Bao — Privacy Policy

Last updated: 17 June 2026


At a glance


1. Who we are

Bao (the "Service") is operated by Monsun Technologies Limited ("Bao", "we", "us", "our"), a company registered in England and Wales under company number 17266355, with its registered office at 66 Paul Street, London, EC2A 4NA, United Kingdom.

For privacy questions, including requests to exercise your rights, contact us at privacy@bao-app.com. For data-protection-specific enquiries from the EEA or UK, contact our Data Protection Officer at dpo@bao-app.com.

This policy describes how we handle personal data when you use the Bao iOS app or interact with us through bao-app.com. By using the Service, you acknowledge the practices described here.

2. The information we collect

2.1 Information you give us

WhatWhenWhy we need it
Phone number (E.164 format)Sign-upIdentifies your account; lets other Bao users find you when they have your number in their contacts
One-time SMS codesSign-up + sign-inVerifies you control the phone number (handled by Firebase Authentication)
Display name (required, 2–30 characters)Sign-up (profile setup) or editRequired to finish sign-up; shown to other users subject to your Name privacy setting
Birthday (optional)Profile setup or editStored on your profile; not currently shown to other users — the Birthday privacy setting is a forward-looking control (see §4.1)
Profile photo (optional)Profile setup or editShown to other users subject to your Photo privacy setting
Privacy settingsSettingsControls who can see your name, photo, and birthday
Recovery email (optional)Profile setup or editLets you regain access to your account if you change or lose your phone number; we use it to send account-recovery codes
Lists, groups, events, messages, RSVPs, location pins you createWhile using the appThe core of what the Service is for

2.2 Information from your device (with your permission)

2.3 Information collected automatically

2.4 Information from other people

When another Bao user invites you to a group or event — even if you weren't a Bao user yet — their invite contains your phone number. Once you sign up, our server matches that number to your account, converts the invitation into a real group membership or event attendee row, and creates a welcome message in a conversation between you and the inviter. See §4.3 for what happens with pre-signup invitations.

3. How we use this information

We process your information to:

We do not use your information for advertising, do not sell personal data, and do not share contact data with brokers.

4. How information is shared

4.1 With other Bao users — gated by your privacy settings

Bao is a social app: parts of your profile are visible to other users. What's visible is governed by your three privacy switches:

The contacts tier is one-sided: another user sees your name (or photo) when you have them in your contacts, regardless of whether they have you. Server-side gating enforces this — your device never receives a name or photo URL that your privacy settings have withheld.

4.2 With service providers

We rely on the following processors to operate the Service. Each acts on our instructions under a written data-processing agreement and may store data outside your country of residence (typically in the United States).

ProviderPurpose
Apple Inc.App distribution; push notifications (APNs)
Google LLC (Firebase Authentication)Phone-number OTP sign-in
Cloudflare, Inc.Object storage (R2) for profile and event images; Durable Objects + Workers for real-time chat
Vercel Inc.Serverless backend hosting
Inngest, Inc.Asynchronous job queue (push-notification fanout)
Neon, Inc.Primary Postgres database
PostHog (EU region)Product analytics (feature usage, engagement, retention)
Sentry (EU region)Crash and error monitoring; performance diagnostics
Resend, Inc.Transactional email: account-recovery codes, data-export download links, abuse-report + ops alerts
Twilio Inc.SMS delivery of the one-time code for data-export downloads
Slack Technologies (optional)Internal abuse-report notifications to our team
MapKit / Apple MapsLocation search and rendering

Data processed per provider:

We will update this list when we add or remove processors.

4.3 Pre-signup invitations

When you (a Bao user) invite a phone number that doesn't yet match any Bao account to a group or event, our server holds that invitation keyed by the phone number until the recipient signs up. On their first sign-in, we:

While an invitation is pending, what we hold depends on the type:

If the event has already ended by the time they sign up, we do not create an attendee row or a welcome message for it. We do not retain expired pre-signup invitations: once an event has ended, any pre-signup invitation to a phone number that has not joined Bao is deleted. We do not keep invitation data about people who never become Bao users.

4.4 In legal and safety circumstances

We may share information when we believe in good faith that it is necessary to: (a) comply with a lawful request from a government or law-enforcement authority; (b) enforce our End User Agreement; (c) prevent or investigate fraud, abuse, or security incidents; (d) protect the safety, rights, or property of Bao, our users, or the public; or (e) facilitate a corporate transaction such as a merger, acquisition, or sale of assets, in which case the recipient will be bound by privacy terms no less protective than these.

4.5 With your direction

Apart from these, Bao has no third-party integrations today. If we add any in future, we will share only what you direct us to share.

5. International transfers

Our service providers (notably Vercel, Firebase, Cloudflare, our database host Neon, and our email / SMS providers Resend and Twilio) are based in or operate from the United States and run global infrastructure. When you use Bao your personal data is transferred to and processed in the United States and other countries that may not provide the same level of data-protection law as your country of residence.

Our analytics provider, PostHog, processes the usage events described in §2.3 in its EU region, and our error-monitoring provider, Sentry, processes the crash/error reports described in §2.3 in its EU region, so that data is stored in the European Union.

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK / Swiss addenda where applicable) as the safeguard for such transfers. You may request a copy of the clauses at privacy@bao-app.com.

6. How long we keep your information

We keep your account information for as long as your account is active. The specifics:

When you uninstall the app, the local SQLite database and on-disk photo caches are removed by iOS as part of the standard sandbox cleanup. On your next install Bao detects the absence of a launch-time marker and additionally signs you out of any cached Firebase session, so the next launch starts fresh.

7. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

To exercise these rights, use the in-app controls where available — profile edits, Settings → Delete Account, and the in-app data export (which verifies you with a one-time code sent to your account phone number). For anything else, contact privacy@bao-app.com; we will take reasonable steps to verify your identity before acting on a request.

8. Children

The Service is not intended for, and we do not knowingly collect personal data from, anyone under 16. Bao is rated 16+ on the App Store. If you believe someone under 16 has provided us with personal data, contact privacy@bao-app.com and we will delete the account.

9. Security

We protect personal data using a combination of technical and organisational measures, including:

No method of transmission or storage is 100% secure. If we become aware of a security incident affecting your personal data, we will notify you as required by law.

10. Managing your privacy in the app

You can adjust your privacy practices at any time from the iOS device:

11. Cookies and similar technologies

The Bao mobile app does not use cookies. Our in-app product analytics (§2.3, §4.2) are implemented with a first-party mobile SDK and do not rely on cookies, advertising identifiers (IDFA), or cross-app tracking; we do not use your data for advertising. The bao-app.com marketing website may use a small number of strictly necessary cookies; if we add website analytics or tracking cookies in future, we will update this policy and present a consent banner.

12. Changes to this policy

We may update this policy as the Service evolves. The "Last updated" date at the top of the page reflects the most recent revision. If the changes are material, we will provide notice in the app or by email before they take effect.

13. Contact us

TopicEmail
Privacy questions & rights requestsprivacy@bao-app.com
Data-protection (DPO) enquiries (EEA / UK)dpo@bao-app.com
Security reportssecurity@bao-app.com
Generalhello@bao-app.com

Or write to us at Monsun Technologies Limited, 66 Paul Street, London, EC2A 4NA, United Kingdom.