Privacy Policy

This Privacy Policy ("Policy") describes how Njofa Group Inc., a corporation registered in Canada and the publisher of the Fanbula mobile application ("Fanbula," "we," "us," or "our"), collects, uses, discloses, retains, and protects information about you when you create an account, host or attend an in-person gathering, exchange messages, upload media, or otherwise interact with the Fanbula mobile application and any associated websites, application programming interfaces, support channels, or related services (collectively, the "Service").

Fanbula is a social application that helps adults over the age of eighteen organize and attend in-person watch gatherings tied to live sporting events, matches, and tournaments.

This Policy applies to all users located in the United States and Canada. By installing, registering for, or otherwise using the Service, you acknowledge that you have read this Policy and understand how your information is processed.

The entity responsible for processing your personal information through the Service is Njofa Group Inc., a corporation registered in Canada with its registered office at 9 Royalcrest Road, Etobicoke, Ontario M9V 2L6, Canada. Njofa Group Inc. publishes the Fanbula mobile application.

Reach our privacy team at privacy@fanbula.app. For support: support@fanbula.app. For copyright complaints: dmca@fanbula.app. For account-action appeals: appeals@fanbula.app.

Identifiers: display name, email address, internal account identifier, device installation identifier, IP address (security/abuse), session token.

Customer records: salted bcrypt password hash, contact preferences.

Protected classification characteristics: date of birth (solely to verify the 18+ eligibility requirement).

Commercial information: none — the Service is free.

Internet/network activity: APNs/FCM push tokens, in-app event logs (debugging), crash reports, session timing.

Geolocation: coarse (~1 km or coarser) only — never precise GPS, never background-tracked.

Sensory: photos/audio/video you voluntarily upload (avatar, chat attachments).

Inferences: limited non-sensitive inferences to surface nearby parties / relevant tournaments. No advertising profiles.

We do not collect SIN/SSN, driver's licence, passport, or other government IDs. We do not collect financial account numbers or payment card data. We do not collect precise geolocation. We do not collect racial/ethnic origin, religion, sexual orientation, health, genetic, or biometric data.

Delivering the Service (show gatherings near you, host/RSVP, deliver chat).

Authenticating you (sessions, OAuth lookup).

Sending notifications you have opted in to.

Trust, safety, and moderation (investigating violations, removing unlawful content).

Legal/regulatory compliance (subpoenas, statutory obligations).

Improving the Service (aggregated, de-identified usage analytics).

We collect a coarse geolocation signal accurate to approximately one kilometer or coarser — derived either from the OS "approximate location" permission or from a city/region you type into your profile. We do not access your location when the app is not running in the foreground. We do not sell, license, or transfer location data to data brokers.

When you enable notifications, we store the opaque device token APNs (Apple) or FCM (Google) issued, routed through the Expo push service. The token is used only to dispatch notifications you have opted in to and is removed when you sign out, uninstall, or delete your account.

Expo, APNs (Apple), FCM (Google): we transmit the device push token and notification payload to deliver pushes you opted in to.

Google Maps Platform: when you view a map, your device requests map tiles from Google.

TheSportsDB: read-only fetch for match metadata; no personal data shared.

Soketi / Laravel Reverb: self-hosted real-time messaging layer; no third-party processor.

Chatwoot: support conversations; bound by a data-processing agreement.

Identity providers (Google, Apple) when you sign in through them.

Legal recipients: lawful subpoena/court order/government request, fraud-prevention, merger/acquisition (with successor bound by this Policy).

Account profile: while active, plus the wipe + backup-purge windows (Section 11). Chat messages and attachments: 90 days after gathering end; backups purged within 35 days thereafter.

RSVPs: 1 year after the gathering ends. Push tokens: until invalidated. Server access logs: 90 days live + up to 13 months cold archival for incident response.

Support conversations: 24 months after the last message.

Canadian residents have rights under PIPEDA and applicable provincial statutes (including Quebec's Law 25, BC PIPA, Alberta PIPA): access, correction, portability, withdrawal of consent, de-indexation (Quebec), incident-notification rights.

California residents have CCPA/CPRA rights: know, delete, correct, opt-out of sale/sharing for cross-context behavioral advertising, limit use of sensitive personal information, non-discrimination.

WE DO NOT SELL PERSONAL INFORMATION AND WE DO NOT SHARE PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.

To exercise any right, email privacy@fanbula.app. We respond within 30 days (PIPEDA / Law 25) or 45 days (CCPA / CPRA).

You may delete your account in-app (Settings → Account → Delete my account) or via the web form at /delete-account.

Within 24 hours of confirmation, your account is removed from active production systems (profile hidden, RSVPs withdrawn, messages tombstoned, push tokens revoked, credentials invalidated).

Within 35 days, all backup and disaster-recovery copies are cycled out and purged.

If you signed up with Apple, we additionally call Apple's token-revocation endpoint to invalidate the refresh token associated with your account.

The Service is intended exclusively for individuals 18 years of age or older. There are no exceptions, including no parental-consent pathway.

Because we do not direct the Service to children under 13, COPPA is not applicable.

If we learn that an account belongs to a person under 18, we will suspend the account immediately and delete any personal information associated with it.

Njofa Group Inc. is a Canadian corporation. Fanbula's production infrastructure is operated from Canadian and U.S. data centres, and certain sub-processors operate from the United States. For users in Canada, including Quebec, cross-border transfers comply with PIPEDA and Quebec's Law 25 — including a privacy impact assessment (Law 25 §17) and contractual safeguards (typically standard contractual clauses).

TLS 1.2+ in transit; AES-256 at rest; bcrypt for passwords; role-based access control with MFA for internal access; periodic penetration testing.

Breach notification: in the event of a personal-information breach with risk of serious harm, we notify affected users and regulators within the timelines required by applicable law.

We may revise this Policy from time to time. The current version is identified by the "Last Updated" date displayed at the top of the document and is always available within the application and on this page.

For material changes, we provide at least 30 days' advance notice through an in-app banner, push notification, or email.

Contact privacy@fanbula.app or write to: Njofa Group Inc., Attn: Privacy Office (Fanbula), 9 Royalcrest Road, Etobicoke, Ontario M9V 2L6, Canada.

Canadian residents may complain to the Office of the Privacy Commissioner of Canada or the provincial equivalent (CAI for Quebec, BC/Alberta IPC for those provinces). California residents may contact the California Privacy Protection Agency or the California Attorney General.