12th Fan – Privacy Policy

1. Information We Collect

We collect and process personal information needed to run 12th Fan as a community and events app. This may include:

• Account details: name, username, email address, authentication identifiers
• Profile and community content: photos, bios, posts, comments, reactions, messages, and similar content you choose to submit
• Event activity: events you create, join, save, or interact with
• Location data when you grant permission (see Location and maps)
• Device and technical data: app version, diagnostics, approximate usage metadata, and identifiers used for security and reliability
• Push notification tokens where you enable notifications
• Verification data when you start optional identity verification (see Identity verification and face liveness)
• Calendar dataonly if you use "Add to calendar" or similar features you explicitly trigger

We do not intend to collect more than is reasonably necessary for the Services. If you choose not to provide certain information, some features may be unavailable.

2. Location and maps

With your permission, we collect device location to show nearby events, distances, map pins, and related community features. You can turn this off in your device settings; some features will not work without it.

Maps are displayed using your device's map SDK. On iOS, map tiles and related requests are handled by Apple's map services (MapKit / Apple Maps) under Apple's terms and privacy policy. On Android, map display may use Google Maps when configured, and Google may process requests needed to render maps under Google's policies.

We use location and map-related information to operate features you request (for example event discovery and navigation context). We do not sell your personal information.

3. How We Use Your Information

We use your information to:

• Create and manage accounts
• Provide and improve our Services
• Enable community and event features
• Personalise user experience
• Communicate important updates
• Prevent fraud, abuse, and security threats
• Analyse app usage and performance

Depending on the activity, we rely on appropriate lawful bases under UK/EEA data protection law — for example performing our contract with you, legitimate interests (such as securing the Services and measuring reliability), consent where we expressly ask for it (such as optional verification), and legal obligations where applicable.

4. Who helps us run the app (subprocessors)

Like most apps, we use specialist providers to host data, authenticate users, send messages, analyse crashes, and deliver certain features. They process information on our instructions and only where needed to provide the Services.

• Supabase — authentication, Postgres database, file storage, realtime channels, and related APIs that store and serve most of your account and community data.
• Google Firebase— Analytics (usage measurement), Crashlytics (crash diagnostics), and Firebase Cloud Messaging (native push plumbing on some devices). Firebase may receive device/app identifiers and event payloads described in Google's documentation.
• Expo — push notification delivery infrastructure (Expo push service) where used, alongside device tokens stored in your profile. Expo also provides the tooling we use to build the mobile app.
• Amazon Web Services (AWS) — optional identity verification, including face liveness via Amazon Rekognition (see below) and verification APIs we host on AWS (for example API Gateway / Lambda).
• Vercel — may host our verification web experience (for example pages under our verify domain) and/or serverless APIs such as automated text moderation endpoints; those systems may process the inputs required for that feature (for example text you submit when moderation runs).
• Resend — where configured as the SMTP/email delivery provider for Supabase Auth, Resend processes recipient addresses and message content/metadata needed to send transactional emails (such as sign-in or verification messages). If we change provider, equivalent processing may occur with another SMTP vendor.
• Apple — Sign in with Apple and Apple Maps / MapKit services as described in the sections below.

This list is not a claim that "no third parties" see your data — it explains the main categories of organisations that may process personal data when you use the Services. Each provider has its own privacy notice for how it handles data on its systems.

5. Identity verification and face liveness

Certain features may require optional identity verification to reduce impersonation, spam, and misuse. If you start verification, you will be guided through steps that can include capturing images/video with your camera and comparing a live capture to your profile photo.

Face liveness checks may run in an in-app browser session that loads a page we host (which may be delivered via Vercel). That flow uses Amazon Rekognition Face Liveness (AWS) to help confirm a live person is present. AWS processes the inputs required for that session under AWS privacy terms. We then use AWS-hosted verification services to compare images and determine whether to mark your profile as verified in Supabase.

We store verification outcomes (such as verified status and timestamps) in your profile where applicable. We do not use this flow to build a general-purpose biometric database unrelated to verification and safety. If you do not start verification, this processing does not occur.

Where UK GDPR applies, verification that involves facial analysis may involve special category data; we rely on your explicit consent at the point you begin the flow, and you can stop at any time before completing it.

6. Sign in with Apple

If you choose Sign in with Apple, Apple processes authentication on Apple's systems. Depending on your choices, Apple may share your name and/or email (including Apple's private relay email feature) with us so we can create and sign you into your account. Apple's handling of that data is governed by Apple's terms and privacy policy.

We use the identifiers Apple provides to link your account in Supabase and to communicate service-related emails where applicable.

7. Device permissions

Depending on the features you use, the app may request access to:

• Camera (profile photos, QR codes, and optional verification / liveness)
• Photo library (choosing images to upload)
• Location (nearby events and maps)
• Notifications (alerts you opt into)
• Calendar (only when you use add-to-calendar features)

You can manage or revoke permissions in your device settings. If you deny access, related features may be limited or unavailable.

8. Community safety and moderation

Because 12th Fan is a community-based platform, we may monitor, review, or remove content and accounts that violate our Terms and Conditions or Community Guidelines.

This may include investigating reports of harassment, abuse, hate speech, impersonation, spam, or unsafe behaviour in order to protect users and maintain platform safety.

Automated moderation may send the text you are posting to our moderation API (which may be hosted on Vercel) solely to classify or block disallowed content; we do not use that processing for unrelated advertising profiling in the app.

9. Cookies and similar technologies

We use cookies, analytics technologies, and similar tools to improve performance, understand usage patterns, and enhance user experience. In the mobile app, this is primarily SDK-based measurement rather than browser cookies.

Firebase Analytics may collect app interaction and device-level data as described in Google's Firebase documentation; Firebase Crashlytics may collect crash diagnostics; Firebase Cloud Messaging and/or Expo push services may process device tokens needed to deliver push notifications. Supabase continues to host your account data and app content separately from Firebase.

10. How long we keep your information

We retain personal information only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

11. How we protect your information

We use reasonable technical and organisational security measures to protect your information.

However, no internet transmission or electronic storage system can be guaranteed to be completely secure.

12. International transfers

Our subprocessors may process data in the United Kingdom, the European Economic Area, the United States, and other countries where they operate. Where personal data is transferred outside the UK/EEA, we use appropriate safeguards where required (such as standard contractual clauses or equivalent mechanisms offered by our providers).

13. Your rights, account deletion, and complaints

If you are in the UK or EEA, you may have rights under the UK GDPR / GDPR and local law, including to access, rectify, erase, restrict processing, object to certain processing, and port data where applicable. You may also withdraw consent for processing that is based on consent (for example by not completing optional verification).

You can request account deletion from Account Settings where available. We will delete or anonymise personal data unless we must retain limited information to meet legal, security, or dispute-resolution obligations. If you need help, email admin@12thfan.co.uk.

If you are in the UK and believe we have not handled your data fairly, you may complain to the Information Commissioner's Office (ICO). We appreciate the chance to resolve concerns first — please contact us using the details below.

14. Children's privacy

The Services are strictly intended for users aged 18 years or older. We do not knowingly collect personal information from anyone under 18.

15. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted within the Services with an updated revision date.

16. Contact us

If you have questions about this Privacy Policy or your personal information, contact: admin@12thfan.co.uk

17. Company information