Privacy Policy
Effective date: 7 May 2026 Last updated: 7 July 2026
Note on the current data controller. The 1fifty mobile application is currently operated by 1fifty BV (Belgium, VAT BE1038210695) during the formation of a dedicated 1fifty legal entity. References to “we”, “us”, and “our” in this Privacy Policy refer to 1fifty BV. Once the dedicated 1fifty legal entity is incorporated, this Privacy Policy will be updated to identify the new controller and you will be notified through the Service.
1. Introduction
This Privacy Policy describes how 1fifty BV (“we,” “us,” or “our”) collects, uses, shares, retains, and protects information when you use the 1fifty mobile application and any related services (collectively, the “Service”). It is provided so you can understand our processing activities and exercise your data-protection rights; it does not replace any consent that we must separately request from you.
We may update this Privacy Policy from time to time. When we make material changes we will notify you through the Service or by other means (e.g., email) and update the “Last updated” date above. Where a change requires your consent, we will request it before relying on that consent.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Account information | Email address; first and last name (optional at sign-up); profile photo. |
| Authentication credentials | Passwords (managed and hashed by Supabase Auth); one-time passcodes (OTP) delivered by email; multi-factor authentication (MFA) tokens and factor names (TOTP). |
| Third-party sign-in | When you sign in with Google, Apple, LinkedIn, Facebook, or X (Twitter), we receive the identifier, email address, display name, and profile image made available by the provider. |
| Workspace data | Every account is provisioned with a personal workspace at sign-up. Workspace name, region, and member metadata are stored alongside your account. |
| Contacts | Names, email addresses, phone numbers, physical addresses, websites, social-media handles, industry tags, labels, free-text notes, and any other information you enter about your contacts. |
| Companies | Company name, legal form, registration number, headquarters address (including geographic coordinates), email addresses, phone numbers, websites, social-media handles, free-text notes, and company logos. |
| Business-card scans and images | Photos of business cards, avatars, and other images you upload or capture. When you use the scanner, we may also store geographic coordinates (latitude and longitude) of the location where the card was scanned, if location permission is granted. Embedded image metadata (EXIF, including GPS coordinates) is re-encoded out before business-card images are persisted to private storage; uploads that cannot be re-encoded are rejected rather than stored with metadata intact. |
| Tasks and events | Task titles, descriptions, due dates, reminders; event names, descriptions, locations (including coordinates), dates, and associated URLs. |
| Templates and labels | Reusable message templates (title, subject, body) and custom labels you create. |
| Free-text “context” fields | Free-text instructions or context you may enter to guide AI features (e.g., enrichment hints). |
| Feedback | Messages, optional screenshots, and your name and email (pre-filled from your account) when you use the in-app feedback feature. |
| Status-page subscriptions | If you subscribe to incident notifications on our public status page (status.1fifty.ai), the email address you provide is stored by our status-page provider (BetterStack — see Section 4.1) and used solely to send incident and maintenance notifications. You may unsubscribe at any time from any notification email. |
2.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Product-analytics events | Pseudonymous user identifier; app lifecycle events (open, foreground, background); screen views; feature-interaction events from the catalog defined in apps/mobile/lib/analytics/events.ts (e.g., contact_created, event_list_sorted). Events do not include names, email addresses, phone numbers, notes, or other free-text user content. |
| Session replays | When session replay is enabled in production builds, the Service captures screen recordings and user-interaction events for diagnostic and product-improvement purposes. All text inputs and all images are masked by default. Screens, modals, and overlays that surface freeform user content (notes, AI output, scanned-card OCR, share-extension payloads, OTP echoes, payment card numbers) are additionally masked at the view-tree level so their content is not captured. |
| Usage records | Feature-level usage counts (e.g., card extractions, contact cleanups, company enrichments, employee searches) used to enforce plan limits and bill on-demand consumption. |
| Technical and diagnostic data | When crash and error reporting is enabled: crash reports, stack traces, performance metrics, breadcrumbs, and device/app identifiers. |
| Audit logs | For security purposes we log: user identifier, email address, IP address, user-agent string, request identifier, action type (e.g., sign-in, sign-up, OTP verification, account deletion), affected resource type and identifier, and success/failure status. |
| Server logs | Structured request logs (HTTP method, path, response status, response time, request identifier) used for operational monitoring, rate-limiting, and security investigations. IP addresses appear in transient rate-limit counters and short-lived logs and are not retained beyond the periods set out in Section 5. |
2.3 Information from Device Permissions
The Service may request the following device permissions. You can grant or revoke any permission at any time in your device settings.
| Permission | Data accessed | Purpose |
|---|---|---|
| Camera | Still images captured by your device camera. | Scanning business cards, capturing QR codes, and taking profile photos. |
| Photo library (read) | Images you select from your device’s photo library. | Choosing avatars, uploading business-card images, attaching screenshots to feedback. |
| Photo library (write) | Permission to save images you’ve created with the Service. | Saving scanned business-card images and downloaded contact photos to your library. |
| Contacts (read) | Names, phone numbers, email addresses, physical addresses, URLs, social profiles, photos, company names, and job titles from your device’s contact book. | Importing your device contacts into the Service. The Service does not write back to your device contacts without your explicit action. |
| Location (foreground only) | Approximate or precise geographic coordinates while the app is in use. | Geo-tagging scanned business cards; suggesting nearby places when you add a meeting location. The Service does not use background location. |
| Notifications | Permission to display local and scheduled notifications. | Event-prep reminders, follow-up reminders, and task alerts. |
The Service explicitly disables and does not request: microphone, background location, calendar, reminders, contacts-write, SMS, call-log, or always-on biometric permissions.
2.4 Information from Third-Party Data Sources
| Source | Data received | Purpose |
|---|---|---|
| CoreSignal | Professional profiles (names, job titles, employment history, education, skills, professional email addresses, LinkedIn URLs) and company profiles (name, industry, workforce data, financials, addresses, social URLs). | Employee and company search, enrichment, and data-collection features. |
| Google Places | Address predictions and place details (formatted address, coordinates). | Address autocomplete when entering company headquarters or event locations. |
| Mediastack | News articles (headline, source, URL, date, summary, optional image URL) matching a company name. | Displaying relevant company news on company detail pages. |
| Open Exchange Rates | Currency exchange-rate quotes (no personal data is sent or received). | Converting billing amounts between native currency, USD, and EUR. |
3. How We Use Your Information
We process your information for the following purposes:
| Purpose | Legal basis (where applicable) |
|---|---|
| Providing the Service — storing your contacts, companies, tasks, events, templates, labels, and images; powering search, scanning, enrichment, and synchronisation features. | Performance of a contract; legitimate interest. |
| Authentication and account management — signing you in, verifying your identity (OTP, MFA), managing your profile and email. | Performance of a contract. |
| AI-powered features — extracting contact data from business-card images; cleaning and normalising contact data; enriching contact and company records with publicly available information. | Performance of a contract; legitimate interest. |
| Billing and subscriptions — tracking feature usage against plan limits; processing in-app purchases via Apple App Store and Google Play (with RevenueCat orchestrating entitlement state); managing future web subscriptions via Stripe. | Performance of a contract. |
| Security and fraud prevention — audit logging; rate-limiting; webhook-signature verification; CSRF protection; input validation; account-deletion handling. | Legitimate interest; legal obligation. |
| Product analytics and improvement — understanding feature usage in aggregate, identifying friction points, prioritising improvements (PostHog product analytics). | Legitimate interest. |
| Diagnostics and session replay — diagnosing UX issues and bugs through screen-replay capture with strict PII masking (PostHog session replay); collecting crash reports and performance data (Sentry). | Legitimate interest. |
| Operational logging — centralised structured logging for incident response, performance monitoring, and capacity planning. | Legitimate interest. |
| External uptime, heartbeat, and status-page services — out-of-band probes against our public endpoints, scheduled-job heartbeats, and a public incident-status page so you can subscribe to outage notifications (BetterStack). | Legitimate interest; consent (subscriber list). |
| Transactional communications — sending OTP codes, magic-link emails, security notifications, and account-related messages. | Performance of a contract. |
| Engagement and lifecycle communications — sending optional onboarding tips, re-engagement reminders, milestone messages, and occasional product announcements by email; and maintaining an address-level do-not-contact (suppression) list so opt-outs and undeliverable addresses are respected. | Segmented for the message itself: for existing paying customers, the ePrivacy “soft opt-in” (ePrivacy Directive Art. 13(2), transposed as Belgian Code of Economic Law Art. XII.13 §2), with an opt-out in every message; for all other recipients, consent (Art. 6(1)(a)). Suppressing hard-bounced addresses for deliverability hygiene: legitimate interest (Art. 6(1)(f)). Honouring opt-outs and complaints: compliance with the Art. 21 objection right and the ePrivacy opt-out (Art. 17(3)(b)). |
| Feedback and support — receiving and responding to your in-app feedback. | Legitimate interest. |
| Legal compliance — responding to lawful requests and complying with applicable law (including tax-record retention for billing). | Legal obligation. |
We do not sell your personal data. We do not use your data for cross-app tracking, behavioural advertising, or model training. For AI features, production LLM routing and account settings must remain configured to avoid providers that use your prompts or outputs for training where the provider exposes that control.
4. How We Share Your Information
We share data only as described below. We do not share data with data brokers or for advertising purposes.
4.1 Service Providers and Third-Party Recipients
The table below lists the service providers and third-party recipients that receive data from us or directly from you in connection with the Service. Where a provider processes personal data on our behalf, it is treated as a processor or sub-processor and must be covered by an Article 28 GDPR data-processing agreement and transfer safeguards where applicable. Some recipients, such as app stores, payment providers, and sign-in providers, may act as independent controllers for parts of their processing under their own terms and privacy notices.
For personal data you upload about third parties (such as your contacts) — for which you act as the controller (or processor) and we act as your processor (or sub-processor) — the data-processing terms required by Article 28 GDPR are set out in our Data Processing Addendum (“DPA”), which is incorporated into our Terms of Service by reference. The canonical Sub-processor list lives at Annex 3 of the DPA; the table below is a public-facing mirror and Annex 3 governs in case of conflict.
| Provider | Data shared | Purpose |
|---|---|---|
Supabase (Supabase Inc.; project hosted in EU North — Stockholm, Sweden on AWS eu-north-1) | Account data, all app content (contacts, companies, tasks, events, templates, images), audit logs, billing records. | Cloud database (PostgreSQL), authentication, file storage, and Realtime infrastructure. |
| PostHog (PostHog Inc.; processed on the EU cluster in Frankfurt) | Pseudonymous user identifier; app interaction events; session replay frames with all text and images masked by default. | Product analytics and session-replay-based diagnostics. |
| Sentry (Functional Software Inc.; project configured for the European Union data-storage region) | User identifier, email address, display name; crash reports, stack traces, performance data; feedback messages and optional screenshots. | Error and crash monitoring; in-app feedback collection. Active when the Sentry DSN is configured. |
| Resend (Resend, Inc.; emails may be routed from the Ireland sending region where configured; account data, email metadata, logs, and API records are stored in the United States) | Recipient email address, your name (where applicable), OTP codes, magic-link tokens, security-notification content, and — for the engagement-email programme described in Section 8 — engagement-email content (onboarding tips, re-engagement reminders, milestone messages, and product announcements) with a per-message unsubscribe link. | Transactional-email delivery and engagement/lifecycle-email delivery (Section 8). Resend is our existing email sub-processor; the engagement-email programme adds no new sub-processor. |
Axiom (Axiom, Inc.; logs hosted in EU Central — Frankfurt, Germany on AWS eu-central-1) | Structured server logs (request method, path, response status, response time, request identifier, hashed/transient IP addresses, audit-event metadata). PII is filtered from logs at the source. | Centralised structured logging for incident response and operational monitoring. |
| BetterStack (Better Stack, Inc. / applicable Better Stack contracting entity; EU data storage where configured, with distributed edge probes and lawful transfers under Better Stack’s DPA) | (a) Probe metadata for our public endpoints (target URL, response status, response time — no user data); (b) opaque per-job heartbeat tokens for scheduled background jobs (no user data); (c) only when you opt in to status-page incident notifications: the email address you provide on status.1fifty.ai. Probes originate from BetterStack’s distributed edge and may transit non-EU regions before being stored in the configured workspace region. | External uptime monitoring, scheduled-job heartbeats, and the public incident-status page at status.1fifty.ai. |
| Crisp (Crisp IM SAS; data processed in the European Union — Nantes, France) | Email address, display name (first + last name), pseudonymous user identifier, plan tier, device fingerprint (model, OS, brand, app version, build), runtime environment, language preference, the device’s push-notification token (APNs on iOS / FCM on Android), and the content of any messages you exchange with us through the in-app chat (including any text or files you attach). When you submit the landing-page waitlist form at 1fifty.ai: email address, language preferences (from your browser), timezone (from your browser), approximate location (country, region, and city) inferred from your IP address by Cloudflare, the page that referred you to the waitlist (where your browser provides one), any UTM marketing-attribution query parameters in the URL, your browser’s User-Agent string, and metadata about the Cloudflare edge that handled your request (datacenter code, ASN, network organisation). | Customer-support chat (“Open live chat” in the app and on the website), operator-initiated proactive support, and profile-timeline events for support-ops context (sign-in, sign-out, subscription changes, account deletion, data-export requests, email/name updates). On the landing site: capture of the waitlist signup itself, plus enough context to localise and time-zone subsequent follow-up communications and to measure which marketing channels drive signups. |
| Apple App Store (Apple Inc., USA) | Payment-card data and billing details that you provide directly to Apple. We do not receive your payment card numbers. | Merchant-of-record processing for in-app purchases on iOS. |
| Google Play (Google LLC, USA) | Payment-card data and billing details that you provide directly to Google. We do not receive your payment card numbers. | Merchant-of-record processing for in-app purchases on Android. |
| RevenueCat (RevenueCat, Inc., USA) | Pseudonymous user identifier (UUID), purchase events, product identifiers, entitlement identifiers, store environment (App Store / Google Play). | Mobile in-app purchase orchestration and subscription state management. |
| Stripe (Stripe, Inc., USA) | User identifier, email address, subscription and invoice metadata. We do not receive or store full payment-card numbers — Stripe handles card data directly. | Payment processing for future web checkout and current backend integration. The user-facing Stripe checkout flow is not active in the current release. |
| OpenRouter (OpenRouter, Inc., USA) | Images of business cards (base64-encoded); contact and company text data (names, addresses, positions, email domains, phone numbers) sent as prompts. | AI-powered extraction, cleanup, and enrichment via large-language-model APIs. |
| CoreSignal (CoreSignal UAB, Lithuania, EU) | Search queries (names, LinkedIn URLs, company names, website domains); employee and company identifiers. | Professional employee and company data search and collection. |
| Mediastack / apilayer (apilayer GmbH, Austria, EU) | Company names as search keywords. | News-article retrieval. |
| Google Places (Google LLC, USA) | Partial address text input; place identifiers. | Address autocomplete and place details. |
| Open Exchange Rates (Open Exchange Rates Ltd., USA) | No personal data — only currency codes. | Currency exchange rates for cross-currency billing display. |
| Railway (Railway Corp.; Redis service hosted in EU West — Amsterdam, Netherlands) | Hashed cache keys; rate-limit counters keyed by IP address; cached API responses; distributed-lock state. Connections are encrypted via TLS (rediss://). | Server-side caching, rate-limiting, request de-duplication, and distributed locks. Railway also hosts the backend application service. |
| Cloudflare (Cloudflare, Inc., USA; global edge network) | Website and admin-page request metadata such as IP address, URL, TLS/security metadata, and cached static assets. No app database content is hosted on Cloudflare Pages. The Cloudflare edge also produces approximate geolocation (country, region, city, postal code, continent) and network metadata (ASN, network organisation) from your IP address for landing-site requests; when you submit the waitlist form, this derived data is forwarded to Crisp (see the Crisp row above) — your raw IP address itself is not. | DNS, CDN, security, and static hosting for the public landing site and admin frontend. |
| Expo Application Services (EAS) (Expo, Inc., USA) | Application binaries and over-the-air update bundles only. No user-account data is shared. | Mobile build, submission, and OTA-update infrastructure. |
4.2 Legal and Safety Disclosures
We may disclose your information if we believe in good faith that disclosure is necessary to:
- comply with applicable law, regulation, or legal process;
- protect the rights, property, or safety of us, our users, or the public;
- detect, prevent, or address fraud, security, or technical issues;
- enforce our Terms of Service.
4.3 Business Transfers
If we are involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy. The planned incorporation of a dedicated 1fifty legal entity and corresponding controller transition will be communicated to you in advance.
5. Data Retention
| Data category | Retention period |
|---|---|
| Account and profile data | Retained while your account is active; cascade-deleted upon account deletion. |
| Workspace metadata | Retained while the workspace exists; cascade-deleted on workspace removal or account deletion. |
| Contacts, companies, tasks, events, templates, labels, images | Retained while your account is active; cascade-deleted when your account is removed. |
| Pending scans (incomplete) | Retained until you complete or discard the scan, or your account is deleted. |
| Scan history | Automatically purged after 90 days. |
| Audit logs | Automatically purged after 90 days. |
| Webhook deduplication records | Automatically purged after 7 days. |
| Engagement-email send ledger | Retained while your account is active to enforce frequency caps and to avoid sending you the same lifecycle email twice. It records which engagement email was sent to you, when, and in which language; it does not store the message body. Cascade-deleted when your account is deleted. |
| Email suppression list (do-not-contact) | An address-level do-not-contact list, keyed on a pseudonymised hash of your email address rather than your account identifier. Retention is differentiated by reason: entries created by an unsubscribe or a spam complaint are retained indefinitely, so that your opt-out is honoured permanently (basis: giving effect to your Art. 21 objection and the ePrivacy opt-out; Art. 17(3)(b) exempts this record from the erasure right). Entries created by a hard bounce (an address we could not deliver to) are retained for a bounded period of 3 months and then expire (basis: legitimate interest in deliverability hygiene — a bounce is a technical signal, not an objection). Because this list is keyed on a hash, a suppression entry survives account deletion — a deliberate exception described in the paragraph below. |
| Billing and subscription records | Retained for the longest period required by Belgian accounting and tax law. Belgian accounting law generally requires books and supporting documents to be kept for at least seven (7) years; Belgian tax and VAT rules may require tax-relevant accounting records, invoices, books, and VAT documents to be kept for ten (10) years, with longer periods of fifteen (15) years or longer where Belgian law specifically requires it for that document type. When you delete your account, the link between billing rows and your user identifier is severed (set to NULL) so that the records can no longer be associated with your identity through our systems, but the underlying accounting entries are preserved as required by law. |
| Usage records | Retained for the current and most recent billing cycles; older records may be aggregated and anonymised. |
| CSRF tokens | Expire after 15 minutes. |
| Server-side request-deduplication caches | Expire after 5 minutes. |
| Server-side response caches (Redis) | Short-lived (5 minutes to 24 hours, depending on data type); automatically evicted. |
| Third-party enrichment caches (CoreSignal company and employee data) | Up to 365 days, with refresh on demand when you trigger an enrichment. Enrichment caches store third-party professional and corporate data sourced from our enrichment provider; they are workspace-scoped and access-gated, and they are not commingled with your contact data. The cache is refreshed when stale or when you explicitly request a refresh. |
| Signed storage URLs (private buckets) | Expire after 1 hour. |
| Data-export files | Auto-deleted approximately 1 hour 5 minutes after generation. |
| Rate-limit counters | Window-dependent (15 minutes to 24 hours). |
| Stale background jobs | Marked failed after 15 minutes of inactivity by a scheduled cleanup job. |
| Client-side session tokens | Stored in the device secure store (Keychain / Keystore); removed on sign-out. |
Client-side caches (AsyncStorage, SQLite local database 1fifty_local.db) | Cleared on sign-out; SQLite data for the user is deleted. |
| PostHog session replays and analytics events | 30 days for session replays (configured in our PostHog dashboard). Analytics events are retained per PostHog’s standard retention. |
| Sentry error and feedback data | Retained per the retention period configured in our Sentry dashboard. |
| BetterStack probe and monitoring data | Probe response logs, monitor incident history, and heartbeat history are retained per the retention period configured in our BetterStack workspace. |
| BetterStack status-page subscriber emails | Retained until you unsubscribe (one-click via any incident notification email) or we close the status page. No additional profile information is associated with the subscription. |
| Crisp People profile and chat transcripts | Retained while your account is active. On account deletion, the People profile and every linked conversation transcript and timeline event are deleted from Crisp via API request as part of the deletion cascade (see paragraph below). If a Crisp-side deletion request fails for any reason, our operations team is notified and the deletion is retried until it succeeds. Inactive Crisp conversations may additionally be auto-pruned per the retention policy configured in our Crisp workspace. |
| Crisp People profile and chat history on a waitlist signup | If you joined the public waitlist on 1fifty.ai, your email address is stored on a Crisp People profile tagged waitlist. It is retained until you ask us to remove it at privacy@1fifty.ai or until the waitlist programme is closed and the segment is purged. |
When you delete your account through Profile → Delete Account, all user-owned database records are cascade-deleted (contacts, companies, tasks, events, templates, labels, scans, preferences, usage records, grants, and per-user Redis state). Storage objects (images, files) under your user identifier are removed from each bucket (avatars, contact-avatars, company-logos, company-cards, data-exports). Your Crisp People profile (email, display name, identifier, device fingerprint, all timeline events, and every linked chat conversation) is deleted server-side via the Crisp REST API as part of the deletion cascade. Audit-log entries containing your user identifier are purged per the 90-day retention schedule. Third-party enrichment records sourced from CoreSignal are not user-owned and are not deleted with your account, but the link between you and those records is removed.
Your engagement-email consent state (stored alongside your preferences) and your engagement-email send ledger are cascade-deleted with your account. One deliberate exception applies to the deletion cascade. If you have unsubscribed from — or filed a spam complaint about — an engagement email, the corresponding entry on our email suppression list is retained even after your account is deleted, so that we can continue to honour your opt-out and never contact you again. That entry is a pseudonymised, keyed hash of your email address (an HMAC computed with a secret key), not your account identifier and not your address in readable form. It remains personal data under the GDPR — membership can be tested by hashing a candidate address, so the value is pseudonymised, not anonymised — but its retention rests specifically on the Article 17(3)(b) exemption and the Article 21 objection right, not on any claim that the hash falls outside the scope of the GDPR.
6. Security
We implement industry-standard technical and organisational measures to protect your information. The canonical technical and organisational measures (TOMs), at the level of control objective and as required by Article 32 GDPR, live at Annex 2 of our Data Processing Addendum; the table below is a public-facing summary and Annex 2 governs in case of conflict.
| Layer | Measure |
|---|---|
| Encryption in transit | All network traffic between the app, our backend, and third-party services uses TLS/HTTPS. Redis connections use TLS (rediss://). HTTP Strict Transport Security (HSTS) is enforced in production with a one-year max-age. |
| Encryption at rest | Data at rest is encrypted by our infrastructure providers (Supabase / AWS). Storage buckets and database volumes are encrypted by default. |
| On-device credential storage | Authentication tokens (access and refresh) are stored in the operating system’s secure enclave / Keychain / Keystore via Expo SecureStore. |
| Row-Level Security (RLS) | Every database table enforcing user-scoped access uses Supabase RLS policies (over 70 policies in place across the schema). Each user can access only their own data. Service-role access is restricted to trusted server-side operations (audit logging, system-level writes, webhook handlers). |
| Authentication | Supabase Auth with JWT and refresh tokens; OTP (magic-link and code) via Resend; OAuth (Google, Apple, LinkedIn, Facebook, X); optional TOTP-based multi-factor authentication. |
| CSRF protection | Double-submit pattern: X-CSRF-Token header (mobile) or header + csrf-token cookie (web). Tokens are timing-safely compared, expire after 15 minutes, and are revoked on sign-out. |
| Custom-header check | Mutation requests require X-Requested-With: xmlhttprequest to mitigate cross-origin attacks. |
| Rate limiting | Redis-backed rate limiting with per-IP and per-user quotas. Separate limits for authentication, AI, external API, billing, and bulk operations. Authentication, billing, AI, and external paths fail closed when Redis is unavailable. Database-level triggers further limit scan history per user. |
| Webhook verification | Stripe webhooks are verified using stripe.webhooks.constructEvent (HMAC-SHA256 signature). RevenueCat webhooks are verified with a timing-safe comparison of Bearer tokens. Duplicate webhook events are detected via an INSERT-first deduplication table. |
| Security headers | X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, Referrer-Policy: strict-origin-when-cross-origin, Content-Security-Policy, and Permissions-Policy (which restricts geolocation, microphone, camera, accelerometer, gyroscope, magnetometer, payment, USB, and other browser APIs at the web layer). |
| Input validation | All API inputs are validated with Zod schemas. Utility functions enforce email, URL, phone, and UUID format checks. HTML tags are stripped from text inputs. Request-body size limits are enforced per route. |
| SQL injection defenses | Parameterised queries via the Supabase client SDK; user input is never concatenated into SQL. |
| Audit logging | Every authentication and account-lifecycle action is recorded with user identifier, email, IP address, user-agent, request identifier, resource type, resource identifier, and outcome. |
| Account-deletion cascade | Database records cascade-delete via foreign-key constraints; storage objects are explicitly purged from every bucket; per-user Redis state is exact-key-deleted and SCAN-pattern-deleted; CSRF tokens are revoked. |
| Session-replay PII masking | All text inputs and images are masked by default. Screens that surface freeform user content (notes, AI output, OCR, share-extension payloads, OTP echoes, payment card numbers) are masked at the view-tree level via accessibilityLabel="ph-no-capture" so their content is not captured by the replay SDK. |
| Secrets management | All API keys and credentials are managed through Doppler and are never committed to source control. |
No system is 100% secure. If you discover a vulnerability, please contact us at security@1fifty.ai.
7. Cookies and Local Storage
- Cookies (web only): The Service uses a single optional cookie (
csrf-token) for CSRF protection on the web platform. We do not use advertising, analytics, or third-party tracking cookies. - Mobile local storage: Authentication tokens are stored in the device secure store (Keychain on iOS, Keystore on Android via Expo SecureStore). Non-sensitive preferences (theme, locale, date/time format, font) and offline-queue metadata are stored in AsyncStorage. A local SQLite database (
1fifty_local.db) caches contacts, companies, tasks, events, and enrichment data so the app works offline. All client-side data is cleared on sign-out and the SQLite database is deleted.
8. Your Rights and Choices
Depending on your jurisdiction, you may have some or all of the following rights:
| Right | How to exercise |
|---|---|
| Access | Request a copy of the personal data we hold about you, or download a machine-readable copy directly via Profile → Download My Data in the app. The ZIP includes your account database (contacts, companies, events, tasks, templates, labels, preferences) AND a crisp.json file with the customer-support data held by our Sub-processor Crisp (People profile, custom data, profile-timeline events, and complete chat transcripts of every conversation you have had with our support team). Each Crisp section is marked with a fetchStatus so any partial-failure is transparently disclosed in the export itself rather than silently omitted. |
| Correction | Update inaccurate or incomplete data directly in the app, or contact us. |
| Deletion | Delete your account and associated data at any time from Profile → Delete Account in the app, or by contacting us at privacy@1fifty.ai. When your account is deleted, all user-owned data is permanently removed (see Section 5). |
| Restriction / Objection | Request that we restrict or stop certain processing of your data (for example, object to AI-based processing or session replay). Contact us at privacy@1fifty.ai to exercise this right. |
| Analytics opt-out | Disable product-analytics capture (PostHog) at any time from Profile → Privacy Settings → Analytics. The toggle takes effect immediately and is persisted on the device. Disabling analytics does not affect security audit logging, transactional logging, or error monitoring (which run under separate legal bases). |
| Engagement-email opt-out | Turn engagement emails on or off at any time from Profile → Privacy Settings → Engagement emails in the app, or use the one-click unsubscribe in any engagement email. An opt-out takes effect immediately and is honoured permanently. This does not affect transactional or security emails (OTP codes, magic links, security notifications), which are essential to the Service and cannot be opted out of. |
| Data portability | Download a machine-readable copy of your data from Profile → Download My Data in the app (covers both Supabase-held account data and Crisp-held customer-support data — see the Access row), or request a copy by contacting us. |
| Withdraw consent | Where processing is based on consent, you may withdraw it at any time (for example, by revoking device permissions in your device settings). |
| Lodge a complaint | File a complaint with your local data-protection authority. In Belgium this is the Gegevensbeschermingsautoriteit / Autorité de protection des données (APD/GBA). |
To exercise any of these rights, use the in-app options above or contact us at privacy@1fifty.ai. We will respond within the timeframe required by applicable law (typically 30 days under the GDPR).
Device permissions
You may grant or revoke camera, contacts, photo-library, location, and notification permissions at any time through your device settings (Settings → Privacy on iOS; Settings → Apps on Android). Revoking a permission may limit certain features. The in-app Profile → Privacy Settings screen surfaces the current state of each permission and provides a shortcut to your device’s permission settings.
Push notifications
The Service sends only local and scheduled notifications related to event-prep, follow-up, and task reminders, and only after you opt in through your device settings.
Engagement and marketing emails
Beyond the transactional and security messages described above, we operate an engagement-email programme: occasional onboarding tips, re-engagement reminders when your account has been dormant, milestone messages, and infrequent product announcements — all intended to help you get more value from 1fifty. Every engagement email identifies the sender, includes a valid postal address, and offers both a one-click unsubscribe (through the list-unsubscribe control your mail client exposes) and an unsubscribe link in the message body.
The legal basis is segmented according to who you are. Sending an unsolicited commercial email is governed first by the ePrivacy Directive (2002/58/EC) Article 13(2), transposed in Belgium as Article XII.13 §2 of the Code of Economic Law. This is the rule that specifically governs email marketing (lex specialis), and it takes precedence over the general provisions of the GDPR for the act of transmission:
- If you are an existing paying customer, we may send you engagement emails about our own similar products and features under the ePrivacy “soft opt-in” exception, because you provided your email address in the context of a purchase. You may opt out at any time, including at the moment your email address is collected and in every message we send.
- If you are not a paying customer (for example, on the free tier), we send engagement emails only with your prior, explicit consent (opt-in). This consent is off by default; it is turned on only by an affirmative action that you take.
We do not treat “legitimate interest” (GDPR Article 6(1)(f)) as a substitute for the consent that ePrivacy requires for the act of transmission: consistent with EDPB Opinion 5/2019, legitimate interest cannot displace the ePrivacy consent rule for sending marketing email. (Legitimate interest does support a narrow, non-marketing, deliverability-hygiene activity — suppressing an address that has hard-bounced — as described in Sections 3 and 5.)
How to control engagement emails. You can turn engagement emails on or off at any time from Profile → Privacy Settings → Engagement emails in the app, or by using the one-click unsubscribe in any engagement email. An opt-out takes effect immediately and is honoured permanently (see the suppression-list entry in Section 5). Delivery is handled by our existing email sub-processor, Resend (see Section 4.1) — this programme introduces no new sub-processor. Resend is a US-based provider that processes on our behalf under Standard Contractual Clauses.
Transactional and security emails are separate and non-optional. OTP codes, magic-link sign-in emails, security notifications, and other account-related messages are essential to providing the Service, are sent on the basis of contract performance, and are not part of the engagement-email programme. Turning off engagement emails, unsubscribing from them, or marking one as spam never affects these messages, and never blocks a security or sign-in email.
Sender identity. The controller named in this Privacy Policy, the sender identity and postal address shown in the footer of each engagement email, and the “From” domain used to send it will all name the same legal entity. While the controller transition described at the top of this policy is pending, confirming that alignment is a prerequisite before the first engagement email is sent.
9. International Data Transfers
Your information may be processed and stored in countries other than your country of residence. When personal data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- the European Commission’s adequacy decisions;
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- other lawful transfer mechanisms as appropriate.
Our key providers and third-party recipients, and their primary processing or transfer locations:
The majority of core application data is stored in the European Union. Some providers are US-based or operate global edge/control-plane services; where personal data is transferred outside the EEA, we rely on the transfer safeguards listed above.
| Provider / recipient | Primary processing / transfer location |
|---|---|
| Supabase | European Union (Stockholm, Sweden — AWS eu-north-1) |
| PostHog | European Union (Frankfurt, Germany) |
| Sentry | European Union data-storage region |
| Axiom | European Union (Frankfurt, Germany — AWS eu-central-1) for log-event storage; Axiom, Inc. is US-based |
| Resend | Ireland sending region where configured; United States for account data, email metadata, logs, and API records |
| Railway (Redis + backend service) | European Union (Amsterdam, Netherlands) |
| BetterStack | EU data storage where configured; distributed probe locations and possible US/other processing under Better Stack’s DPA |
| Crisp | European Union (Nantes, France) |
| Cloudflare | Global edge network / United States |
| CoreSignal | Lithuania (EU) |
| apilayer / Mediastack | Austria (EU) |
| Apple App Store | United States |
| Google Play | United States |
| RevenueCat | United States |
| Stripe | United States |
| OpenRouter | United States |
| Google Places | United States |
| Open Exchange Rates | United States |
| Expo Application Services (EAS) | United States |
10. Children’s Privacy
The Service is not directed at individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at privacy@1fifty.ai and we will take steps to delete it.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with additional rights:
- Right to know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioural advertising.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@1fifty.ai.
12. European Privacy Rights (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland:
- Data controller (for our processing): 1fifty BV, Oude Antwerpsebaan 109 bus 102, 2800 Mechelen, Belgium (VAT BE1038210695). The 1fifty legal entity currently being incorporated will become the controller upon its incorporation; you will be notified.
- Data Processing Addendum (when you upload personal data of third parties): for personal data you upload about your contacts and other third parties, you act as the controller and we act as your processor. The Article 28 GDPR data-processing terms are set out in our Data Processing Addendum, which is incorporated by reference into our Terms of Service.
- Legal bases: We process personal data under the legal bases described in Section 3 (contract performance, legitimate interest, legal obligation, consent).
- Right to erasure: You can delete your account and data at any time via Profile → Delete Account in the app (Art. 17).
- Right to data portability: You can download your data in a machine-readable format via Profile → Download My Data (Art. 20).
- Right to object: You may object to processing based on legitimate interest; contact us to exercise this right (Art. 21).
- Automated decision-making and profiling (Art. 22): We do not use your personal data to make decisions that produce legal effects concerning you or significantly affect you in a similar manner solely on the basis of automated processing. Our AI features (business-card extraction, contact and company cleanup, contact and company enrichment) generate suggestions that you review and confirm before any data is saved or used; an AI suggestion never alone produces a legal or similarly significant effect.
- Supervisory authority: You have the right to lodge a complaint with your local supervisory authority. In Belgium this is the Gegevensbeschermingsautoriteit / Autorité de protection des données (“APD/GBA”), Drukpersstraat 35, 1000 Brussels, Belgium —
https://www.dataprotectionauthority.be.
13. Third-Party Links
The Service may contain links to third-party websites or services (e.g., LinkedIn profiles, company websites, news articles). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies.
14. Open-Source Components and Third-Party SDKs
The Service incorporates open-source libraries and third-party SDKs, including Expo and React Native (application framework), the PostHog SDK (product analytics and session replay), the Sentry SDK (error monitoring and feedback), the RevenueCat SDK (in-app purchases), the Supabase JS client (database, authentication, storage, Realtime), and Google Sign-In / Apple Authentication SDKs (third-party sign-in). These components may collect technical and interaction data as described in their respective privacy policies and as configured by us. We do not use advertising SDKs, cross-app trackers, or behavioural-advertising networks.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
| Controller | 1fifty BV |
| legal@1fifty.ai | |
| Website | https://1fifty.ai |
| Mailing address | 1fifty BV, Oude Antwerpsebaan 109 bus 102, 2800 Mechelen, Belgium |
| VAT number | BE1038210695 |
This Privacy Policy applies to the 1fifty mobile application (iOS and Android) and any related web companion. It does not apply to third-party services linked from the app.