Short version. PassportBro is an iOS app for men researching moving abroad, with a sign-in-required community for crossing paths with other travelers.
Research (quiz, shortlist, trips, compare, ground reports): everything you enter stays on your device. No server for this part.
Community (profile, chat, presence, DMs, push): requires an account. You sign in with Apple or email. We store the minimum we need to run the product — your profile, your photos, the messages you send, and preferences you configure — all scoped to your account and deletable in one tap.
We collect no tracking data, run no analytics SDKs, and don't sell or share data with advertisers.
What data is handled
1. Device-only data (research side)
When you complete the in-app quiz and use the research features, the app stores the following on your device only (using iOS's standard local storage, AsyncStorage):
Your age bracket, dating goal, monthly budget, self-rated looks, height, body type
Any trips you declare — country, month, status (planning / booked / went), and any private note you type
A local timestamp marking when you completed the quiz
This information is used only on your device to rank the countries shown in the app and to show your own planned trips back to you. It is never sent off your device.
2. Account + profile data (server-stored)
To use the community side of the app — profile, chat, presence, DMs, push notifications — you sign in with Apple or email. From that point on our server stores:
An account record managed by Supabase Auth. It contains an internal user ID (UUID), a refresh token, and one of:
If you chose Sign in with Apple: an Apple-issued identifier. Apple optionally shares your email (or a @privaterelay.appleid.com forwarding address if you chose "Hide My Email") and optionally your name — you control both in the Apple sheet. We never see your Apple password.
If you chose Email + password signup: the email address you entered and a salted password hash managed by Supabase Auth. We never see your plaintext password.
Profile content you write during setup and editing: a display name, age range bucket (25-29, 30-34, …), home country, up to 3 target countries you're thinking about moving to, a short bio (up to 280 characters), and a traveler status (dreamer / planning / on_ground / settled).
1–5 profile photos you choose to upload. Each photo goes through automated moderation (see "Third-party services" below) and a human reviewer can see reported photos.
A legacy 4-character handle (e.g. K7X9), if your account was created before we launched identity-based auth. New accounts don't need one.
City-level presence if you opt in from the Community tab — the country and city slug you declare (never street-level or GPS), plus a last_seen timestamp that bumps about once a minute while the app is foregrounded. You can clear it any time with the "Disappear" button; rows also auto-age-out after 14 days of inactivity.
Messages you send in country group chats, city chats, and 1:1 DMs, plus DM request/accept metadata. Every message is attributed to the sender's user ID and has a timestamp.
Consent timestamps for when you accepted the EULA and community guidelines. Apple requires this for user-generated-content apps.
Reports you file against other users or messages (the target's user ID, the message ID if any, and the free-text reason you typed).
An Apple push notification token, stored only if you grant the iOS push permission prompt. Used to deliver notifications for overlaps, DMs, and arrivals. Removed automatically when Apple signals the token is no longer valid, or when you delete your account.
Per-notification-kind mute preferences and a quiet-hours window, if you set them in Settings → Notifications. The quiet-hours record stores the start hour, end hour, and the IANA timezone name captured from your device at save time.
Moderation state: a strike counter and a shadowban flag that increment if your photos or messages repeatedly violate the guidelines. This exists to keep the community safe and is not visible to other users directly.
All account and profile data is transmitted over HTTPS to our Supabase project (hosted in the United States) and persisted in a PostgreSQL database. Row-Level Security policies are enforced per table — you can read public content and only the DMs you're part of; you can update or delete only your own rows.
We do not collect:
Government ID, phone number, or payment information (the app is free)
Precise location (no GPS, no IP-based geolocation beyond what any server request reveals for routing)
Contacts, calendar, microphone, health data, or any iOS permission the app doesn't visibly ask for
Your photo library — we only see the single photos you explicitly pick in the photo picker
3. Automatic request metadata
Like any HTTPS service, our server sees standard request metadata: a source IP address and a User-Agent string on each request. This is used for rate limiting, abuse detection, and normal network routing — it is not used for analytics and is not sold or shared.
Third-party services
Supabase (authentication + database + realtime + storage + edge functions): all server-side state lives in a Supabase project in the United States. supabase.com/privacy.
Apple (App Store, Sign in with Apple, APNs push delivery): Apple's privacy policy applies to your use of the App Store, to Sign in with Apple (if you chose it), and to push delivery. We send the display text of each notification to Apple so they can deliver it to your device; Apple does not retain message bodies after delivery.
Expo (push relay to APNs): we send notifications through Expo's push service, which forwards to APNs. Expo sees the notification payload in transit but does not persist it. expo.dev/privacy.
OpenAI Moderation API: receives message text at send time to flag harassment / threats / hateful content. No user identifiers are attached to the request. Responses are not persisted by OpenAI beyond standard abuse monitoring on their side. openai.com/policies/privacy-policy.
Sightengine (photo moderation): when you upload a profile photo, we send the photo URL to Sightengine's classifier to check for nudity, violence, weapons, and scams. The classifier returns labels and a verdict; we persist the labels for audit. sightengine.com/policies/privacy.
Unsplash (country hero photos): when the app displays a country image, it loads the image from Unsplash's CDN. No user data is sent to Unsplash. unsplash.com/privacy.
We do not use:
Google Analytics, Firebase, Mixpanel, PostHog, Amplitude, Segment, or any other analytics SDK
Any advertising SDK or attribution network
Any cross-app or cross-website tracking technology
Cookies beyond the ones inherent to the hosting provider of this policy page
Community content and moderation
Country group chats and city chats are visible to any signed-in user who opens the relevant chat. Direct messages are private between the two participants — we do not read them as a matter of routine. However, if you report a message or conversation, the moderation team can open that message or thread to review it against the community guidelines.
We may remove content, hide profiles via shadowban, and disable accounts that violate the guidelines. Reports contain only what you typed plus internal IDs and are reviewed by a small moderation team. Repeated violations increment a strike count on the offending account.
Children
PassportBro is not directed at children and is rated 17+ on the App Store. We do not knowingly collect information from anyone under 17. Account creation affirms you meet that age gate. If you believe a minor has created an account, email us and we'll delete it within 24 hours.
Data retention & deletion
Device data. Quiz answers, shortlist, and trips stay on your device until you:
Tap "Reset everything" in the Profile tab, OR
Uninstall the app
Either action permanently erases every piece of research data on the device. Since the research side has no server component, there is nothing for us to delete on our side.
Account data. Your profile, photos, messages, DMs, presence state, push token, preferences, and filed reports stay on our server until you:
Tap "Delete account" in the Profile tab, which calls our server-side delete RPC. Postgres cascade deletes propagate to every message you've posted, every DM thread you were part of (along with the messages in it), your profile row, every profile photo you uploaded, every push token you registered, your notification preferences, your quiet-hours setting, and the reports you filed.
Or email the address below and ask for a manual deletion.
Deletion is immediate from the application's perspective. Database backups may retain deleted rows for up to 30 days as part of Supabase's standard backup rotation before they are also purged.
Your rights
Because the research side has no server component, there is nothing for us to "port" or "delete" for you there — uninstalling the app is the equivalent.
For the community side, you may:
Access what's stored: everything on the server about you is visible to you in-app. If you want a machine-readable export, email us.
Correct your profile: edit display name, bio, photos, age range, home country, target countries, and status from the Profile tab.
Delete your account and all associated data: "Delete account" in the Profile tab.
Withdraw consent: deleting the account withdraws all consent for server-side processing going forward.
Residents of the EU/EEA, UK, California, and other jurisdictions with data-protection laws have these rights whether they appear in this policy or not — this policy is just the plain-English version.
Changes to this policy
If we ever materially change how the app handles data, we will update this policy and show you the change inside the app before the new behavior takes effect. Any new data collection would be opt-in.