Privacy Policy
Blurtd is a party game built on top of your real liked feed. That means privacy is the product, not a footnote. This page explains exactly what we collect, what we don't, what we do with it, and how you control it.
1. Who we are
"Blurtd," "we," "us," and "our" mean the team operating the Blurtd mobile app and website at blurtd.app. We're the data controller for the personal data described in this policy.
You can reach us at hello@blurtd.app for privacy questions, data requests, or just to say hi.
2. What we collect
Different parts of Blurtd collect different things. We try to keep it minimal.
2.1. When you join a room as a guest (no account)
- A device ID we generate on your phone and store securely on the device — used to remember which Player you are across rounds in the same room.
- A display name you type or that we generate.
- Game state for the room: your votes, scores, and the order you joined.
That's it. No email, no social account, no contacts, no location.
2.2. When you sign in with email or as the source player
- Email address (for sign-in and account recovery).
- Display name and optional profile fields.
- Authentication tokens issued by Supabase (our auth provider). We never see or store passwords in plain text.
2.3. When you connect TikTok (and later, Instagram or YouTube)
- An OAuth refresh token stored on our server so we can fetch your liked-clip metadata for active rounds.
- Your platform user ID (TikTok open_id, etc.).
- Liked-clip metadata — clip IDs, the platform, the embed URL, the public uploader, and the timestamp it was liked.
We do not download or store the video files themselves. When a round shows a clip, your phone streams it directly from TikTok's CDN using TikTok's own embed URL. We're a router, not a vault.
2.4. Game data
- The room PIN, room mode, round count, and the player roster.
- Each round's active clip reference and the votes cast.
- Aggregate scores.
2.5. Diagnostics & analytics
- Crash and error logs via Sentry — these include device model, OS version, and a stack trace, but we strip personal identifiers before they leave your device.
- Product analytics events via Mixpanel — things like "round_played", "vote_cast", "paywall_seen". Tied to your Player ID, never to your email or contacts.
2.6. Payments
Subscriptions and one-time unlocks (PartyPass, Pro Weekly, Lifetime) are processed by Apple App Store, Google Play Store, and our subscription manager RevenueCat. We never see your card number, billing address, or banking details. We see only the entitlement (do you have an active subscription, yes or no) and an opaque purchase ID.
3. What we don't do
We never sell your personal data. Not now, not later, not as part of a product sale. This is a hard rule, not an aspiration.
- We don't show ads, so we don't build advertising profiles or share data with ad networks.
- We don't store the contents of your TikTok liked videos (audio, video, images) on our servers.
- We don't read your contacts, photo library, calendar, or location.
- We don't track you across other apps or websites.
- We don't fingerprint your device for advertising purposes.
4. How we use data
We use the data described above to:
- Run the game — let you join rooms, cast votes, and see results.
- Authenticate you and remember which rooms you're a member of.
- Fetch the next liked clip from your connected platform when you're the source player for a round.
- Diagnose crashes and fix bugs.
- Understand product usage in aggregate (which game modes are popular, where players drop off) to improve the product.
- Process payments via the App Store / Play Store / RevenueCat.
- Prevent abuse — rate limit suspicious traffic, detect cheating.
- Comply with law when validly compelled.
5. Who we share data with
We share the minimum necessary with these categories of recipients:
- Other players in your room — they see your display name, your liked-clip thumbnails for the rounds you're the source, and your votes (after the reveal).
- Service providers we rely on to run the product:
  - Supabase — database, auth, real-time, edge functions.
  - RevenueCat — subscription management.
  - Mixpanel — product analytics.
  - Sentry — error monitoring.
  - Expo / EAS — builds and push notifications.
  - Cloudflare — website hosting and DDoS protection.
- Apple and Google for App Store / Play Store distribution and payment processing.
- TikTok / Instagram / YouTube — only when you authorize a connection and only the OAuth handshake required for that platform's API.
- Law enforcement and regulators — only when validly compelled by a court order, subpoena, or equivalent process from a jurisdiction with authority over us.
6. TikTok and other platforms
When you tap "Connect TikTok," you're sent to TikTok's own OAuth screen. TikTok, not us, asks you to authorize Blurtd. After you approve:
- TikTok gives us a refresh token (stored encrypted on our servers).
- We use that token to call TikTok's Data Portability API, which returns metadata about your liked videos — clip IDs, embed URLs, timestamps.
- For each round where you're the source player, we pick one liked clip and stream it to the room via TikTok's embed.
- Your TikTok credentials, account password, and direct messages are never visible to us. TikTok holds those.
You can disconnect TikTok at any time inside the app's account settings, or by revoking access from your TikTok account's connected apps page. When you disconnect, we delete the refresh token and stop fetching.
The same model will apply to Instagram Reels and YouTube Shorts when those integrations launch. We never use scraping or unofficial APIs.
7. The privacy preview
Before any liked clip you're the source for is shown to a room, the app displays a privacy preview: the exact set of clips that will be in the rotation for that round. You can:
- Confirm and play the round.
- Skip individual clips you'd rather not share.
- Cancel the round and disconnect.
This preview is opt-in, per session. You can revoke connection access and request deletion of stored metadata at any time (see Your rights).
8. How long we keep data
- Account data: as long as your account is active, plus 30 days after deletion to handle support.
- Game data: rooms and rounds are retained for 90 days for replay and dispute resolution, then purged.
- Liked-clip metadata: retained while your platform connection is active; deleted within 7 days of disconnection.
- Analytics events: retained for 24 months in aggregate form.
- Crash logs: retained for 90 days.
- Payment records: retained per legal/tax obligations (typically 7 years).
9. Your rights (GDPR / CCPA / others)
If you're in the EU, UK, California, or another jurisdiction with similar data protection laws, you have these rights at any time:
- Access — request a copy of the personal data we hold about you.
- Correction — fix anything inaccurate.
- Deletion — "right to be forgotten." We delete your account and personal data within 30 days of a confirmed request, except where law requires us to retain certain records (e.g., tax).
- Portability — get your data in a machine-readable format.
- Restriction or objection to certain processing.
- Opt-out of "sale" or "sharing" — we don't sell or share your data for cross-context behavioral advertising, so this is a no-op for us, but the right exists.
- Withdraw consent — for any processing based on consent (e.g., analytics).
- Lodge a complaint with your local data protection authority.
To exercise any of these, email hello@blurtd.app with the subject "Privacy Request." We respond within 30 days. We may ask you to verify identity (e.g., from the email tied to your account).
10. Children
Blurtd is not directed to children. We don't knowingly collect personal data from anyone under 13 in the United States or under 16 in the European Union. If you believe a child has signed up, email hello@blurtd.app and we'll delete the account.
11. International transfers
Our servers are located in the United States and the European Union. If you're outside these regions, your data will be transferred to and processed in countries that may have different data protection laws than yours. Where required (e.g., for EU residents), we use Standard Contractual Clauses or equivalent safeguards approved by the European Commission.
12. Cookies and local storage
The Blurtd mobile app does not use cookies. The marketing website (blurtd.app) uses only functional local storage to remember your accessibility preferences. We do not run third-party analytics, advertising, or tracking on the website.
13. Security
We protect your data with industry-standard practices: TLS for all network traffic, encryption at rest in our database, restricted internal access on a need-to-know basis, automated dependency monitoring, and incident-response procedures. No system is 100% secure. If we ever discover a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
14. Changes to this policy
We'll update this policy when our practices change. The "Effective" date at the top reflects the latest version. For material changes (anything that meaningfully expands what we collect, who we share with, or how we use data), we'll give you reasonable notice — typically a banner in the app and an email if we have one for you.
15. Contact
Privacy questions, data requests, or concerns:
hello@blurtd.app · subject line "Privacy."
If you're in the EU and not satisfied with our response, you can complain to your local data protection authority.