Last updated · May 2026

Privacy Policy

1. Controller & Contact

Dusky ("we", "us", "our") is the data controller for your personal data. Contact: dusky.papp@gmail.com.

2. Data We Collect

  • Account info: email, username, display name, profile photo, bio, city.
  • Location: approximate geolocation (only to show nearby events; never stored continuously).
  • Usage: events saved, posts, likes, interactions within the app.
  • Device: device type, OS, app version (for support).
  • Push tokens: Apple Push Notification (APNs) and Firebase (FCM) tokens, used only to deliver alerts you've opted into. Tokens are deleted when you uninstall the app or disable notifications in Settings.
  • Media: photos and videos you post. We strip EXIF metadata (GPS coordinates, device info) from every photo before storing it.

3. Legal Basis (GDPR Art. 6)

  • Contractual necessity: providing the service.
  • Legitimate interests: security, fraud prevention, product improvement.
  • Consent: location, push notifications, marketing emails.

4. How We Use Your Data

  • Operate Dusky and show nearby events.
  • Show your posts and profile to other users.
  • Send notifications (only when you've opted in).
  • Detect and prevent abuse via AI moderation on uploads.

4a. Automated Decisions (GDPR Art. 22)

Posts and captions are screened by an automated AI moderation system before publishing. If a post is rejected and you believe this is in error, you have the right to request human review by emailing dusky.papp@gmail.com. We will re-evaluate the moderation decision manually and notify you of the outcome.

5. Data Sharing

We do not sell your personal data. Limited sharing with essential service providers:

  • Supabase — database + authentication (EU hosting).
  • OpenAI — content moderation on uploaded captions + images. We do not send personally identifying info with moderation requests.
  • Ticketmaster — public event data (one-way: we pull, they don't see you).
  • Apple / Google / Expo — push delivery when you opt in.

5a. International Transfers (GDPR Art. 44–46)

Supabase data is hosted within the European Economic Area (EEA). Some of our processors operate servers outside the EEA — notably OpenAI (United States) for content moderation and Apple / Google for push notification delivery. Transfers outside the EEA rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission, which are the standard safeguard mechanism under GDPR Art. 46.

5b. Security Measures (GDPR Art. 32)

We protect your data with industry-standard technical and organisational measures:

  • All data in transit is encrypted with TLS 1.2 or higher.
  • Passwords are hashed using bcrypt before storage; we never store plaintext passwords.
  • Photo uploads have EXIF metadata (GPS coordinates, device model, timestamps) stripped before being saved.
  • Database access is gated by row-level security policies and audited at the infrastructure layer.

6. Your Rights (GDPR / Swiss DSG)

  • Access, rectification, erasure, portability, restriction, objection.
  • Withdraw consent at any time in Settings.
  • Lodge a complaint with your supervisory authority.

7. Retention

Account data: until you delete your account. Posts (stories): auto-deleted after 5 days. Reports and moderation logs: up to 12 months for safety records.

8. Children's Privacy

Dusky is for users 18+. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us and we will delete the account.

9. Changes

We'll notify you of material changes at least 30 days in advance via email or in-app notice.

10. Contact

For any data request: dusky.papp@gmail.com. We respond within 30 days as required by GDPR Art. 12.