1. Identity & Contact
Data Controller: BoulderBuddy
Contact:
BoulderBuddy is a social climbing app that helps you find climbing partners, track your sessions, discover gyms, and connect with the climbing community. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the BoulderBuddy iOS app and website.
2. Data We Collect
We collect the following categories of personal data:
Account Data
- Apple ID identifier (for authentication via Sign in with Apple)
- Apple relay email address (if provided by Apple)
- Display name (chosen during onboarding)
- Profile photo (optional, uploaded by you)
Profile Data
- Experience level (beginner, intermediate, advanced, expert)
- Preferred climbing styles (bouldering, lead, top rope, etc.)
- Climbing schedule and availability
- Languages spoken
- Bio / about text
Session Data
- Gym visited (selected by you from a list)
- Session date, start time, and duration
- Session notes, mood, and energy level
- Session photos (uploaded by you)
Social Data
- Connection requests sent and received
- Messages sent through direct messages, group chats, community channels, and session threads
- Channel memberships
- Session posts and interactions (kudos)
Gamification Data
- Badges and achievements earned
- Streaks (climbing sessions and social interactions)
Technical Data
- Device type and operating system version
- App version
- IP address (logged on API requests for security purposes)
- Push notification token (for delivering notifications)
Preference Data
- Language preference
- Timezone
- Units (metric / imperial)
- Notification settings
- Visibility settings (profile, sessions, online status, gym regular)
3. Data We Do NOT Collect
We believe in minimal data collection. The following data is never collected:
- Precise GPS location — Gym selection is manual from a curated list. We do not track your coordinates.
- Contacts or phone number — We never access your device contacts.
- Browsing history — We do not track your activity outside the app.
- Health or fitness data — We do not integrate with HealthKit or any health data provider.
- Advertising identifiers — We do not use IDFA or any advertising tracking.
- Third-party analytics SDKs — We do not use Google Analytics, Firebase Analytics, Mixpanel, or any similar service.
4. Legal Basis for Processing (GDPR Article 6)
We process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the BoulderBuddy service — account creation, session tracking, messaging, social features, and partner matching.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement. We balance our legitimate interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): Push notifications (you can opt out at any time via iOS Settings). We ask for your consent where required.
5. Data Sharing
We share your data with the following third parties, strictly as necessary:
- Apple: Sign in with Apple authentication. Apple provides us with a unique identifier and optionally a relay email. See Apple's Privacy Policy.
- Cloud storage provider: Profile photos and session photos are stored securely in our cloud storage. No other personal data is shared with the storage provider.
We do not sell your data to third parties — ever. We have no advertising partners and no data brokers. Your data is used solely to provide the BoulderBuddy service.
6. Data Retention
- Active account: Your data is retained for as long as your account is active. You can edit or delete your data at any time through the app.
- Deleted account: When you delete your account, it is immediately deactivated (soft-deleted). After a 30-day grace period, all your data is permanently removed from our servers. During the grace period, you can sign back in to cancel the deletion.
- Messages: After account deletion, your messages are anonymized — the sender is replaced with “Deleted User” to preserve conversation context for other participants. Message content remains for thread continuity.
- Sessions and posts: Your sessions and session posts are removed upon account deletion.
7. Your Rights (GDPR Articles 15–22)
Under the GDPR, you have the following rights:
- Right of access (Art. 15): You can request a complete export of all your personal data. Use the “Download My Data” option in Settings > Privacy & Data.
- Right to rectification (Art. 16): You can update your profile information at any time through the app (Edit Profile).
- Right to erasure (Art. 17): You can delete your account from Settings. Your data will be permanently removed after a 30-day grace period.
- Right to restrict processing (Art. 18): Contact us to request restriction of processing in specific circumstances.
- Right to data portability (Art. 20): Your data export is provided in a structured, machine-readable JSON format that you can save to your device.
- Right to object (Art. 21): You can object to processing based on legitimate interests by contacting us.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw at any time. For push notifications, disable them in iOS Settings.
To exercise any of these rights, contact us at or use the in-app features described above. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
8. Data Security
- Encryption in transit: All communication between the app and our servers uses TLS (HTTPS).
- Authentication: We use JWT (JSON Web Tokens) for secure session management.
- No passwords stored: We use Apple Sign-In exclusively — we never store or handle passwords.
- Secure token storage: Authentication tokens are stored in the iOS Keychain on your device.
- Access controls: Server-side access to personal data is restricted and logged.
9. International Data Transfers
Our servers are located in the European Union. If data is transferred outside the EU/EEA in the future, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Children
BoulderBuddy is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at and we will promptly delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or by other appropriate means before the changes take effect. We encourage you to review this page periodically.
12. Contact
For any privacy-related questions, requests, or concerns, please contact us:
We aim to respond to all inquiries within 30 days.