Legal

Privacy Policy

Last updated: 15 March 2026

This Privacy Policy explains how ooverlap collects, uses, stores, shares, and otherwise processes personal data when you use the ooverlap mobile application, the ooverlap website, invite pages, and related services.

1. Controller

The controller responsible for the processing of your personal data is: Michel Chamoun, Alsterdorfer Straße 488, 22337 Hamburg, Germany.

Email: contact@ooverlap.app

VAT ID: DE365419012

If you have any privacy-related questions or want to exercise your rights, you can contact us at contact@ooverlap.app.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed through:

  • the ooverlap mobile app for iOS and Android;
  • the ooverlap website;
  • event invitation pages and guest access pages;
  • communications sent by us in connection with events or your account;
  • support and other communications with us.

3. Who this Privacy Policy applies to

**3.1 Registered Users**

People who create an ooverlap account and use the app or website while logged in.

**3.2 Invite Guests / LWV Guests**

People who access an ooverlap invitation or event page through a link without creating a full account ("LWV" stands for "Link Without Verification").

Different features, visibility levels, and data flows may apply depending on whether you are a registered user or a guest.

4. Age Restriction

ooverlap is intended only for individuals who are 16 years of age or older (or the minimum age required by applicable law in your country).

If you are under the age required by applicable law in your country, you may only use the Service with consent from a parent or legal guardian.

We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a person under 16, we may delete that information and disable related access or accounts.

5. Personal Data We Collect

We collect personal data that you provide directly, data generated through your use of the Services, and limited technical data required to operate, secure, and improve the Services.

6. Data We Collect from Registered Users

**6.1 Account and authentication data**

  • email address;
  • password credentials (processed securely through our authentication provider);
  • authentication identifiers;
  • sign-in method;
  • username and display name.

If you sign in using Google or Apple, we may receive account data from those providers, such as your email address, name, and basic profile information.

**6.2 Profile data**

  • profile photo;
  • cover image;
  • bio;
  • country;
  • interests;
  • links to social profiles or websites.

**6.3 Event and participation data**

  • event title, description, date and time, location;
  • cover image or cover video;
  • RSVPs;
  • waitlist status;
  • event roles and permissions;
  • event history and related timestamps.

**6.4 Social and community data**

  • membership data;
  • role information;
  • invitations;
  • associations with spaces, groups, and events;
  • interactions with other users.

**6.5 User content**

  • chat messages;
  • comments;
  • poll questions and poll votes;
  • list items and assignments;
  • image uploads;
  • audio messages;
  • documents;
  • PDF tickets;
  • ride and pickup information;
  • story or feed activity summaries.

**6.6 Financial and expense data**

  • amounts;
  • descriptions;
  • who paid;
  • split information.

ooverlap does not currently process payment card data and does not currently provide payment processing inside the Services.

**6.7 Notifications and communication preferences**

  • push notification tokens;
  • email preferences;
  • notification settings;
  • unsubscribe status.

**6.8 Support and contact data**

  • your name;
  • email address;
  • message contents;
  • any attachments or details you provide;
  • support history.

7. Data We Collect from Guests (LWV Guests)

**7.1 Data collected from LWV guests**

  • name;
  • email address;
  • RSVP status;
  • event-related actions;
  • comment content;
  • poll participation;
  • list participation;
  • event notification opt-in status;
  • session data required to maintain guest access.

**7.2 What guests can view on invite pages**

Depending on the event setup, guests may be able to view: invitation title and description, hero image or hero video, host profile name, guest previews, event date, time and address, RSVP totals, polls and lists, a limited gallery preview, and comments.

**7.3 Actions available to LWV guests**

  • RSVP;
  • write and read comments;
  • participate in polls;
  • view and edit lists;
  • download or add calendar information;
  • receive event-related emails if they explicitly opt in.

**7.4 Limited public visibility on invite pages**

Invite pages may expose certain event information to anyone with the relevant invite link, including a limited set of guest previews, gallery images, comments, polls and lists.

8. Guest Records and Account Linking

When an LWV guest provides their name and email address, we may create a guest record to support RSVP handling, comments, poll votes, list participation, and event communication.

If that guest later creates a registered ooverlap account using the same email address, we may show a prompt offering to connect those previous guest records to the new account.

This linking is not performed as a silent automatic account takeover. Instead, the user is presented with a clear proposal to connect their past event participation — nothing happens without their explicit consent.

9. Data We Collect Automatically

When you use the Services, we may automatically collect limited technical and usage data, including:

  • IP address;
  • device type;
  • operating system;
  • browser type;
  • app version;
  • language settings;
  • timestamps;
  • request and response metadata;
  • crash and error information;
  • security logs;
  • audit trail information for user actions;
  • internal product usage metrics.

For invite pages, we may use a necessary session mechanism, including a session cookie, to maintain guest access and invite-page functionality.

10. Cookies, Session Storage, and Similar Technologies

**10.1 Necessary cookies and session technologies**

For invite pages and certain website functionality, we may use necessary cookies or equivalent session technologies to keep sessions working, support invite-page interactions, maintain security, prevent misuse, and ensure the website functions properly.

**10.2 Browser caching and technical storage**

Media and other website assets may also be cached by your browser or content delivery infrastructure as part of normal technical delivery.

ooverlap does not currently use third-party analytics or advertising cookies for behavioral advertising or ad targeting.

11. Location Data

We do not perform background location tracking or continuous GPS monitoring.

We may process location-related data in limited cases, such as event locations entered by users, pickup points for ride coordination, profile-level location preferences such as city or country, or a one-time current location selected by a user when actively using a map or ride-related feature.

12. Calendar Functionality

We may allow users or guests to add an event to their calendar using an event file or platform intent, such as an .ics file or similar handoff.

ooverlap does not currently perform full third-party calendar synchronization.

13. Communications

**13.1 Event-related emails**

We may send event-related emails where necessary to provide the Services or where the recipient has opted in. Examples include RSVP confirmations, event updates, rescheduling notices, location changes, cancellation notices, poll-result notices, reminders, and waitlist updates.

**13.2 Marketing emails**

We may send occasional marketing or product-related emails to registered users. Registered users will have a clear ability to unsubscribe.

We do not use LWV guest email addresses for general marketing communications.

**13.3 Push notifications**

Registered users may receive push notifications in the app, subject to device permissions and user settings.

14. How We Use Personal Data

We use personal data for the following purposes:

  • to create and manage accounts;
  • to authenticate users;
  • to provide event planning and participation features;
  • to enable spaces, groups, event communities, and guest access;
  • to process RSVPs, polls, lists, comments, chats, galleries, rides, tickets, and related content;
  • to send event-related communications;
  • to send marketing communications to registered users where allowed;
  • to maintain user preferences and settings;
  • to support user requests and customer support;
  • to secure the Services and prevent abuse;
  • to investigate misuse, fraud, and violations;
  • to maintain logs, records, and audit trails;
  • to operate, troubleshoot, and improve the Services;
  • to comply with legal obligations;
  • to establish, exercise, or defend legal claims.

**Content review and moderation.** We may review User Content, including chat messages, direct messages, comments, and other communications, where reasonably necessary to respond to user reports, enforce our Terms of Service, investigate potential violations, comply with legal obligations, or protect the safety of our users. Content review may be performed by authorised team members or, in the future, by automated tools. We do not routinely monitor private conversations, but we may access specific content when a report is filed or when we have a reasonable basis to believe a violation has occurred.

**Reporting and blocking.** You can report content or users through in-app reporting tools. You can also block other users, which prevents them from contacting you or seeing your activity. When you block a user, we store that information to enforce the block across the platform.

16. Visibility of Content and Participant Information

**16.1 In-app visibility**

Within the app, event participants may be able to see participant names and profile images, comments, lists, poll participation, ride information, gallery images, uploaded tickets, and other event-related contributions.

**16.2 Invite-page visibility**

On invite pages, some event content may be visible without a full account, including event summary information, selected participant previews, comments, a preview of gallery images, and polls and lists for invited guests.

**16.3 Public and private distinction**

Full galleries are restricted to event participants in the app. PDF tickets, ride information, and in-app chat are restricted to invited persons or event-related groups or spaces.

17. If You Delete Your Account

If you delete your account, we may delete or anonymize personal data associated with you, subject to legal, operational, and technical limitations.

Because ooverlap includes collaborative features, some contributions may remain within the event context but be anonymized so that other users can no longer identify the deleted user.

We may also retain limited information where necessary for security, fraud prevention, dispute handling, legal compliance, backup restoration cycles, or enforcement of our rights.

For instructions on how to delete your account, visit https://ooverlap.app/delete-account.

18. How Long We Retain Data

Our current retention approach generally includes:

  • Account data: until account deletion, plus up to 90 days;
  • LWV guest data: generally until the relevant event has ended plus up to 180 days;
  • Unsubscribe / suppression records: up to 3 years;
  • Audit trails and administrative logs: up to 12 months;
  • Technical server and security logs: generally up to 30 days;
  • Error and incident logs: generally up to 90 days;
  • Backups: generally up to 30 days;
  • Support communications: generally up to 24 months after the matter is closed;
  • Media and uploaded content: until deleted by the user or the account is deleted.

19. Recipients and Service Providers

We may share personal data with service providers and infrastructure providers that help us operate the Services, in categories including:

  • authentication and database hosting;
  • cloud hosting and deployment;
  • email delivery;
  • push notification delivery;
  • content delivery and security;
  • map and geocoding services;
  • OAuth identity providers;
  • platform providers such as Apple and Google.

Our current or anticipated service providers include: Supabase, Vercel, Resend, Cloudflare, Google, Apple, Expo, and Geoapify.

We do not sell your personal data.

20. International Data Transfers

We primarily use infrastructure located in the European Economic Area or nearby European regions, including Supabase in eu-central-2, Vercel in eu-central-1 (Frankfurt), and Resend in eu-west-1 (Ireland).

Where personal data is transferred outside the EEA or UK, we will take steps to ensure that appropriate safeguards are in place as required by applicable law.

21. Security

We use technical and organizational measures designed to protect personal data, including:

  • encryption in transit;
  • secure transport over HTTPS/TLS;
  • password protection and secure authentication flows;
  • access controls;
  • database security controls;
  • row-level access restrictions;
  • audit logging;
  • validation and abuse prevention measures.

However, no service can be completely secure, and we cannot guarantee absolute security.

22. What We Do Not Currently Collect or Use

As of the current product design, the normal operation of ooverlap involves:

  • no background GPS tracking;
  • no continuous live location tracking;
  • no contact list syncing;
  • no device advertising ID collection for ad targeting;
  • no payment card data processing;
  • no third-party analytics SDKs for behavioral analytics;
  • no sale of personal data for advertising purposes.

If this changes in the future, we will update this Privacy Policy.

23. Your Rights

Depending on your location and applicable law, you may have rights regarding your personal data, including the right to:

  • request access to your personal data;
  • request correction of inaccurate data;
  • request deletion of your data;
  • request restriction of processing;
  • object to certain processing;
  • request portability of your data;
  • withdraw consent where processing is based on consent;
  • complain to a supervisory authority.

You can exercise your rights by contacting us at contact@ooverlap.app. We may need to verify your identity before responding.

If you are in the European Union, you may also have the right to lodge a complaint with the competent data protection authority in your country.

25. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the app, the website, by email, or by other reasonable means. The "Last updated" date at the top indicates the latest revision date.

26. Contact

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact:

contact@ooverlap.app

Postal address: Michel Chamoun, Alsterdorfer Straße 488, 22337 Hamburg, Germany
