Privacy at flocc

What we collect

We collect only what's needed to run the service.

• Hosts (account holders): your display name, email address, and password (stored as a secure hash — we never see the actual password). Optionally: a profile photo and your default contact or payment preferences.
• Event details you create: title, date and time, location, description, schedule, what-to-bring list, cost information, and any host notes. These are stored and shown to guests on your public event page.
• Cover images: photos you upload or link from Unsplash. Uploaded cover images are stored on our server and publicly accessible via a non-guessable URL.
• Event photos: photos uploaded to a past event's gallery are stored securely and are only accessible to people connected to that event — the host, RSVPd guests, and invitees. Direct links do not work without that connection.
• Guests (people who RSVP): name, email address, RSVP response (yes/maybe/no), optional notes (e.g. dietary needs), and plus-one count. Guests do not need an account.
• Technical logs: server logs including IP addresses and timestamps, used for security monitoring and debugging. These are not shared and are not used for profiling.

How we use it

• To run your event page, show RSVP responses to the host, and send password-reset emails.
• To remember your name and email when you return to RSVP for another event (using a cookie — you can clear it any time).
• To notify the host of new RSVPs via an in-app notification.
• We do not sell your data, use it for advertising, or share it with third parties beyond what's needed to operate (e.g. our email delivery provider for password resets).

Who can see what

• Hosts can see the names, email addresses, RSVP responses, notes, and plus-one counts of everyone who RSVPs to their event.
• Guests see only what the host has published on the event page. If the host enables the guest list, guests can see other guests' first names only — not emails, notes, or any other personal detail.
• Public event pages show gathering details (title, date, location, description, and schedule if enabled). They do not show guest emails, notes, or host account information.
• flocc staff may access account and event data to operate and maintain the service. Access is strictly limited to operational needs.

Cookies and sessions

We use a small number of cookies:

• Session cookie: keeps you logged in as a host. It's HttpOnly, SameSite=Lax, and Secure on HTTPS. It expires when your session ends (or after 30 days with "remember me").
• RSVP convenience cookies (flocc_name, flocc_email): remember your name and email so you don't have to retype them if you RSVP for another event on flocc. These last 30 days and are HttpOnly and SameSite=Lax. Guests can clear them by clearing browser cookies.
• We do not use analytics, advertising, or third-party tracking cookies.

Installing flocc to your home screen (PWA)

flocc can be added to your iPhone or Android home screen as a lightweight app (a Progressive Web App, or PWA). Here's what that means for your privacy:

• What's stored on your device: only static app assets — the app icon, CSS stylesheets, and the bird logo. No personal data, no event content, and no account information is ever stored on your device by flocc.
• All your data stays on our servers. Every page and API call goes directly to flocc's servers over a secure HTTPS connection. Nothing private is saved locally in the app.
• Removing the app from your home screen or clearing the app's site data also clears the small cache of static assets. This has no effect on your account or any event data — all of that lives on our servers.
• No push notifications are sent by the installed app. flocc does not currently request notification permission.
• Because this is an alpha release, the installed PWA may require removal and re-installation if we make significant updates. We'll do our best to avoid this.

Data ownership

You retain ownership of all content you create on flocc — event pages, guest lists, photos, descriptions, and any other material you add. flocc stores it to operate the service for you, but it belongs to you. You can delete your events, photos, and account at any time.

Data sharing

• We do not sell your data. Not now, not ever.
• We only share data when it is necessary to operate the platform — for example, using a third-party email delivery provider (Resend) to send password-reset emails.
• We do not share your personal information with advertisers, data brokers, or any other third parties for commercial purposes.

Third-party services

We use the following external services to operate flocc:

• Resend — email delivery for password resets. Only your email address is shared.
• Unsplash — optional cover image search. No personal data is shared; image searches are made anonymously.
• Neon (PostgreSQL) — hosted database that stores your event and account data securely.

Emails

We send emails only for password resets, using a third-party email delivery service (Resend). We do not send marketing emails. Guests only receive emails if the host explicitly sends them using their own email app — flocc does not send emails to guests on the host's behalf.

Data security

• Passwords are stored as secure hashes. We cannot recover or see your actual password.
• Session cookies are HttpOnly and SameSite=Lax. HTTPS is enforced in production.
• Forms are protected against cross-site request forgery (CSRF).
• Rate limiting is applied to login, registration, and RSVP endpoints to prevent abuse.
• Photo uploads are validated for type and content, and metadata (including GPS location) is stripped before storage.

Your choices and rights

• You can update your display name, email, and profile photo from your profile page at any time.
• You can delete events from your dashboard at any time.
• If you'd like your account and all associated data deleted, email us and we'll take care of it promptly.
• Guest RSVP data (name, email, response) is stored until the host deletes the event or the data is removed on request.

Questions or data requests

Contact us at admin@floccwithfriends.com for any privacy questions, data access requests, or deletion requests.