Privacy Policy
Effective date: 2026-05-17
Last updated: 2026-05-17
This Privacy Policy describes how SHINDIG SOCIAL LLC ("we," "us," or "Shindig") collects, uses, and shares personal information when you use the Shindig Social Club mobile application and related services (collectively, the "Service").
If you do not agree with this Policy, please do not use the Service.
1. Information We Collect
1.1 Information you provide
When you create an account and use Shindig, you provide:
Account information: Email address (via Firebase Authentication), full name, birthday (year and month only)
Shipping information: Mailing address used to ship your physical Social Pass NFC card
Payment information: Processed directly by Stripe; we receive a customer identifier and subscription metadata, never your card number
Apple In-App Purchase information: For the $2 Emergency Unlock consumable; processed by Apple
Member status: Whether you are an active subscriber, a Founding Member (grandfathered), or have cancelled
NFC card identifier: The unique identifier of the Social Pass card you pair with the app, used to authorize unlocks
1.2 Information generated by your use of the Service
Lock session data: Start and end timestamps of each session where you lock your device using Shindig, used to compute the "time saved" total displayed to you
Selected apps and categories: An opaque list of apps and categories you have chosen to keep available while your phone is locked. We do not see the names or bundle identifiers of these apps — Apple's Family Controls framework provides only opaque tokens
Event activity: RSVPs and discount redemptions for member events synced from Eventbrite
Socialite interactions: When you read or interact with the in-app Socialite newspaper
1.3 Information from device permissions
The Service requests the following iOS permissions:
Screen Time / Family Controls — required to shield apps when you lock your phone. We never see the apps or categories you select; Apple's framework only provides opaque tokens.
NFC — required to scan your Social Pass card to lock and unlock.
Notifications — used for membership reminders, event reminders, and to confirm lock state changes.
Camera (optional) — only if you use the in-app camera to pair a card or scan a QR code.
You can revoke any permission at any time in iOS Settings.
1.4 Analytics
We use Firebase Analytics (a Google service) to understand how the app is used in aggregate — for example, how many people open the app each day, how long it takes a new member to complete onboarding, and which milestones members reach.
What Firebase Analytics automatically collects:
App open and session events (app_open, session_start, first_open, user_engagement)
A Firebase-generated pseudonymous identifier called an App Instance ID, which is not your Apple ID, not your account, and is not linked to your real identity
Custom events we log:
onboarding_completed — That a member finished onboarding, and whether their Social Pass card has shipped (true/false)
card_linked — That a Social Pass card was successfully paired with the app
lock_activated — That a lock session was started, and whether it was a test lock (true/false)
unlock_success — That a lock session was ended successfully
app_picker_saved — That the user saved their list of allowed apps, and how many apps they chose (count only)
screen_view — The name of the screen the user navigated to
What we do not collect through analytics:
The names or bundle identifiers of apps you choose to allow during a lock (Apple's Family Controls framework does not expose them to us)
Your email address, account ID, name, or any other personally identifying information
Free-text input, message content, or location data
Your IDFA (Apple's advertising identifier)
Event parameters are limited to counts, booleans (true/false flags), and screen names.
Retention: Firebase Analytics event data is retained for up to 14 months and then automatically deleted by Google.
For more detail about what Firebase Analytics collects on our behalf, see Google's Firebase data collection documentation at https://firebase.google.com/support/privacy.
You can disable analytics at any time — see Section 5 ("Your Rights") below.
2. How We Use Your Information
Provide the Service: Create your account, ship your Social Pass card, process your subscription, enforce your chosen app restrictions
Communicate with you: Send transactional emails (welcome, shipping updates, subscription changes), respond to support requests
Send marketing emails: Only with your consent; you can unsubscribe at any time via the link in any email
Improve the Service: Aggregate analytics about how the Service is used
Legal compliance: Respond to lawful requests, enforce our Terms, prevent fraud
We do not sell or share your personal information for cross-context behavioral advertising. We do not share it with third parties for their own marketing purposes.
3. Service Providers (Sub-processors)
We use the following service providers to operate Shindig. Each receives only the information necessary for its specific role.
Google Firebase — Authentication, Firestore, Cloud Functions: Account authentication, database, serverless backend. Data shared: account information, lock session data, app activity.
Google Firebase — Firebase Analytics: Aggregate product analytics (see Google's documentation at https://firebase.google.com/support/privacy). Data shared: pseudonymous App Instance ID; the auto-logged and custom events listed in §1.4; no PII.
Stripe: Payment processing for membership subscriptions. Data shared: email, name, billing address, payment method.
Apple: In-App Purchase processing for the Emergency Unlock; App Store distribution. Data shared: Apple ID email, IAP receipt.
Shopify: Fulfillment of physical Social Pass card orders. Data shared: name, email, phone, shipping address.
ShippingEasy: Postage and label generation, downstream of Shopify. Data shared: shipping address, name.
Flodesk: Transactional and marketing email delivery. Data shared: email address, subscription segment membership.
Eventbrite: Member event listings and discounted ticket purchases. Data shared: email address when you purchase a ticket.
All sub-processors are bound by their respective terms of service and applicable data protection agreements.
4. Data Retention
Active member account data: Retained for the duration of your membership
Account data after cancellation: Retained for 30 days, then redacted
Shipping address for non-members: Purged 90 days after the Social Pass card is marked delivered
Payment records: Retained up to 7 years for financial reporting (Stripe holds the bulk; we retain only references)
Analytics event data (Firebase Analytics): Up to 14 months, then automatically deleted by Google
Account data after you request deletion: Redacted within 30 days
Redaction nullifies your name, email, phone, address, and shipping data while preserving an anonymized account skeleton needed to honor financial and audit obligations.
5. Your Rights
You have the right to:
Access the personal information we hold about you. Email admin@shindigsocial.com to request a copy.
Correct inaccurate information by updating your profile in the app or emailing us.
Delete your account at any time via Settings → Account → Delete Account. All personal information is redacted within 30 days.
Cancel your subscription at any time via Settings → Membership in the app, or via the Stripe customer portal. Your membership remains active until the end of the current billing period.
Unsubscribe from marketing emails via the link in any email. Transactional emails (shipping, billing) cannot be unsubscribed while you have an active account.
Disable analytics at any time. If a Privacy → Analytics toggle is available in the app's Settings, you can use that. You may also email admin@shindigsocial.com to request that analytics collection be disabled for your account.
5.1 California residents (CCPA/CPRA)
You have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including:
The right to know what categories of personal information we collect, the sources, and the purposes for which we use it
The right to delete personal information we have collected about you
The right to correct inaccurate personal information
The right to opt out of the sale or sharing of your personal information
The right to non-discrimination for exercising any of these rights
We do not sell personal information. Whether Firebase Analytics constitutes "sharing" under the CPRA is the subject of evolving regulatory interpretation. Out of caution, we treat analytics as opt-outable: if you do not want your usage data sent to Firebase Analytics, disable it via Settings → Privacy → Analytics (if available) or email admin@shindigsocial.com.
To exercise any of these rights, contact admin@shindigsocial.com.
5.2 Availability of the Service
The Service is offered only to residents of the United States. We do not currently offer the Service to residents of the European Economic Area, the United Kingdom, or Switzerland, and we do not direct the Service to those regions. If you are located outside the United States, please do not create an account or use the Service.
6. Children's Privacy
Shindig is not intended for users under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact us at admin@shindigsocial.com and we will delete it.
7. Security
We protect your personal information using:
Encryption at rest — All Firestore data is encrypted with Google-managed AES-256.
Encryption in transit — All communications between the app and our servers use HTTPS.
Access controls — Production data is accessible only to a limited number of authorized personnel and via service accounts with least-privilege scopes.
No password storage — Authentication is handled by Firebase; we never see or store your password.
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you in accordance with applicable law.
8. International Transfers
We are based in the United States and operate the Service from the United States. Our service providers may process your information in other jurisdictions where they operate. The Service is intended only for users in the United States.
9. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via in-app notice or email at least 30 days before they take effect.
10. Contact
Questions about this Privacy Policy or your personal information:
SHINDIG SOCIAL LLC
Email: admin@shindigsocial.com
