Who's Free? Privacy Policy
Effective date: 27 February 2026
Last updated: 18th March 2026
1. Who We Are
Who's Free? is operated by Appfolk Ltd, a company registered in the United Kingdom.
Contact: privacy@appfolk.co
Supervisory authority: Information Commissioner's Office (ICO), United Kingdom
This privacy policy explains how we collect, use, store, and share your personal data when you use the Who's Free? mobile application (“the App”). It applies to all users of the App.
2. What Data We Collect
Account data
- Examples: Email address, first name, last name, profile image (provided via your login provider)
- Required or optional: Required
Contact information
- Examples: Phone number
- Required or optional: Optional
Family data
- Examples: Family name, children's first names
- Required or optional: Required for core features
Social data
- Examples: Friend connections, friend request messages
- Required or optional: Created through your use of the App
Availability data
- Examples: Dates, start and end times, notes, which children are available
- Required or optional: Created through your use of the App
Device data
- Examples: Push notification token
- Required or optional: Optional (requires your permission)
Diagnostics
- Examples: Device model, OS version, app version, error stack traces
- Required or optional: Automatic; does not include your name, email, IP address, or any account data
Authentication data
- Examples: OAuth tokens, session data (managed by Clerk)
- Required or optional: Required
Feature usage data
- Examples: Feature used (e.g. added availability, sent a friend request), timestamps, login method used, no personal data
- Required or optional: Automatic; linked to your account while your account is active
We do not collect location data, financial information, or browsing history.
3. How We Use Your Data
We use your data for the following purposes only:
- Providing the service: Creating your account, storing your family and availability information, and connecting you with friends so you can coordinate playdates.
- Friend connections: Allowing you to search for other users (if they have enabled discovery), send and receive friend requests, and view your friends' availability.
- Push notifications: Sending you alerts when you receive a friend request (only if you opt in to notifications).
- Error monitoring: Collecting anonymous crash and performance data to identify and fix bugs.
- Product analytics: Recording what features are used and when, to understand how the App is used and to improve its features. For example, we record that you used the “add availability” feature, but not what information you included.
- Account security: Verifying your identity through your login provider and maintaining secure sessions.
We do not use your data for advertising, profiling, or automated decision-making.
4. Lawful Basis for Processing (GDPR)
Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:
Contract (Art. 6(1)(b))
- Data processed: Account data, family data, children's names, availability, friendships
- Purpose: Necessary to provide the service you signed up for
Legitimate interests (Art. 6(1)(f))
- Data processed: Crash and performance diagnostics
- Purpose: Maintaining and improving app stability; our interest is balanced against your rights as this data is anonymous and not linked to your identity
Legitimate interests (Art. 6(1)(f))
- Data processed: Usage data (feature name, timestamp, login method)
- Purpose: Understanding how the App is used to improve features; data is linked to your account (until account deletion), not used for advertising, and automatically deleted after 12 months
Consent (Art. 6(1)(a))
- Data processed: Push notification token, phone number, discovery setting
- Purpose: You can grant or withdraw consent at any time through the App or your device settings
5. Data Sharing and Third Parties
We share data with the following third-party service providers, solely for the purposes described:
Clerk
- Purpose: Authentication and account management
- Data shared: Email, name, profile image, OAuth tokens
- Server location: USA (Google Cloud)
- Privacy policy: clerk.com/legal/privacy
Convex
- Purpose: Database and backend infrastructure
- Data shared: All app data listed in Section 2
- Server location: USA (AWS)
- Privacy policy: convex.dev/legal/privacy
Sentry
- Purpose: Crash and performance monitoring
- Data shared: Device model, OS version, app version, error stack traces. Configured with Sentry's built-in setting to exclude IP addresses and user-identifying data.
- Server location: EU (Frankfurt, Germany)
- Privacy policy: sentry.io/privacy
Expo
- Purpose: Push notification delivery
- Data shared: Push token, notification content
- Server location: USA (Google Cloud)
- Privacy policy: expo.dev/privacy
Apple
- Purpose: OAuth login (Sign in with Apple)
- Data shared: Apple user ID, name, email
- Server location: USA / Global
- Privacy policy: apple.com/legal/privacy
Google
- Purpose: OAuth login (Sign in with Google)
- Data shared: Google user ID, name, email, profile picture
- Server location: USA / Global
- Privacy policy: policies.google.com/privacy
We do not sell your personal data to any third party.
6. International Data Transfers
Your data is transferred to and processed in the United States by Clerk, Convex, Expo, and your OAuth login provider (Apple or Google). These transfers are protected by the following mechanisms:
- EU-US Data Privacy Framework (DPF): Clerk, Expo, and Google are certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): Convex uses Standard Contractual Clauses approved by the European Commission and the UK ICO.
- Apple's terms: Apple transfers are governed by Apple's own data processing terms and commitments.
Sentry diagnostic data is processed within the EU (Frankfurt, Germany) and is not transferred outside the EU/UK.
7. Data Retention
- Availability data: Automatically deleted daily once the availability date has passed
- Account, family, and social data: Retained while your account is active
- On account deletion: All app data (profile, family, children, friendships, availability) is permanently deleted immediately. Your user ID is removed from all usage event records immediately; the remaining anonymised records are retained for aggregate analysis and automatically deleted after 12 months (see Section 7, “Usage data”). Your Clerk authentication account is permanently deleted within 90 days (see Section 14).
- Clerk authentication data: Deleted within 90 days of account termination, per Clerk's retention policy
- Sentry diagnostics: Retained for up to 90 days, per Sentry's default retention policy
- Usage data (events): On account deletion, your user ID is removed from all event records immediately; the remaining anonymised records (containing only an anonymous identifier, the event name, e.g. “availability.create”, and a timestamp — no personal data) are retained for aggregate analysis. All records are deleted automatically 12 months after their creation.
8. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate data. You can also update your name, email, phone number, and profile image directly within the App.
- Right to erasure (Art. 17): request deletion of your data. You can delete your account directly within the App (see Section 14).
- Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): request your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time for processing based on consent (e.g. push notifications, phone number, discovery). Withdrawal does not affect the lawfulness of processing before withdrawal.
We do not carry out any automated decision-making or profiling (Art. 22).
To exercise any of these rights, contact us at privacy@appfolk.co. We will respond within one month.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.
9. Data Shared Between Users
The App is designed to help friends coordinate playdates. As a result, some of your data is visible to other users:
- Your friends can see: Your first name, last name, profile image, family name, children's first names, and your availability posts.
- Users searching for friends: If you have enabled discovery in your settings, your name and profile image will appear in search results. Non-friends cannot see your availability, children's names, or family name.
- Non-users: Cannot see any of your data.
You can disable discovery at any time in your profile settings to stop appearing in search results within the App.
10. Children's Privacy
Who's Free? is designed for adults (parents and guardians). You must be at least 16 years old to create an account.
- Children do not create accounts or interact with the App.
- Parents and guardians enter their children's first names to facilitate playdate coordination.
- We do not collect any data directly from children.
- Children's names are not used for advertising, analytics, or any purpose other than displaying them to the parent's friends within the App.
- Children's names are permanently deleted when the parent deletes their account.
11. Device Permissions
The App may request the following device permissions, all of which are optional:
- Camera: To take a profile picture
- Photo library: To choose a profile picture from your photos
- Push notifications: To receive alerts when you get a friend request
You can manage these permissions at any time through your device settings.
12. Data Security
We take appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted using HTTPS/TLS.
- Authentication tokens are stored in your device's secure storage (Expo SecureStore).
- Convex (our database provider) encrypts all data at rest using AES-256 and is SOC 2 Type II compliant.
- Clerk webhook signatures are verified using HMAC (via Svix) to prevent tampering.
- Sentry is configured with personally identifiable information collection disabled (i.e. by setting their sendDefaultPii flag to false).
No system is completely secure. If you become aware of a security vulnerability, please contact us immediately at privacy@appfolk.co.
13. Data Breaches
If we become aware of a personal data breach, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where required under UK GDPR Article 33.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34).
If you discover or suspect a security vulnerability, please report it to us immediately at privacy@appfolk.co.
14. Account Deletion
You can delete your account at any time from within the App. When you delete your account:
- Your user profile, family record, children's records, all friendships, and all availability posts are permanently and immediately deleted from our database.
- Your user ID is immediately removed from all usage event records. The remaining anonymised event records (containing only an anonymous identifier, the event name, and a timestamp) are retained for aggregate analysis and cannot be linked back to you.
- Your Clerk authentication account is permanently deleted within 90 days of deletion, per Clerk's data retention policy.
- This action is irreversible.
If you delete your account through your Clerk account, our system automatically receives a notification and deletes all your data from our database.
15. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you through the App or by other appropriate means. The “Last updated” date at the top of this policy will always reflect the most recent revision.
We encourage you to review this policy periodically.
16. Contact Us
If you have any questions about this privacy policy or how we handle your data, please contact us:
- Appfolk Ltd
- Email: privacy@appfolk.co
To lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- ico.org.uk/make-a-complaint