Privacy Policy — Acid
Effective date: April 21, 2026
Last updated: April 21, 2026
This Privacy Policy describes how Acid ("we", "us", "the app") collects, uses, and protects information when you use our mobile application. By using Acid, you agree to the practices described here.
Acid is for users age 13 and older. We do not knowingly collect information from children under 13. If we learn that we have collected data from a child under 13, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with information, please contact us.
1. Information We Collect
Information you provide directly
- Account information: email address, username, password (hashed — we never see it in plain text)
- Year of birth: collected once during sign-up to verify you are 13 or older. We store the year only — never the full date. Your birth year is never shown to other users.
- Profile information: display name, avatar, bio, pronouns — all optional and controlled by you
- Content you post: posts, comments, chat messages, direct messages, wiki entries, event details, reports, and appeals
- Images you upload: avatars, post images, chat images, and community banners
Information we do NOT collect
- Real names
- Phone numbers
- Physical addresses
- Precise location data
- Payment information (Acid is free and does not process payments)
Information collected automatically
- Device information: device model, operating system version, app version — used for crash reporting and debugging
- Crash reports and errors: when the app crashes, we collect technical details to diagnose the issue (via Sentry). Personally identifiable information is stripped from crash reports before sending.
- Push notification tokens: a unique identifier issued by your device's operating system so we can send you notifications (via Firebase Cloud Messaging)
2. How We Use Your Information
- To create and maintain your account
- To verify you are 13 or older (required by law)
- To enforce safety rules — including keeping adults and minors from direct messaging each other
- To display your content to users who are authorized to see it (community members for community posts, recipients for direct messages, etc.)
- To moderate content for safety — all uploaded images are scanned for harmful content before being made available
- To send you notifications you have opted into
- To respond to reports, appeals, and safety concerns
- To diagnose and fix technical issues
3. Protections for Minor Users
Because users under 18 use Acid, we apply extra protections:
- Adult users cannot send direct messages to minor users. This is enforced at the database level.
- A user's minor status is never shown to other users.
- A user's birth year is never exposed through any API or visible profile field.
- Direct message content is never included in push notification payloads — only a generic "New message" preview is shown.
- All uploaded images are re-encoded before being served, which strips EXIF metadata such as GPS coordinates, device information, and timestamps.
- Uploaded images are automatically scanned by Microsoft Azure AI Content Safety for explicit content. Images flagged as explicit are deleted immediately and a high-priority report is created for human review by our moderation team.
- If we become aware of confirmed CSAM on the platform, we delete the content, ban the account, and will report to the National Center for Missing & Exploited Children (NCMEC) as required by US law. Direct integration with NCMEC reporting is on our v1.1 roadmap.
4. How We Share Information
We do not sell your personal information. We share information only in the following limited cases:
- With other users: content you post in a community is shown to community members. Direct messages are shown only to the conversation participants.
- Service providers we use:
- Supabase (database, authentication, and storage hosting)
- Sentry (crash reporting and error tracking — personal information is stripped from reports before sending)
- Apple Push Notification Service (iOS push delivery) and Firebase Cloud Messaging (Android push delivery), both routed through Expo's push notification relay service
- Microsoft Azure AI Content Safety (automated scanning of uploaded images for explicit content)
These providers process data only on our behalf and are bound by their own privacy obligations.
- Legal obligations: we will disclose information when required by law, court order, or to protect safety (including reporting CSAM to NCMEC as legally required).
5. Data Security
- All data is transmitted over encrypted connections (HTTPS/TLS).
- Authentication tokens are stored in your device's secure encrypted storage (iOS Keychain or Android Keystore) — never in unencrypted storage.
- Database access is enforced through row-level security policies. No user can access another user's private data through the app or API.
- Passwords are hashed using industry-standard algorithms and never stored in plain text.
6. Your Rights
You can:
- Access your personal information by viewing your profile and account settings in the app.
- Update your profile information, display name, avatar, bio, and pronouns at any time.
- Delete your account, which permanently removes your personal information and disassociates your public posts (posts may remain as "deleted user" for community history).
- Export your data by emailing us at the address below.
- Opt out of push notifications in your device settings.
If you are in the European Union, the United Kingdom, California, or another jurisdiction with specific data rights (GDPR, UK GDPR, CCPA), you also have the right to object to processing, restrict processing, and lodge a complaint with your data protection authority.
7. Data Retention
- Active accounts: we retain your information as long as your account is active.
- Deleted accounts: your personal information is deleted within 30 days of account deletion.
- Backups: data may persist in encrypted backups for up to 90 days after deletion, after which it is permanently removed.
- Safety records: records of serious policy violations (bans, reports involving illegal content) may be retained longer for safety and legal purposes.
8. Third-Party Links and Content
Acid may contain links to third-party websites or allow users to share external links. We are not responsible for the privacy practices of those sites. Please review their policies before sharing information.
9. International Users
Acid is operated from Ontario, Canada. By using Acid, you consent to the transfer of your information to Canada, which may have different data protection laws than your country.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app and update the "Last updated" date at the top of this page. Continued use of Acid after changes become effective means you accept the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, want to request your data, or believe your child's information has been collected, please contact:
Email: [email protected]
We will respond to all inquiries within 30 days.