privacy policy
effective as of July 2, 2026
introduction and definitions
This Privacy Policy sets out how we, Duru Alayli (the "producer," "we," "us," "our"), use and protect the personal data you provide to us, or that is otherwise obtained or generated by us, in connection with your use of Pull Up (the "Services"). "You" refers to you, the user of the Services.
We are the entity responsible for the data described in this policy. You can reach us at hello.pullupapp@gmail.com for any privacy question, request, or concern.
principles
We follow simple principles when it comes to your data:
- Your data is only collected and shared with other users where it's necessary for the functionality of the Services (for example, your friends seeing your plans, or other users finding you via search).
- Your data is not sold to any third party, at any time.
- We do not "share" your personal information for cross-context behavioral advertising, as that term is defined under California law.
- We do not use your data for advertising or to build behavioral profiles about you.
information you provide
Your email address (data linked to you). Used only to authenticate you, verify your account, and send password-reset or account-related emails. Your email is never shown to other users and is never sold. We share it with our email service provider only as necessary to send these emails.
Your name, username, and profile photo (data linked to you). These are visible to any user of the app — not just your friends — since they're used to power search (so people can find and add you as a friend) and are shown wherever your identity appears, such as on plans, reactions, and attendee lists.
Your password. Stored only as a one-way cryptographic hash — we cannot see or recover your actual password, and it is never shared with any third party.
Your user ID. A unique internal identifier assigned to your account when you sign up. Used to link your data (posts, friendships, reactions, etc.) together within our systems, and to identify you in things like push notification delivery. Not shown to other users directly.
Plans and posts you create (data linked to you). Titles, times, and images for plans, and any "pull up" photos you take to prove attendance.
- A plan is visible to all your friends by default, or — if you choose to post it to a specific group — only to that group's members.
- A pull-up photo (your proof of attendance) is visible to all of your friends, regardless of whether the original plan was posted to a specific group.
Social data (data linked to you). Your friends list, group memberships, and reactions, used to power the app's core social features.
Device token (data linked to you). Used solely to deliver push notifications to your device through Apple's Push Notification service. Removed when you log out or delete your account.
Location. If you grant location permission, it is used only on your device to display your city in the app's feed header. It is never transmitted to or stored on our servers.
information collected automatically
Like most apps that connect to a server, our backend infrastructure automatically logs limited technical data as part of normal operation — such as IP address, request timestamps, and basic device/app information (e.g. app version, OS version). This data is used only for security, debugging, and keeping the Services running reliably. We do not use it for advertising, and we do not currently run any analytics or tracking SDKs in the app.
photos and metadata
Photos you upload may contain embedded metadata (EXIF data), which can include the location where a photo was taken. We recommend disabling location tagging in your device's camera settings if you'd prefer this information not be included in photos you upload. We are working to strip this metadata automatically before storage; until then, treat any photo you upload as potentially containing this information.
who can see your content
Your name, username, and profile photo are visible to any user of the app through search. Your plans are visible to your friends, or — if posted to a group — to that group's members only. Your pull-up photos are visible to all your friends. None of your content is public outside the app or indexed by search engines.
Currently, you can manage who sees your content by removing a friend or declining a friend request, which stops future visibility between you and that person. If you experience abuse or unwanted contact from another user, contact us at the email below and we will investigate and take appropriate action, which may include removing the account.
how we use your information
We use the information described above solely to operate the app's core features, including:
- authenticating you and keeping your account secure
- letting other users find and add you as a friend through search
- displaying your plans and pull-up photos to the appropriate audience (friends or group members)
- showing who's attending a plan, and updating attendance in real time as people join or leave
- displaying reactions (emoji responses) you leave on plans and pull-up photos, and showing you reactions others leave on yours
- calculating and displaying your personal and friend pull-up streaks
- sending push notifications for relevant activity, like a new friend request, someone joining your plan, or a reaction
We do not sell, rent, or "share" (as defined under California law) your data.
legal basis for processing (EEA, UK, and Switzerland)
If you're located in the EEA, UK, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract: processing your account information, plans, posts, and social data is necessary to provide the Services you've signed up for.
- Legitimate interests: we process limited technical/log data for security, fraud prevention, and to keep the Services reliable.
- Consent: optional features like push notifications and location access are only enabled if you grant permission, and you can withdraw consent at any time through your device settings.
third-party services
We use a small number of service providers to operate the app, each of which only receives the data necessary to perform its specific function:
- Cloudinary — stores and delivers images you upload
- Resend — sends account verification and password reset emails (these emails link back to our own domain, hellopullup.app, which we control directly and is not a third party)
- Apple Push Notification service — delivers push notifications to your device
- Railway — hosts our backend server and database
- Vercel — hosts our website (hellopullup.app), including this privacy policy and terms of use page
These providers are not permitted to use your data for their own purposes. Some of these providers may process data in countries other than your own, including the United States. We use providers that maintain privacy and security practices designed to protect personal data and use contractual protections where required by applicable law.
data retention and deletion
You can delete your account at any time from Settings in the app. We delete your profile, posts, photos, friendships, group memberships, and password data from our active systems promptly after your request. Limited copies may remain temporarily in backups, logs, or provider systems and will be deleted or overwritten according to our backup and retention practices, unless we must retain them for security, fraud prevention, or legal obligations.
children's privacy
Pull Up is not intended for anyone under 13. We do not knowingly collect information from children under 13. If you believe a child has created an account, contact us and we'll remove it.
security
Passwords are hashed before storage, and all data in transit is encrypted via HTTPS. While we take reasonable measures to protect your information, no method of transmission or storage is 100% secure.
your rights
You can access, update, or delete most of your personal information directly within the app at any time. To exercise any right described below — including if you no longer have access to your account — email us from the address associated with your account, or any email, and we'll verify your identity before acting on the request.
If you're located in the European Economic Area, UK, or Switzerland, you have rights under the GDPR, including the right to:
- access the personal data we hold about you
- correct inaccurate data
- request deletion of your data
- restrict or object to certain processing
- receive your data in a portable format
- lodge a complaint with your local data protection authority
If you're a California resident, you have rights under the CCPA/CPRA, including the right to know what personal information we collect, request deletion of it, and not be discriminated against for exercising these rights. As noted above, we do not sell or "share" your personal information for cross-context behavioral advertising.
changes to this policy
This privacy policy will be updated as needed so that it remains accurate, current, and clear — including if we add features like crash reporting, analytics, or new third-party services in the future. If we make material changes, we'll notify you through the app.
contact us
If you have questions about this privacy policy, reach out at hello.pullupapp@gmail.com.