1. Introduction

At Play Safe, your privacy is a big deal to us. Actually, it's kind of the whole point. We built this app so that you can keep track of your sexual health without worrying about who else might see your data.

This policy explains exactly what data we collect (spoiler: very little), what stays on your device (spoiler: almost everything), and what your rights are.

2. Your data stays on your device

Here's the most important thing: your personal data is stored on your device and is not stored on our servers.

This includes:

  • Your profile information (sex, risk tolerance)
  • Your sexual activity logs (partners, encounters, protection used)
  • Your STI test results
  • Your safety score and risk calculations
  • Your partner information

We don't have access to this data. We can't see it, we can't read it, and we definitely can't sell it. It lives on your phone and nowhere else.

If you delete the app, this data is deleted with it. There's no cloud backup, no account to log into, and no way for us to recover it.

There are some exceptions where limited data may leave your device in order to operate specific features. These are described in the sections below: anonymous usage analytics, anonymous STI notifications, partner linking, events, premium purchases, and support conversations. None of this data contains personally identifiable health information.

3. Anonymous usage analytics

We collect anonymous usage data to understand how people use Play Safe so we can keep improving it. Think of it like knowing that "lots of people use the safety score feature" without knowing who uses it.

What we collect

We use a service called PostHog to collect anonymous analytics. PostHog data is stored on EU servers. For more details, see PostHog's Privacy Policy. Here's what we collect:

  • Feature usage events: for example, that someone started the onboarding flow, viewed the premium page, or completed a purchase. These events don't contain any personal health data.
  • Anonymous properties: general attributes like your sex, approximate number of past partners, risk tolerance level, and whether you have premium. These help us understand our user base in aggregate. They are not tied to your name, email, or any identifying information.
  • Crash reports: if the app crashes, an anonymous error report may be sent to PostHog. This includes technical information about the error (such as the type of error and where it occurred in the code) but does not contain any personal or health data.

What we don't collect

We never collect:

  • Your name, email, or phone number through analytics
  • Personally identifiable details about your sexual activity, partners, or test results (we may collect anonymous, aggregate statistics such as feature usage counts)
  • Your precise location
  • Any data that could identify you personally

You can opt out

During the app setup, you're given the option to opt out of anonymous usage data collection. You can also change this in the app settings at any time. If you opt out, no analytics data is sent from your device.

4. Anonymous STI notifications

Play Safe offers a feature that lets you anonymously notify past partners if you test positive for an STI. This is entirely optional and helps people take care of their health.

What data is involved

When you use this feature:

  • The phone number you enter for the recipient is sent to our server to deliver the notification.
  • The notification does not reveal your identity to the recipient.
  • We may record your IP address and other metadata when you use this service.

Why we keep this data

We take misuse of this feature seriously. Using a messaging service to harass or threaten someone is a criminal offence in many jurisdictions. If potential misuse is reported to the police by a recipient, we may cooperate with a law enforcement investigation and provide recorded data (including IP addresses).

Recipient opt-out

Anyone who receives an anonymous notification can opt out of future messages by visiting playsafeapp.com/stop. To ensure they never receive another anonymous notification, we store their email address and/or phone number on our server. This information is used solely for the purpose of honoring the opt-out request and is not used for any other purpose.

5. Partner linking

Play Safe offers an optional feature that lets you link with a partner so each of your safety scores reflects the other. Linking is end-to-end encrypted: the secret used to read your shared data exists only on the two paired phones, never on our servers.

What gets shared with a linked partner

  • Your per-STI risk values (the safety-score inputs) at the points in time that matter for the math.
  • The dates and per-STI results of your STI tests.
  • The sexual encounters you log against this specific partner (date, acts, protection use).

What is never shared

  • Encounters with other partners, their identities, or anything they shared with you.
  • Your name, contact information, or any account identifier (Play Safe has no accounts).

How the data travels

Play Safe uses a small relay server so the two of you don't have to be online at the same time. Before anything leaves your phone, it is encrypted with a secret that only the two paired devices share. Specifically:

  • Play Safe (the company) cannot read it.
  • Your internet provider cannot read it.
  • The relay server cannot read it.
  • If the server were ever hacked or seized, the data would still be unreadable.

The pairing link itself (the QR code or the link you share with your partner) contains that secret. It never gets sent to the server in any request; it has to travel only between the two of you.

You can disconnect at any time

Tapping Unlink on either device removes the encrypted data from the relay. The history that was already synced to your device stays so your safety score doesn't change unexpectedly.

6. Events

Play Safe offers an optional event management feature that lets organisers set a safety bar for an event and connect attendees via a privacy-preserving relay. If anyone later tests positive, attendees receive a generic out-of-band nudge to open the app; the actual health detail is only ever visible inside the app, end-to-end encrypted.

What is stored on our servers

  • Event records: when a manager creates an event, we store the event ID, a proof hash derived from the manager's event key (used to authenticate manager-only operations), the event's start date and notification window, and the sealed manager contact (described below).
  • Manager contact (sealed): the manager's email address, phone number, and/or push notification token are encrypted using a public key whose corresponding private key exists only in our server environment. This sealed contact is stored in the event record and is used solely to send the manager a contentless wake-up push when a participant reports a positive test result. The server decrypts it transiently for this purpose.
  • Push notification tokens: if you choose to enable push notifications, your device's Firebase Cloud Messaging (FCM) token may be included in the contact information described above. FCM is provided by Google; see Firebase's Privacy Policy.
  • Relay slot metadata: each admitted participant's relay slot is recorded on the server (a slot ID and a proof hash). This is the same relay infrastructure used for partner linking; the slot ID is an opaque UUID and the proof hash reveals nothing about the participant's identity or health.

What is never stored on our servers

  • Participant contact information: a participant's email, phone, and/or push token are wrapped in a doubly-encrypted blob that only the manager and the server together can open, and only transiently at fan-out time. The blob is stored on the manager's device, not on ours. It is sent to us only when the manager triggers a notification, at which point we peel it, send the nudge, and discard the contact. We never write it to a database.
  • Health data: STI test results, exposure details, and any name or description included in a positive report travel exclusively as end-to-end encrypted messages inside the relay. The server cannot read relay message content.
  • Safety scores or admission decisions: the safety check at the door happens entirely on the manager's device. No score, risk value, or admission outcome is ever sent to us.

What outbound messages contain

All outbound messages triggered by this feature (push notifications, emails, and SMS) are contentless nudges. They contain no health information, no STI names, and no personally identifiable data. Their only content is a generic prompt to open Play Safe, for example: "There is an important health notification waiting for you in Play Safe." The health detail is only ever shown inside the app after the device fetches and decrypts the relay message.

How long we keep this data

Event records and associated relay slots are deleted when the manager deletes the event from within the app. You can also request deletion of all server-side data via the Privacy settings in the app.

7. Premium purchases

Play Safe offers optional premium features available through in-app purchases. These purchases are processed by Apple (on iOS) or Google (on Android) through their respective app stores, and managed by a service called RevenueCat.

We do not directly process your payment information. RevenueCat may collect:

  • Transaction data (purchase date, product, price)
  • Anonymous device identifiers for purchase verification

For more details, see RevenueCat's Privacy Policy.

8. Support & feedback

If you contact us for support, we use Intercom to manage support conversations. Any information you voluntarily share in a support ticket (such as your name, email, or description of an issue, device type, etc) is processed by Intercom.

We only use this information to help you with your issue. For more details, see Intercom's Privacy Policy.

9. Your rights under GDPR

If you're in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

  • Right to access: You can ask us what data we have about you. For most data, the answer is "none" since it's all on your device.
  • Right to correction: You can correct any inaccurate data. For on-device data, you can do this directly in the app.
  • Right to deletion: You can delete your on-device data by deleting the app. For analytics data, you can contact us and we'll delete any anonymous data associated with your device identifier.
  • Right to object: You can opt out of analytics data collection at any time in the app settings.
  • Right to data portability: Since your data is stored locally, you already have full access to it.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

10. Age requirements

Play Safe is not intended for anyone under the age of 18. We do not knowingly collect data from users under 18. If we learn that we have inadvertently collected data from someone under 18, we will take steps to delete it promptly.

11. Changes to this policy

We may update this privacy policy from time to time. If we make significant changes, we'll let you know through the app or on our website. We encourage you to review this page periodically.

12. Contact us

If you have any questions about this privacy policy or how we handle your data, reach out to us:

Email: privacy@playsafeapp.com