Privacy Policy

1. Introduction

Flock Together ("we," "us," or "our") operates the website flocktogether.ai and the application at app.flocktogether.ai (collectively, the "Service"). We are based in Montreal, Quebec, Canada.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and handling your data transparently. Please read this policy carefully. By using Flock Together, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and authentication credentials through our authentication provider. You may also provide a display name and avatar image. If you sign in using a third-party provider (such as Google), we receive your name, email address, and profile picture from that provider.

2.2 AI-Generated Personality Profiles

Flock Together asks you to paste a prompt into your AI assistant (such as ChatGPT, Claude, or Gemini) and share the resulting personality description with us. We want to be clear: we never see your actual AI conversations. We only receive the personality description your AI generates about you. This description typically includes information about your personality traits, interests, communication style, values, and what makes you unique.

2.3 Profile and Search Information

You provide additional information when setting up your profile and creating searches. This includes your general location, the types of connections you are seeking (friendship, romantic, cofounder, mentor, debate partner, hobby buddy, penpal, or other), descriptions of what you are looking for, and your anonymity preferences.

2.4 Vector Embeddings

We use AI technology (Google Gemini) to convert your personality profile into mathematical representations called vector embeddings. These embeddings are numerical arrays that capture the semantic meaning of your profile in a format that allows us to calculate compatibility with other users. Embeddings are stored in our database using pgvector and are used solely for the purpose of matching you with compatible people.

2.5 Chat and Messaging Data

When you communicate through Flock Together, we collect and store the content of your messages, including text, images you upload, GIF selections, and emoji reactions. We also collect metadata such as timestamps, read receipts, and typing indicators (typing indicators are transmitted in real time and not permanently stored).

2.6 Automatically Collected Information

When you access our Service, we automatically collect certain technical information, including your IP address, browser type and version, device type, operating system, referring URLs, and pages visited. We use cookies and similar technologies for authentication, session management, and remembering your locale preferences.

3. How We Use Your Information

We use the information we collect to:

• Provide the matching service: We process your personality profile through AI to generate embeddings and find compatible matches based on personality similarity and complementary traits.
• Facilitate communication: We deliver messages, images, GIFs, reactions, and notifications between matched users.
• Moderate content: Our AI moderation system reviews reported content and user behavior to maintain community safety. This includes analyzing reported messages and proposing moderation actions.
• Send notifications: We send email notifications about new matches, messages, and moderation decisions. You can manage your notification preferences in your account settings.
• Manage anonymity: We enforce the three-stage identity reveal system (anonymous, public profile, full identity) to ensure that your identifying information is only shared when you explicitly choose to reveal it.
• Improve the service: We analyze aggregate, de-identified usage patterns to improve matching accuracy, platform features, and user experience.
• Ensure security: We use your information to detect and prevent fraud, abuse, and violations of our Terms of Service.

4. AI Processing and Automated Decision-Making

Flock Together relies on AI technology at several stages of the service. We believe in being transparent about how AI is used with your data:

4.1 Profile Analysis

When you submit your AI-generated personality description, we use Google Gemini to analyze it and generate a structured profile that includes personality traits, interests, values, communication style, and other characteristics. This processed profile is what other users may see (subject to your anonymity settings).

4.2 Embedding Generation and Matching

We generate vector embeddings from your profile using Google Gemini. These embeddings are compared against those of other users to identify potential matches. The matching algorithm considers personality compatibility, shared interests, complementary traits, and your search preferences. Matching is fully automated, but you always choose whether to accept or decline a match.

4.3 AI Moderation

Our AI moderation system reviews reported content and user behavior. The AI can propose moderation actions such as warnings, content removal, or temporary restrictions. Significant moderation decisions (such as account suspension) involve human review.

4.4 Conversation Openers

When a match is created, our AI generates a personalized conversation opener based on the shared traits and interests between the two matched users. This uses data from both users' profiles but does not expose raw profile data that either user has chosen to keep anonymous.

5. Data Sharing and Third-Party Services

We do not sell your personal data to third parties. We share your information only in the following limited circumstances:

5.1 Service Providers

We use the following third-party service providers who process data on our behalf:

• Supabase: Provides our database, authentication, real-time messaging infrastructure, and file storage. Your account data, messages, profiles, and uploaded images are stored on Supabase infrastructure. Supabase processes data in accordance with their privacy policy and applicable data protection agreements.
• Google (Gemini AI): We send your personality descriptions and profile data to Google Gemini for AI analysis, embedding generation, moderation review, and conversation opener generation. Google processes this data according to their AI data usage policies. We use the Gemini API, which has different data handling practices than consumer Google products.
• Vercel: Hosts our web application and processes HTTP requests. Vercel may collect standard server logs including IP addresses and request metadata.

5.2 Other Users

When you are matched with another user, certain information is shared according to your visibility settings. In anonymous mode, only your AI-generated personality summary and conversation opener are visible. When you reveal your public profile, your interests, description, and general location become visible. When you reveal your full identity, your name and avatar are shared.

5.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request.

6. Cookies and Local Storage

We use cookies and similar technologies for the following purposes:

• Authentication: Session cookies managed by Supabase to keep you logged in and verify your identity across requests.
• Locale preferences: A cookie to remember your preferred language (English or French) so we can serve content in your language.
• Security: Cookies that help protect against cross-site request forgery and other security threats.

We do not use advertising or tracking cookies. We do not use third-party analytics cookies. You can configure your browser to refuse cookies, but this may prevent you from using certain features of the Service, particularly authentication.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account and profile data: Retained while your account is active. When you delete your account, your data is retained for 90 days for safety, legal compliance, and law enforcement purposes, then permanently deleted.
• Vector embeddings: Deleted when your account is permanently purged (90 days after deletion). Embeddings are regenerated if you update your personality profile.
• Chat messages: Retained while your account is active. After account deletion, messages are retained for the 90-day safety period and then permanently deleted. This retention period exists to support potential law enforcement requests or safety investigations involving inappropriate content.
• Moderation records: Records of moderation actions may be retained for up to 12 months after the action for safety and audit purposes, even if the associated account is deleted.
• Server logs: Automatically collected technical data is retained for up to 90 days.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS
• Encryption of data at rest in our database
• Row-level security policies in our database to ensure users can only access data they are authorized to see
• Secure authentication through Supabase with support for email/password and OAuth providers
• Regular security reviews of our infrastructure and codebase

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: You can request a copy of the personal data we hold about you.
• Correction: You can update or correct your personal data at any time through your account settings. You can regenerate your personality profile by submitting a new AI-generated description.
• Deletion: You can delete your account at any time through your account settings. Upon deletion, your account is immediately deactivated and your data is permanently erased after a 90-day retention period as described in the Data Retention section.
• Data portability: You can request your personal data in a structured, commonly used, machine-readable format.
• Objection to automated processing: You can object to decisions made solely through automated processing, including AI-based matching and moderation. However, since automated matching is a core function of the Service, objecting to all automated processing may limit your ability to use the Service.
• Withdrawal of consent: Where we rely on your consent to process personal data, you can withdraw consent at any time by deleting your account or contacting us.

To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within 30 days.

10. Canadian Privacy Law

As a Canadian company based in Quebec, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Under these laws, you have the right to access, correct, and delete your personal information. We obtain meaningful consent before collecting, using, or disclosing your personal information and limit collection to what is necessary for the purposes identified.

11. International Data Transfers

Our service providers (Supabase, Google, and Vercel) may process your data in the United States or other jurisdictions outside of Canada. When your data is transferred internationally, it is subject to the privacy laws and practices of those jurisdictions. We ensure that our service providers maintain appropriate data protection measures through contractual obligations and by selecting providers that adhere to recognized privacy frameworks.

12. Children's Privacy

Flock Together is not intended for use by anyone under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a new "Last updated" date and, where appropriate, notifying you by email. We encourage you to review this policy periodically.