"Your inner world is sacred ground. We built in2it to help you grow, connect, and expand your presence — not
to mine your attention or sell your data. This privacy policy reflects our philosophy: radical
transparency, minimal collection, and conscious stewardship
of the information you share with us."
1. Our Privacy Philosophy
Most apps bury their data practices in dense legalese. We believe that's a failure of integrity. Here's how
we're different:
Our Commitments
- We never sell your data. Not to advertisers, not to data brokers, not to anyone.
Period.
- We never show you ads. We are subscription-supported, not attention-harvesting.
- We collect only what we need. Every data point has a clear, stated purpose tied to
your experience.
- Your growth data stays yours. Your vibe checks, reflections, and personal insights
are never shared with third parties.
- We use encryption everywhere. Data in transit and at rest is encrypted using
industry-standard protocols.
- You can delete everything. Full account deletion removes your data from our
systems.
2. Information We Collect
We collect information in three categories. For each, we tell you what, why, and how
long:
A. Information You Provide
| Data | Purpose | Retention |
| --- | --- | --- |
| Name & email | Account identity and communication | Until account deletion |
| Phone number | Account verification (OTP) and security | Until account deletion |
| Profile photo | Humanize your presence during connections | Until you change or delete it |
| Onboarding responses (life stage, generation, goals) | Personalize your Presence Journey and connection experiences | Until account deletion |
| Preference quiz answers | Calculate your 5-dimension vibe profile for intentional matching | Until account deletion |
| Vibe check ratings | Track your connection quality over time for personal insights | Until account deletion |
| Reflections & journal entries | Support your growth — visible only to you | Until you delete them |
| Quest photos | Capture shared moments during in-person events | Until event ends or you delete them |
| Feedback & safety reports | Improve the platform and maintain community safety | Feedback: 1 year. Safety: as legally required |
B. Information Generated Through Use
| Data | Purpose | Retention |
| --- | --- | --- |
| Connection history | Let you revisit past connections and track growth patterns | Until account deletion |
| Compatibility scores | Match you with aligned participants at events | Per-event session only |
| Affinity & trust scores | Improve match quality over time based on your ratings | Aggregated, not personally identifiable |
| Feature votes | Shape the product roadmap — your voice matters | Until account deletion |
| Engagement analytics | Understand which features help you most | Aggregated, anonymized |
C. Technical Information
| Data | Purpose | Retention |
| --- | --- | --- |
| Device type & browser | Deliver the best experience for your device | Session only |
| IP address | Timezone detection (for accurate event times) and security | Not stored long-term; used for geolocation at signup only |
| FCM push token | Deliver notifications (event reminders, match alerts) | Until token refresh or account deletion |
| App Check token | Verify that requests come from legitimate app instances | Session only — not stored |
3. How We Use Your Information
Every use falls into one of these categories:
- Powering your experience — authentication, event participation, matchmaking,
notifications
- Supporting your growth — generating personal insights, tracking vibe patterns,
delivering AI-powered reflections
- Improving the platform — understanding which features resonate, fixing bugs, ensuring
reliability
- Maintaining safety — detecting abuse, enforcing community standards, processing safety
reports
- Processing payments — subscription management and billing (handled by Stripe and
RevenueCat — we never see your card number)
What We Will Never Do
- Sell, rent, or trade your personal data
- Use your data for targeted advertising
- Create behavioral profiles for third-party advertisers
- Share your vibe checks, reflections, or growth data with anyone
- Use dark patterns to trick you into sharing more
4. Third-Party Services
We use carefully selected partners to deliver specific capabilities. Each has been evaluated for their
privacy practices:
| Service | What They Do | What They Access |
| --- | --- | --- |
| Google Firebase | Authentication, database, file storage, push notifications, app security | Email, name, profile data (encrypted at rest) |
| Stripe | Payment processing | Payment method (we never see your card number) |
| RevenueCat | Subscription management | Subscription status, app user ID |
| Google Gemini AI | AI-powered insights and reflections | Anonymized context (no names or emails sent to AI) |
| WebRTC | Peer-to-peer video connections | Video/audio streams (encrypted end-to-end, never recorded or stored) |
| Google reCAPTCHA | Prevent automated abuse | Device signals (per Google's privacy policy) |
We do not use analytics trackers, social media pixels, or advertising SDKs. We do not share data with
Facebook, Google Ads, or any advertising network.
5. Video Connections & Communication
When you participate in a video connection through in2it:
- Peer-to-peer. Video and audio streams travel directly between you and your connection
partner using WebRTC. They do not pass through our servers.
- Never recorded. We do not record, store, or monitor the content of your video calls.
- Encrypted. All WebRTC connections use DTLS-SRTP encryption.
- Signaling only. Our servers handle only the initial connection setup (signaling) — once
connected, we're out of the loop.
6. AI-Powered Features
in2it uses Google Gemini AI to generate personalized insights, reflection prompts, and growth suggestions.
Here's how we protect your privacy:
- We send anonymized, contextual data to the AI — never your name, email, or identifiable
information
- AI-generated content is stored in your personal data space only — it's never shared
with other users
- We do not use your data to train AI models
- You can delete AI-generated content at any time
7. Data Security
We implement multiple layers of security:
- Encryption in transit — All data transfers use TLS 1.3
- Encryption at rest — Firebase encrypts all stored data using AES-256
- App Check enforcement — Every API request is verified to come from a legitimate app
instance using reCAPTCHA Enterprise
- Firestore security rules — Users can only read and write their own data. No user can
access another user's personal information
- Rate limiting — API endpoints are protected against abuse
- No plaintext secrets — All credentials and API keys are stored securely, never in
client-facing code
8. Security Incident Response
No system is immune to risk. If a security incident affecting your personal data ever occurs, here is exactly
what we will do:
Our Breach Response Commitments
- Within 72 hours — We will notify all affected users via email and in-app
announcement, describing what happened, what data was affected, and what we're doing about it
- Within 72 hours — We will notify relevant supervisory authorities (GDPR Art. 33)
where legally required
- Immediately — We will contain the incident, revoke compromised access, and begin
forensic investigation
- Ongoing — We will provide regular updates until the incident is fully resolved
- Post-incident — We will publish a transparent post-mortem explaining root cause,
impact, and systemic improvements made to prevent recurrence
What We Monitor
- App Check enforcement — blocks requests from unauthorized sources
- Firestore security rules — enforces data isolation per user
- Cloud Function rate limiting — detects anomalous API activity
- Firebase Authentication — monitors for brute force and credential stuffing attempts
If you discover a potential security vulnerability, please report it responsibly to
support@in2it.live. We commit to acknowledging your report within 48 hours and will not
take legal action against good-faith security researchers.
9. Your Rights
You have full sovereignty over your data. Here's what you can do:
| Right | How |
| --- | --- |
| Access your data | Contact us at support@in2it.live for a full export |
| Correct your data | Edit your profile, preferences, and goals directly in the app |
| Delete your data | Settings → Delete Account removes all personal data from our systems |
| Export your data | Request a portable copy via support@in2it.live |
| Withdraw consent | You can opt out of notifications, revoke permissions, or delete your account at any time |
| Object to processing | Contact support@in2it.live and we will review and respond within 30 days |
These rights apply regardless of where you live. We honor GDPR, CCPA, and equivalent privacy laws globally
because we believe privacy is a human right, not a regulatory obligation.
10. Children's Privacy
in2it is designed for individuals aged 18 and older. We do not knowingly collect personal information from
anyone under 18. If we discover that a user is under 18, we will promptly delete their account and all
associated data. If you believe a minor has created an account, please contact us at support@in2it.live.
11. Data Retention & Deletion
We retain your data only as long as needed for its stated purpose:
- Active account data — retained while your account is active
- Event-specific data (match results, quest photos) — retained for the event duration
plus 30 days for post-event reflection
- Safety reports — retained as required by applicable law
- Account deletion — when you delete your account, we remove all personal data within 30
days. Anonymized aggregate data (which cannot identify you) may persist for platform improvement
12. Cookies & Local Storage
in2it is a Progressive Web App (PWA). We use:
- Local storage — to remember your login state, app preferences, and install prompt
dismissal (7-day snooze). This data stays on your device.
- Service worker cache — to enable offline access and faster loading. Cached files are
only the app's own code and assets.
- No tracking cookies. We do not use third-party cookies, advertising cookies, or
cross-site tracking of any kind.
13. International Data Transfers
in2it uses Google Cloud infrastructure (Firebase), which may process data in the United States and other
countries where Google operates. Google Cloud complies with GDPR through Standard Contractual Clauses and
other approved transfer mechanisms. Stripe and RevenueCat similarly maintain GDPR-compliant data transfer
agreements.
14. Changes to This Policy
When we make material changes to this policy, we will:
- Post the updated policy with a new "Last updated" date
- Notify you via in-app announcement
- For significant changes, require your renewed acknowledgment before continuing to use the app
15. Contact Us
For any questions, concerns, or data requests:
- Email: support@in2it.live
- Security: support@in2it.live
- Response time: Within 30 days for formal requests, within 72 hours for general
inquiries