Privacy Policy

1. Information we collect

We collect the following categories of personal information:

• Account information — name, email address, phone number, password hash (managed by Supabase Auth), and your role (customer or provider).
• Address and location — pickup and delivery addresses, geocoded coordinates used for provider matching, and — while the app is in use — approximate or precise device location if you grant the permission. Location is used only to match orders to nearby providers and to calculate ETAs.
• Order history and photos — dates, time windows, weights, pricing, delivery confirmations, and photos taken by customers or providers to document the condition of laundry at pickup and delivery.
• Payment information — billing address, subscription status, and Stripe payment-method tokens. We do not store full credit-card numbers, CVVs, or expiration dates on our servers. Card data is tokenized and handled entirely by Stripe under PCI-DSS SAQ A scope.
• Communication content — in-app messages between customers and providers, and support messages you send us.
• Device and usage data — device model, operating system version, app version, push-notification tokens (Firebase Cloud Messaging / Expo Push), crash reports, and anonymized interaction events.
• Marketing attribution — when you install the app, we use AppsFlyer to understand which campaign referred you. See “Third-party services” below.

2. Why we collect it

• To deliver the service — match orders to providers, process pickups and deliveries, handle subscription billing, and send order-status notifications.
• To keep the service safe — prevent fraud, investigate disputes, verify provider identity (via Stripe Identity), and enforce our Terms.
• To improve the product — understand feature usage, diagnose crashes, and measure acquisition campaign performance.
• To communicate with you — transactional emails (receipts, order updates), push notifications you’ve opted into, and, if you consent, occasional marketing emails you can unsubscribe from at any time.

3. Device permissions (mobile app)

Our Android and iOS app requests the following permissions. We only use them for the purposes listed below.

You can revoke any permission at any time from your device settings. Revoking location or camera access will prevent related features from working but will not delete your account.

4. Third-party services

We share the minimum personal information needed with the following processors. Each is contractually bound to use the data only to perform services for us.

• Supabase — authentication, database hosting, file storage (order photos).
• Stripe — subscription billing, payment tokenization, identity verification for providers, payouts via Stripe Connect.
• Google (Maps, Places, Firebase) — geocoding, address autocomplete, push notifications (FCM).
• Expo / EAS — mobile build and over-the-air update delivery.
• Resend — transactional emails (receipts, order notifications).
• Sentry — crash and error reporting. Stack traces may include device metadata; we strip personally identifying fields before sending.
• PostHog — anonymized product analytics.
• AppsFlyer — marketing attribution (which ad or referral led to your install).
• Railway — hosting provider for our API.

We do not sell personal information to third parties, and we do not share your information with advertisers for ad targeting outside of measuring our own campaigns via AppsFlyer.

5. How long we keep it

Account and order records are retained while your account is active and for up to 7 years after account closure to comply with tax, fraud-prevention, and dispute-resolution obligations. Order photos are retained for up to 12 months after delivery, then deleted or anonymized. Anonymized analytics data may be retained indefinitely.

6. Your rights

Depending on where you live, you may have the right to:

• Request a copy of the personal information we hold about you.
• Correct inaccurate information.
• Delete your account and personal information, subject to record-keeping obligations above.
• Object to or restrict certain processing.
• Withdraw consent for marketing communications at any time.

To exercise any of these rights, email privacy@justfold.app. We respond within 30 days.

California residents have additional rights under the CCPA, including the right to know what categories of personal information we collect and to opt out of any “sale” of personal information. We do not sell personal information.

7. Security

We use industry-standard measures to protect your information in transit and at rest, including TLS for all network traffic, encrypted database storage (Supabase Postgres with encryption-at-rest), tokenized payment data (PCI-DSS SAQ A scope via Stripe), and scoped access controls on internal systems. No online service can guarantee absolute security; we continuously review and update our practices.

8. Children

JustFold is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, please contact us and we will delete it.

9. Changes to this policy

We may update this policy when our practices change. Material changes will be announced in the app and via email at least 14 days before taking effect. The “Effective” date at the top of this page always reflects the current version.