legal

privacy policy

effective as of July 2, 2026

introduction and definitions

This Privacy Policy sets out how we, Duru Alayli (the "producer," "we," "us," "our"), use and protect the personal data you provide to us, or that is otherwise obtained or generated by us, in connection with your use of Pull Up (the "Services"). "You" refers to you, the user of the Services.

We are the entity responsible for the data described in this policy. You can reach us at hello.pullupapp@gmail.com for any privacy question, request, or concern.

principles

We follow simple principles when it comes to your data:

information you provide

Your email address (data linked to you). Used only to authenticate you, verify your account, and send password-reset or account-related emails. Your email is never shown to other users and is never sold. We share it with our email service provider only as necessary to send these emails.

Your name, username, and profile photo (data linked to you). These are visible to any user of the app — not just your friends — since they're used to power search (so people can find and add you as a friend) and are shown wherever your identity appears, such as on plans, reactions, and attendee lists.

Your password. Stored only as a one-way cryptographic hash — we cannot see or recover your actual password, and it is never shared with any third party.

Your user ID. A unique internal identifier assigned to your account when you sign up. Used to link your data (posts, friendships, reactions, etc.) together within our systems, and to identify you in things like push notification delivery. Not shown to other users directly.

Plans and posts you create (data linked to you). Titles, times, and images for plans, and any "pull up" photos you take to prove attendance.

Social data (data linked to you). Your friends list, group memberships, and reactions, used to power the app's core social features.

Device token (data linked to you). Used solely to deliver push notifications to your device through Apple's Push Notification service. Removed when you log out or delete your account.

Location. If you grant location permission, it is used only on your device to display your city in the app's feed header. It is never transmitted to or stored on our servers.

information collected automatically

Like most apps that connect to a server, our backend infrastructure automatically logs limited technical data as part of normal operation — such as IP address, request timestamps, and basic device/app information (e.g. app version, OS version). This data is used only for security, debugging, and keeping the Services running reliably. We do not use it for advertising, and we do not currently run any analytics or tracking SDKs in the app.

photos and metadata

Photos you upload may contain embedded metadata (EXIF data), which can include the location where a photo was taken. We recommend disabling location tagging in your device's camera settings if you'd prefer this information not be included in photos you upload. We are working to strip this metadata automatically before storage; until then, treat any photo you upload as potentially containing this information.

who can see your content

Your name, username, and profile photo are visible to any user of the app through search. Your plans are visible to your friends, or — if posted to a group — to that group's members only. Your pull-up photos are visible to all your friends. None of your content is public outside the app or indexed by search engines.

Currently, you can manage who sees your content by removing a friend or declining a friend request, which stops future visibility between you and that person. If you experience abuse or unwanted contact from another user, contact us at the email below and we will investigate and take appropriate action, which may include removing the account.

how we use your information

We use the information described above solely to operate the app's core features, including:

We do not sell, rent, or "share" (as defined under California law) your data.

legal basis for processing (EEA, UK, and Switzerland)

If you're located in the EEA, UK, or Switzerland, we process your personal data on the following legal bases:

third-party services

We use a small number of service providers to operate the app, each of which only receives the data necessary to perform its specific function:

These providers are not permitted to use your data for their own purposes. Some of these providers may process data in countries other than your own, including the United States. We use providers that maintain privacy and security practices designed to protect personal data and use contractual protections where required by applicable law.

data retention and deletion

You can delete your account at any time from Settings in the app. We delete your profile, posts, photos, friendships, group memberships, and password data from our active systems promptly after your request. Limited copies may remain temporarily in backups, logs, or provider systems and will be deleted or overwritten according to our backup and retention practices, unless we must retain them for security, fraud prevention, or legal obligations.

Because plans and pull-ups often involve other people, some limited traces can remain in other users’ data after you delete your account: the title of a plan you attended may still appear in a friend’s history of that plan, and a reaction you left may still appear on someone else’s post or photo. These traces will display as coming from a deleted account, with no name, username, or profile photo attached.

children's privacy

Pull Up is not intended for anyone under 13. We do not knowingly collect information from children under 13. If you believe a child has created an account, contact us and we'll remove it.

security

Passwords are hashed before storage, and all data in transit is encrypted via HTTPS. While we take reasonable measures to protect your information, no method of transmission or storage is 100% secure.

your rights

You can access, update, or delete most of your personal information directly within the app at any time. To exercise any right described below — including if you no longer have access to your account — email us from the address associated with your account, or any email, and we'll verify your identity before acting on the request.

If you're located in the European Economic Area, UK, or Switzerland, you have rights under the GDPR, including the right to:

If you're a California resident, you have rights under the CCPA/CPRA, including the right to know what personal information we collect, request deletion of it, and not be discriminated against for exercising these rights. As noted above, we do not sell or "share" your personal information for cross-context behavioral advertising.

changes to this policy

This privacy policy will be updated as needed so that it remains accurate, current, and clear — including if we add features like crash reporting, analytics, or new third-party services in the future. If we make material changes, we'll notify you through the app.

contact us

If you have questions about this privacy policy, reach out at hello.pullupapp@gmail.com.