Privacy Policy — Still Here

Last updated: June 23, 2026
Effective date: June 23, 2026

This is the English version of the Still Here Privacy Policy, provided for international users and review purposes. The Vietnamese version is available at /privacy. If there is any discrepancy, the Vietnamese version prevails.

This Privacy Policy (the "Policy") describes how Still Here ("we", "the app", "the service") collects, uses, stores, shares and protects your information when you use the Still Here mobile application and related services.

Still Here is a location-based, community-contributed map app with gamification mechanics: users visit real places/events to "check in", contribute photos and descriptions, earn points, level up, receive badges, and help keep the map of places "alive". Because of this nature, some information you provide (photos, descriptions, places you create) will be displayed publicly to other users — see Section 6.

By creating an account or using the service, you confirm that you have read and understood this Policy.

1. Data Controller

If you are in a jurisdiction with applicable data-protection laws (e.g. GDPR/EEA), the entity above acts as the data controller.

2. Quick Summary

• We collect account information, your location, check-in photos and descriptions, usage data and technical data to operate the service.
• We support Google Sign-In via Firebase Authentication; in that case we receive your email, name and avatar from your Google account (Sections 3.2 and 7).
• We do not sell your personal data.
• Content you post (photos, descriptions, places/events you create) may be displayed publicly.
• You can delete your account directly in the app; your identifying data is then anonymized (Section 9).
• The service uses location only in the foreground (while the app is open); it does not track your location in the background.

3. Information We Collect

3.1. Information you provide when creating and managing an account

• Username (account) and email address (required).
• Password — stored only as a bcrypt hash; we never store your plaintext password.
• Phone number (optional) and its verification status, if you use phone verification. (Note: in the current version the phone feature may be temporarily hidden; the codebase still supports SMS OTP verification when enabled.)
• One-time passwords (OTP) sent by email (or SMS) to verify ownership of your email/phone and to reset your password.
• Preferences: display language (Vietnamese/English), notification on/off settings.

3.2. Information when you sign in with Google

When you choose "Sign in with Google", authentication is handled via Google Firebase Authentication. We receive the following from your Google profile:

• Email address and email-verified status;
• Display name;
• Profile picture (URL);
• Google account identifier (Google account ID / UID).

We use this information only to create and authenticate your Still Here account. Our use of data received from Google complies with the Google API Services User Data Policy, including the Limited Use requirements — see Section 7.

3.3. User-generated content (may be public)

When using core features, you create content that we store:

• Check-ins: photos, text descriptions, geographic coordinates and timestamps.
• Places, events, customs you create or suggest (name, description, coordinates/province, photos, type, ethnic group, etc.).
• "Quirky" marks, content reports, and contribution suggestions (new place/event types, historical sites/heritage, or software bug reports).
• Voice-entered descriptions: if you use voice input, your speech is converted to text by your device/operating system speech-recognition service; we store only the resulting text in the description, not any audio recording.

Important: Photos, descriptions, and the places/events/customs you create may be displayed publicly on the map, the discovery page, check-in feeds and to other users. Please do not include sensitive information you do not want to be public.

3.4. Location data

• We collect your approximate/precise GPS location while you are using the app (foreground — "when in use") to: find nearby places/events, verify the validity of a check-in, display the map, and send "rescue" notifications for nearby places.
• We store your last known location and its update time to power location-based features.
• Location-spoofing protection: the system computes movement velocity between updates to detect simulated locations (GPS spoofing); this uses your location and time data to ensure fairness.
• You can revoke location access at any time in your operating-system settings; location-based features will then stop working.

3.5. Technical, device and security data

• IP address, user-agent string, device/operating-system type.
• App version and OS information when you submit a bug report.
• Push notification tokens for your devices (up to 5) to deliver notifications.
• Security audit logs: sensitive events such as successful/failed sign-ins, OTP sending/failures, sign-in lockouts, account ban/deletion — together with IP and user-agent — to detect fraud and investigate incidents.
• Operational metrics: aggregated, anonymous data about performance and traffic (response time, number of sign-ins/registrations, active realtime connections) for system monitoring.

3.6. Device permissions the app requests

You may deny or revoke any permission in your OS settings; the corresponding features will then be unavailable.

4. How We Use Information

We use information to:

1. Provide the core service: create and manage accounts, check-ins, maps, discovery of places/events/customs.
2. Authenticate and secure: sign-in, issue and refresh sessions, verify email/phone, reset passwords.
3. Power location features: show nearby content, verify distance on check-in, send place-rescue notifications.
4. Gamification: compute place life points, ranking scores, reputation, badges, user tiers, weekly/monthly leaderboards.
5. Notifications: send in-app and push notifications (according to your settings).
6. Safety and content moderation: filter prohibited keywords and automatically screen text content with AI; handle community reports; hide violating content.
7. Abuse prevention: rate limiting, brute-force protection, location-spoofing detection, duplicate/spam content prevention.
8. Transactional communication: send OTP codes and emails necessary for account operations.
9. Operation and improvement: system monitoring, debugging, aggregate analysis of performance and usage.
10. Legal compliance: meet legal obligations and valid requests from competent authorities.

Legal basis (where GDPR or equivalent applies)

• Performance of a contract: operating your account and the features you request.
• Consent: location access, microphone, push notifications (you can withdraw at any time).
• Legitimate interests: security, fraud prevention, moderation, service improvement.
• Legal obligation: retaining and providing data where required by law.

5. When We Collect

• When you register, sign in (including Google Sign-In) or verify your account.
• When you check in, create content, mark, report or contribute.
• When you grant location/camera/microphone permission and use the related feature.
• Automatically as you interact with the service (technical data, security logs, operational metrics).

6. Sharing and Disclosure

We do not sell your personal data. We share only in the following cases:

6.1. Public content for other users

Photos, descriptions, check-ins, and the places/events/customs you create may be shown publicly together with your display name, badges and achievement stats.

6.2. Service providers (data processors / sub-processors)

We use reputable third parties to operate the service. Each receives only the data necessary for its function:

Some providers may process data outside Vietnam (see Section 11).

6.3. Administrators and moderation

Administrators may review related content and reports to handle violations and ensure community safety.

6.4. Legal requests

We may disclose information when we believe it is necessary to comply with the law, an order from a competent authority, to protect the rights and safety of users or ourselves, or to investigate fraud/abuse.

6.5. Business transfers

In a merger, acquisition or asset transfer, data may be transferred to the successor, with a commitment to continue complying with this Policy.

7. Google User Data and "Limited Use"

Still Here's Google Sign-In feature uses Google API Services via Firebase Authentication.

• We request only the minimal scopes: basic profile information (name, avatar) and email address.
• Data received from Google is used only to create, sign in to and manage your Still Here account.
• We do not transfer Google user data to third parties other than the service providers necessary to operate this feature.
• We do not use Google user data for advertising purposes.
• We do not sell Google user data.

Still Here's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can revoke Still Here's access to your Google account at any time at your Google Account permissions page.

8. Data Retention

We retain data only for as long as necessary for the purposes above:

• Account data and content: kept until you delete your account (see Section 9).
• Sessions: access tokens expire after 15 minutes; refresh tokens last up to 30 days and are revoked when you sign out, change your password, or are locked out.
• OTP sessions: automatically expire and are deleted after about 10 minutes.
• Security audit logs: automatically deleted after 90 days.
• Photos: kept until the related check-in is deleted.
• Some aggregate logs (e.g. logs of events that failed to qualify) may be kept in minimal form to assess reputation and detect spam.

9. Your Rights and How to Exercise Them

Depending on your jurisdiction, you may have rights to: access, correct, delete, restrict or object to processing, and data portability.

You can do the following directly in the app:

• View and edit your profile, change your display name.
• Change email (with verification), change password, change/verify phone (when enabled).
• Toggle notifications, change language.
• Revoke location/camera/microphone permissions in your OS settings.

Account & Data Deletion

Option 1 — in the app: go to Profile → Edit profile → Delete account and confirm with your password. This is the fastest way.

Option 2 — if you cannot use the app (e.g. you uninstalled it): email stillhereapp1505@gmail.com from your registered address with the subject "Account deletion request". We process such requests within 30 days.

What happens on deletion: we do not perform a full hard delete; instead we anonymize — your email and phone are replaced with anonymous values (deleted_*), your password is scrambled, your location and push tokens are removed, the account is set to inactive and you can no longer sign in. This preserves the integrity of community history references (e.g. previous check-ins) while removing your identifying information.

Where legally required (e.g. a full erasure request under GDPR), an administrator may perform a complete deletion of check-in data and delete images from storage.

Other requests (a copy of your data, complaints, withdrawing consent beyond the app's scope): please contact stillhereapp1505@gmail.com. You also have the right to lodge a complaint with the competent data-protection authority in your place of residence.

10. Data Security

We apply reasonable technical and organizational measures, including:

• bcrypt password hashing; we do not store plaintext passwords.
• Session tokens are signed and refresh tokens are stored hashed, with rotation and reuse detection to prevent session theft.
• Transport encryption (HTTPS/TLS), with HSTS enabled in production.
• HTTP protection via Helmet, a controlled CORS allowlist, and request size limits.
• Rate limiting and tiered sign-in lockout against password guessing.
• Real file-type checking for uploaded images.
• Security logging to detect and investigate anomalies.

However, no system is perfectly secure. You are responsible for keeping your login credentials confidential.

11. International Data Transfers

Some of our service providers (e.g. Google, Cloudflare, Resend, Mapbox, OpenAI, Expo) may store and process data on servers outside Vietnam. When transferring data across borders, we take reasonable measures to protect your data consistent with this Policy and applicable law.

12. Children

The service is not directed to users under 16 years of age (under Vietnamese law, a person under 16 is considered a child; we therefore require users to be at least 16). We do not knowingly collect personal data from children under the applicable age. If you believe your child has provided us information without appropriate consent, please contact us so we can delete it.

13. Website Privacy (Landing Site)

The Still Here landing website may use basic technical cookies and traffic analytics at a minimal level to operate and improve the site. If we use a third-party analytics tool (e.g. Google Analytics), we will update the details and the cookie-consent mechanism in this section.

14. Changes to This Policy

We may update this Policy from time to time. For material changes, we will update the "Effective date" at the top and, where appropriate, notify you in the app. Your continued use of the service after changes take effect means you accept the updated Policy.

15. Contact

For any questions, requests or complaints about privacy, please contact:

• Privacy email: stillhereapp1505@gmail.com
• Support email: stillhereapp1505@gmail.com
• Operator: GLD Solutions (household business)
• Address: 28 Duong 3, Khu pho 66, Tang Nhon Phu Ward, Ho Chi Minh City, Vietnam