1. Introduction
Welcome to Sorom ("we," "us," "our," or "Sorom"). This Privacy Policy explains how Sorom Inc. collects, uses, shares, and protects your personal information when you use our mobile application and related services (collectively, the "Services").
By using Sorom, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please do not use our Services.
2. Information We Collect
2.1 Information You Provide
Account Information. When you create an account, we collect your full name, display name, email address, date of birth (we require users to be 18+), username, password (stored in encrypted form), profile photo, bio or description, and home city and country.
Profile & Matching Information. To provide our matching services, we collect your travel preferences and interests, personality assessment responses based on the Big Five traits, communication style preferences, travel style preferences including budget, pace, and spontaneity, languages spoken, travel availability dates and destinations, and match profile photos and descriptions.
Content You Create. This includes journals containing text, photos, and videos; Moments (48-hour stories); travel diaries; comments and reactions; chat messages; and itinerary details.
Safety Information. To support our safety features, we collect emergency contact details including name, phone, email, and relationship; safety check-in schedules; and meetup verification PINs.
Booking Information. When you use our booking features, we collect hotel search preferences, guest information for bookings, booking history, and payment information which is processed securely by third parties.
2.2 Information Collected Automatically
Device Information. We automatically collect information about your device type and model, operating system version, unique device identifiers, and push notification tokens for FCM and APNS.
Usage Information. We collect data about your app interactions and feature usage, search queries, content viewed, time spent on features, crash logs and diagnostics, and analytics events (with opt-out option in Settings → Privacy).
Location Information. We collect location data when you tag content, which is optional and user-initiated, city-level location for matching purposes (approximate), and real-time location when using the Live Connexions feature (opt-in, time-limited sessions). We do NOT continuously track your location.
2.3 Information from Third Parties
Authentication Providers. If you sign in with Google or Apple, we receive basic profile information from these services.
Identity Verification. For Premium users who opt into verification, we receive verification status from Medallion/Authenticate indicating whether you are verified or not verified. We do not receive copies of identity documents.
Payment Processors. RevenueCat processes subscriptions on our behalf, and we receive subscription status only. We do not store credit card numbers.
3. How We Use Your Information
Providing Core Services. We use your information to create and manage your account, enable travel matching based on compatibility, facilitate communication between matched users, display and share your content, and manage itineraries and bookings.
Improving and Personalizing. We calculate compatibility scores, recommend potential travel matches, personalize your feed and content, and analyze usage patterns to improve our features.
Safety and Security. We process emergency contact alerts, enable safety check-ins and panic button features, generate meetup verification PINs, detect and prevent fraud, spam, and abuse, and enforce our Terms of Use.
Communications. We send account-related notifications, deliver push notifications with your permission, send email updates about matches, messages, and activity, and provide customer support.
Legal and Compliance. We use your information to comply with legal obligations, respond to legal requests, and protect rights and safety.
4. How We Share Your Information
4.1 With Other Users
Public Information. Your profile name, photo, and bio are visible based on your privacy settings. Journals marked as "public" are visible to all users, and Moments are visible to your followers.
Matched Users. When you accept a match, your profile details are shared with that match. Chat messages are visible to conversation participants, and shared itinerary information is visible to itinerary members.
Private Accounts. If your account is set to private, your content is only visible to approved followers.
4.2 With Service Providers
We share data with trusted third parties who assist us in operating our Services:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Backend infrastructure, authentication | Account data, content |
| Cloudflare R2 | Media storage | Photos, videos |
| Google Places | Location search | Search queries |
| Amadeus | Flight schedule lookup | Flight numbers, dates |
| Flightstats | Flight tracking | Flight numbers |
| Hotelbeds | Hotel booking | Search criteria, guest info |
| RevenueCat | Subscription management | User ID, purchase data |
| Resend | Email delivery | Email address, notification content |
| Firebase (FCM) | Push notifications | Device tokens, notification content |
| Authenticate (Medallion) | Identity verification | Verification request, status |
| Vonage | SMS notifications (Premium) | Phone numbers, safety alert content |
| PostHog | Product analytics | App usage data, device info (opt-out available) |
4.3 For Legal Reasons
We may disclose information to comply with legal obligations, respond to valid legal requests, protect the safety of users or the public, prevent fraud or security issues, or in connection with a merger or acquisition.
4.4 With Your Consent
We may share information for other purposes with your explicit consent.
5. Your Rights & Choices
5.1 Access & Portability
You can view your profile and account information in the app at any time. You may also request a copy of your data through Settings → Account Management → Export Data, and download your data in a portable format.
5.2 Correction
You can update your profile information at any time through the app.
5.3 Deletion
You can delete individual content such as journals, moments, and comments. You can also delete your entire account through Settings → Account Management → Delete Account. Account deletion removes your data within 30 days, with anonymized backup retention for 12 months.
5.4 Privacy Controls
You can set your account to private so only approved followers can see your content. You can control who sees your location through visibility settings. You can block specific users to prevent them from seeing your content or contacting you. You can disable analytics tracking through Settings → Privacy → Product Analytics. Live Connexions real-time location sharing is always opt-in with time-limited sessions.
5.5 Communication Preferences
You can manage notifications in Settings → Notifications, where you can toggle push notifications and email notifications by type, and mute specific conversations.
5.6 GDPR Rights (EEA/UK Users)
If you are in the European Economic Area or UK, you have the right to access and request a copy of your data, the right to rectification to correct inaccurate data, the right to erasure to request deletion of your data, the right to restrict processing to limit how we use your data, the right to data portability to receive your data in a portable format, the right to object to certain processing, and the right to withdraw consent at any time. To exercise these rights, contact privacy@sorom.co.
5.7 CCPA Rights (California Users)
California residents have the right to know what personal information we collect, request deletion of personal information, opt-out of the sale of personal information (we do not sell your data), and non-discrimination for exercising privacy rights. To exercise these rights, contact privacy@sorom.co.
6. Data Security
We implement security measures including encryption of data in transit using HTTPS/TLS, encryption of sensitive data at rest, Row-Level Security (RLS) on all database tables, secure authentication with PKCE, regular security audits, and access controls and logging. However, no system is 100% secure. Please use strong passwords and protect your account credentials.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Content (journals, moments) | Until deleted by user or account deletion |
| Moments | Auto-expire after 48 hours |
| Chat messages | Until deleted by user (soft-delete) |
| Deleted content | 12 months (anonymized backup) |
| Expired matches | 1 month after expiration |
| Points transactions | 18 months (inactive points expire) |
| Itineraries (free users) | 72 hours after trip end date |
| Rate limit logs | 7 days |
8. Children's Privacy
Sorom is not intended for users under 18 years of age. We do not knowingly collect information from children. If we learn we have collected data from a child under 18, we will delete it promptly.
9. International Data Transfers
Your data may be processed in countries outside your residence, including the United States. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy with a new "Last Updated" date, sending an email notification for significant changes, and providing an in-app notification. Your continued use of Sorom after changes constitutes acceptance.
11. Contact Us
For privacy questions, concerns, or to exercise your rights, please contact us:
Email: privacy@sorom.co
Data Protection Officer (EEA/UK): dpo@sorom.co