (optional)
  • Graduation year (optional)
  • Club or organization affiliations (optional)

Event Content

  • Event title, description, and any other text you include in event listings
  • Event location (text address you enter)
  • Event date and time
  • Event cover image (optional)
  • Organization name associated with an event (optional)
  • Event tags selected from predefined categories
  • Maximum participant limits (optional)

Chat Messages

  • Text content of messages you send in event group chats
  • Timestamps and message metadata

Social and Safety Data

  • Friend requests sent and received
  • Accepted friendship connections
  • Users you have blocked
  • Reports you submit about other users
  • Bug reports or feedback you submit

3.2Information We Collect Automatically

Location Information

We collect precise geolocation data (GPS coordinates) in the following specific circumstances:

  • Event Creation:When you create an event and choose to use your current location, we collect your precise GPS coordinates to populate the event's location.
  • Attendance Check-In: When you use the in-app check-in feature, we collect your precise GPS coordinates at the moment of check-in to verify that you are physically within approximately 150 meters of the event location.
  • Background Location: We may request "background location" permission to enable check-in reminder notifications. We do not continuously track or record your location in the background beyond what is necessary for these specific functions.

Your precise real-time GPS coordinates are NOT shared with other Whim users.

Device and Usage Information

  • Device operating system and version
  • App version
  • Push notification token (used solely for delivering push notifications)
  • Session and authentication tokens (stored securely on-device)
  • App interaction data, such as events viewed, swiped, or joined

Log Data

  • Internet Protocol (IP) address
  • Browser type and version (for website access)
  • Pages viewed and time spent
  • Access timestamps
  • Error logs and crash reports

3.3Information from Third Parties

We may receive information from third-party services that we use to operate the Service, including Supabase (our database and authentication provider) and Expo (our push notification provider). We do not purchase data about you from data brokers or other third-party sources.
4.

How We Use Your Information

We use the information we collect for the following purposes:

Account Management and Authentication

  • To create and manage your account
  • To verify your email address and eligibility for the Service
  • To authenticate you when you sign in
  • To enforce our one-account-per-person policy

Providing the Service

  • To display events to you based on your location and preferences
  • To enable you to create, edit, and manage events
  • To facilitate attendance verification at events
  • To display and deliver event group chat messages
  • To manage friend requests and connections

Safety and Moderation

  • To investigate reports of violations of our Terms, Community Guidelines, or Content Policy
  • To enforce our policies and take action against accounts that violate them
  • To prevent fraud, abuse, and unauthorized access

Analytics and Improvement

  • To understand how users interact with the Service
  • To generate aggregated, anonymized statistics about platform usage
  • To diagnose technical issues and monitor platform performance
5.

How We Share Your Information

We do not sell your personal information.

5.1With Other Users (In-App Visibility)

Certain profile and activity information is visible to other authenticated Whim users as part of normal platform operation, including your name, profile picture, username, college, major, graduation year, club affiliations, event hosting history, and verified attendance at events. We do not share your precise GPS coordinates, email address, or password with other users.

5.2With Third-Party Service Providers

Supabase (Supabase Inc.)

Role: Database infrastructure, authentication, and cloud storage provider

Data: All database contents, including your profile, events, messages, and attendance records

Reference: supabase.com/privacy

Expo (Expo Technology Inc.)

Role: Push notification delivery service

Data: Your device's push notification token

Reference: expo.dev/privacy

5.3For Legal Reasons

We may disclose your information if we believe in good faith that such disclosure is necessary to comply with a legal obligation, enforce our Terms, protect the safety of our users, or prevent fraud or security issues.

5.4Business Transfers

If Whim is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is subject to a different privacy policy.
6.

Location Data — Detailed Disclosure

6.1What Location Data We Collect

We collect precise GPS coordinates (latitude and longitude) in two specific contexts: (a) when you create an event using your current location; and (b) when you check in to an event. Only the verification result (true/false) is permanently stored — your raw check-in coordinates are processed and not permanently stored in our database.

6.2What Location Data We Do NOT Collect

  • We do not continuously track your location
  • We do not build a history of your physical movements
  • We do not share your real-time location with other users
  • We do not use your location for advertising purposes

6.3Background Location Permission

We may request permission to access your location while the app is in the background only to send timely check-in reminder notifications and to allow check-in verification without manually opening the app. You can revoke this permission in your device settings at any time.
7.

Data Retention

Event Listings and MessagesAutomatically deleted approximately 24 hours after the event's scheduled end time.
Attendance RecordsRetained indefinitely as part of your profile's attendance history.
Profile DataRetained until you delete your account.
Authentication DataRetained until account deletion, subject to mandatory legal retention requirements.
Bug and User ReportsRetained by our administrative team for safety and compliance purposes, even after account deletion.
8.

Your Rights and Choices

Right to Access

Request information about what personal data we hold about you.

Right to Correction

Correct inaccurate or incomplete personal data.

Right to Deletion

Request deletion of your personal data through account settings.

Right to Data Portability

Receive a machine-readable copy of your personal data.

Right to Opt Out

Opt out of push notifications through your device's notification settings.

GDPR Rights

EEA users may request restriction of processing or object to processing based on legitimate interests.

To exercise your privacy rights, contact us at privacy@joinwhim.net. We will respond within 30 days.

9.

California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), including the right to know, right to delete, right to non-discrimination, and the right to opt out of sale. We do not sell personal information as defined under CCPA.

9.1Categories of Personal Information Collected

  • Identifiers: name, email address, user ID
  • Personal information (Cal. Civ. Code 1798.80(e)): name, account credentials
  • Geolocation data: precise GPS coordinates during check-in and event creation
  • Internet or other electronic network activity: app interaction data
  • Professional or employment-related information: major, graduation year
  • Inferences drawn from the above: attendance statistics, event preferences
10.

Data Security

We implement technical and organizational measures to protect your personal information:

  • Row-Level Security (RLS) policies on all database tables
  • Encrypted authentication using Supabase's secure authentication infrastructure
  • HTTPS/TLS encryption for all data in transit
  • Secure, hashed password storage (plaintext passwords are never stored)
  • Access controls limiting data access to authorized personnel
  • Automated event cleanup removing sensitive chat data after events expire
  • Secure local token storage on devices using Expo SecureStore

If you discover a security vulnerability, please report it to security@joinwhim.net.

11.

International Data Transfers

Whim is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. For users in the European Economic Area, we ensure that any such transfers comply with applicable data protection laws, including through standard contractual clauses or other appropriate safeguards as required.

12.

Cookies and Local Storage

The Whim mobile application uses Expo SecureStore to securely store your authentication session token on your device. This is necessary to keep you signed in between app sessions. Expo SecureStore uses the device's native secure storage mechanisms (iOS Keychain and Android Keystore).

13.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy within the Service and/or by sending an email notification to your registered address. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Whim — Privacy Team

Privacy:privacy@joinwhim.net

Security:security@joinwhim.net

Support:support@joinwhim.net

Website:joinwhim.net