Privacy Policy
Hi — I'm Peng, the founder of Homeboys. I built this app because I'm a guy in my 30s and making friends as an adult is hard. Homeboys is for men 30+ who want to do things together — boxing, hiking, basketball, hotpot, whatever — and walk away with a real friend. It is not a dating app.
This page explains, in plain language, what data the app collects, why, who else sees it, and how you can get rid of it. The operator of the service is Incultnito LLC, a Wyoming limited liability company. If anything below is unclear, email me at [email protected] and I'll fix it.
1. Who this policy covers
This policy covers the Homeboys mobile app (iOS and Android) and the homeboys.app website. It applies to anyone who creates an account or visits the site.
Minimum age: 18. Homeboys is for adults. If you are under 18, do not create an account. If we learn an account belongs to a minor, we will delete it.
2. Who is the data controller
- Legal entity: Incultnito LLC, a Wyoming limited liability company (USA).
- Operator: Peng, founder, based in Taiwan.
- Contact for any privacy question, request, or complaint: [email protected].
We do not have a dedicated Data Protection Officer because we are a small pre-launch team. Privacy requests go to the email above and I answer them personally.
3. What we actually collect (and why)
We collect only what the app needs to do its job: help you find activities near you, let you join groups, and keep bad actors out. Here is the full list.
| Data | Why we collect it | Where it lives | Legal basis |
|---|---|---|---|
| Email address + password (hashed) | Create and authenticate your account | Supabase Auth | Contract |
| Display name | Show you to other members of activities you join | Supabase database | Contract |
| Avatar photo (optional) | Help group members recognise you | Supabase Storage | Consent |
| Bio (optional, free text) | Let you introduce yourself | Supabase database | Consent |
| Interests, preferred time, preferred distance, skill level, preferred group size, language | Rank activities you are more likely to enjoy | Supabase database | Contract |
| Approximate location (GPS coordinates, rounded so it does not pin your home) | Show activities within your chosen radius | Supabase database (PostGIS) | Consent — you can deny location permission and use the app at city/district level |
| Phone number (when you opt into phone verification) | Confirm you are a real person; required to send DMs and to host evening activities (after 21:00 Taipei local time) | Supabase database + Twilio (SMS delivery) | Contract + legitimate interest in fraud / safety |
| Selfie photo (when you opt into selfie verification) | Confirm a real human is behind the account; required to host activities. The image is sent once to OpenAI's Vision API to check for a live face, then a verified=true flag is set on your profile. | Supabase Storage (see retention below) + OpenAI (transient) | Consent + legitimate interest in safety |
| Activities you create, swipe on, join, or check in to | Match-making, group chat, and the "mutual attendance" rule that unlocks DMs | Supabase database | Contract |
| Group chat messages + direct messages | Deliver messages to the right people | Supabase database | Contract |
| Reports you file (against a user, message, or activity) | Safety review and moderation | Supabase database | Legitimate interest in safety |
| Push notification token (Expo) | Send you push notifications about chats, joins, reminders | Supabase database + Expo push service | Consent — denying notification permission disables this |
| Date of birth (only if you fill it in) | Confirm 18+ for accounts that opt to set it | Supabase database | Consent |
What we do not collect
- No web analytics, no cookies for tracking, no third-party tag managers. The homeboys.app website is a plain HTML page with no JavaScript trackers.
- No advertising IDs, no device fingerprinting, no contact list / address book upload.
- No payment information — Homeboys is free.
- No precise sensor data (accelerometer, microphone audio, photos other than the ones you explicitly pick or take).
4. Legal basis for processing (GDPR-style summary)
For users in jurisdictions that require a legal basis to be named:
- Contract — most processing (account, profile, activities, messages) is needed to provide the service you signed up for.
- Consent — for optional things like avatar, bio, GPS, push notifications, selfie verification, phone verification. You can revoke consent at any time by removing the data or deleting your account.
- Legitimate interest — fraud prevention, abuse prevention, content moderation, and keeping evening activities safer than daytime activities.
5. Who else sees your data (sub-processors)
Homeboys is a small team. We use a handful of established vendors to actually run the service. We do not sell data to anyone. The vendors only process data on our behalf and only for the purpose described.
- Supabase Inc. (database, auth, storage, realtime). Hosted in the United States. supabase.com/privacy
- Twilio Inc. (SMS delivery for phone OTP, via Twilio Verify). Hosted in the United States. twilio.com/legal/privacy
- OpenAI, L.L.C. (one-shot selfie liveness check via the Vision API; OpenAI states API inputs are not used for model training by default). Hosted in the United States. openai.com/policies/privacy-policy
- Mapbox, Inc. (map tiles, when you view a map). Hosted in the United States. mapbox.com/legal/privacy
- OpenStreetMap Foundation / Nominatim (geocoding when you search for a venue). Hosted in the EU. osmfoundation.org Privacy Policy
- Expo (650 Industries, Inc.) (push notification delivery). Hosted in the United States. expo.dev/privacy
- Cloudflare, Inc. (Cloudflare Pages hosts the homeboys.app website and acts as our CDN). cloudflare.com/privacypolicy
We may also be required to share data with law enforcement if served with a valid legal order. We will only disclose what the order compels.
6. Where the data is stored (international transfers)
Most of our vendors are based in the United States. If you use Homeboys from Taiwan, the EU, the UK, or anywhere outside the US, your data will be transferred to and processed in the US. For users in the EU/UK, we rely on the vendors' Standard Contractual Clauses and their own transfer safeguards (see each vendor's privacy policy above). For users in Taiwan, transfers comply with the Personal Data Protection Act ("個人資料保護法").
7. How long we keep it (retention)
- Account, profile, preferences: as long as your account exists.
- Activities, swipes, group chat messages, DMs, attendance log: as long as your account exists, then deleted with your account.
- Selfie verification image: we currently retain the uploaded selfie in our private storage bucket so we can re-review if a report comes in. We plan to move to "delete-after-verification" — only the selfie_verified=true flag persists. Until that is shipped, the image is stored in the same private, RLS-protected bucket as your avatar and is not visible to other users.
- Phone number: kept while phone verification is active; removed if you delete your account.
- Push tokens: kept while the app is installed; removed when you log out, uninstall, or revoke notification permission.
- Reports: kept indefinitely as a safety record, even after the reporter or reported user deletes their account, but disconnected from the deleted profile.
- Server logs / error logs: rolling 30-day window, then automatically purged.
8. Your rights
Regardless of where you live, you can ask us to:
- Access — get a copy of the data we hold about you.
- Correct — fix anything that is wrong. (Most fields are editable directly in the app's profile screen.)
- Delete — erase your account and the data attached to it.
- Port — receive your data in a structured, machine-readable format (JSON).
- Object — tell us to stop processing where the basis is legitimate interest.
- Withdraw consent — for anything we collected based on consent (avatar, bio, location, push, selfie, phone).
- Complain — to your local data protection authority. In Taiwan that is the relevant administrative authority under the Personal Data Protection Act; in the EU it is your national supervisory authority.
How to exercise these rights:
- In-app: Profile → Edit (rectification) and Profile → Delete account (erasure). The delete-account in-app flow is on our short-list; until it ships, email us and we will delete within 7 days.
- By email: [email protected]. Please email from the address attached to your account so we can confirm it is you. We aim to respond within 30 days.
9. Security
- All traffic between the app and our servers is encrypted in transit using TLS.
- Data at rest in Supabase is encrypted by Supabase's underlying infrastructure.
- Database access is gated by Postgres Row-Level Security policies — a user can only read their own profile, profiles of people in shared activities, messages in activities they joined, and DMs they are a party to. Swipes are private; nobody else can see who you swiped on.
- Passwords are hashed by Supabase Auth and never visible to us in plain text.
- Selfie images and avatars are stored in a private bucket; URLs are signed.
- We do not store payment information.
No system is perfectly secure. If you believe your account has been compromised, email us immediately and we will lock it.
10. Cookies and web analytics
The homeboys.app marketing website does not use cookies or web analytics. There are no third-party scripts, no Google Analytics, no pixels, no consent banner because there is nothing to consent to. The app itself does not use web cookies (it stores an auth token via expo-secure-store, which is the device keychain, not a browser cookie).
11. Push notifications
If you grant notification permission, we send you push notifications about new messages, activity joins, and reminders. Delivery happens through Expo's push service (which routes via Apple APNs and Google FCM). You can disable notifications any time in your phone's settings.
12. Children
Homeboys is for adults aged 18 or older. We do not knowingly collect data from minors. If you become aware that a minor has an account, email us and we will delete it.
13. Changes to this policy
If we make a meaningful change (new vendor, new data category, change in retention), we will update the "Last updated" date at the top and, for material changes, notify you in-app or by email before it takes effect. Minor wording fixes will be made silently.
14. Contact
Any question, request, or correction — email [email protected].
Incultnito LLC · Wyoming, USA · Operator: Peng (Taiwan)
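Privacy Policy
Hi, I'm Peng, the founder of Homeboys. I built this app because I'm also a guy in my thirties, and making friends as an adult is really hard. Homeboys (老友) is for men aged 30 and over: boxing, hiking, playing ball, eating hotpot together; do one thing together and come away with a real friend. This is not a dating app.
This policy explains in the plainest terms what data we collect, why we collect it, who sees it, and how you can get it back or delete it. The operator of this service is Incultnito LLC, a limited liability company established in Wyoming, USA. If anything is unclear, please email [email protected].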
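1. Scope of this policy
This policy applies to the Homeboys mobile application (iOS and Android) and the homeboys.app website. It applies to anyone who registers an account or visits the website.
Minimum age: 18. If you are under 18, please do not register. If we find that an account belongs to a minor, we will delete it.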
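2. Who the data controller is
- Legal entity: Incultnito LLC (a Wyoming, USA limited liability company).
- Day-to-day operation: Peng, founder, resident in Taiwan.
- For privacy questions, complaints, or to exercise your rights, contact: [email protected].
We are a small pre-launch team and have no dedicated Data Protection Officer (DPO). I reply to all emails personally.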
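3. What data we actually collect (and why)
We collect only what the app really needs: helping you find nearby activities, joining groups, and keeping out people who behave badly. The full list follows:
| Data | Why | Where it is stored | Legal basis |
|---|---|---|---|
| Email + password (hashed) | Create an account, log in | Supabase Auth | Performance of contract |
| Nickname | Let members of the same activity recognise you | Supabase database | Performance of contract |
| Avatar photo (optional) | Make you easy to recognise in the group | Supabase Storage | Consent |
| Self-introduction (optional, plain text) | Let you introduce yourself | Supabase database | Consent |
| Interests, preferred time slot, activity radius, skill level, group size preference, language | Rank the activities you are more likely to want to attend first | Supabase database | Performance of contract |
| Approximate location (GPS coordinates, reduced in precision so they do not pinpoint your home) | Show activities within your chosen radius | Supabase database (PostGIS) | Consent: you can deny location permission and still use the app at administrative-district level |
| Phone number (when you enable phone verification) | Confirm you are a real person; sending direct messages and hosting evening activities (after 21:00 Taipei time) require passing phone verification first | Supabase database + Twilio (SMS delivery) | Performance of contract + legitimate interest in fraud prevention |
| Selfie (when you enable selfie verification) | Confirm a real person is behind the account; hosting activities requires passing this verification. The photo is sent once to the OpenAI Vision API for a liveness check, and then verified=true is set on your profile. | Supabase Storage (retention described in the section below) + OpenAI (transient) | Consent + legitimate interest in safety |
| Activities you create, swipe on, join, or check in to | Matching, group chat, and the rule that direct messages open only after both people have attended | Supabase database | Performance of contract |
| Group chat messages + direct messages | Deliver messages to the right people | Supabase database | Performance of contract |
| Reports you file | Safety review and content moderation | Supabase database | Legitimate interest in safety |
| Push notification token (Expo) | Send notifications about chats, joins, reminders and so on | Supabase database + Expo push service | Consent: denying notification permission disables this automatically |
| Date of birth (only if you choose to fill it in) | Confirm age 18 or over | Supabase database | Consent |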
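What we do not collect
- No web analytics, no tracking cookies, no third-party tag managers. homeboys.app is a plain HTML page with no JavaScript tracking scripts.
- No advertising IDs, no device fingerprinting, and we do not read your contact list.
- No payment information: Homeboys is completely free.
- No fine-grained sensor data (accelerometer, microphone audio; apart from photos you actively take or pick, we do not read your photo library automatically).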
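4. Legal basis for processing (GDPR-style summary)
- Performance of contract: most processing (account, profile, activities, messages) is done to provide the service you registered for.
- Consent: optional items, namely avatar, self-introduction, GPS, push notifications, selfie verification, phone verification. You can withdraw consent at any time by removing the data or deleting your account.
- Legitimate interest: fraud prevention, abuse prevention, content moderation, and the additional safety requirements for evening activities.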
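5. Who else sees your data (sub-processors)
Homeboys is a small team, and we hand the actual running of the service to a few established vendors. We do not sell any data. These vendors process data only on our instructions and only for the purposes described above.
- Supabase Inc. (database, Auth, Storage, realtime), United States. supabase.com/privacy
- Twilio Inc. (SMS OTP, via Twilio Verify), United States. twilio.com/legal/privacy
- OpenAI, L.L.C. (selfie liveness check, via the Vision API; OpenAI states that API inputs are not used for model training by default), United States. openai.com/policies/privacy-policy
- Mapbox, Inc. (map tiles), United States. mapbox.com/legal/privacy
- OpenStreetMap Foundation / Nominatim (venue search, address resolution), EU. osmfoundation.org Privacy Policy
- Expo (650 Industries, Inc.) (push notification delivery), United States. expo.dev/privacy
- Cloudflare, Inc. (Cloudflare Pages hosts the homeboys.app website and serves as the CDN). cloudflare.com/privacypolicy
If we receive a lawful order from a law enforcement agency, we may provide the necessary data within the scope of the order, and only within that scope.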
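6. Where the data is stored (cross-border transfers)
Most of our vendors are in the United States. If you use Homeboys from Taiwan, the EU, the UK, or anywhere else outside the US, your data will be transferred to the US for processing. For EU/UK users, we rely on each vendor's Standard Contractual Clauses (SCCs) and its own transfer safeguards (see each vendor's privacy policy above). For users in Taiwan, the transfers comply with the Personal Data Protection Act (《個人資料保護法》).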
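7. How long we keep it (retention period)
- Account, profile, preference settings: for as long as the account exists.
- Activities, swipe records, group chats, direct messages, check-in records: for as long as the account exists; deleted together with the account.
- Selfie verification photo: at present we keep the uploaded selfie in private storage so that it can be re-reviewed if a report comes in. We plan to change this to "delete once verification is complete, keeping only the selfie_verified=true flag". Until then, the photo is stored in the same RLS-protected private bucket as your avatar, and other users cannot see it.
- Phone number: kept while phone verification is valid; removed when you delete your account.
- Push tokens: kept while the app is installed; removed when you log out, uninstall, or revoke notification permission.
- Report records: kept indefinitely as a safety record; even if the reporter or the reported user deletes their account, the record is disassociated from the deleted profile.
- Server logs / error logs: kept on a rolling basis for 30 days, then purged automatically.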
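8. Your rights
Wherever you live, you can ask us to:
- Access: obtain a copy of the data we hold about you.
- Correct: fix incorrect information (most fields can be edited directly in the app's profile).
- Delete: delete your account and the related data.
- Data portability: receive your data in a structured, machine-readable format (JSON).
- Object: object to processing that is based on legitimate interest.
- Withdraw consent: for any item obtained on the basis of consent (avatar, self-introduction, location, push notifications, selfie, phone).
- Complain: lodge a complaint with the personal data authority where you live. In Taiwan this is the relevant competent authority under the Personal Data Protection Act; in the EU it is the supervisory authority of your country.
How to exercise these rights:
- In the app: Profile → Edit (correction), Profile → Delete account (erasure). The in-app deletion flow is on the development schedule; until it goes live, please email us and we will handle it within 7 days.
- Email: [email protected]. Please write from the email address you registered with so that we can verify your identity. We will reply within 30 days.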
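9. Security measures
- All traffic between the app and our servers is encrypted with TLS.
- Data stored in Supabase is encrypted at rest by the infrastructure.
- Database access is controlled by PostgreSQL Row-Level Security (RLS): a user can only read their own profile, the profiles of members of shared activities, messages in activities they have joined, and direct messages they take part in. Swipe records are completely private; nobody can see who you swiped on.
- Passwords are hashed by Supabase Auth; we cannot see the plain text.
- Selfies and avatars are stored in a private bucket; access to URLs is controlled by signatures.
- We do not store any payment information.
No system is perfectly secure. If you suspect your account has been compromised, email us right away and we will lock it immediately.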
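10. Cookies and web analytics
The homeboys.app marketing website does not use cookies or any web analytics tools. There are no third-party scripts, no Google Analytics, no pixels, and no cookie consent banner, because there is nothing that needs your consent. The app itself does not use web cookies either (the login token is stored in the device keychain via expo-secure-store, not in a browser cookie).
11. Push notifications
If you grant notification permission, we send push notifications for new messages, activity joins, reminders and so on. Actual delivery goes through Expo's push service (which forwards to Apple APNs and Google FCM). You can turn this off at any time in your phone's system settings.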
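12. Protection of children and minors
Homeboys serves adults aged 18 or older. We do not knowingly collect data from minors. If you find that an account belongs to a minor, please email us and we will delete it.
13. Changes to this policy
If there is a major change (a new vendor, a new data category, an adjustment to retention periods), we will update the "Last updated" date at the top of the page and notify you in advance in the app or by email. Minor wording fixes will not be announced separately.
14. Contact us
For any question, request, or correction, please email [email protected].
Incultnito LLC · Wyoming, USA · Operator: Peng (Taiwan)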