Privacy Policy

Moves Social Inc. ("Moves," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our services, including our website, mobile applications, and related features. By using Moves, you consent to the data practices described in this policy.

Account Information

When you create an account, we collect your username, phone number (required for verification), and optionally your email address. Your password is hashed using Argon2 and is never stored in plaintext.

Event & Location Data

When you create or interact with events ("moves"), we collect event details including titles, descriptions, dates, times, and location information such as place names, addresses, and geographic coordinates.

Messages & Chat Data

We store messages you send in group and direct chats, including text content, reactions, poll responses, and image attachments.

Financial Data

When you use cost-splitting features, we store expense amounts, currencies, split details, settlement records, and your Stripe account identifier. Payment processing is handled by Stripe — we do not store your credit card numbers or bank account details. For more information, see Stripe's Privacy Policy.

Google Calendar Data

If you choose to connect your Google Calendar, we request read-only access to import your calendar events into Moves. During the connection process, we also receive your Google account identifier and email address via OpenID Connect. We store imported event details (titles, times, descriptions, locations, and timezones), Google calendar and event identifiers, sync tokens, and OAuth tokens in encrypted form. Imported events remain in Moves even if you later disconnect the integration. You can disconnect Google Calendar at any time from your account settings, which stops future syncing.

We use Google Calendar data solely to provide and improve the calendar synchronization feature within Moves. We do not use Google Calendar data for advertising, and no humans read your Google data unless you give explicit consent or it is required for security or legal compliance. We do not transfer Google Calendar data to third parties except as necessary to operate the Service.

Moves' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Push Notification Data

If you enable push notifications, we store your browser push endpoint URL, encryption keys (encrypted at rest using AES-256-GCM), and browser/device identifier.

Cookies & Local Storage

We use a session cookie ("moves_session") for authentication. We also store preferences in your browser, such as theme, calendar display settings, location filters, and your last-used location. Some preferences are stored as cookies and may be sent to our servers to personalize your experience; others are stored only in your browser's local storage.

Usage Data

We collect session information and basic device/browser type for service operation. We do not use third-party analytics services. IP addresses may appear in transient server logs but are not persistently stored or used for tracking.

• Provide, maintain, and improve the Moves platform
• Send you notifications via SMS, push notifications, or email based on your preferences
• Process payments and cost settlements through Stripe
• Synchronize your calendar events when you opt into Google Calendar integration
• Detect and prevent fraud, spam, and abuse
• Comply with legal obligations

We use the following third-party services to operate Moves. Each processes data on our behalf under their own privacy policies:

• Twilio — SMS verification during registration
• Mapbox — Location search and map display
• Google — Calendar synchronization (when opted in)
• Stripe — Payment processing for cost settlements
• Cloudflare — CDN, DDoS protection, and secure tunneling

We do not sell your personal data. We may share your information only in the following circumstances:

• With the third-party service providers listed above, solely to operate the service
• When required by law, regulation, legal process, or governmental request
• In connection with a merger, acquisition, or sale of assets, in which case you will be notified. Any transfer of data received from Google APIs will only occur with your explicit prior consent

Sessions expire after 7 days of inactivity. Account data, events, messages, and related content are retained until you request account deletion. Internal audit records and financial records may be retained longer for security, compliance, and legal purposes.

• SMS: Reply STOP to opt out of SMS messages at any time
• Google Calendar: Disconnect from your account settings at any time
• Notifications: Manage your notification preferences in settings
• Account deletion: Contact us at [email protected] to request deletion of your account and associated data

We implement appropriate technical measures to protect your information, including encrypted storage for sensitive tokens (AES-256-GCM), Argon2 password hashing, HTTPS-only connections, and HttpOnly session cookies. No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

Moves is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page. Your continued use of Moves after changes are posted constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy, contact us at [email protected].