Privacy Policy

1. Information we collect

1.1 Information you provide directly

• Account information: Name, email address, phone number, and profile photo when you create an account.
• Profile information: Display name, preferred mahjong rulesets, skill level, bio, and other optional details you add to your profile.
• Event information: If you host events, we collect event details including title, description, date, time, location, ruleset, pricing, and any policies you set.
• Communications: Messages you send through in-app event chat, direct messages to hosts, and any correspondence with our support team.
• Payment information: When you purchase event tickets or set up payouts as a host, payment processing is handled by Stripe. We do not store your full credit card number, bank account number, or other sensitive financial data on our servers. We receive and store transaction records, payout status, and Stripe account identifiers.
• Contacts: If you grant permission, we access your device's address book to help you find people you know who also use Mahjy. We use phone numbers for matching purposes only. We do not store your full contact list on our servers or use it for marketing.
• Calendar: If you grant permission, we access your device calendar to add event reminders. We do not read or store existing calendar entries.

1.2 Information collected automatically

• Location data: With your permission, we collect your approximate (coarse) location to show you nearby events. We do not track your precise location continuously or in the background. Location data is used solely for event discovery and is not shared with other users beyond the general area displayed on event listings.
• Device information: Device type, operating system version, unique device identifiers, and push notification tokens.
• Usage data: How you interact with the Service, including screens viewed, actions taken (such as RSVPs, event creation, and searches), session duration, and feature usage. This data is collected through our analytics provider to improve the Service.
• Log data: IP address, browser type, access times, and referring URLs when you visit our website.

1.3 Information from third-party services

• Sign-in providers: If you sign in with Apple or Google, we receive your name and email address (or a relay email in the case of Apple's Hide My Email feature). We do not receive your password from these providers.
• Payment providers: Stripe provides us with transaction status, payout status, and account verification status for hosts using Stripe Connect.

2. How we use your information

We use the information we collect to:

• Provide, operate, and maintain the Service, including event discovery, RSVPs, and event management
• Process transactions and send related information, including purchase confirmations, refunds, and payout notifications
• Verify your identity, including phone number verification for account security
• Send push notifications about events you've joined, waitlist updates, chat messages, and other time-sensitive information
• Connect you with people you know through phone number matching
• Display nearby events based on your location
• Manage subscriptions and enforce access permissions based on your subscription tier
• Analyze usage patterns to improve the Service, fix bugs, and develop new features
• Enforce our Terms of Service, including investigating reports and blocking abusive users
• Communicate with you about service updates, security alerts, and support inquiries
• Comply with legal obligations

3. How we share your information

3.1 With other users

• Event hosts see your display name, profile photo, and skill level when you RSVP to their events. Hosts see your name in their attendance lists.
• Event attendees see your display name and profile photo in event chat and attendee lists for events you share.
• Event locations: Exact event addresses are only revealed to approved attendees within 24 hours of the event start time, or upon host approval. Prior to that, only an approximate area is shown.
• Connections: Users who have mutually connected with you can see your display name and profile information. Connections require mutual consent.

3.2 With service providers

We share information with third-party service providers who perform services on our behalf:

• Xano: Backend infrastructure and data storage
• Stripe: Payment processing for event tickets and host payouts via Stripe Connect
• RevenueCat: Subscription management and purchase verification
• Mixpanel: Product analytics and usage tracking
• Radar: Geolocation services for event discovery
• Expo: Push notification delivery
• Apple and Google: Authentication, subscription billing, and app distribution
• Vercel: Website hosting

These providers are contractually obligated to use your information only as necessary to provide their services to us and in accordance with applicable privacy laws.

3.3 For legal reasons

We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users or the public

3.4 Business transfers

If Second Arcs LLC is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

3.5 What we never do

• We never sell your personal information to third parties
• We never share your information with third parties for their own marketing purposes
• We never display your email address or phone number to other users
• We never share your exact location with other users
• We never import or connect with external social media platforms (Facebook, Instagram, LinkedIn, etc.)

4. Data retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

• Account data: Retained until you delete your account
• Event data: Event details and attendance records are retained for historical and analytics purposes, even after an event ends
• Chat messages: Event chat messages are retained for the duration of the event and a reasonable period thereafter
• Transaction records: Payment and refund records are retained as required by applicable financial regulations and tax laws (typically 7 years)
• Analytics data: Aggregated and de-identified usage data may be retained indefinitely for product improvement

When you delete your account, we delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes such as fraud prevention or financial record-keeping.

5. Account deletion

You can request deletion of your account at any time through the app (Profile > Settings > Delete Account) or by contacting us at support@mahjy.com. Upon receiving a deletion request:

• Your account will be scheduled for deletion with a grace period during which you may cancel the request
• Your profile, display name, and photo will be removed from public visibility immediately
• Your personal data will be permanently deleted within 30 days
• Anonymized records of events you attended or hosted may be retained for host analytics and platform integrity
• Active subscriptions should be cancelled through the Apple App Store or Google Play Store before deleting your account to avoid continued billing

6. Data security

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit using TLS/SSL
• Secure token-based authentication
• Sensitive credentials stored in encrypted device storage (not plain text)
• Payment processing handled entirely by PCI-DSS compliant providers (Stripe)
• Regular review of our data collection, storage, and processing practices

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

7. Your rights and choices

7.1 All users

• Access and update: You can access and update your profile information at any time through the app
• Location: You can revoke location permissions through your device settings at any time. This may limit event discovery functionality.
• Contacts: You can revoke contacts permissions through your device settings. This will prevent the friend-finding feature from working.
• Push notifications: You can disable push notifications through your device settings
• Account deletion: You can delete your account as described in Section 5

7.2 California residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose about you
• Delete your personal information, subject to certain exceptions
• Opt out of the sale or sharing of your personal information. We do not sell your personal information.
• Non-discrimination for exercising your privacy rights
• Correct inaccurate personal information

To exercise these rights, contact us at support@mahjy.com. We will verify your identity before processing your request.

7.3 European users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. Our legal basis for processing your information is your consent (which you may withdraw at any time), performance of our contract with you, and our legitimate interests in operating and improving the Service. To exercise your rights, contact us at support@mahjy.com.

8. Children's privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@mahjy.com, and we will take steps to delete such information promptly.

9. Analytics and tracking

We use Mixpanel to collect anonymized analytics data about how the Service is used. This includes events such as screen views, feature usage, and session information. This data is tied to a device identifier and your user ID for the purpose of improving the Service. We do not use this data for advertising or share it with advertisers.

Our website may use essential cookies for functionality. We do not use advertising cookies or third-party tracking pixels.

As disclosed in our Apple App Store privacy nutrition labels, we collect the following data types: email address, name, phone number, coarse location, contacts (not linked to identity), photos, payment information, purchase history, product interaction data, and device identifiers. None of this data is used for tracking as defined by Apple.

10. Third-party links and services

The Service may contain links to third-party websites or services, such as Stripe's payment pages or Apple/Google subscription management. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app, by email, or by posting a prominent notice on our website. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

12. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Second Arcs LLC
Email: support@mahjy.com