Download free

Privacy Policy

Last updated: April 22, 2026

This policy explains what data Flock collects, why, and your rights over it. Flock is designed with privacy in mind: we collect only what we need, we never sell your data, and your location is never stored on our servers as history.

1. Who We Are

Flock is operated by Javier Vendrell-Moller, based in Spain (the "data controller" under GDPR). For any privacy-related request, contact privacy@flock-app.app.

2. What We Collect

  • Account info — email address, display name, optional profile photo, and authentication identifiers from Google Sign-In if you use it.
  • Real-time location — GPS coordinates and Bluetooth proximity signals, transmitted only while you are in a flock and location sharing is enabled. Location is relayed in real time to your flock members and is not stored as history on our servers.
  • Bluetooth identifiers — your device broadcasts a short user token over BLE so nearby flock members can find you. Only paired flock members can resolve this token.
  • Contacts — if you grant permission, Flock hashes your contacts locally on your device to suggest friends already on Flock. We never upload raw contact data.
  • Flock membership — which flocks you belong to, festival attendance, and friend connections.
  • Messages and content — chat messages, flares, SOS alerts, rally points, and photos you share within a flock.
  • Device info — push notification tokens, platform (iOS/Android), app version, and crash diagnostics.

3. Why We Collect It (Legal Basis)

Under GDPR, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)) — processing your account, location, and messages is necessary to deliver the service you signed up for.
  • Consent (Art. 6(1)(a)) — for contacts access, push notifications, and optional features. You can withdraw consent at any time in Settings.
  • Legitimate interest (Art. 6(1)(f)) — for crash diagnostics and abuse prevention.

4. Third-Party Processors

We use a minimal set of trusted vendors to operate Flock:

  • Firebase Authentication (Google LLC) — handles sign-in and identity.
  • Firebase Cloud Messaging (Google LLC) — delivers push notifications on Android.
  • Apple Push Notification Service — delivers push notifications on iOS.
  • Railway (EU region) — hosts our application server and database.
  • Sentry — captures anonymized crash reports to fix bugs.

Each processor is bound by a Data Processing Agreement and processes data only on our instructions.

5. International Transfers

Our primary infrastructure is hosted in the EU. Some processors (Firebase, Sentry) may transfer data to the United States. Such transfers rely on the EU–US Data Privacy Framework or Standard Contractual Clauses approved by the European Commission.

6. How Long We Keep Data

  • Account info — retained while your account is active; deleted within 30 days of account deletion.
  • Real-time location — never stored as history. In-flight data is held in memory and discarded.
  • Messages and content — stored while the flock exists; deleted within 30 days of account or flock deletion.
  • Crash diagnostics — retained for up to 90 days, then deleted.
  • Backups — may persist for up to 35 days after deletion for disaster recovery, then purged.

7. What We Don't Do

  • We do not sell your data.
  • We do not store your location history.
  • We do not track you outside the app.
  • We do not show ads.
  • We do not use automated decision-making or profiling that has a legal effect on you.

8. Sharing

Your location and profile are shared only with members of flocks you have joined. We may disclose data if required by law, court order, or to protect someone's life — and only the minimum strictly necessary.

9. Security

All traffic between the app and our servers is encrypted with TLS 1.2+. Passwords are never stored — authentication is handled by Firebase with industry-standard hashing. Bluetooth transmissions contain only short-lived, non-personal identifiers.

10. Your Rights

If you are in the EU/UK, the GDPR gives you the right to:

  • Access — request a copy of the data we hold about you.
  • Rectify — correct inaccurate data.
  • Erase — ask us to delete your account and associated data.
  • Restrict — ask us to stop processing certain data.
  • Port — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — for anything you previously consented to.
  • Lodge a complaint — with your local supervisory authority. In Spain, that is the Agencia Española de Protección de Datos (AEPD).

To exercise any right, email privacy@flock-app.app. We respond within 30 days.

11. California Residents

Under the CCPA, California residents have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell personal information. To exercise your CCPA rights, email privacy@flock-app.app.

12. Children

Flock is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided data to us, contact privacy@flock-app.app and we will delete it promptly.

13. Changes to This Policy

We may update this policy. Material changes will be announced in the app and by email. The "Last updated" date above always reflects the current version.

14. Contact

Privacy and data requests: privacy@flock-app.app
General: hello@flock-app.app