punch.

Privacy Policy

Last updated: June 2026 · Effective date: June 2026

Punch ("we", "us", "our") is a social planning app that helps friend groups discover and share casual plans. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law including the UK GDPR.

The data controller for your personal data is Serena North, operating Punch, contactable at hello@joinpunch.co.uk.

Note: This policy will be updated to reflect a registered company as data controller prior to public release.

1. Information we collect

We collect the following categories of personal data:

  • Account information: Your name and email address, provided directly or via Apple Sign In or Google Sign In.
  • Profile content: Profile photo if you choose to upload one, and your username.
  • User-generated content: Plans and events you create, including title, date, time, location, and any description you provide.
  • Location data: Approximate location you attach to events. We do not continuously track your device location.
  • Calendar data: If you choose to connect your calendar, we read event data to enable calendar sync. We do not store your full calendar — only events you explicitly sync through Punch.
  • Push notification tokens: Device tokens to deliver push notifications. You can disable these at any time in your device settings.
  • Usage data: How you interact with the app, including features used and frequency of use, for the purpose of improving the product.
  • Diagnostic data: Crash reports and performance data to identify and fix technical issues.

2. How we use your information

We use the data we collect to:

  • Create and maintain your account
  • Enable you to create, share, and discover plans with friends
  • Deliver push notifications about plans you're involved in
  • Sync plans to your calendar when you request it
  • Improve the app based on usage patterns
  • Diagnose and fix technical issues
  • Comply with our legal obligations

Our legal basis for processing your data is your consent (when you sign up and grant permissions) and our legitimate interest in operating and improving the service.

3. Information sharing

We do not sell your personal data to third parties. We share data only in the following limited circumstances:

  • With other users: Your name, profile photo, and plans you create are visible to friends you connect with on Punch. Plans you mark as visible to a group are visible to members of that group.
  • Service providers: We use Supabase for backend infrastructure and data storage. These providers process data on our behalf under appropriate data protection agreements.
  • Apple and Google: When you sign in via Apple or Google, those services process your sign-in credentials under their own privacy policies. We receive only the information necessary to create your account.
  • Legal requirements: We may disclose data where required by law or to protect the rights and safety of users.

4. Data retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal reasons.

Content you have shared with other users (such as plans) may remain visible to those users in a depersonalised form after account deletion.

5. Your rights under UK GDPR

If you are based in the UK, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate data.
  • Right to erasure: You can ask us to delete your data (subject to legal obligations).
  • Right to restriction: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can ask for your data in a machine-readable format.
  • Right to object: You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at hello@joinpunch.co.uk. We will respond within one calendar month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

6. Children's privacy

Punch is not intended for users under 17 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

7. Security

We use industry-standard security measures to protect your data, including encryption in transit and at rest. However, no method of transmission over the internet is completely secure. We encourage you to use a strong password and to contact us immediately if you suspect any unauthorised access to your account.

8. International transfers

Your data may be processed outside the UK by our service providers. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

9. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via the app or by email. Continued use of Punch after changes take effect constitutes acceptance of the updated policy. The date at the top of this page reflects the most recent revision.

10. Contact us

If you have any questions about this policy or how we handle your data, please contact:

Serena North
Punch
hello@joinpunch.co.uk