Privacy Policy
1. Introduction
Welcome to SourMango Nomads. This Privacy Policy explains how Sour Mango Limited (Unit 2A, 17/F, Glenealy Tower, No.1 Glenealy, Central, Hong Kong S.A.R., BR No. 78608208) collects, uses, discloses, and protects your personal information when you use our mobile application (the "App") and related services (collectively, the "Services").
By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the App.
Important: The App is available worldwide excluding Hong Kong S.A.R. The App is intended for users aged 16 and older. We do not knowingly collect personal information from anyone under the age of 16.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Email address, first and last name, phone number, date of birth, gender
- Profile Information: Profile photo, biography, social media links, traveler type (e.g., Digital Nomad, Backpacker), monthly budget range, travel interests (e.g., Food, Nature, Culture, Adventure)
- Passport & Visa Data: Primary passport country/nationality, additional passport countries (premium members)
- Travel Content: Travel posts (photos, videos, captions, location tags), comments, likes
- Communications: Direct messages with other users, community posts
- Voice & Image Input: Voice recordings for speech-to-text translation, photos of menus/signs/documents for text translation
2.2 Information Collected Automatically
- Location Data: Precise GPS coordinates (latitude/longitude), city and country derived from your location, travel history (cities and countries visited with arrival/departure dates)
- Device Information: Device platform (iOS/Android), push notification tokens
- Crash & Performance Data: Crash logs, error reports, and diagnostic data via Firebase Crashlytics
- Usage Data: Login timestamps, feature interactions, network connectivity status
2.3 Information from Third-Party Services
- Google Sign-In: Email address, name, profile picture
- Sign in with Apple: Email address (may be a private relay address), name
- RevenueCat: Subscription status and entitlements (we do not receive or store your payment card details)
3. How We Use Your Information
- Provide and operate the App — account creation, authentication, profile management, travel planning, itinerary generation
- Enable social features — connecting with other travelers ("mates"), messaging, sharing travel posts, location sharing
- Provide travel tools — real-time translation (text, speech, image-based), currency conversion, weather information, flight search, visa requirement lookup
- Deliver AI-powered features — personalized travel recommendations, AI chat assistant
- Process subscriptions — manage premium ("Ripe") membership and in-app purchases via RevenueCat
- Send notifications — push notifications for messages, mate requests, travel reminders, visa expiry alerts
- Improve app stability — crash reporting and diagnostics via Firebase Crashlytics
- Ensure safety and security — fraud detection, abuse prevention, enforcing our terms of service
- Comply with legal obligations — respond to lawful requests from authorities, enforce legal rights
4. Location Data
Location data is central to the App's functionality:
- Location detection: We use your device's GPS to detect your current city and country and provide local travel recommendations (nearby attractions, restaurants, coworking spaces, medical facilities).
- Travel history: When you log a location, we store your travel history (cities, countries, arrival/departure dates, transport mode) to build your travel timeline and statistics.
- Location sharing with mates: You may choose to share your real-time location with your connected mates. This feature is off by default and can be toggled on or off at any time in your settings. When enabled, your location is visible only to your approved mates.
- You can revoke location access at any time through your device's operating system settings.
5. How We Share Your Information
We do not sell your personal data. We share your information only in the following circumstances:
5.1 With Other Users
- Your public profile (name, photo, bio, travel stats) is visible to other App users.
- Travel posts you publish are visible to other users.
- Direct messages are shared with the intended recipient(s).
- If you enable location sharing, your real-time location is visible to your approved mates.
5.2 With Service Providers
- Google Firebase (Google LLC) — Cloud infrastructure, push notifications (FCM), crash reporting (Crashlytics)
- Google Maps Platform (Google LLC) — Map display, points of interest, place search
- Google Gemini AI (Google LLC) — AI-powered travel recommendations and chat assistant (no personal identifiers sent)
- Google ML Kit (Google LLC) — On-device text translation and OCR (processed on-device, not sent to Google servers)
- RevenueCat (RevenueCat Inc.) — Subscription and in-app purchase management
- Amadeus (Amadeus IT Group) — Flight search and pricing (no personal data)
- Travelpayouts — Flight price data and IATA code resolution (no personal data)
- OpenStreetMap / Nominatim — Reverse geocoding (coordinates to city/country)
5.3 For Legal Reasons
We may disclose your information if required by law, including court orders, government requests, or to protect the rights, property, or safety of Sour Mango Limited, our users, or the public.
5.4 Business Transfers
If Sour Mango Limited is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.
6. International Data Transfers
Our Services operate on multi-region cloud infrastructure. Your personal data may be transferred to and processed in countries other than your country of residence. Where we transfer personal data outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or your explicit consent.
7. Data Retention
- Account and profile data: Until account deletion + 30 days
- Travel history: Until account deletion + 30 days
- Chat messages: Until account deletion + 30 days
- Travel posts and media: Until account deletion + 30 days (or until individually deleted by you)
- Crash logs and diagnostics: 90 days (managed by Firebase Crashlytics)
- Push notification tokens: Until account deletion or token invalidation
When you delete your account, we will permanently erase your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes.
8. Data Security
- Encryption in transit: All data transmitted between the App and our servers is encrypted using HTTPS/TLS. Real-time communications use secure WebSocket connections (WSS).
- Secure token storage: Authentication tokens are stored using platform-native secure storage (iOS Keychain / Android Keystore).
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Media integrity: Uploaded media files are hashed for integrity verification.
Note on chat messages: Messages between users are encrypted in transit and stored on our servers. They are not end-to-end encrypted. We may access message content for safety and moderation purposes or in response to lawful requests.
9. Biometric Authentication
The App offers an optional biometric lock feature (Face ID, Touch ID, or fingerprint) to restrict access to the App on your device. This is a convenience and security feature that is entirely optional and controlled by you.
- No biometric data collected: Biometric authentication is handled entirely by your device's operating system (iOS or Android). We do not collect, access, store, process, or transmit any biometric data such as facial geometry, fingerprint patterns, or iris scans.
- Preference storage only: We store a single boolean preference (enabled/disabled) in your device's platform-native secure storage (iOS Keychain / Android Keystore) to remember whether you have opted in to biometric lock.
- On-device only: No biometric data ever leaves your device or reaches our servers.
- User control: You can enable or disable biometric lock at any time in Settings > Security.
10. Your Rights
All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and personal data.
- Withdraw consent: Withdraw consent for processing where consent is the legal basis.
EEA/UK Residents (GDPR / UK GDPR)
- Data portability — receive your data in a structured, machine-readable format
- Restriction of processing in certain circumstances
- Object to processing based on legitimate interests
- Right not to be subject to solely automated decision-making
- Lodge a complaint with your local Data Protection Authority
California Residents (CCPA/CPRA)
- Right to know what personal information we collect and how it is used
- Right to delete personal information
- Right to opt out of sale/sharing — we do not sell or share personal information for cross-context behavioral advertising
- Right to non-discrimination for exercising your privacy rights
Brazilian Residents (LGPD)
- Confirmation of processing
- Access, correction, anonymization, blocking, or deletion of unnecessary or unlawfully processed data
- Data portability to another service provider
- Information about public and private entities with which we share data
We also respect rights under the Australian Privacy Act, Canadian PIPEDA, Japanese APPI, South Korean PIPA, and Singapore/Thailand PDPA.
To exercise your rights, email privacy@sourmango.ai. We will respond within 30 days.
11. Children's Privacy
The App is not intended for anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@sourmango.ai.
12. Third-Party Links and Services
The App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
13. Push Notifications
We use Firebase Cloud Messaging (FCM) to send push notifications, including new messages from mates, connection requests, and travel-related reminders. You can manage or disable push notifications at any time through your device's system settings.
14. Cookies and Tracking Technologies
The App is a native mobile application and does not use browser cookies. Third-party SDKs integrated into the App (such as Firebase) may use device identifiers or similar technologies for their operation. These are used solely for functional purposes and not for advertising or cross-app tracking.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and notify you through the App or via email. Your continued use of the App after any changes constitutes your acceptance of the revised Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:
Sour Mango Limited
Unit 2A, 17/F, Glenealy Tower, No.1 Glenealy
Central, Hong Kong S.A.R.
Email: privacy@sourmango.ai
For EEA/UK residents: Although we do not currently have a designated Data Protection Officer, you may direct all privacy-related inquiries to the email address above. You also have the right to lodge a complaint with your local Data Protection Authority.
17. Jurisdiction-Specific Disclosures
For Users in the European Economic Area (EEA) and United Kingdom
- Data Controller: Sour Mango Limited (contact details above)
- Legal bases for processing: As set out in Section 3
- International transfers: As set out in Section 6
- Supervisory authority: You have the right to lodge a complaint with your local supervisory authority
For Users in California, United States
In the preceding 12 months, we have collected Identifiers, Personal information, Protected classification characteristics, Geolocation data, Audio/visual information, Electronic network activity, and Inferences. None of these categories have been sold or shared for cross-context behavioral advertising.
For Users in Brazil
- Legal bases for processing under LGPD: Consent, performance of contract, and legitimate interest, as applicable
- Data protection authority: You may contact the Autoridade Nacional de Proteção de Dados (ANPD)
This Privacy Policy is governed by the laws applicable in your jurisdiction of residence.