Privacy Policy
This Privacy Policy describes how kndi. (“we,” “us,” or “our”) handles information when you use our websites (including our public marketing and waitlist pages), our iOS application, and related services (together, the “Services”). If you have questions, contact us at [email protected].
Who this applies to
The Services are intended for users who are at least 18 years old. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us and we will take appropriate steps to delete it.
Information we collect
Account and profile. When you create an account (for example through our iOS app), we collect identifiers and profile details you provide or that are created for your account, such as your user ID, email address (for email sign-in), phone number (for phone sign-in), username, display name, first and last name (if you provide them), profile biography, profile photo, and account preferences (for example whether your profile is private).
Authentication. Depending on the sign-in method you choose, authentication data is processed by our backend authentication provider. Supported methods in the app include email address (one-time code at registration; password at sign-in), verified mobile phone number (SMS one-time code), Sign in with Apple, and Sign in with Google. Each provider receives the data necessary to complete that sign-in flow.
Social and community features. When you use features such as friends, follows, invites, in-app notifications, direct messages in groups, sending or receiving “kandi,” and similar interactions, we store the content of those interactions, participant identifiers, and timestamps as needed to operate the feature.
Photos and other media you upload. If you add a profile photo, group cover image, or photos in a group album, we store those files and related metadata (such as captions and which group they belong to) so they can be shown to you and, where you choose, to other users according to product rules and your settings.
Schedules, events, and locations you interact with. We store events you link to groups, festival schedules you browse or save, and your selected city or region for discovering nearby events. The app lets you pick a location from a list we provide; we store that selection to personalize results.
Waitlist (website). If you join our email waitlist on the public website, we collect the email address you submit so we can contact you about kndi.
Device and technical data. Like most online services, our servers and providers automatically receive technical information when you use the Services, such as IP address, approximate region derived from IP, browser or app version, device type, dates and times of requests, and diagnostic logs needed to keep the Services secure and reliable.
Local data on your device. The iOS app caches data on your device to improve performance and support offline use. This includes festival schedules, your set selections, social feed content, group data, and kandi and bracelet state. Cached data stays on your device and is cleared when you log out or delete the app. Outbound messages you send while offline are queued locally and delivered automatically when connectivity is restored.
Schedule-inferred presence. Certain features show which group members have saved sets at the same stage or time slot as you. This is derived from schedule selections you make in the app — it does not use your device's GPS or location services and does not track your physical position. You can hide your saved sets from group members in your settings.
Push notifications (optional). If you grant permission, the iOS app may send you push notifications about activity relevant to your account (for example, new messages, group invitations, and kandi received). We store a device push token provided by Apple solely to deliver these notifications. You can withdraw permission at any time in your iOS device settings under Notifications.
Camera (optional). If you use QR code scanning to exchange kandi or join a group, the app accesses the device camera only when you start that flow, to read the code. We do not use the camera for other purposes without your action.
Photo library (optional). If you choose images from your photo library (for example for a profile or group photo), the app accesses only the items you select, in line with iOS photo-picker behavior.
How we use information
- Create and secure your account and sessions.
- Provide core product features: profiles, search, events, groups, schedules, realtime messaging, photos, invites, notifications, and kandi.
- Maintain persistent realtime connections for live messaging and activity updates while the app is in the foreground.
- Send transactional messages needed for authentication (for example email or SMS codes) and important service notices.
- Maintain waitlist communications if you signed up on the website.
- Monitor for abuse, fraud, and security issues; debug and improve stability and performance.
- Comply with law and enforce our Terms of Service.
SMS and phone number data
If you sign in by phone number, we collect your phone number and use it solely to send one-time passcodes (OTPs) for authentication and account security. SMS messages from kndi. are transactional and are not used for marketing.
Phone numbers and SMS opt-in data and consent are not shared with third parties or affiliates for marketing purposes, and we do not sell this information. We share phone numbers only with the SMS delivery vendor configured by our authentication provider, strictly to deliver the OTP you requested.
You can opt out of SMS at any time by replying STOP to any kndi. message; reply HELP for support. Phone numbers are retained while your account is active and deleted when you delete your account, except where retention is required by law.
Legal bases (EEA, UK, and similar regions)
Where GDPR or similar laws apply, we rely on one or more of the following:
- Contract — processing necessary to provide the Services you request (for example hosting your profile and party content).
- Consent — where required, for example marketing emails beyond strictly transactional notices, or optional permissions such as camera or photo access when the operating system requires consent.
- Legitimate interests — for example securing the Services, understanding aggregate usage to improve the product, and preventing abuse, balanced against your rights.
- Legal obligation — where we must retain or disclose information to comply with the law.
Third-party services
We use service providers to operate kndi. The categories and examples below reflect the current codebase:
- Supabase — hosted database, authentication, file storage (for example avatars and group photos), application APIs, and realtime subscriptions that power live messaging, notifications, and presence features. The app maintains a persistent connection to Supabase Realtime while in use.
- Google — if you choose Sign in with Google, Google processes data as described in Google’s policies for that sign-in flow.
- Apple — if you use Sign in with Apple or install the app from the App Store, Apple processes data under its own policies. Opening maps or links from the app may use Apple or other platforms you choose.
- SMS and email delivery — phone and email one-time codes are delivered through infrastructure configured with our authentication provider (which may use telecommunications or email delivery vendors).
- Public event sources — we integrate and store metadata about concerts and festivals from third-party sources (including EDMTrain and Clashfinder-style data in our catalog) so you can search and attach events to groups. That information is aggregated catalog data, not your private messages.
We do not sell your personal information as “sale” is defined under the CCPA/CPRA. We do not use a dedicated third-party advertising analytics SDK in the product today. If we add analytics or advertising tools in the future, we will update this policy and any required disclosures (including platform data disclosures) before they go live.
Sharing of information
We share information with service providers who process it on our instructions to host and operate the Services. We may disclose information if required by law, legal process, or to protect the rights, safety, and security of users, us, or others. If we are involved in a merger, acquisition, or asset sale, your information may transfer as part of that transaction, subject to standard protections.
Parts of the Services are social by design. Depending on your settings and the feature, profile details, messages, photos, and activity may be visible to other users you interact with (for example members of the same group).
International transfers
We may process and store information in the United States and other countries where we or our providers operate. Those countries may have different data protection laws than your own. Where required, we use appropriate safeguards (such as contractual clauses) for international transfers.
Retention
We keep information for as long as your account is active and as needed to provide the Services. We may retain certain records after you close your account where required by law or for legitimate purposes such as security backups, dispute resolution, and enforcing our agreements. Technical logs are typically retained for a limited period.
Security
We use administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, or export personal information we hold about you, and to object to or restrict certain processing. You may also have the right to withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
California residents (CCPA/CPRA). You have the right to know categories and specific pieces of personal information we collect, the right to delete personal information subject to exceptions, and the right to correct inaccurate information. We do not sell or share personal information for cross-context behavioral advertising as defined by CPRA. You may designate an authorized agent where permitted by law.
Washington residents (My Health My Data Act). Washington's My Health My Data Act (MHMD) provides additional protections for consumer health data. To the extent MHMD applies to information we collect — such as location-adjacent data (your selected city or region) or schedule and event attendance patterns that may reflect health-relevant inferences — you have the right to confirm whether we collect such data, access it, withdraw consent to its collection, and request deletion. We do not sell consumer health data. To exercise these rights or for a copy of our MHMD consumer health data policy, contact [email protected].
To exercise rights, contact [email protected]. We may need to verify your request. You may also have the right to lodge a complaint with a supervisory authority in your country.
SMS and mobile messaging
kndi. uses a third-party SMS provider (currently Twilio) to send one-time verification codes (OTP) via text message when you sign in or create an account using a phone number. These messages are transactional — they are sent only in direct response to your request to authenticate and are not marketing messages.
- Program: kndi. account verification.
- Message frequency: One message per verification request.
- Message and data rates may apply.
- To opt out: Reply STOP to any verification message. You may also disable phone sign-in in your account settings.
- For help: Reply HELP or contact [email protected].
We do not share or sell mobile opt-in data — including your phone number and SMS consent status — with third parties, affiliates, or lead generators for marketing or promotional purposes. Phone numbers collected for SMS verification are used solely to deliver authentication codes and are not transferred to any party for advertising.
Cookies and similar technologies
Our websites use cookies and similar technologies to operate the Services. These fall into two categories:
- Strictly necessary. Required for the site to function — for example, session authentication tokens and security state. These cannot be disabled without breaking the Services.
- Analytics (if applicable). If we add analytics tools in the future, we will update this section and any required platform disclosures before they go live. We currently do not use standalone third-party analytics cookies.
You can manage or block cookies through your browser settings. Blocking strictly necessary cookies may prevent parts of the Services from functioning. We do not use cookies for cross-site advertising or behavioral tracking.
App Store and tracking
Apple requires a public Privacy Policy URL for apps distributed through the App Store. Information you provide in App Store privacy labels and product settings should match this Policy and how the app actually behaves.
We do not use App Tracking Transparency prompts for cross-app tracking in the current product because we do not integrate standalone third-party ad tracking SDKs for that purpose. If that changes, we will update the app and this Policy accordingly.
Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update our records. If changes are material, we will provide additional notice as appropriate (for example, an in-app notice or email where we have your address).