Privacy policy

Last updated: 1 March 2026

This privacy policy explains how RHUL Mobile ("we", "us", or "the app") collects, uses, stores, and protects your information when you use our mobile app and website. We believe in transparency and want you to understand exactly what data we handle.

Who we are

RHUL Mobile is an independent, student-built app. We are not affiliated with, endorsed by, or officially connected to Royal Holloway, University of London. We simply built a tool we wished existed as students.

Information we collect

We collect the minimum data needed to provide and improve RHUL Mobile. Here's what we collect:

Account information

When you create an account or sign in:

  • Authentication data: If you sign in with Apple or Google, we receive your email address and name from these providers. We store your email for account management purposes. You can choose to hide your email when signing in with Apple.
  • Profile information: Display name and profile picture that you optionally provide.
  • Anonymous accounts: If you use the app without signing in, we create an anonymous account with a random identifier. No personal information is collected.
  • University verification: You may optionally verify your Royal Holloway email address to access certain features, such as posting on the marketplace.

Device and technical information

When you use the app, we may collect technical details such as:

  • Device model and platform
  • Operating system version
  • App version and build number
  • Push notification token (if notifications are enabled)

Usage analytics

We use PostHog (EU-hosted) for product analytics and debugging:

  • Which screens you view and features you use
  • Content interactions (such as saves, shares, and marketplace actions)
  • App performance and stability signals
  • Session replay with text inputs masked

Session replay helps us identify bugs and UX issues. Your typed text is masked before capture.

User-generated content

If you post on the marketplace, we store:

  • Your post content (title, description, category, price if applicable)
  • Images you upload
  • The contact method you choose to share (phone number, email address, or Instagram handle)
  • Any reports submitted about posts (reason/details) for moderation and safety

Important: Contact information you add to marketplace posts is visible to other users. Only share what you're comfortable making public.

Saved items and preferences

We store your:

  • Saved/bookmarked content (news articles, events, bus stops, societies, etc.)
  • Event RSVPs (events you mark as "going")
  • App preferences and settings
  • Quick actions order customisation
  • Home screen widget configuration (selected bus stops and laundry rooms)

Feedback and support data

If you send feedback through the app, we store:

  • Your feedback message and category (bug, crash, feature request, etc.)
  • Optional technical context (screen name and stack trace)
  • Device context (platform, OS version, app version, model)
  • A PostHog identifier/session reference used for debugging

Permissions and on-device data

The app may request optional permissions when you use specific features:

  • Location: Used for "locate me" and campus walking directions. Location data stays on your device and is not transmitted to our servers. We do not continuously track or store your location history.
  • Camera and photos: Used if you choose to upload an avatar or marketplace image.
  • Calendar: Used only when you choose "Add to calendar" for an event. We write events to your calendar but never read existing calendar data.
  • Notifications: Used for push notifications and local reminders (for example, laundry and bus alerts).
  • Face ID / biometrics: Used by the operating system to protect your authentication session stored in the device keychain. We do not receive or store biometric data.

In-app purchases

If you make in-app purchases (for example, marketplace bump credits or paid entitlements):

  • We do not collect or store your payment details. All payments are processed by Apple (App Store) or Google (Play Store).
  • We use RevenueCat to validate purchases and manage entitlements. RevenueCat receives transaction identifiers associated with your app user ID.
  • We store a record of your purchase (product type, duration, timestamp) to provide the service.

Your credit card number, billing address, and other payment details are handled entirely by Apple or Google and are never shared with us.

Device security

To enforce account bans and prevent abuse, we may generate and store a device fingerprint (a hashed identifier). This helps us prevent banned users from creating new accounts on the same device. We do not use this fingerprint for advertising or tracking purposes.

Home screen widgets

If you use iOS home screen or lock screen widgets (bus departures, laundry availability), the app fetches data from our servers and stores it locally in a shared app container on your device. No additional personal data is collected through widgets.

Website cookies and local storage

On rhulmobile.com, we use cookies and local storage for analytics and consent preferences. We use a cookie banner so you can choose whether to allow analytics tracking.

If you opt out, we store that preference and disable PostHog capture for the site.

Information we do not collect

  • Your academic records, grades, or student ID
  • Your credit card numbers, billing address, or bank details (payments are handled by Apple/Google)
  • Your contacts or existing personal calendar data
  • Persistent precise-location history
  • Any data protected under FERPA or similar regulations

How we use your information

  • To provide the service: Syncing saved items, publishing your content, and delivering core app features.
  • To improve reliability: Understanding usage patterns helps us prioritise features and fix issues.
  • To keep the community safe: Moderating content, handling reports, and preventing abuse.
  • To communicate: Sending service notifications and important product updates.
  • To process purchases: Activating paid features and recording purchase outcomes.

Data storage and security

  • Where: App data is stored using Supabase and related infrastructure providers.
  • Encryption: Data is encrypted in transit (TLS). Storage protections are managed by our infrastructure providers.
  • Access: Access is limited to authorised maintainers and service providers who need it to operate the service.
  • Security: We apply reasonable technical and organisational safeguards, but no system is completely risk-free.

Third-party services

We use these trusted third-party services:

Service | Purpose | Privacy policy
Supabase | Authentication, database, storage, and serverless functions | supabase.com/privacy
PostHog | Analytics and session replay | posthog.com/privacy
Expo | Mobile app framework and notification infrastructure | expo.dev/privacy
Apple Sign In | Authentication (if you choose) | apple.com/legal/privacy
Google Sign In | Authentication (if you choose) | policies.google.com/privacy
RevenueCat | In-app purchase management | revenuecat.com/privacy
Google Maps | Campus map rendering on Android | policies.google.com/privacy
Slack | Internal moderation and operational alerts (for example, marketplace report workflows) | slack.com/privacy-policy

Your rights

You have full control over your data:

  • Access: View your profile and saved data any time in the app.
  • Correction: Update your display name, avatar, and preferences in settings.
  • Deletion: Delete your account from within the app.
  • Portability: Contact us to request an export of your data.
  • Opt-out: You can use the app anonymously without creating a full account, and website visitors can opt out of analytics cookies.

Data retention

  • Active accounts: Data is retained while your account exists.
  • Deleted accounts: When you delete your account, personal information (email, name, avatar, push token, preferences, and uploaded files) is scrubbed immediately. Your data is retained in a de-identified state for up to 30 days for safety review, after which it is permanently deleted from all active systems.
  • Marketplace posts: Automatically expire after 30 days unless renewed.
  • Analytics and feedback logs: Retained according to provider settings and operational/legal needs.

Children's privacy

RHUL Mobile is intended for university students and is not directed at children under 16. We do not knowingly collect information from anyone under 16. If you believe we have collected data from a child, please contact us immediately.

International data transfers

Your data may be processed in countries outside your residence, including through our third-party providers. We rely on provider safeguards for international transfers where required.

Changes to this policy

We may update this privacy policy from time to time. Significant changes will be announced through the app or website. The "Last updated" date at the top shows when this policy was last revised.

Contact us

Questions about this privacy policy or your data? Email us at rhulmobile@shack.solutions.