Privacy Policy
Last updated: May 1, 2026 · Effective immediately
1. Introduction
Candao (the "App," "we," "us") provides a location-aware platform
where people connect, book stays, hire freelancers, and now collaborate
around shared projects through the Build Together
surface (Crews, Multirole, Brand Campaigns).
This Privacy Policy describes what data we collect, why we collect
it, how we store and share it, and what choices you have. We comply with
the General Data Protection Regulation (GDPR), the California Consumer
Privacy Act (CCPA), and Apple's App Store Review Guideline 5.1
(Privacy).
For privacy-related questions or data requests, contact us at
privacy@candao.io.
2. What we collect
- Email address (and password hash, never the cleartext password)
- Display name and username
- Profile photo (optional)
- Bio, roles you can contribute as ("I can contribute as"), roles
you're looking for ("I'm looking for"), activities you're open to
- Phone number (optional, only when you choose to verify)
- Authentication credentials when you sign in via Apple, Google, or
Facebook
- Precise location when you are "Live" or actively
using location-aware features (Map, Nearby, project pins). Used to
render nearby people, places, and projects.
- Approximate location otherwise. Used for
content-region defaults and discovery fallbacks.
- Location may be used in the background to detect when you leave a
"Live" venue and to maintain Live accuracy. You can disable this in iOS
Settings → Privacy → Location Services.
2.3 Build Together data (NEW — v1.4)
When you use the Build Together surface, we collect:
- Project metadata you publish (title, description,
stage, benefit, reward expectation, optional location and venue, role
definitions and per-role offers, sponsored/campaign metadata if
applicable).
- Engagement state — your Follow / "I'd use this" /
"I want to test" toggles per project. We aggregate these into public
counts (e.g. "12 people follow this") but the underlying per-user toggle
is private to you and the project owner.
- Membership — when you join a crew as a role: your
commitmentType, commitmentAmount,
availability, presencePref, and the
introMessage you sent the host. The intro message is
visible to the crew owner and members of your role; it is not shown
publicly.
- Crew chat messages — text content of messages you
send in crew discussions. Messages are visible to all active members of
that crew. No image, voice, or file attachments in v1.4.
- Referral attribution — when you open Candao via a
candao.io/p/{id}?ref={user} Universal Link, we record that
the referring user shared a link to you in our referrals
table. This is used to attribute future engagement (joins, bookings)
back to the sharer for community-credit purposes. Phase 2 will introduce
monetary referral payouts; v1.4 records the relationship without paying
anything.
- Last-read state — a single counter per (you ×
project) tracking the chat-message count you have already seen, for
unread-badge math. Not shared with anyone.
2.4 Marketplace data
- Listings you create or save, proposals you make, reviews you write
or receive, bookings, conversations with other users, and meeting
requests.
2.5 User-generated content reports (NEW — v1.4)
When you tap Report on any user-generated content (a
chat message, a project, another user's profile), we collect:
- The reason you selected (one of: spam, harassment, hate speech,
scam, inappropriate, other).
- An optional free-form detail (max 280 characters).
- The content kind and content id you reported.
- Your user id and a timestamp.
This data is stored in our content_reports table for
moderation. You are not told who reported you, and reported
users are not told who reported them.
- Device type, OS version, app version, push token (for
notifications)
- Crash reports and diagnostic logs
- Aggregated, non-identifying analytics about feature usage (Build
Together telemetry events covered in §6)
2.7 Wallet and payment data
We do not collect bank account or credit-card numbers in the v1.4
build. The token wallet (CDO / project-token balances) is referenced by
user id and stored in our PostgreSQL backend; v1.4 contains no payment
surface. If a future release introduces real payments (Stripe Connect,
in-app purchases, token transfers) we will update this policy and
require you to consent again before any new collection begins.
3. Why we collect it
| Purpose | Data used | Lawful basis (GDPR) |
| --- | --- | --- |
| Provide the core service (sign-in, profile, discovery, chat) | Account info, device info, location | Performance of contract |
| Render nearby people, places, and projects | Location, profile public fields | Performance of contract / consent |
| Match you to relevant crews and projects | Roles, lookingFor, openTo, location | Legitimate interest |
| Moderate UGC and protect users from abuse | Reports, chat content, profile content | Legitimate interest / legal obligation |
| Send push notifications (chat, meeting invites, project updates) | Push token, account id | Consent (you can opt out per-category in Settings) |
| Account-deletion cascade and audit trail | Account id, project membership | Legal obligation |
| Improve the product (aggregated analytics) | Telemetry events (§6) | Legitimate interest |
| Comply with law enforcement requests, fraud prevention | Whatever is requested with valid legal process | Legal obligation |
We do not sell your personal information. We do not
run third-party advertising in v1.4.
4. Storage
- Firebase (Google Cloud) — real-time data: chat
messages, push tokens, presence shells, file storage for profile photos.
Region: us-central1 for candao-mobile (with EU
read replicas for European users where available).
- PostgreSQL on Google Cloud Platform — canonical
user, project, role-membership, engagement, report, referral, and
listing data. Two regional clusters: candao-prod-us1
(United States) and candao-trading-eu1 (European Union). EU
traffic is served from EU; US and rest-of-world from US.
- All data in transit uses TLS 1.2 or higher. Data at
rest in Firebase and PostgreSQL is encrypted using cloud-provider
managed keys.
We retain data for as long as your account is active, plus the
cascade rules in §7.
5. Sharing
We share data with:
- Other users, where you have made it visible: public
profile, "Live" presence, project content you authored, chat messages
within crews you joined, reviews, public listings.
- Service providers: Google (Firebase + GCP), Apple
(Sign in with Apple, push notifications via APNs), Stripe (in Phase 2
only — not in v1.4), email providers for transactional mail. Each is
bound by data-processing agreements limiting use to providing the
contracted service.
- Law enforcement and legal recipients when compelled
by valid legal process or to protect against fraud or imminent
harm.
We do not sell personal information to advertisers or data
brokers.
6. User-generated content moderation (NEW — v1.4)
To meet App Store Review Guideline 1.2, we operate the following
moderation system on user-generated content (chat messages, projects,
profiles):
- Reporting: every UGC surface has a "..." menu with
a Report action. You pick a reason and optionally
explain in 280 characters. The report is recorded in
content_reports with your user id and a timestamp.
- Auto-hide threshold: when a single piece of content
is reported by 3 or more distinct users within a 24-hour
window, the content is automatically hidden from all surfaces
pending human moderator review. The author is notified that their
content is under review but is not told who reported it.
- Internal review SLA: our moderators commit to
reviewing every open report within 24 hours. Outcomes:
dismissed (false report), resolved with content soft-deleted, or
resolved with the author warned / suspended.
- Block: when you block another user, you (a) stop
receiving push notifications from them and (b) stop seeing their
messages in any feed where filtering is supported. Block is
one-directional — they are not told you blocked them.
- No retaliation: the reporter's identity is never
disclosed to the reported user. The reported user's identity is never
disclosed to other reporters.
Your reports are retained for 18 months for audit and
pattern-detection purposes, then deleted unless tied to an active
enforcement action.
7. Account deletion (NEW — v1.4 cascade)
You can permanently delete your account from Settings →
Privacy & Security → Delete Account. Deletion is
irreversible. The cascade runs as follows:
7.1 Personal data — deleted
- Your profile, email, password hash, push tokens, profile photo, bio,
and all account-only metadata are permanently deleted from PostgreSQL
and Firebase Authentication.
- Your private engagement state (Follow / "I'd use this" / "I want to
test" toggles) and your last-read counters are hard-deleted.
- Your private 1:1 conversations are removed from your account; the
other party retains their copy. (Standard messaging-app behavior — we
cannot delete from another user's device.)
7.2 Shared content — anonymized, not deleted
To preserve continuity of shared projects and crews:
- Projects you own that have at least one other
active crew member: ownership is transferred to that
member, ranked by join date. The project, its description, and its
history continue to exist; your name is no longer associated with
it.
- Projects you own with no other active members: the
project is archived (hidden from feeds) but not
destroyed, preserving the historical record. Your authorship is
anonymized.
- Your crew chat messages remain visible to the other
crew members. The sender name is replaced with "Former
member" and the avatar is removed. Message content is preserved
because deleting it would destroy other members' shared discussion
context.
- Your reports in content_reports are retained (so
moderation isn't disrupted), but your reporter id is anonymized to the
placeholder user.
- Reviews you wrote or received are anonymized in the
same fashion.
7.3 Audit trail
- An anonymized "deletion completed" record is retained in our
internal audit log for 6 months so we can verify
cascade correctness in case of dispute. The audit record contains no
personal identifiers beyond the anonymized user-id placeholder.
If you require full erasure of message content for
an exceptional legal reason (a GDPR Article 17 right-to-be-forgotten
request that goes beyond the standard cascade), email privacy@candao.io. We
handle these on a case-by-case basis. Standard cascade satisfies Article
17 for the overwhelming majority of users; exceptional erasure is
reserved for cases where retained content materially identifies you.
8. Referral attribution (NEW — v1.4)
When another Candao user shares a link to a project, crew, profile,
or meeting with you (via iMessage, WhatsApp, email, etc.), the link
includes a ?ref={their_user_id} query parameter — this is a
Universal Link that opens the Candao app or a web
preview at candao.io.
If you accept that referral by completing a state-changing action
within 7 days (joining the project, marking "I'd use
this," RSVP'ing to the meeting), we record a row in our
referrals table connecting you to the referring user. We
use this data to:
- Credit the referrer in community-leaderboard surfaces.
- Power Phase 2 referral-payout settlement (not active in v1.4 — no
money or tokens move yet).
- Detect fraud (e.g. self-referral via burner accounts).
You can opt out of referral tracking by emailing privacy@candao.io with your
account email and the request "remove my referral attributions." Opting
out does not affect your ability to use the app; it only removes
recorded links between you and people who shared content with you. A
future version of the App may surface an in-app toggle for this.
9. Push notifications
We send push notifications for chat messages, meeting requests,
project updates, and moderation actions. You can disable each category
individually in Settings → Notifications or block all
push from Candao in iOS Settings → Notifications → Candao.
10. Children
Candao is rated 18+ in the App Store and is not
intended for children under 18. We do not knowingly collect data from
users under 18. If we become aware that a user under 18 has registered,
we will delete the account.
11. Your rights (GDPR / CCPA)
You have the right to:
- Access the personal data we hold about you. Email
privacy@candao.io with your
account email; we respond within 30 days with a data export.
- Correct inaccurate data (most fields are editable
in your profile; otherwise email privacy@candao.io).
- Delete your account and trigger the cascade in
§7.
- Object to specific processing, including referral
tracking (§8).
- Lodge a complaint with your local data protection
authority. EU users: your supervisory authority is determined by your
member state. CCPA users: California Attorney General.
12. Changes to this policy
We will update this policy when we materially change how we handle
data. The "Last Updated" date at the top of this page reflects the most
recent change. Material changes are announced via in-app banner and (for
active accounts) email. Continued use of Candao after the effective date
of a change constitutes acceptance.