blob — privacy policy

1. Who we are

1.1 This Privacy Policy explains how blobme Ltd ("blob", "we", "us" or "our") collects, uses, shares and protects personal data when you use the blob mobile application, website and related services. 1.2 We are the controller of the personal data we collect and use for the purposes described in this Privacy Policy, unless we tell you otherwise. 1.3 Our contact details are: blobme Ltd, 14-16 Stanley Street, Holyhead, Anglesey, LL65 1HG. General and privacy enquiries: help@blobme.ai. 1.4 blobme Ltd does not currently appoint a Data Protection Officer. Privacy matters are handled by Jake Ashworth (help@blobme.ai).

2. Scope and key points

2.1 This Privacy Policy applies to your use of blob in the United Kingdom. 2.2 blob is a social and campus platform. Other users may see information you choose to make visible, including profile information, posts, group activity, marketplace listings, event RSVPs, petition activity and leaderboard information depending on your settings and feature choices. 2.3 Direct and group messages are not end-to-end encrypted. Message content may be accessed in limited circumstances for safety, moderation, legal compliance, security and support purposes. 2.4 Some fields and activity may reveal sensitive information about you. We aim to minimise this risk and provide controls, but you should consider this before sharing information on blob.

3. Personal data we collect

We collect the following categories of personal data: Account and verification — name, university email address, password hash, date of birth, verification code/status, university, course, year of study, degree level. Optional profile fields — gender, pronouns, nationality, languages, accommodation type, hometown, biography, interests, prompts, looking-for preferences, social media links, CV/work information. Profile media — avatar, cover image, photo gallery and associated metadata. Posts, comments and reactions — post text, images/videos, GIFs, polls and votes, tags, privacy setting, comments, replies, likes and emoji reactions. Stories and highlights — story images, text overlays, view records, likes, replies and highlight collections. Messaging — direct and group messages, images, files, GIFs, emoji reactions, polls, read receipts, message requests, reply threads and timestamps. Connections and matching — connection requests/status, blocked users, swipes, match status, timestamps. Events and groups — event creator details, event metadata, location, RSVP and check-in records, group/community/society/module membership, roles and chat activity. Marketplace — seller ID, name, university, listings, prices, images, category, condition, location and sold status. Petitions — petition creator ID, petition content, categories, signatures/support records. Gamification — blob Score inputs, aggregated activity score, rank, leaderboard opt-in status. Reports and moderation — reporter ID, target content/profile/message/listing, reason, description, status, resolution notes and enforcement action. Search, bookmarks and notifications — search queries if retained, saved content references, notification type, timestamps. Location data — place names and latitude/longitude attached to posts, events, marketplace listings or check-ins where enabled. Technical and device data — IP address, device type, operating system, app version, crash reports, logs, security events.

4. Special category data and sensitive inferences

4.1 Some information you provide or generate on blob may reveal or allow inferences about special category data under UK GDPR, including racial or ethnic origin, religious or philosophical beliefs, political opinions, health information or sexual orientation. 4.2 We will not intentionally require special category data unless necessary for a clearly explained feature. Where we process special category data, we will identify an Article 6 lawful basis and an Article 9 condition, such as explicit consent where appropriate. 4.3 You can reduce the amount of sensitive information processed by not completing optional fields, adjusting privacy settings, not joining sensitive groups or petitions, and deleting content you no longer want to share.

5. Purposes and lawful bases

We process personal data for the following purposes, on the following lawful bases: Creating and managing your account — basis: contract. Verifying university/student status — basis: contract and legitimate interests for platform integrity. Providing profiles, posts, comments, groups, messaging and core social features — basis: contract. Optional profile fields and CV/work section — basis: consent or contract depending on the feature. Location tagging and location-based features — basis: consent where precise or optional location is used. Discovery, swiping and matching — basis: consent or contract with clear opt-in. Showing profile views — basis: legitimate interests, subject to user controls. Calculating blob Score internally — basis: legitimate interests. Displaying users on a public leaderboard — basis: consent / opt-in. Events, RSVPs and check-ins — basis: contract and legitimate interests. Marketplace listings — basis: contract; legal obligation where tax/platform reporting applies. Petitions — basis: consent; explicit consent may be required if special category data is involved. Trust and safety, reporting and moderation — basis: legitimate interests; legal obligation where applicable. Security, fraud prevention, debugging and service integrity — basis: legitimate interests. Service communications — basis: contract; legitimate interests. Marketing communications — basis: consent (PECR applies). Analytics and product improvement — basis: consent where analytics cookies/SDKs are used; legitimate interests for strictly necessary operational analytics where appropriate.

6. Profiling and automated processing

6.1 blob uses automated processing to operate features such as discovery, matching, search, notifications, profile views, moderation tooling and blob Score. 6.2 The blob Score is profiling because it evaluates user activity and engagement across the Service. We provide meaningful information about the main factors used and give users controls over public display. 6.3 Public leaderboard participation is opt-in. 6.4 Matching and discovery features may use automated logic to identify mutual interest or show relevant profiles. 6.5 Account suspensions, content removals or other enforcement decisions may involve automated signals but allow human review where required or appropriate.

7. Who we share personal data with

7.1 Other users — your data is shared with other users according to the feature you use and your privacy settings. 7.2 Universities, student unions, societies, clubs or facility operators — where a feature is administered by or linked to one, we may share limited data needed to verify status, administer events or bookings, investigate misuse, manage safety or provide the feature. 7.3 Merchants and partners — if discounts, offers or benefits are enabled, we may share limited data with the relevant merchant or partner where necessary to validate eligibility, redeem an offer or provide customer support. 7.4 Service providers — we use processors to host, store, secure, support and deliver the Service. These include Supabase (database, authentication, real-time messaging and file storage), Expo/React Native services (app delivery and crash reporting), Apple App Store and Google Play (app distribution), Resend (transactional email), and Sentry (error monitoring). 7.5 Law enforcement, regulators and legal requests — we may disclose personal data where required by law, court order, regulatory request or where necessary and proportionate to prevent, detect or report crime. 7.6 Corporate transactions — if we sell, merge, restructure or transfer our business or assets, personal data may be transferred as part of that transaction subject to appropriate safeguards.

8. International transfers

8.1 Your personal data is primarily processed in the European Economic Area. Our primary database and storage provider (Supabase) hosts our project in the EU West (Ireland) region. 8.2 Where personal data is transferred from the UK to the EEA, we rely on the UK's adequacy decision for the EEA. Where personal data is transferred outside the UK and EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. 8.3 You may contact us at help@blobme.ai for more information about the safeguards used for international transfers.

9. Retention

We retain personal data for the following indicative periods: Account and core profile data — until account deletion, plus up to 90 days in backups unless longer retention is required for legal, safety or dispute reasons. Optional profile/CV fields — until removed by the user or account deletion, plus backup period. Posts, comments, reactions and reposts — until deleted by the user or account deletion, subject to copies shared by others, moderation records, legal retention and backups. Stories — visible for 24 hours unless saved as highlights; story view records retained for up to 30 days. Highlights — until removed by the user or account deletion. Direct and group messages — until deleted according to product functionality or account deletion, but copies may remain for other participants and moderation/safety records may be retained for up to 12 months. Swipes and matches — until account deletion or match dismissal, unless needed for safety, abuse prevention or legal reasons. Profile views — for up to 90 days. Events and check-ins — for up to 12 months after the event, unless required for safety, dispute or legal reasons. Marketplace listings — until deleted or marked sold, with transaction/listing metadata retained for up to 24 months or longer where tax/platform reporting obligations apply. Petitions and signatures — until petition closure/deletion or account deletion. blob Score and leaderboard records — current score/rank while account is active. Reports and moderation records — up to 3 years after resolution, or longer where necessary for legal claims, safety or regulatory compliance. Technical logs and security data — typically 30-90 days.

10. Your rights

10.1 Under UK data protection law, you may have rights to access your data, rectify inaccurate data, erase data, restrict processing, object to processing, receive data portability, withdraw consent and challenge certain automated decisions. 10.2 You can exercise your rights by contacting help@blobme.ai. We will respond within one month unless an extension is permitted by law. 10.3 Where we rely on consent, you may withdraw consent at any time. This will not affect processing that occurred before withdrawal. 10.4 You can complain to the Information Commissioner's Office, the UK data protection regulator, although we would appreciate the chance to address your concerns first.

11. Security

11.1 We use technical and organisational measures designed to protect personal data, including encryption in transit, hashed password storage, access controls, logging, monitoring and security review practices. 11.2 No service is completely secure. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required and notify affected users where required by law. 11.3 Because messages are not end-to-end encrypted, you should not use blob messaging for highly sensitive or confidential information.

12. Children

12.1 blob is intended for users aged 18 and over only. 12.2 We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a child, we will take appropriate steps to delete or restrict the account and related data, subject to legal and safety obligations.

13. Changes and contact

13.1 We may update this Privacy Policy from time to time. Where changes are material, we will notify you through the Service or by email where practical. 13.2 Questions about this Privacy Policy should be sent to help@blobme.ai.

privacy policy.