Bubble

Privacy Policy

Last updated: May 23, 2026

This Privacy Policy explains how Bubble Connect Ltd(“Bubble,” “we,” “us”) collects, uses, shares, and protects information when you use the Bubble mobile and web applications, websites, and related services (the “Service”). By using the Service, you agree to the practices described here.

1. Information We Collect

Information you provide

  • Account & profile: name, email, date of birth, profile photo, bio, interests, profession, current city and home city, and other information you choose to add.
  • Content: Bubbles you create or join, posts, comments, reactions, events, RSVPs, and direct messages.
  • Identity verification (selfie & biometric data): if you choose to verify your identity, we collect a short selfie video and reference image and process biometric facial data to confirm you are a real person and that you match your profile photo. See Section 5 (Identity Verification) for details.
  • Communications: messages you send to us (e.g., support requests, reports of other users or content).
  • Waitlist & referrals: email and referral information you submit to the waitlist.

Information collected automatically

  • Device & usage: device type, OS, app version, IP address, identifiers, crash logs, and how you interact with the Service.
  • Location: approximate location (from IP) and, with your permission, precise location to power discovery, maps, and nearby events.
  • Cookies & similar technologies: on the web, we use cookies and similar technologies for authentication, preferences, and analytics.

Information from third parties

  • Sign-in providers (Apple, Google) when you choose to use them — we receive your name, email, and a stable user identifier;
  • Identity verification provider (Amazon Web Services — Rekognition Face Liveness and CompareFaces) returns liveness confidence and face-similarity scores;
  • Analytics, crash-reporting, and infrastructure providers (e.g., Sentry, Vercel Analytics);
  • Payment processors, if you make a purchase.

2. How We Use Information

  • Provide, operate, and improve the Service, including personalized recommendations and search;
  • Authenticate accounts, enable messaging, and deliver push notifications;
  • Show you nearby Bubbles, events, and people, based on your location and interests;
  • Maintain trust and safety: detect and prevent fraud, abuse, harassment, and violations of our Terms or Community Guidelines;
  • Communicate with you about updates, security, and (where you have opted in) marketing;
  • Comply with legal obligations and enforce our agreements.

3. Legal Bases (UK/EEA Users)

Where the UK GDPR or EU GDPR applies, we rely on the following legal bases: performance of a contract (to provide the Service), legitimate interests (to operate, secure, and improve the Service), consent (e.g., for precise location, marketing emails, or certain cookies), and compliance with legal obligations.

4. How Information Is Shared

  • With other members: your profile and the content you post in Bubbles and events are visible to other members according to the visibility you choose (e.g., public, private, invite-only).
  • Service providers: we share information with vendors that process it on our behalf, under contractual confidentiality and security obligations. These include:
    • Hosting & infrastructure: Railway (backend), Vercel (web).
    • Database & file storage: Supabase (Postgres + image storage).
    • Identity verification: Amazon Web Services (Rekognition Face Liveness, Rekognition CompareFaces, S3) — see Section 5.
    • Transactional email: Brevo (signup confirmation, password resets, system notifications).
    • Push notifications: Expo Push Service (which in turn uses Apple APNs and Google FCM to deliver notifications to your device).
    • Authentication providers: Apple Sign-In, Google Sign-In (when you choose those sign-in methods).
    • Crash & error reporting: Sentry.
    • Analytics: Vercel Analytics (web).
    • Maps & place data: Google Maps Platform, Foursquare.
  • Legal & safety: when we believe disclosure is reasonably necessary to comply with law, enforce our Terms, or protect the rights, safety, or property of Bubble, our members, or others.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to appropriate confidentiality protections.

We do not sell your personal information, and we do not share it with advertisers.

5. Identity Verification (Selfie & Biometric Data)

Bubble offers an optional selfie verification feature that helps confirm members are real people who match their profile photo. This section explains how that works and what we do with the biometric data involved.

What we collect

  • A short selfie video and one or more reference frames captured during a liveness check on your device;
  • Liveness-confidence and face-similarity scores returned by our verification provider;
  • The decision outcome (auto-approved, auto-rejected, pending manual review, manually approved/rejected) and, where applicable, the rejection reason and reviewer notes.

How we process it

Selfie video and images are processed by Amazon Web Services (AWS) Rekognition Face Liveness to detect spoofing and confirm a live person is present, and by AWS Rekognition CompareFaces to compare the selfie to the profile photo you provided. AWS processes the data as our service provider; we do not share verification data with third parties for any purpose other than performing the verification.

Where it is stored

Reference selfie images are stored on Supabase (our database/storage provider) in a private bucket, behind short-lived signed URLs. Similarity scores, liveness scores, and decision records are stored alongside your account in our database.

How long we keep it

Selfie images and the underlying biometric data are retained for up to 30 days after the final verification decision, then automatically deleted by a scheduled job. We retain the decision outcome (approved / rejected) and the verification badge state for as long as your account is active, so other members can see that you are verified without us needing to re-process biometric data.

Your choice and lawful basis

Selfie verification is optional. You can use Bubble without verifying. If you do verify, our lawful basis under UK/EU GDPR is your explicit consent (for processing biometric data for identification) and our legitimate interest in maintaining trust and safety on the platform. You may withdraw consent at any time by contacting admin@joinbubble.io; we will delete your selfie and biometric records and remove any verification badge from your profile.

6. Data Retention

We retain personal information for as long as your account is active and as needed to provide the Service. Specific retention periods include:

  • Selfie images and biometric data: up to 30 days after the verification decision, then deleted (see Section 5).
  • Account & content: retained while your account is active; deleted on account deletion, subject to limited exceptions for legal, safety, and fraud-prevention purposes.
  • Backups: deleted on a rolling schedule.

You can delete your account and associated data at any time from the app (Settings → Delete account) or on our account deletion page.

We may retain certain information after account deletion to comply with legal obligations, prevent fraud, resolve disputes, and enforce our agreements.

7. Your Rights and Choices

Depending on where you live, you may have rights to:

  • Access, correct, or delete your personal information;
  • Object to or restrict certain processing;
  • Port your information to another service;
  • Withdraw consent (where processing is based on consent);
  • Lodge a complaint with your local data protection authority (in the UK, the ICO).

You can manage many preferences directly in the app (privacy settings, notifications, location). To exercise other rights, contact admin@joinbubble.io.

8. Security

We use technical and organizational measures to protect your information, including encryption in transit, access controls, and monitoring. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. International Transfers

We are based in the United Kingdom and may transfer, store, and process information in other countries, including those that may not provide the same level of protection as your own. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for international transfers.

10. Children

The Service is intended for users 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, contact us and we will take appropriate steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice (e.g., in-app or by email). The “Last updated” date at the top of this page indicates when it was last revised.

12. Contact

For privacy questions or to exercise your rights, contact us at admin@joinbubble.io.

Data controller: Bubble Connect Ltd.

Questions? Contact us at admin@joinbubble.io.