Bao — Privacy Policy
Last updated: 17 June 2026
At a glance
- Bao is an event-planning app for friends. We collect what you give us (your phone number, an optional name / birthday / photo) plus the contacts you choose to share with us, and we use it to help you create events, invite people, and chat with the friends you've invited.
- You control what other users see about you through three independent
privacy switches (
Name,Photo,Birthday) inside Settings. - The contact numbers we use to match you with other Bao users are stored only as a non-reversible hash — hashed on our server with a secret key, never as the raw number. A few features do keep a raw phone number where it is functionally required — your own number, people you add to a private list, and non-Bao people you invite to an event or group — as described in §2.2 and §4.3.
- We don't sell your personal data. We don't run advertising. We don't build a profile of you for marketing purposes.
- We use a handful of well-known service providers (Apple, Google Firebase, Cloudflare, Vercel, Inngest, PostHog, Sentry) to operate the app. The full list is in §4.2.
- We collect basic, pseudonymous usage analytics (which features get used, how often) to understand how Bao is used and improve it. These analytics are tied only to an internal account ID — we never send your phone number, contact names, message contents, or screen recordings to our analytics provider.
- We collect crash and error diagnostics to find and fix bugs. These reports are not tied to your account identity and never contain your phone number, contacts, or message contents.
- You can change your privacy settings, turn off Contacts access, or request account deletion at any time — see §10.
1. Who we are
Bao (the "Service") is operated by Monsun Technologies Limited ("Bao", "we", "us", "our"), a company registered in England and Wales under company number 17266355, with its registered office at 66 Paul Street, London, EC2A 4NA, United Kingdom.
For privacy questions, including requests to exercise your rights, contact us at privacy@bao-app.com. For data-protection-specific enquiries from the EEA or UK, contact our Data Protection Officer at dpo@bao-app.com.
This policy describes how we handle personal data when you use the Bao iOS app or interact with us through bao-app.com. By using the Service, you acknowledge the practices described here.
2. The information we collect
2.1 Information you give us
| What | When | Why we need it |
|---|---|---|
| Phone number (E.164 format) | Sign-up | Identifies your account; lets other Bao users find you when they have your number in their contacts |
| One-time SMS codes | Sign-up + sign-in | Verifies you control the phone number (handled by Firebase Authentication) |
| Display name (required, 2–30 characters) | Sign-up (profile setup) or edit | Required to finish sign-up; shown to other users subject to your Name privacy setting |
| Birthday (optional) | Profile setup or edit | Stored on your profile; not currently shown to other users — the Birthday privacy setting is a forward-looking control (see §4.1) |
| Profile photo (optional) | Profile setup or edit | Shown to other users subject to your Photo privacy setting |
| Privacy settings | Settings | Controls who can see your name, photo, and birthday |
| Recovery email (optional) | Profile setup or edit | Lets you regain access to your account if you change or lose your phone number; we use it to send account-recovery codes |
| Lists, groups, events, messages, RSVPs, location pins you create | While using the app | The core of what the Service is for |
2.2 Information from your device (with your permission)
- Contacts. If you grant the iOS Contacts permission, we read the names
and phone numbers in your address book so we can (a) match those numbers
against other Bao users, and (b) let you select people to invite to
lists, groups, and events. We send phone numbers to our server in
normalised E.164 form; the server immediately hashes them with a
secret HMAC key and stores only the hash (
phoneHash) — never the raw number. We mirror the hash back to your device so that future contact syncs only need to send what's changed. Your contacts' names are used only on your own device to show you who's who — we do not retain your contacts' names on our servers, never display them to other users, and never send them to anyone else's device. (Some exceptions where you act explicitly: when you invite someone who isn't on Bao to a specific event or group, or when you add someone to one of your private lists, we store that person's phone number — never their name — so the feature works and your private lists stay in sync across your own devices. Your lists are personal and are never shown to anyone else; the names you see in them are resolved on each of your devices from that device's own address book. For what other people can see — event attendees, and a group's admins — see §4.3.) - Photos. If you choose a profile photo or attach an image to an event, we read that single image from your photo library and upload it to our media storage (Cloudflare R2). We do not browse the rest of your photo library.
- Location. When you pick a location for an event we use Apple's MapKit / CoreLocation services. We store the place you picked (coordinates, name, address) on the event; we do not collect continuous location data, we do not track your background location, and we do not request "Always" location permission.
- Notifications. If you allow push notifications, your iOS device gives us an Apple Push Notification (APNs) token. We send this token to our server so we can notify you of new messages, invites, and RSVPs.
2.3 Information collected automatically
- Device identifier. We generate a random, app-scoped device ID on first launch and use it to keep your contact-sync state correct when you sign in on multiple devices.
- App diagnostics and sync state. We keep per-entity timestamps (when your device last synced lists, groups, events, etc.) and an append-only local audit log of changes you make in the app. The audit log is sent to our server on a best-effort basis to help us diagnose sync issues.
- Crash and error reports. When the app crashes or hits an unexpected error, we send a diagnostic report to our error-monitoring provider, Sentry (see §4.2). A report contains technical information such as the type of error, a stack trace, the failing subsystem, and your device model, OS version, and app version. These reports are not tied to your account identity — we do not attach your user ID, phone number, name, or contacts — and they are processed in Sentry's EU region.
- Product-analytics events. We record a small set of pseudonymous usage events to understand how the app is used and which features to improve — for example, that the app was opened, that an event was created, that an invitation was sent, or that an RSVP was submitted. These events carry only non-identifying metadata (such as the type of action, simple counts, and your device model, OS version, and app version) and are tied to your internal account ID. They never include your phone number, contact names, event titles, message contents, or any other free-text you enter. We do not record your screen, capture on-screen taps automatically, or replay your sessions. These events are processed by PostHog (see §4.2).
- Authentication tokens. Firebase issues an ID token after you sign in; we send that token with every API request so the server can verify it's really you. Tokens are short-lived (1 hour) and refreshed automatically. We also store the Firebase user identifier (UID) tied to your phone number in your account record so we can link your sign-ins to your account; it is cleared when you delete your account.
- IP address. Our server logs the IP address of every API request as a routine part of receiving HTTPS traffic. We use these logs to defend against abuse and to debug; we do not build an advertising profile from them.
2.4 Information from other people
When another Bao user invites you to a group or event — even if you weren't a Bao user yet — their invite contains your phone number. Once you sign up, our server matches that number to your account, converts the invitation into a real group membership or event attendee row, and creates a welcome message in a conversation between you and the inviter. See §4.3 for what happens with pre-signup invitations.
3. How we use this information
We process your information to:
- Run the Service — create your account, sync your data between your devices, deliver invitations and messages, manage RSVPs, and display the right information to the right people.
- Match contacts to other Bao users — using the server-side phone-hash mechanism described above, so when one of your contacts joins Bao you can see them appear in the A–Z section of your contact list.
- Send service-related communications — SMS one-time codes for sign-in (via Firebase), account-recovery codes (by email) and data-export download codes (by SMS) when you request them, and push notifications to your device.
- Operate, maintain, and improve the Service — diagnose bugs, triage sync failures, plan capacity, investigate operational incidents, and analyse aggregate, pseudonymous usage patterns (which features are used and how often) to decide what to build and improve.
- Enforce our terms and prevent abuse — investigate suspected fraud, spam, harassment, or other violations of our End User Agreement.
- Comply with legal obligations — respond to lawful requests from authorities, comply with applicable laws, and exercise or defend legal claims.
We do not use your information for advertising, do not sell personal data, and do not share contact data with brokers.
4. How information is shared
4.1 With other Bao users — gated by your privacy settings
Bao is a social app: parts of your profile are visible to other users. What's visible is governed by your three privacy switches:
Nameprivacy (hidden/contacts/all) — controls whether other users see your name on group rosters, event attendee lists, and contact-photo projections.Photoprivacy (hidden/contacts/all) — same for your profile photo.Birthdayprivacy (hidden/contacts) — your birthday is currently not projected to any other-user surface; this setting is a forward-looking control that will gate future features.
The contacts tier is one-sided: another user sees your name (or
photo) when you have them in your contacts, regardless of whether
they have you. Server-side gating enforces this — your device never
receives a name or photo URL that your privacy settings have withheld.
4.2 With service providers
We rely on the following processors to operate the Service. Each acts on our instructions under a written data-processing agreement and may store data outside your country of residence (typically in the United States).
| Provider | Purpose |
|---|---|
| Apple Inc. | App distribution; push notifications (APNs) |
| Google LLC (Firebase Authentication) | Phone-number OTP sign-in |
| Cloudflare, Inc. | Object storage (R2) for profile and event images; Durable Objects + Workers for real-time chat |
| Vercel Inc. | Serverless backend hosting |
| Inngest, Inc. | Asynchronous job queue (push-notification fanout) |
| Neon, Inc. | Primary Postgres database |
| PostHog (EU region) | Product analytics (feature usage, engagement, retention) |
| Sentry (EU region) | Crash and error monitoring; performance diagnostics |
| Resend, Inc. | Transactional email: account-recovery codes, data-export download links, abuse-report + ops alerts |
| Twilio Inc. | SMS delivery of the one-time code for data-export downloads |
| Slack Technologies (optional) | Internal abuse-report notifications to our team |
| MapKit / Apple Maps | Location search and rendering |
Data processed per provider:
- Apple Inc. — Push tokens; notification payload metadata
- Google LLC (Firebase Authentication) — Phone number; auth tokens; device metadata
- Cloudflare, Inc. — Image bytes; conversation-membership signed tickets; message broadcast payloads
- Vercel Inc. — Every API request and response (transit only); request logs
- Inngest, Inc. — Push payloads + recipient identifiers, transiently
- Neon, Inc. — All persisted application data
- PostHog (EU region) — Pseudonymous internal user ID; usage-event metadata (action types, simple counts); device model, OS version, app version; approximate region derived from IP. No phone numbers, contact names, or free-text content.
- Sentry (EU region) — Crash/error reports: error type, stack trace, failing subsystem, device model, OS version, app version. Not linked to your account identity; no phone numbers, contacts, or message contents.
- Resend, Inc. — Recipient email addresses (your recovery email; the email you give for a data export) and the codes / download links sent to them; abuse-report contents (reporter user ID, target, reason, and your report text) sent to our team
- Twilio Inc. — Your account phone number and a one-time data-export download code
- Slack Technologies (optional) — Abuse-report contents (reporter user ID, target, reason, report text) sent to our internal channel
- MapKit / Apple Maps — Location queries you type while picking event locations
We will update this list when we add or remove processors.
4.3 Pre-signup invitations
When you (a Bao user) invite a phone number that doesn't yet match any Bao account to a group or event, our server holds that invitation keyed by the phone number until the recipient signs up. On their first sign-in, we:
- match the new account to the stored invitation,
- create the corresponding group membership or (if the event is still in the future) event attendance, and
- create a welcome message in a one-to-one conversation between you and the new user, dated at their join moment.
While an invitation is pending, what we hold depends on the type:
- Event invitations. We store the invited person's phone number on that event so that you — and other people invited to the same event — can see who has been invited, and so we can connect them to the event if they join. We only ever show the phone number to other attendees — never the name you have saved for that person in your address book. When the event ends, or the person joins Bao, we remove their number from the event; a past, unmatched invitee then shows simply as "Unmatched account".
- Group invitations. When you invite a phone number that isn't on Bao to a group, we store that phone number on the invitation so the group's admins can see who has been invited but hasn't joined yet, in the group's invited / pending-invitations section. Only admins see these pending numbers — other members do not. We also keep a hashed form of the number so we can match the person to the invitation when they sign up. We only ever show the phone number to admins — never the name you have saved for that person. If the person has not joined within six months, we delete the pending invitation.
If the event has already ended by the time they sign up, we do not create an attendee row or a welcome message for it. We do not retain expired pre-signup invitations: once an event has ended, any pre-signup invitation to a phone number that has not joined Bao is deleted. We do not keep invitation data about people who never become Bao users.
4.4 In legal and safety circumstances
We may share information when we believe in good faith that it is necessary to: (a) comply with a lawful request from a government or law-enforcement authority; (b) enforce our End User Agreement; (c) prevent or investigate fraud, abuse, or security incidents; (d) protect the safety, rights, or property of Bao, our users, or the public; or (e) facilitate a corporate transaction such as a merger, acquisition, or sale of assets, in which case the recipient will be bound by privacy terms no less protective than these.
4.5 With your direction
- Calendar export. You can publish your Bao events to an external calendar app (Apple Calendar, Google Calendar, and the like) by turning on a calendar feed in the app. We generate a private, unguessable subscription URL containing a secret token; any calendar app you give that URL to can read the feed over the internet. The "busy" feed shows only blocked-out time labelled "Busy"; the "full" feed includes your events' titles, descriptions, locations, dates/times, and your own RSVP — but never other attendees' names or identities. You can disable the feed (which revokes the URL) or rotate its token at any time in the app.
- Data export. If you request a copy of your data (see §7), we send it to you using the verified delivery flow described there.
Apart from these, Bao has no third-party integrations today. If we add any in future, we will share only what you direct us to share.
5. International transfers
Our service providers (notably Vercel, Firebase, Cloudflare, our database host Neon, and our email / SMS providers Resend and Twilio) are based in or operate from the United States and run global infrastructure. When you use Bao your personal data is transferred to and processed in the United States and other countries that may not provide the same level of data-protection law as your country of residence.
Our analytics provider, PostHog, processes the usage events described in §2.3 in its EU region, and our error-monitoring provider, Sentry, processes the crash/error reports described in §2.3 in its EU region, so that data is stored in the European Union.
For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK / Swiss addenda where applicable) as the safeguard for such transfers. You may request a copy of the clauses at privacy@bao-app.com.
6. How long we keep your information
We keep your account information for as long as your account is active. The specifics:
- Account profile (phone number, name, birthday, photo): until you delete your account. When you delete your account we erase these identifying fields — your phone number, name, birthday, and photo are cleared from your account record. A minimal anonymized tombstone remains so that shared history (messages and events you took part in) stays coherent for other participants; to them your past content simply shows as "Deleted account". Because your phone number is cleared, signing up again with the same number creates a brand-new account with no link to your old one.
- Suspended accounts (abuse enforcement): if we suspend an account for violating our terms and then erase its data, we erase the same identifying fields as account deletion but retain a one-way hash of the phone number (never the number itself). This lets us keep the suspension in force and stop the same number from simply re-registering to evade it. We rely on our legitimate interest in preventing abuse and protecting our community as the basis for keeping this minimal record, and we use it for no other purpose.
- Messages: retained while your account is active. Deleting a message (for everyone, or just for yourself) hides it from the relevant participants immediately, but we do not currently run a routine purge of the underlying records — they are cleared of identifying information when you delete your account, and otherwise age out only via the backup window below.
- Lists, groups, events: soft-deleted via a
deletedAtflag and removed from active surfaces immediately. The underlying rows are retained (we do not currently hard-delete soft-deleted content); they are cleared of identifying information when you delete your account and age out of backups within the window below. - Phone-number hashes of your device contacts: held while you have contacts permission enabled. Revoking the iOS Contacts permission stops further syncing; we clear the matched-contact cache on the next sync.
- Server-held pre-signup invitations (§4.3): converted on first sign-in. An event invitation whose event has ended without the recipient joining is deleted when the event ends; a group invitation that has not been accepted within six months is deleted. We do not retain invitations for people who never join Bao, and we never use this data to contact non-Bao users.
- Diagnostic logs and audit trail: retained for operational integrity, security, and abuse prevention. Entries are tied to an internal account ID; when you delete your account, the account record that ID points to is cleared of identifying information, so the entries can no longer be linked back to you.
- Crash and error reports (held by Sentry): retained for up to 90 days, after which they are deleted.
- Product-analytics events (held by PostHog): retained in pseudonymous form to help us understand long-term usage and retention trends. They are keyed only to an internal account ID — never to your phone number or name — and when you delete your account, the account record that ID points to is cleared of identifying information, so the remaining events can no longer be linked back to you.
- One-time sign-in SMS codes: the code that verifies your phone number when you sign in is handled entirely by Firebase Authentication; we do not store it on our servers.
- Account-recovery codes: if you set a recovery email and use account recovery, we generate a short-lived code, store only a hash of it, and email the code to your recovery email (via Resend). The hash is cleared once the code is used, once it expires, or after a small number of failed attempts.
- Data-export codes: when you request a data export, we email a download link (via Resend) and text a one-time download code to your account phone number (via Twilio). The code is stored only as a short-lived hash and expires with the download link; we do not retain it afterwards.
- Backups: our database provider (Neon) keeps a rolling point-in-time restore window, so a deleted record may persist in recoverable backups for up to 7 days before it ages out permanently.
When you uninstall the app, the local SQLite database and on-disk photo caches are removed by iOS as part of the standard sandbox cleanup. On your next install Bao detects the absence of a launch-time marker and additionally signs you out of any cached Firebase session, so the next launch starts fresh.
7. Your rights
Depending on where you live, you may have some or all of the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data. Most fields (name, birthday, photo, privacy settings) you can edit yourself in the app.
- Erasure — delete your account and associated personal data at any time from Settings → Delete Account in the app. Deletion erases your identifying profile fields (phone number, name, birthday, photo), removes you from your groups, and drops you from upcoming events; shared history is anonymized to "Deleted account" for other participants. Deletion runs from your signed-in device; if you have lost access to your phone number, use account recovery (a code sent to your recovery email) to sign back in first, then delete in-app.
- Restriction — ask us to limit how we use your data.
- Portability — request a structured, machine-readable export of the data you provided to us.
- Objection — object to processing that we carry out on the basis of legitimate interests (notably, abuse prevention).
- Withdrawal of consent — where we rely on consent (e.g. the Contacts permission), you can withdraw it at any time in iOS Settings.
- Complaint — lodge a complaint with your local data-protection authority. EEA users can find theirs at edpb.europa.eu. UK users can complain to the ICO.
To exercise these rights, use the in-app controls where available — profile edits, Settings → Delete Account, and the in-app data export (which verifies you with a one-time code sent to your account phone number). For anything else, contact privacy@bao-app.com; we will take reasonable steps to verify your identity before acting on a request.
8. Children
The Service is not intended for, and we do not knowingly collect personal data from, anyone under 16. Bao is rated 16+ on the App Store. If you believe someone under 16 has provided us with personal data, contact privacy@bao-app.com and we will delete the account.
9. Security
We protect personal data using a combination of technical and organisational measures, including:
- TLS for all network traffic between your device and our servers.
- Firebase-issued, short-lived ID tokens for API authentication.
- HMAC hashing of the address-book numbers we use for contact matching — those raw numbers are not persisted, only the hash. (Limited exceptions where a raw number is functionally required are described in §2.2 and §4.3.)
- Signed URLs for media downloads, with privacy-setting checks on every signing request.
- Encryption at rest for our primary database and object storage, provided by our hosting partners.
- Access controls limiting which engineers can reach production data.
No method of transmission or storage is 100% secure. If we become aware of a security incident affecting your personal data, we will notify you as required by law.
10. Managing your privacy in the app
You can adjust your privacy practices at any time from the iOS device:
- In-app: Settings → toggle
Name,Photo, andBirthdayprivacy switches; edit or remove your profile photo. - iOS Settings → Privacy & Security → Contacts: turn off Bao's access to your address book.
- iOS Settings → Notifications → Bao: turn off push.
- iOS Settings → General → Background App Refresh: turn off background sync.
- Delete the app: removes all on-device data; combine with the deletion request in §7 to remove the server-side copy.
11. Cookies and similar technologies
The Bao mobile app does not use cookies. Our in-app product analytics (§2.3, §4.2) are implemented with a first-party mobile SDK and do not rely on cookies, advertising identifiers (IDFA), or cross-app tracking; we do not use your data for advertising. The bao-app.com marketing website may use a small number of strictly necessary cookies; if we add website analytics or tracking cookies in future, we will update this policy and present a consent banner.
12. Changes to this policy
We may update this policy as the Service evolves. The "Last updated" date at the top of the page reflects the most recent revision. If the changes are material, we will provide notice in the app or by email before they take effect.
13. Contact us
| Topic | |
|---|---|
| Privacy questions & rights requests | privacy@bao-app.com |
| Data-protection (DPO) enquiries (EEA / UK) | dpo@bao-app.com |
| Security reports | security@bao-app.com |
| General | hello@bao-app.com |
Or write to us at Monsun Technologies Limited, 66 Paul Street, London, EC2A 4NA, United Kingdom.