Privacy Policy
Last updated: March 25, 2026 · Effective immediately
1. Introduction
Welcome to Bored. — the app that makes you feel present, pushes you to move, and helps you enjoy every single moment. Available at staybored.app and on iOS and Android.
Bored. offers AI-powered pushup tracking, daily challenges, real-time video duels, social feed, journal, virtual currency ("Boreds"), Learn & Earn quizzes, mystery cards, a spin wheel, and video rooms — all designed to get you off your phone and into the real world.
This Privacy Policy explains what data we collect, why we collect it, how we protect it, and what rights you have. We believe in transparency — no legal fog, no hidden surprises.
By using Bored., you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.
2. Legal Entity & Data Protection Officer
Bored. is operated from Romania, European Union. As an EU-based operator, we are subject to the General Data Protection Regulation (GDPR) and other applicable privacy laws.
Data Protection Officer (DPO): You can reach our DPO for any privacy-related inquiries at contact@staybored.app.
EU Representative: For users in the EU/EEA, our EU representative can be contacted at the same address: contact@staybored.app.
Supervisory Authority: Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
3. Information We Collect
We collect only what is necessary to provide and improve the Bored. experience. Here is a detailed breakdown:
a) Account Data
When you create an account, we collect:
- Email address
- Display name and username
- Date of birth (for age verification)
- Profile avatar (if uploaded)
- Bio (if provided)
- Authentication provider (email, Apple, Google, or Facebook)
b) Usage Data
Data you create through using the app:
- Pushup counts and exercise completion data
- Challenge progress and completion history
- Duel results and matchmaking data
- Feed posts, comments, and likes
- Journal entries
- Learn & Earn quiz answers and scores
- Boreds (virtual currency) earned and spent
- Mystery card and spin wheel activity
- Streak and leaderboard data
- Room participation history
c) Device & Technical Data
Collected automatically via Supabase authentication:
- Device type (mobile, tablet, desktop)
- Operating system and version
- Browser type and version
- IP address (for security and fraud prevention)
- General location (country/region level, derived from IP)
d) Camera Data (AI Pushup Tracking)
Our pushup tracking uses TensorFlow.js, which runs entirely on your device. Your camera feed is processed locally in your browser to detect body pose and count pushups. No camera images, video frames, or pose data are ever sent to our servers or any third party. The AI model runs in your browser's memory and is discarded when you close the feature.
e) Video & Audio Data (Rooms & Duels)
When you join a video room or duel, your video and audio are streamed in real-time via LiveKit. Streams are not recorded or stored by us or by LiveKit. Once you leave, the stream data is gone.
f) Push Notification Data
If you enable push notifications, we store your device push token (endpoint URL and platform identifier) to deliver notifications. You can disable notifications at any time in your device settings or in-app settings.
g) Data We Do NOT Collect
- We do not collect precise GPS location
- We do not collect contacts or address book data
- We do not collect financial or payment information
- We do not collect health data beyond pushup counts
- We do not use third-party advertising trackers
- We do not sell or rent your data to anyone
4. How We Use Your Information
We use your data for the following purposes:
- Provide the Service — operate your account, deliver core features (challenges, duels, rooms, feed, journal, quizzes, mystery cards, spin wheel), and maintain the platform.
- Personalize Your Experience — adapt challenge recommendations, track streaks, display leaderboards, and provide relevant content.
- Communicate With You — send push notifications for streaks, challenges, duels, and important account updates. You control notification preferences in Settings.
- Improve the App — analyze usage patterns (in aggregate) to fix bugs, improve features, and develop new ones.
- Ensure Safety & Security — detect and prevent fraud, abuse, spam, and violations of our Terms of Service. Enforce content moderation and community guidelines.
- Legal Compliance — comply with applicable laws, regulations, legal processes, or government requests.
We do not use your data for targeted advertising. We do not profile you for marketing purposes. We do not make automated decisions that produce legal or similarly significant effects on you. In accordance with Apple App Store Guideline 5.1.3, we do not use your health or fitness data (including pushup counts, exercise history, and activity metrics) for marketing, advertising, or data-mining purposes.
5. Third-Party Services
We use the following third-party services to operate Bored. Each has been selected for reliability and security:
Supabase (United States)
Provides our database, user authentication, file storage (avatars, media), and push notification delivery. Data is encrypted at rest and in transit. Supabase is SOC 2 Type II compliant. See the Supabase Privacy Policy.
LiveKit (United States)
Powers real-time video and audio streaming for rooms and duels. Streams are end-to-end encrypted and not recorded or stored. See the LiveKit Privacy Policy.
Vercel (United States)
Hosts our web application. Vercel processes standard web request data (IP address, user agent) for delivering the app. See the Vercel Privacy Policy.
Apple Sign In
If you sign in with Apple, Apple provides us with your name and email (or a relay email if you choose "Hide My Email"). We do not receive your Apple ID password. See the Apple Privacy Policy.
Google Sign In
If you sign in with Google, Google provides us with your name, email, and profile picture. We do not receive your Google password. See the Google Privacy Policy.
Facebook Login
If you sign in with Facebook, Meta provides us with your name, email, and profile picture. We do not receive your Facebook password. See the Meta Privacy Policy.
TensorFlow.js (Local Processing)
Our AI pushup tracker uses TensorFlow.js, an open-source machine learning library that runs entirely in your browser. No data is transmitted to Google or any server. The model weights are downloaded once and cached locally.
6. Data Storage & Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit — all data transmitted between your device and our servers uses HTTPS/TLS encryption.
- Encryption at Rest — data stored in Supabase is encrypted at rest using AES-256.
- Row Level Security (RLS) — Supabase enforces row-level security policies ensuring users can only access their own data.
- Password Security — passwords are hashed using bcrypt with salt. We never store plaintext passwords.
- Access Controls — internal access to user data is restricted to essential personnel on a need-to-know basis.
- Regular Audits — we regularly review our security practices and update them as threats evolve.
While we take every reasonable precaution, no system is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication where available.
In the event of a data breach that affects your personal data, we will notify you and relevant authorities within 72 hours as required by applicable law.
7. International Data Transfers
Bored. is operated from Romania (EU), but some of our third-party service providers (Supabase, LiveKit, Vercel) are based in the United States. This means your data may be transferred to, stored in, and processed in the US.
We ensure adequate protection for international transfers through:
- Standard Contractual Clauses (SCCs) — EU-approved contractual safeguards with our US-based processors.
- Adequacy Decisions — where applicable, reliance on EU Commission adequacy decisions for the recipient country.
- Supplementary Measures — additional technical and organizational safeguards including encryption and access controls.
For UK users, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs. You may request a copy of the relevant transfer safeguards by contacting contact@staybored.app.
8. Data Retention
We retain your data only as long as necessary:
- Active Accounts — your personal data is retained for as long as your account remains active.
- Account Deletion — when you delete your account, all personal data is permanently purged from our systems within 30 days. This includes your profile, posts, journal entries, challenge history, and all associated data.
- Anonymized Data — aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics and service improvement.
- Legal Obligations — we may retain certain data longer if required by applicable law (e.g., tax regulations, fraud prevention, or legal proceedings).
- Backup Systems — data in automated backups will be purged on the next backup rotation cycle after your deletion request.
9. Data Sharing
We do not sell, rent, or trade your personal data. We never have and never will.
We may share data only in these limited circumstances:
- Service Providers — with our third-party processors (listed in Section 5) strictly for operating the app. They are contractually bound to protect your data.
- Aggregated Analytics — we may share anonymized, aggregated statistics for promotional purposes. This data can never identify you.
- Legal Requirements — we may disclose data if required by law, subpoena, court order, or government request.
- Safety — we may share data to protect the rights, safety, or property of Bored., our users, or the public.
- Business Transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.
We do not share data with advertisers. We do not participate in data broker networks. We do not allow third parties to collect data from our app for their own purposes.
10. Your Rights (All Users)
Regardless of where you live, all Bored. users have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your account and personal data.
- Data Portability — request an export of your data in a machine-readable format (JSON or CSV).
- Restrict Processing — request that we limit how we use your data.
- Object to Processing — object to certain types of processing (e.g., direct marketing).
- Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at contact@staybored.app. We will respond within 30 days (or sooner where required by law). We may ask you to verify your identity before processing your request.
11. GDPR (EU / EEA / UK)
If you are in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply. As an EU-based company, GDPR is our foundational privacy framework.
Legal Bases for Processing
We process your data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)) — processing necessary to provide you the Bored. service as described in our Terms of Service: account management, challenges, duels, rooms, feed, leaderboards.
- Consent (Art. 6(1)(a)) — where you have given explicit consent: push notifications, optional profile information, camera access for pushup tracking.
- Legitimate Interest (Art. 6(1)(f)) — processing necessary for our legitimate interests (improving the app, ensuring security, preventing abuse) where not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)) — processing necessary to comply with legal requirements.
Your GDPR Rights
In addition to the general rights in Section 10, you have the right to:
- Lodge a complaint with your local Data Protection Authority. For Romania: ANSPDCP (dataprotection.ro). For a full list of EU DPAs, visit the European Data Protection Board website.
- Withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds.
- Not be subject to automated decision-making — we do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required under Article 35 of the GDPR.
12. CCPA / CPRA (California, USA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights.
Your California Rights
- Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and third parties with whom we share it.
- Right to Delete — you may request deletion of your personal information, subject to certain exceptions.
- Right to Correct — you may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — you have the right to opt out of the "sale" or "sharing" of personal information.
- Right to Limit Use of Sensitive Personal Information — you can limit use of sensitive data to what is necessary for providing the service.
Do Not Sell or Share My Personal Information
Bored. does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not participate in data broker networks or allow third parties to collect your data for targeted advertising.
Financial Incentive Disclosure
Our virtual currency "Boreds" is earned through completing challenges and activities within the app. Boreds have no monetary value, cannot be exchanged for real currency, and are not a financial incentive as defined under CCPA/CPRA. The Boreds system does not constitute a financial incentive program.
Non-Discrimination
We will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive different pricing, quality, or service levels for exercising your rights.
To submit a verifiable consumer request, contact contact@staybored.app. We will verify your identity and respond within 45 days.
13. LGPD (Brazil)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights regarding your personal data.
Legal Bases
We process your data under the following LGPD legal bases:
- Consent (Art. 7, I) — for optional features like push notifications and camera access.
- Contract performance (Art. 7, V) — to provide the Bored. service.
- Legitimate interest (Art. 7, IX) — for app improvement and security.
Your LGPD Rights
You have the right to:
- Confirm the existence of processing of your data
- Access, correct, anonymize, block, or delete unnecessary data
- Request data portability
- Request deletion of data processed with consent
- Obtain information about entities with whom your data is shared
- Be informed about the possibility of denying consent and its consequences
- Withdraw consent at any time
You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
14. PIPEDA (Canada)
If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to our handling of your data.
Our PIPEDA Commitments
- Accountability — we are responsible for personal information in our possession and have designated a privacy officer.
- Consent — we collect, use, or disclose your data only with your knowledge and consent, except where permitted by law.
- Purpose Limitation — we collect data only for the purposes identified in this policy.
- Limiting Collection — we collect only what is necessary for stated purposes.
- Accuracy — we keep your data as accurate, complete, and up-to-date as necessary.
- Safeguards — we protect your data with security measures appropriate to the sensitivity of the information.
Your PIPEDA Rights
You have the right to:
- Access your personal information held by us
- Challenge the accuracy and completeness of your data and have it amended
- Withdraw consent (subject to legal or contractual restrictions)
You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
15. POPIA (South Africa)
If you are in South Africa, the Protection of Personal Information Act (POPIA) governs our processing of your personal information.
Processing Conditions
We process your data in accordance with POPIA's conditions for lawful processing:
- Accountability, purpose limitation, and further processing limitation
- Information quality, openness, and security safeguards
- Data subject participation
Your POPIA Rights
You have the right to:
- Be notified that personal information is being collected
- Request access to your personal information
- Request correction or deletion of your personal information
- Object to the processing of your personal information
- Not have your personal information processed for direct marketing via unsolicited communications
- Submit a complaint to the Information Regulator
You may lodge a complaint with the Information Regulator at inforegulator.org.za.
16. Australian Privacy Principles (Australia)
If you are in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
Our APP Commitments
- We collect personal information only by lawful and fair means
- We use and disclose personal information only for the purpose for which it was collected (or a related purpose you would reasonably expect)
- We take reasonable steps to ensure accuracy, completeness, and currency of your data
- We protect your data from misuse, interference, loss, and unauthorized access
- We provide access to and correction of personal information on request
Cross-Border Disclosure
Your data may be disclosed to overseas recipients (United States) as described in Section 7. We take reasonable steps to ensure overseas recipients comply with the APPs.
You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
17. APPI (Japan)
If you are in Japan, the Act on the Protection of Personal Information (APPI) applies to our handling of your data.
Our APPI Commitments
- Purpose Specification — we specify and publicly announce the purpose of use for all personal information collected.
- Purpose Limitation — we do not use your data beyond the scope necessary to achieve the specified purpose without your consent.
- Proper Acquisition — we acquire personal information by proper and lawful means.
- Accuracy — we strive to keep your data accurate and up-to-date.
- Security Management — we take necessary and appropriate measures to prevent leakage, loss, or damage of personal data.
Third-Party Provision & Cross-Border Transfers
We provide personal data to third-party processors in the United States (see Section 5). We ensure these transfers comply with APPI requirements through contractual safeguards and confirmation that the recipient country has an adequate data protection system or that the recipient has an appropriate data protection framework in place.
Your APPI Rights
You have the right to request disclosure, correction, addition, deletion, suspension of use, erasure, and suspension of third-party provision of your retained personal data.
You may file a complaint with the Personal Information Protection Commission (PPC) of Japan.
18. PDPA (Singapore & Thailand)
Singapore — Personal Data Protection Act 2012
If you are in Singapore, we comply with the PDPA requirements:
- Consent — we obtain your consent before collecting, using, or disclosing personal data.
- Purpose Limitation — we collect, use, and disclose your data only for purposes a reasonable person would consider appropriate.
- Access & Correction — you have the right to access and request correction of your personal data.
- Protection — we protect your data with reasonable security arrangements.
- Retention Limitation — we cease to retain personal data when it is no longer needed for the stated purpose.
- Transfer Limitation — overseas transfers comply with PDPA transfer requirements.
You may file a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
Thailand — Personal Data Protection Act B.E. 2562 (2019)
If you are in Thailand, the Thai PDPA grants you the following rights:
- Right to be informed and to access your personal data
- Right to data portability
- Right to object to data processing
- Right to erasure, restriction, and correction
- Right to withdraw consent
You may file a complaint with the Personal Data Protection Committee (PDPC) of Thailand.
19. Cookies & Local Storage
We do not use tracking cookies. We do not use third-party advertising cookies. We do not participate in cookie-based advertising networks.
What We Do Use
- Essential Auth Cookies — Supabase uses strictly necessary cookies to maintain your authentication session (keeping you logged in). These are functional-only and are not used for tracking or advertising.
- Local Storage — we use your browser's localStorage to save app preferences, display settings, and cached UI state. This data stays on your device and is never transmitted to external services.
- Service Worker Cache — as a Progressive Web App (PWA), we cache static assets for offline functionality. This does not store personal data.
For more details, see our Cookie Policy.
20. Children's Privacy
Protecting children's privacy is extremely important to us. Bored. is not intended for children.
Age Requirements
- United States (COPPA) — children under 13 are not permitted to create an account or use Bored. We do not knowingly collect personal information from children under 13.
- European Union (GDPR) — children under 16 (or the applicable age in the member state, which may be as low as 13) may not use Bored. without verifiable parental consent.
- Other Jurisdictions — we comply with the minimum age requirements of each jurisdiction. Where local law requires a higher minimum age, that higher age applies.
Age Verification
We require date of birth during registration to verify users meet the minimum age requirement. If we learn that we have collected personal data from a child below the applicable age without proper consent, we will promptly delete that information.
No Targeted Advertising to Minors
We do not display targeted advertising to any users, including minors. We do not profile users under 18 for marketing purposes.
If you believe a child has created an account or provided personal data to Bored., please contact us immediately at contact@staybored.app and we will delete the account and data promptly.
21. Data Portability
You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format.
We can provide your data export in the following formats:
- JSON — structured data format, suitable for developers and technical use.
- CSV — spreadsheet-compatible format, suitable for general use.
Your export will include: profile information, activity history, pushup records, challenge completions, feed posts, journal entries, quiz results, Boreds balance, and duel history.
To request a data export, contact contact@staybored.app. We will fulfill your request within 30 days.
22. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or regulatory guidance.
When we update this policy:
- We will update the "Last updated" date at the top of this page.
- For material changes, we will notify you via in-app notification and/or email before the changes take effect.
- We will provide a summary of key changes.
- Where required by law (e.g., GDPR), we will obtain your renewed consent for material changes to how we process your data.
We encourage you to review this page periodically. Continued use of Bored. after changes are posted constitutes acceptance of the updated policy, except where consent is required by law.
23. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, we are here to help.
- Email: contact@staybored.app
- Website: staybored.app
- Data Protection Officer: contact@staybored.app
- Response Time: We aim to respond to all privacy inquiries within 15 business days, and no later than 30 days as required by GDPR and other applicable laws.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (see the relevant jurisdiction section above).
Thank you for trusting Bored. with your data. Now go do some pushups.