third is a local social discovery app. It helps you find and meet people who are physically nearby and open to connecting. This policy explains what information we collect, why we collect it, and how it is used.

1. Information You Provide

When you create a profile, we collect:

• Email address (used for account authentication)
• Name, date of birth, and gender
• A profile photo
• Intent (how you want to connect), interests, and a short bio

This information is used to build your profile card, which is shown to nearby users when you are open to chat.

2. Location Information

When you toggle "open," third accesses your device's GPS coordinates. Your location is used to:

• Show your profile card to people who are physically nearby (within the same venue or area)
• Identify the venue you are at using the Google Places API
• Determine the distance shown on your card to others

Your precise coordinates are never shown to other users — only a venue name and approximate distance. When you go offline, your location data is deleted from our servers immediately.

3. Waves

When you send a wave to another user, a record is created linking your account to theirs. Waves are used to deliver push notifications and to display your wave history within the app. Waves older than three days are automatically deleted, except for connections where both people have met in person.

4. Push Notifications

If you grant notification permission, we store a push token associated with your account. The token is used to deliver app notifications: when someone waves at you, when someone reveals their identity in response to your wave, and when another user becomes visible nearby. We do not use the token for marketing.

5. Reports and Blocks

When you report or block another user, a record is created for safety and moderation purposes. Reports may be reviewed by the third team to enforce community guidelines.

6. How We Store Your Data

third uses Supabase to store and manage your data. Profile photos are stored in Supabase's secure object storage. Data is stored in the United States. We use Supabase's built-in row-level security to ensure users can only access data they are permitted to see.

When you upload a profile photo, it is automatically scanned via Google Cloud Vision (face detection + safety filter) to confirm a face is present and that the image is not explicit. Photos that fail the check are deleted from storage immediately and never associated with your account. We do not retain any of the analysis output beyond the pass/fail result.

7. Third-Party Services

third uses the following third-party services:

• Supabase — database, authentication, file storage, and realtime
• Google Places API — venue identification based on your GPS coordinates
• Google Cloud Vision — automated face detection and content-safety check on profile photos
• Apple Push Notification Service / Firebase Cloud Messaging (via Expo) — push notification delivery
• Sentry — crash and error reporting; receives stack traces, breadcrumbs, and device metadata for diagnostics. Not used for marketing.
• Resend — transactional email delivery (password reset, email confirmation); processes recipient address and email content during delivery
• Cloudflare — DNS and hosting for our web pages (including this Privacy Policy)
• Google Workspace — receives and stores email sent to addresses on our domain (e.g., moderation report notifications)
• Ko-fi — optional tips and donations. We do not receive or store your payment information — all transactions are handled directly by Ko-fi.

Each of these services has its own privacy policy. We share only the minimum data necessary for each service to function.

8. Age Requirement

third is intended for users who are 18 years of age or older. We do not knowingly collect information from anyone under 18. If you believe a minor has created an account, please contact us and we will remove it promptly.

9. Your Rights

You may at any time:

• Edit or update your profile information within the app
• Go offline to immediately remove your location from our servers
• Delete your account and all associated data directly from the app (Me → Delete account) or via the web form at ethaninnovates.com/delete-account
• Reset your password from the sign-in screen ("Forgot password?")
• Contact us with any other request at

10. Data Retention

Location data is deleted when you go offline, or after 30 minutes of inactivity, whichever comes first.

Wave records persist while they are active in your inbox or outbox. When you unwave a wave you sent, it is deleted three days later. When you dismiss a wave you received, it is deleted three days later. Waves where both people have met in person are preserved indefinitely.

Profile data is retained until you delete your account. When you delete your account, your profile, photo, sent and received waves, and blocks are deleted immediately. Reports linked to your account (filed by you or against you) are anonymized rather than deleted: your account ID is removed from each report, but the report content (reason text, timestamp) is preserved for moderation purposes under our legitimate interest in preventing abuse.

If your account is suspended for violating these terms or our community guidelines, an irreversible cryptographic hash of your email address may be retained to prevent the same address from being used to re-register. The hash cannot be reversed to recover the original email, and the underlying email is not stored.

11. Additional Rights for EU, UK, and California Residents

If you are located in the European Economic Area (EEA), the United Kingdom, or California, you have additional rights regarding your personal information under applicable law (the General Data Protection Regulation, the UK GDPR, and the California Consumer Privacy Act respectively).

These rights include:

• Access — request a copy of the personal information we hold about you.
• Rectification — correct inaccurate or incomplete information.
• Erasure — request deletion of your personal information. This right is also available to all users via in-app deletion or the web form at ethaninnovates.com/delete-account.
• Portability — receive your personal information in a structured, machine-readable format.
• Object or restrict processing — limit how we process your data, except where we have a legal basis to continue.
• Withdraw consent — where processing is based on consent (e.g., notification preferences), you may withdraw it at any time.
• Lodge a complaint (EEA / UK only) — file a complaint with your local data protection supervisory authority if you believe we have violated your rights.
• Non-discrimination (California only) — exercising your rights will not result in denial of service, different prices, or different quality of service.

We do not sell or share your personal information for cross-context behavioral advertising. We do not knowingly process the personal information of minors under 18.

To exercise any of these rights, contact us at . We will respond within 30 days for GDPR / UK GDPR requests and within 45 days for CCPA requests, as required by applicable law.

The legal basis on which we process your data under the GDPR is:

• Performance of a contract — providing the app's core functionality after you sign up.
• Legitimate interests — preventing abuse, ensuring security, and improving the app via diagnostics.
• Consent — for optional features such as push notifications.

12. Changes to This Policy

If we make material changes to this policy, we will update the date at the top of this page. Continued use of the app after changes constitutes acceptance of the revised policy.