Privacy Policy — Skifty
Effective date: 2026-06-02
Data controller: Acoid HB, Hallebergsvägen 15, 167 37 Bromma, Stockholm, Sweden. Contact: hello@acoid.com.
Skifty ("we", "us") is a mobile app for lending and borrowing items within invite-only groups of people you trust. This policy explains what personal data we process, why, the legal basis, how long we keep it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).
We are committed to data minimisation: we collect only what the app needs to work. We do not sell your data, do not use it for advertising, and do not track you across other apps or websites.
1. Who this applies to
Users of the Skifty mobile app. Our launch market is Sweden; the service and this policy are governed by EU/Swedish law. You must be at least 16 years old to use Skifty.
2. What we collect, why, and the legal basis
| Data | Examples | Why we process it | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account identifiers | Your account id, email address, and password — handled by our authentication provider (Clerk) | To create and secure your account and sign you in | Contract (Art. 6(1)(b)) |
| Profile | Display name, profile photo (avatar) | To identify you to others in your groups | Contract |
| Group data | Group names, invite codes, and which groups you belong to | To run invite-only groups and show you the right content | Contract |
| Posts | Item titles, descriptions, categories, additional info, and photos you upload | To let you offer or request items | Contract |
| Requests | Borrow requests and their status/timestamps | To run the lend/borrow flow | Contract |
| Messages | Messages you send in chats about an item | To let the two parties to a loan communicate | Contract |
| Social graph | Group membership and which chats you are a party to | To enforce who can see what | Contract |
| Notification tokens | Device push token and platform (iOS/Android) | To send you transactional notifications (e.g. a new message or a request update) | Consent (you grant the OS notification permission) / Contract |
| Abuse-prevention | Your IP address, transiently, as a rate-limit counter on a few endpoints | To prevent abuse (e.g. invite-code guessing, spam) | Legitimate interests (Art. 6(1)(f)) |
| Audit logs | Records of meaningful actions (action name, actor, timestamp) | Security, debugging, and integrity of the service | Legitimate interests |
| Diagnostics | Crash reports and error breadcrumbs, with personal identifiers scrubbed | To detect and fix crashes and bugs | Legitimate interests |
What we do NOT collect
We do not collect your location, contacts, financial information, health data, biometric data, browsing history, or search history. Skifty has no payments in this version.
3. How we share data (processors and recipients)
We do not sell personal data. We use the following processors, who process data on our behalf under data-processing agreements:
| Processor | Role | Data it receives |
|---|---|---|
| Clerk | Authentication | Email, password (hashed), account id, session metadata |
| Supabase | Database + file storage hosting (EU region) | All app data listed in §2 |
| Expo / Apple APNs / Google FCM | Push-notification delivery | Push tokens and templated notification text (never message contents) |
| Sentry | Crash and error monitoring | Stack traces and breadcrumbs, with personal identifiers scrubbed |
Other group members see the data you choose to share within a group: your display name and avatar, your posts and their photos, and your messages in a chat you are a party to. People you are not in a group or chat with cannot see your content.
We may disclose data if required by law or to protect the rights, safety, or security of our users or the service.
4. Where your data is stored
Your data is stored in the European Union. Notification delivery and crash monitoring may involve transfers to providers operating under appropriate safeguards (e.g. EU Standard Contractual Clauses) where applicable.
5. How long we keep it (retention)
- Account and profile data: for as long as your account exists. Deleted when you delete your account (see §7).
- Closed conversations and their messages: kept up to 12 months after the request is closed, then deleted automatically.
- Audit logs: up to 90 days.
- Abuse-prevention IP counters: up to 7 days.
- Backups: held under our provider's standard schedule. Backups are not exempt from your erasure rights — once you are erased from production, your data is not restored from backups into production.
6. Your rights under the GDPR
You have the right to: access your data, rectify inaccurate data, erase your data ("right to be forgotten"), restrict or object to processing, and data portability. You can exercise the main rights directly in the app:
- Access / portability: export your data as a JSON file from within the app.
- Erasure: delete your account from within the app. If you can no longer access the app, email us at hello@acoid.com to request deletion.
- Rectification: edit your profile and your posts in the app.
For any request, or to contact our data protection point of contact, email hello@acoid.com. We respond within 30 days as required by GDPR Article 12(3) (extendable by up to two months for complex requests, with notice). You also have the right to lodge a complaint with the Swedish data protection authority (Integritetsskyddsmyndigheten, IMY) or your local supervisory authority.
7. Account deletion — what happens
When you delete your account (in the app, or by emailing hello@acoid.com if you can no longer access the app), we permanently delete your profile, your posts and uploaded photos, your messages, your requests, the groups you created (other members lose access), your group memberships, and your notification tokens — and we delete your account at our authentication provider (Clerk). Audit-log entries are retained without your account identifier. Deletion is true deletion, not deactivation.
8. Security
We treat the database as the security boundary: access to your data is enforced by row-level security so that only people in your groups or chats can see your content. Data is encrypted in transit (HTTPS/TLS). Session tokens are stored in the device's secure storage (iOS Keychain / Android Keystore). We never ship administrative keys in the app.
9. Children
Skifty is not directed at children under 16. We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact us at hello@acoid.com and we will delete it.
10. Changes to this policy
We may update this policy. We will post the new version with a new effective date and, for material changes, notify you in the app.
11. Contact
Acoid HB, Hallebergsvägen 15, 167 37 Bromma, Stockholm, Sweden. Privacy contact: hello@acoid.com.