Privacy Policy

Last Updated: March 8, 2026

Karass ("we," "our," or "us") operates the Karass mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

By using the App, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Information You Provide Directly

• Email address (used for account authentication and password recovery)
• Username (displayed within the App to other members)
• Password (stored securely via Firebase Authentication; we never have access to your plaintext password)
• Twitter/X handle (optional, provided during account creation)
• GitHub handle (optional, collected if you sign in via GitHub)

Information Collected Through Third-Party Authentication

If you choose to sign in using Apple, Twitter/X, or GitHub, we receive your public profile display name, provider-specific user ID, and email address (if available from the provider). Apple may provide a private relay email address. We do not receive or store your passwords from these third-party services.

Information Collected Automatically

• Device push notification token (used solely to deliver push notifications)
• Member number (a sequential identifier assigned within the network)
• Bluetooth beacon interactions (see Section 3)

Information We Do NOT Collect

• Precise location or GPS data
• Contacts or address book
• Photos, camera, or microphone data
• Browsing history
• Financial or payment information
• Device identifiers for advertising purposes
• Analytics or tracking data

2. How We Use Your Information

• Create and manage your account
• Authenticate your identity when you sign in
• Send push notifications about announcements and account status (with your permission)
• Display your username to other members within the App
• Enable the Bluetooth beacon discovery feature
• Provide password reset functionality via email
• Fulfill data export requests
• Enforce rate limits to prevent abuse
• Respond to support inquiries

3. Bluetooth and Beacon Functionality

Scanning: The App scans for nearby Karass beacon signals using a unique service UUID. It does not scan for or interact with any non-Karass Bluetooth devices.

Broadcasting: When a designated "Beacon" user activates broadcasting, the App advertises a BLE signal containing only a truncated, irreversible cryptographic hash derived from the user's username. No personally identifiable information is transmitted over Bluetooth.

No location tracking: Bluetooth is used solely for proximity detection between devices. We do not derive, infer, store, or transmit any location data from Bluetooth interactions.

Data retention: Detected beacon identifiers are stored only in device memory during an active scan session and are cleared when scanning stops. They are not transmitted to our servers.

4. Data Storage and Security

Account data is stored in Google Cloud Firestore, hosted in the United States. Authentication is managed by Firebase Authentication using industry-standard encryption. All communication between the App and our servers occurs over HTTPS/TLS encrypted connections.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties.

We may share your information only with service providers (Google Firebase for infrastructure), when required by law, or to protect safety. Your username is visible to other authenticated members. Your email, Twitter handle, and GitHub handle are not shared with other users.

6. Your Rights and Choices

Data Export: You can request a copy of all your data at any time through the App menu ("Request My Data"). This generates a JSON file you can save or share.

Account Deletion: You can permanently delete your account and all associated data at any time through the App menu ("Delete Account"). This deletes your user profile, announcements, beacon records, rate limit records, and Firebase Authentication account. Deletion is irreversible.

Push Notifications: Disable at any time through your device's Settings.

Bluetooth: Disable at any time through your device's Settings.

7. Data Retention

Active accounts: data retained while the account is active. Deleted accounts: all data permanently deleted immediately. Rate limit records: old timestamps pruned automatically. Announcements: expire based on administrator-set dates.

8. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect personal information from children under 13. Contact us at hq@karass.xyz if you believe a child has provided us with personal information.

9. Third-Party Services

• Firebase Authentication (Google) — account management
• Cloud Firestore (Google) — data storage
• Firebase Cloud Messaging (Google) — push notifications
• Sign in with Apple (optional) — third-party sign-in
• Twitter/X OAuth (optional) — third-party sign-in
• GitHub OAuth (optional) — third-party sign-in

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy within the App. Continued use constitutes acceptance.

11. Contact Us

Email: hq@karass.xyz