Lex poipoi — Legal

Terms
& Privacy

Document vol. I  ·  Effective March 2026

This is an honest account of what we collect, what we promise, and what rights you have. We have tried to write it the way we would want to read it — clearly, without hiding anything uncomfortable in the subordinate clauses.

Version 0.7.0
Effective 1 March 2026
Jurisdiction EU / GDPR
Contact Via form below
Jump to GDPR Request · Terms of Service · Privacy Policy

GDPR — Your Rights

Data Request Form

Under the GDPR you have the right to access, export, or delete your personal data. Use this form to submit a request. We will respond within 30 days.

Your request is submitted directly to our backend — no email address is shown or transmitted through third-party services. Requests are processed within 30 calendar days as required by the GDPR. If you request deletion, your account and all data associated with it will be permanently removed; this action cannot be undone.

Request received.

We will respond to the email address you provided
within 30 calendar days.

Document I

Terms of Service

By creating an account on poipoi you agree to these terms. Please read them — we have tried to make them worth reading.

Who may use poipoi

poipoi is a social network for people that want to discover their city with their friends. To register you must be at least 18 years old, and physically present in the metro area of the city you set on your profile.

You may only have one account. Accounts are personal — they cannot be shared, transferred, or operated on behalf of another person.

Your account

You are responsible for keeping your login credentials secure. You are also responsible for everything that happens under your account. If you believe your account has been compromised, contact us immediately using the form at the top of this page.

When you register, you set a city. This city is permanent — it cannot be changed after registration. It is the trust and cohort boundary on which the product is built. It is enforced at the server level, not just the interface.

You may set an optional departure date. This date is used to display the "leaving in X days" counter on your profile. It can be updated once from your account settings. After your departure date passes, your account does not expire — it simply becomes quieter.

Content you post

You own the content you create on poipoi. By posting it, you grant us a non-exclusive, royalty-free, worldwide licence to store, display, and transmit that content solely for the purpose of operating the service. We will not use your content for any other purpose.

You must not post content that:

  • Is unlawful, defamatory, or constitutes harassment or abuse of another person
  • Infringes the intellectual property rights of another party
  • Contains the personal information of another person without their consent
  • Is spam, automated, or posted by a bot
  • Impersonates another person or entity

We do not proactively moderate content but we act on substantiated reports. If we remove content that violates these terms, we will inform you.

Note on photos. Photos you upload are stored compressed at display and thumbnail size. We do not run facial recognition or sell image data to third parties. You retain all rights to your photographs.

Connections

poipoi has no open search or public directory. You can only connect with people you have physically encountered — either via QR code or through mutual interests and/or connections. Connection via QR code between users in different cities is not permitted.

Connections are not visible on your profile, the interactions are visible to your other connections.

Prohibited conduct

In addition to the content restrictions above, you may not:

  • Attempt to access another user's account or data
  • Reverse-engineer, scrape, or systematically extract data from poipoi
  • Use the service to transmit malware or conduct phishing
  • Create fake or duplicate accounts
  • Attempt to circumvent the city-lock mechanism
  • Use automated tools (bots, scripts) to interact with the service

Violations may result in immediate account suspension or termination without notice.

Ending your account

You may delete your account at any time via your profile settings. Account deletion initiates a full and permanent data purge — your profile, posts, photos, connections, and all associated records are removed. This is irreversible.

We may suspend or terminate your account if you materially violate these terms. We will give you notice unless doing so would compromise security or the welfare of other users.

Liability and disclaimers

poipoi is provided as-is. We make no warranties regarding uptime, data continuity, or fitness for any particular purpose. We are not liable for any indirect, incidental, or consequential damages arising from your use of the service.

Real-world meetings. poipoi facilitates social coordination between real people. We are not responsible for what happens when you meet someone in person. Exercise the same care you would in any social situation.

Our total liability to you for any claim arising from your use of poipoi is limited to the amount you have paid us in the twelve months preceding the claim (which is likely zero, as poipoi is free).

Changes to these terms

We will notify you of material changes to these terms via the in-app notification system at least 14 days before they take effect. Continued use after the effective date constitutes acceptance. If you do not accept the revised terms, you may delete your account before they come into force.

The version number and effective date at the top of this page indicate which version you agreed to at registration.

Document II

Privacy Policy

We collect the minimum information needed to make poipoi work. We do not sell it, mine it for advertising, or share it beyond what this document describes.

What we collect

We collect information you provide directly when you create and use your account:

  • Account data — email address, display name, password (hashed, never stored in plain text), nationality, languages, university, program of study
  • Location data — your city, resolved once at registration via geocoding and stored as a canonical city record in our database
  • Profile content — bio, profile photo, vibe, interests, pinned facts, social links, theme preferences
  • Posts, plans, and photos — all content you create within the app
  • Connection data — who you are connected to and when the connection was made
  • Places visited — location notes you choose to add to your profile, stored as coordinates resolved at the time of input
  • Technical data — browser type, device type, IP address at login (used for security only, not profiling), push notification endpoint tokens

How we use it

We use your data to operate poipoi:

  • To authenticate you and maintain your session
  • To display your profile to your connections
  • To power the feed, plans, notifications, and all other core features
  • To enforce the city-lock and same-city connection constraints
  • To send you in-app and push notifications as configured by your preferences
  • To respond to GDPR requests submitted via the form on this page
  • To detect and prevent abuse

We do not use your data to build profiles for sale, or train machine-learning models. We do not have an advertising business. We reserve the right to display advertisement, and we might customize it to your profile if you consent to it.

Who we share your data with

We share data with a small number of infrastructure providers, each of which is contractually bound to process data only for the purposes we specify. Some of these providers are:

  • Supabase — database and authentication. Data is stored in the EU region
  • Cloudflare R2 — media storage (photos, avatars). Files are served via Cloudflare's CDN
  • Mapbox — geocoding only, called once at registration and once each time a place is added. No ongoing location tracking
  • Azure App Service — application hosting

We do not sell, rent, or broker your personal data to any third party. We will disclose data to law enforcement only if legally required to do so, and we will inform you unless prohibited by law.

Push notifications. Your push subscription endpoint is held by your browser provider (Google, Apple, Mozilla). We use it only to deliver notifications you have enabled. We delete stale endpoints when delivery fails.

How long we keep your data

We retain your data for as long as your account is active. When you delete your account, all personal data — profile, posts, photos, connection records, and push endpoints — is permanently deleted within 30 days. Anonymised, non-identifying aggregate data (e.g. total number of plans created that week) may be retained for operational monitoring.

Backups are retained for up to 90 days. If you delete your account, your data will be purged from live systems immediately and from backups within 90 days.

While an account is active, portions of data might be still purged based on application design choices.

Your rights under the GDPR

If you are in the European Union or European Economic Area, you have the following rights regarding your personal data:

  • Access — the right to request a copy of the data we hold about you
  • Portability — the right to receive your data in a structured, machine-readable format
  • Erasure — the right to have your data permanently deleted ("the right to be forgotten")
  • Rectification — the right to correct inaccurate data (you can edit most profile data directly; use the form below for anything else)
  • Restriction — the right to request that we limit processing of your data in certain circumstances
  • Objection — the right to object to processing based on legitimate interests

To exercise any of these rights, use the Data Request Form at the top of this page. We will respond within 30 calendar days. You also have the right to lodge a complaint with your national data protection authority.

Cookies and local storage

poipoi uses a session cookie to maintain your login state and for analytics purposes.

Push notification subscription data is stored in your browser's service worker registration. This is necessary for notifications to function and is not used for any other purpose. You can revoke push permissions at any time in your browser or device settings.

Home page's intro music is Dance Beat by The_Mountain (sourced from Pixabay), followed by Ain't One Of Us by Goldrap (sourced from Pixabay).