Rewire

Last updated 18 June 2026

Privacy Policy

The short version

  • We collect the minimum we need to run the service: your email, and (if you sign up) the profile, content, and engagement you create inside Rewire.
  • Your data is stored in Australia (Sydney). Some overseas providers (Apple, Google, Cloudflare's edge, and a few EU-based email and error-reporting services) receive limited data for specific tasks, under transfer safeguards described below (some of which we are still putting in place).
  • We never sell your data. We share it only with the small set of service providers we use to actually run the app (listed below).
  • You can export your data, fix it, or delete it any time from inside the app. Email us if you can't reach the app.

Who is the data controller

Rewire Collective ("Rewire", "we", "us") is the data controller for the personal data described in this notice. Rewire Collective is the registered business name of an individual sole trader registered in Australia (ABN 28 168 078 315), based in Queensland; our full registered address is available on request. For any data-protection matter, contact: privacy@rewirecollective.ai.

EU representative (Article 27)

Because Rewire is established outside the European Union but offers its service to people in the EU, we are appointing a representative in the EU under Article 27 GDPR to act as a point of contact for EU residents and supervisory authorities on data-protection matters. Our EU representative's name and address will be published here once appointed; in the meantime, EU residents can reach us about any data-protection matter at privacy@rewirecollective.ai.

What we collect and why

The list below covers everything we may collect across the waitlist and the launched app. The exact subset that applies to you depends on how you use Rewire.

Waitlist (today)

  • Email address — to tell you when Rewire opens in your city. Required.
  • City and event interests — optional, to help us prioritise which cities to launch in.
  • Your browser's user-agent string — for spam-prevention and rough analytics. Truncated to 500 characters.

Signed-in app (when launched)

  • Identity — name, username, email, phone number, year of birth.
  • Profile content — bio, avatar, cover photo, city, interests.
  • User-generated content — posts, events, comments, photos and videos you upload. We strip location (EXIF/XMP) metadata from JPEG photos on your device before upload. Metadata stripping for other image formats (PNG/WebP) and for video is not yet in place.
  • Social graph — who you follow and who follows you, plus anyone you've blocked.
  • Engagement signals — likes, rewires, bookmarks, RSVPs to events.
  • Moderation events — reports you file, posts you hide, blocks you make.

Why we process it (legal basis)

  • Consent (Art 6(1)(a)) — joining the waitlist, opting in to optional features like AI-assisted feed personalization (when it ships).
  • Contract (Art 6(1)(b)) — running your account, hosting your content, sending you notifications you signed up for.
  • Legitimate interest (Art 6(1)(f)) — spam-prevention, safety, abuse moderation, keeping the service available. We balance these against your rights; if you object, email us.
  • Legal obligation (Art 6(1)(c)) — responding to lawful requests from authorities, where required.

Sensitive information

Rewire is not designed to collect special categories of data under Article 9 — such as health, religious or political beliefs, or sexual orientation — and we don't ask for them. But because you choose your interests, the events you join, and what you post, you may reveal such information yourself (for example, by joining a faith-based or LGBTQ+ meetup). Where you do, we process it only on the basis of your explicit consent (Article 9(2)(a)) or because you have manifestly made it public on the platform (Article 9(2)(e)). We never use it to infer sensitive traits about you or to target you, and you can remove it any time by editing or deleting the content.

Who else sees your data

We use a small number of service providers ("data processors") to run the service. Each handles your data only for the purpose listed; the legal safeguards (data-processing agreements and international-transfer mechanisms) are summarised under Subprocessors and safeguards below:

  • Supabase — database, authentication, and file storage. Australia (Sydney, ap-southeast-2).
  • Apple — Sign in with Apple (optional login method) and Apple Push Notification service. When you sign in with Apple, we receive a pseudonymous Apple user ID and, only if you choose to share it, your name and email. If you pick "Hide My Email", Apple forwards emails to you through their Private Email Relay — we never see your real address. Push notification tokens (when push ships) are stored against your account for delivery routing only.
  • Google — used for two distinct purposes: (1) Google Maps tiles when the event-map view loads on Android (coordinates of events being displayed are sent to Google to render the tiles); (2) Google Places API (New) for venue and address autocomplete when you create an event (the text you type is sent to Google, proxied through our backend so the API key isn't exposed on your device). Your device location is never sent to Google by us — see the "device location" clarification below. Sign in with Google is not offered; authentication is via email OTP or Apple only.
  • Sentry — crash and error reporting. EU (de.sentry.io). We redact identifying fields before sending.
  • Cloudflare — web hosting and CDN for this site. Edge presence is global, origin is EU.
  • Cloudflare Stream — video hosting, encoding, and adaptive streaming for video posts uploaded by hosts. Receives the raw video file at upload time and serves the encoded HLS playback to viewers. Operates on Cloudflare's global edge network with origin processing in the EU. Covered by the same DPA as Cloudflare web hosting; SCCs included for any non-EU edge serving.
  • Fly.io — application server hosting for our backend API (the service that handles every authenticated request from the mobile app). All API request data is processed in Fly's Sydney (syd) region. No long-term data storage on Fly — durable data lives in Supabase. DPA signed; SCCs included for any cross-border operational data.
  • Upstash — managed Redis used for rate-limit counters, server-side caches (feed pages, blocked-user sets), and BullMQ background-job queues. Data is ephemeral (TTL'd) and contains no PII not already present in Supabase. Australia (Sydney region). DPA signed.
  • Resend — transactional email delivery for authentication flows (signup confirmation, magic-link login codes, password reset, email-change confirmation, security alerts). EU region (eu-west-1, Ireland), via subdomain send.rewirecollective.ai. Receives only your email address and the message content.
  • Microsoft 365 — the mailbox that receives mail sent to any @rewirecollective.ai address (including privacy@, support@). Microsoft EU region.
  • Mistral AI — when we ship AI-assisted feed personalization, this is the EU-sovereign LLM we'll route requests to (Paris / Frankfurt). Opt-in only.
  • OpenStreetMap Foundation (Nominatim) — our backend uses it to reverse-geocode a device coordinate into a city label (for "near me" discovery and city detection at sign-up); it receives the latitude/longitude we send. Note: venue autocomplete on the Create Event screen used to call Nominatim directly from the device, but on 18 May 2026 we moved that specific feature to Google Places API (New), proxied through our backend, for better residential-address coverage in smaller Spanish municipalities. Nominatim remains in use for reverse-geocoding.

Device location. The mobile app may request your device location (with your permission) for "near me" event discovery and to detect your city during sign-up. When you use either, the coordinate is sent to our Australia-based backend, which filters nearby events server-side and reverse-geocodes the point into a city label via OpenStreetMap's Nominatim service. The coordinate is cached briefly (up to ~24 hours, rounded to roughly a 110-metre grid) and may appear in error logs; it is not stored against your profile. When you open the events map, Google renders the map tiles for the area in view (see Google, above). We don't use your location for advertising or analytics.

We don't sell personal data, ever. We don't use advertising trackers.

Where your data is processed

Rewire's core infrastructure — the database, file and video storage, caches, and API request handling — runs in Australia (Sydney), our launch market. A few ancillary providers operate elsewhere: transactional email and error reporting run in the EU, our support mailbox is in the EU, and our CDN serves globally (see the table below).

International transfers (Article 44). A small number of US-headquartered providers receive limited data to perform a specific function: Apple (push notification tokens and Sign in with Apple attributes), Google (event coordinates to render map tiles, and the venue text you type for address autocomplete), and Cloudflare (whose global edge network may serve this site and video playback from a location outside the EU, though origin processing stays in the EU). These transfers rely on the EU–US Data Privacy Framework (Apple, Google and Cloudflare self-certify) and/or Standard Contractual Clauses (Article 46). Durable storage of your data is now in Australia; because Australia has no EU adequacy decision, transfers of any EU/EEA user data there require an Article 46 safeguard such as Standard Contractual Clauses — which we are verifying and putting in place (it is not yet finalised; see the note above). See the Device location note above for how location coordinates are handled.

Subprocessors and safeguards

Each provider processes your data under a contract — a GDPR Article 28 data-processing agreement where the provider offers one. Transfers outside the European Economic Area rely on the EU–US Data Privacy Framework, the European Commission's Standard Contractual Clauses (Article 46), or an adequacy decision. The basis per provider:

Provider | Location | Safeguard
Supabase | Australia (Sydney) | DPA; SCCs (pending) for EU/EEA-user transfer
Sentry | EU | DPA; data stays in the EEA
Upstash | Australia (Sydney) | DPA; SCCs for any cross-border transfer
Resend | EU (Ireland) | DPA; data stays in the EEA
Fly.io | Australia (Sydney) | DPA; SCCs for any cross-border operations
Apple | US | DPA; EU–US Data Privacy Framework
Google | US | DPA; EU–US Data Privacy Framework / SCCs
Cloudflare (incl. Stream) | US; EU origin | DPA; DPF / SCCs for non-EU edge
Microsoft 365 | EU region | DPA; EU–US Data Privacy Framework
Mistral AI (when launched) | EU | DPA; data stays in the EEA
OpenStreetMap / Nominatim | UK | UK adequacy decision

Cookies

We use a small number of cookies on this website, only what's strictly needed to run the service. The mobile app does not use cookies — your session token is stored in iOS Keychain / Android Keystore (encrypted at-rest, isolated per-app).

  • Session cookie (HttpOnly, set by Supabase) — keeps you signed in on the web.
  • Cloudflare bot-mitigation cookies (__cf_bm, _cfuvid) — protect the site from automated abuse.
  • Consent cookie (rewire-consent) — remembers your choice so you don't see the banner every visit. Expires after about 13 months (390 days).

We do not currently use analytics or advertising cookies. The consent banner has toggles for both categories so the infrastructure is in place — flipping them on today does nothing because no such cookies are set. If we add analytics in future, we'll only initialise those SDKs after you opt in.

You can change your cookie preferences at any time via the Manage cookies link in the site footer. This re-opens the consent banner so you can revoke or update your decision.

How long we keep it

  • Waitlist email — until we launch in your city, then until you unsubscribe. You can ask us to delete it sooner.
  • Account data — until you delete your account. Deletion is immediate and irreversible: your content (posts, events, comments) and engagement records are erased from our database in the same request. Uploaded media is removed from object storage on a best-effort basis immediately after.
  • Video files (Cloudflare Stream) — retained for the life of your account. Deleted in the same erasure transaction as your database row; an orphan-sweep job reconciles any best-effort failures.
  • Notifications — retained while your account is active. We're rolling out automated pruning that will delete notifications older than 90 days.
  • Audit logs and moderation records — retained for abuse-prevention and legal compliance. We're implementing automated deletion with a 7-year maximum retention.

Your rights

Under the GDPR, you have the right to:

  • Access a copy of your data (Article 15). When you have an account, Settings → Download my data exports your data as machine-readable JSON. Media (photos, videos) is referenced by URL rather than embedded, and very large accounts export up to a per-section limit — if you need a complete copy beyond that, email us and we'll provide it.
  • Rectify inaccurate data (Article 16). Edit your profile in-app.
  • Erase your data (Article 17). Settings → Delete account, or email us.
  • Restrict or object to processing (Articles 18 + 21). For optional features (notifications, future AI personalization), use the in-app toggles. For other processing, email us.
  • Data portability (Article 20) — the export above is machine-readable JSON suitable for moving your data elsewhere.
  • Withdraw consent at any time, where consent is the basis. This doesn't affect processing already done.
  • Lodge a complaint with your national Data Protection Authority (Article 77). A list is at edpb.europa.eu.

Australia — your privacy rights

Rewire is available in Australia, and we handle Australian users' personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). These rights sit alongside the GDPR rights above — whichever applies to you.

  • Access and correction (APP 12 & 13) — you can access and fix your information from Settings in the app, or by emailing us. We respond within a reasonable period.
  • How we collect and use it (APP 3, 5 & 6) — we collect only what we need to run the service (see "What we collect and why" above) and use it only for those purposes or as you would reasonably expect.
  • Overseas disclosure (APP 8) — your information is stored in Australia. Some providers are overseas: Apple, Google and Cloudflare (United States); and Resend, Sentry and Microsoft 365 (European Union). We take reasonable steps to ensure they handle your information consistently with the APPs, but their countries' privacy laws may differ from the APPs; email us for details about any overseas disclosure.
  • Anonymity (APP 2) — you can browse the public website without an account; an account is needed to post or RSVP.
  • Security and retention (APP 11) — see "How long we keep it" above; we delete or de-identify information we no longer need.

Data-breach notification. If a data breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme.

Complaints. If you have a privacy concern, email privacy@rewirecollective.ai first and we'll try to resolve it. If you're not satisfied, you can complain to the OAIC at oaic.gov.au.

Automated decision-making

We do not currently make decisions about you using automated processing in any way that produces legal or similarly significant effects. If we ship AI-assisted feed personalization in the future, it will be opt-in, won't affect your access to the service, and you'll be able to turn it off any time.

Children

Rewire is not intended for anyone under 16. We don't knowingly collect data from users below that age. If you believe a child has signed up, email privacy@rewirecollective.ai and we'll delete the account.

Changes to this notice

If we make substantive changes — adding a new data category, adding a new processor, changing the legal basis — we'll update the date at the top and email anyone who has an account or is on the waitlist. The previous version remains available on request.

Contact

For anything in this notice — including data-access requests and deletions — email privacy@rewirecollective.ai. We respond within 30 days (Article 12(3)).