Privacy Policy
Effective date: April 19, 2026
1. Introduction
Bumpt is a gamified event networking platform operated by Raymond Torino. This policy explains what data we collect, why we collect it, and how we handle it. We keep things simple and transparent because your trust matters.
2. Data We Collect
Account data
Name, email address, and profile photo from your Google account when you sign in.
Event profile data
Information you provide during onboarding such as your office location, department, tenure, interests, and optional selfie. This data is scoped to each event you join.
Activity data
QR code scans (encounters), quest completions, collectibles earned, leaderboard positions, poll votes, feedback responses, and Q&A questions submitted.
AI-generated data
Chemistry scores, compatibility insights, and conversation prompts generated when you scan another attendee's QR code.
Technical data
Standard server logs (IP address, browser type, timestamps). We do not use third-party analytics or tracking cookies.
3. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Authenticate your identity | Contract performance |
| Match you with other attendees | Consent (event participation) |
| Generate AI chemistry insights | Consent (event participation) |
| Compute leaderboard scores | Legitimate interest |
| Send push notifications | Consent (opt-in) |
| Provide event analytics to organizers | Legitimate interest |
| Improve the service | Legitimate interest |
4. AI Data Processing
When you scan another attendee's QR code, we send both profiles (interests, department, office) to Anthropic's Claude API to generate chemistry scores and conversation starters. This data is processed in the United States.
Anthropic does not use your data to train their models. The data is processed in real time and not stored by Anthropic beyond the API request lifecycle. See Anthropic's privacy policy for details.
5. Data Sharing
We do not sell your data. We share data only with the following sub-processors to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, file storage, real-time | Singapore |
| Vercel | Application hosting, edge functions | Singapore (sin1) |
| Authentication (SSO) | Global | |
| Anthropic | AI chemistry matching | United States |
| DiceBear | Default avatar generation (no PII sent — uses initials only) | EU (CDN) |
6. Data Retention and Deletion
- Event-scoped data: When an organizer removes you from an event, all your event data (encounters, quests, collectibles, leaderboard entries, feedback, and share tokens) is permanently deleted. You can rejoin and start fresh.
- Share links: Memory artifact share links expire after 7 days and become inaccessible.
- Account deletion: Contact us to delete your account entirely. We will remove all your data across all events.
7. Anonymous Q&A
Questions submitted through the anonymous Q&A feature are truly anonymous. We do not store a user ID, IP address, or any other identifying information with anonymous submissions. There is no way for us, event organizers, or anyone else to trace an anonymous question back to you.
8. Your Rights
Under GDPR and similar data protection laws, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent at any time
To exercise any of these rights, email us at hello@bumpt.app.
9. Cookies
We use only strictly necessary cookies. No tracking, no analytics, no third-party cookies.
| Cookie | Purpose | Type |
|---|---|---|
| authjs.session-token | Authentication session | Strictly necessary |
| bumpt-guest-event-id | Active event context (guest) | Strictly necessary |
| bumpt-admin-event-id | Active event context (admin) | Strictly necessary |
10. Security Measures
- All data transmitted over HTTPS/TLS
- Database access restricted via connection pooler with role-based credentials
- File storage uses signed URLs with time-limited access
- Authentication via Google SSO (no passwords stored)
- Admin actions are audit-logged
- Row-level security on database tables
11. Children's Privacy
Bumpt is designed for corporate events and professional networking. It is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. If we make significant changes, we will notify you through the app or by email. The effective date at the top of this page will always reflect the latest version.
13. Contact
Questions or concerns? Reach out to:
Raymond Torino
hello@bumpt.app
Last updated: April 19, 2026
↑ Back to top