Privacy Policy

This Privacy Policy explains how H2H ("H2H," "we," "us") collects, uses, discloses, and protects information when you use the H2H Proximity mobile application and related services (the "Service").

H2H Proximity is a nearby discovery and communication service built around Bluetooth Low Energy ("BLE") discovery, short-lived nearby announcements, private 1-to-1 chat, attachments, and voice or video calling. Depending on connectivity and device support, the Service may use direct local device communication, Wi‑Fi Direct, WebSocket relay, and call signaling or relay infrastructure.

If you do not agree with this Privacy Policy, do not use the Service.

1. What we collect and process

1.1 Local and account identifiers

We collect and process identifiers needed to operate Proximity, which may include:

• A device-generated Proximity identity created locally on first use.
• Cryptographic keys associated with that identity and stored in protected device storage.
• An anonymous backend account identifier created in the background to support limited network services, integrity features, optional display metadata, or notification delivery.
• Optional profile metadata, such as a display name or profile photo, if you add it or if it is otherwise available to the Proximity experience.

You are not required to provide your real name to use core Proximity features.

1.2 Device, app, and network information

We collect and process technical information needed to operate, secure, and troubleshoot the Service, such as:

• App version, device model, operating system version, language, and related technical configuration.
• Installation identifiers, push-notification token(s), and app-check or integrity tokens where used.
• IP address, connection metadata, relay session metadata, and other network information necessarily processed when your device communicates with our infrastructure or service providers. IP addresses processed by our relay and signaling infrastructure are not stored long-term in association with message content; they are used for connection routing and abuse prevention and are retained only for the periods described in Section 6.

1.3 Nearby discovery and radio data

If you enable Proximity and grant the required permissions, we process information involved in nearby discovery and matching, including:

• BLE advertising and scanning data.
• Pseudonymous nearby identifiers or hashes used for short-range visibility. These identifiers are designed to limit long-term tracking by external observers and are not your account identifier.
• Signal strength readings (RSSI), timestamps, and derived approximate distance indicators.
• Selected keywords and role labels you choose for matching.
• Announcement metadata such as announcement text, voice-clip availability, and expiration timing.

BLE is used for nearby discovery and lightweight visibility signaling. Ordinary chat, file, and call traffic use separate communication paths.

Approximate nearby indicators are not precise measurements and may be affected by radio conditions, device differences, obstructions, interference, spoofing, replay, or relay behavior.

Important: Proximity does not use GPS coordinates to place people on the radar. On some Android versions, however, nearby discovery frameworks may still require location permission or active location services for BLE or nearby connectivity to function.

1.4 Communications and user content

We process content you create or exchange through Proximity, including:

• Text messages.
• Voice notes.
• Images and other file attachments.
• Short-lived announcement text and announcement voice clips.
• Pulses content: when you set a Pulse, your selected emotional state and chosen invitation phrase are processed to enable matching with nearby users in similar states. This information is visible to matched users in the Pulses interaction.
• Call signaling data and session metadata needed to establish voice or video calls.
• Media connection metadata produced by calling components.

Important note on Pulses: Pulses involves users sharing emotional states (such as feeling lonely, heavy, or lost). We treat this content with the same care as other communications data, but we want you to be aware that emotional states you share through Pulses are visible to matched users and, if you choose to chat, to the person you talk with. As with any other content shared with another user, the recipient may copy, screenshot, or re-share it.

Important note on Announcements: Announcements are broadcast to all nearby users with the app, not directed at any specific recipient. The text and voice content you include in an announcement is visible to every nearby person who receives it for the duration of the announcement's expiry.

Call media may travel by direct or relay-assisted network paths depending on connectivity, device support, and runtime configuration.

1.5 On-device storage and caches

Proximity stores substantial working data on your device. That may include:

• Local chat database records, message states, unread counters, and thread metadata.
• Blocked-peer records.
• Attachments copied into app-private storage.
• Temporary recordings and cached announcement voice files.
• Peer profile cache entries, selected keywords, Proximity on/off state, and other local preferences.
• Security material stored in secure storage.

This local storage supports offline continuity, retry behavior, delivery tracking, and faster reopening of the Proximity experience.

1.6 Diagnostics, integrity, and abuse prevention

We collect and process information needed to maintain reliability and integrity, such as:

• Crash reports, performance signals, and structured diagnostics.
• Event timing, state transitions, transfer outcomes, and error categories.
• Integrity and trust signals, including public-key material, signature verification outcomes, replay-detection data, and quarantined peer-key events.
• Block status and related enforcement data.

Our diagnostic systems are intended to avoid raw message text, raw media, and full file paths where possible, and may use shortened or sanitized identifiers instead. No diagnostic redaction process is perfect.

1.7 What we do not require as part of core Proximity

• We do not require your real name, government ID, or payment card information to use core Proximity features.
• We do not use precise GPS coordinates to place you on the Proximity radar.
• We do not sell personal information for cross-context behavioral advertising.

2. How we use information

We use information to:

• Provide and operate Proximity, including generating local identities, enabling nearby discovery, running keyword matching, publishing announcements, routing chats, supporting attachments, and setting up calls.
• Maintain continuity when the Service changes connection paths between direct local transport, Wi‑Fi Direct, relay, or call infrastructure.
• Store and restore local history, media, and preferences on your device.
• Display optional name or photo metadata to you or nearby users where available.
• Maintain reliability, security, and abuse prevention, including enforcing blocks, detecting suspicious activity, checking message integrity, troubleshooting failures, and improving service stability.
• Send notifications about chats, announcements, or calls if notifications are enabled in your build and on your device.
• Comply with legal obligations and respond to lawful requests.

3. Legal bases for processing (EEA/UK and similar jurisdictions)

Where GDPR, UK GDPR, or similar law applies, we rely on:

• Performance of a contract, to provide the Service you request.
• Consent, for permissions such as Bluetooth, nearby devices, microphone, camera, photos/files, notifications, and location access where the operating system requires it.
• Legitimate interests, to secure the Service, prevent abuse, maintain reliability, and improve performance, balanced against your rights.
• Legal obligation, where we must retain or disclose information to comply with law.

You may withdraw consent by changing device permissions or app settings, although some Proximity features may not work without the required access.

4. How information is shared

4.1 Shared with other users

Depending on what you choose to do in Proximity, other users may receive or see:

• Your nearby presence signals and pseudonymous discovery identifiers.
• Your selected keywords and role labels when the matching flow requires them.
• Your active announcement text, announcement voice availability, and related expiration state.
• Your messages, voice notes, images, files, and call signaling sent to the person you interact with.
• Optional display metadata such as your display name or photo, when available to the Proximity experience.

H2H cannot control what other users do with information you share with them. They may copy, record, screenshot, export, or re-share it.

4.2 Shared with service providers and infrastructure partners

H2H Proximity functions locally on your device for nearby discovery, chat, and calls — these features do not require backend services to operate. We do, however, use third-party providers for supporting infrastructure including online relay (when peers are not within local-radio range), call networking, anonymous identity, and crash diagnostics. These providers process information on our behalf under contractual data-processing agreements and only for the purposes described below. The current providers are:

• Cloudflare, Inc. — relay-server hosting (Cloudflare Workers + Durable Objects), WebSocket infrastructure, signaling support, and TURN/STUN service for voice and video calls. Data is processed on Cloudflare's globally distributed edge network, with relay sessions pinned to regional data centers near the participating users.
• Google Firebase (operated by Google LLC) — Firebase Authentication, for the anonymous backend account identifier; Firebase Crashlytics, for crash reporting and diagnostics; Firebase App Check, for app integrity verification; and Cloud Firestore, for optional profile metadata storage.

Each provider receives only the information needed to perform its specific function. We update this list when our infrastructure changes; please check the "Last updated" date for the current version. If you require the full subprocessor list with corporate addresses for compliance purposes, contact us at the address in Section 13.

4.3 Shared for legal, safety, and compliance reasons

We may disclose information:

• To comply with law, regulation, legal process, or lawful government request.
• To protect the rights, safety, and security of H2H, our users, or the public.
• To investigate fraud, abuse, threats, unlawful conduct, or violations of our Terms.
• In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

5. Permissions and device access

Depending on your device and operating system, the Service may request or depend on:

• Bluetooth scanning, advertising, or connection access.
• Nearby device or nearby Wi‑Fi access for local link operation.
• Location permission or location services on some Android versions, because the operating system may tie nearby discovery to those controls.
• Microphone access for voice notes and calls.
• Camera, photos, or file access when you choose to capture or attach media.
• Notifications permission to alert you about messages or calls.

You can manage these permissions in your device settings. Disabling them may prevent Proximity from discovering nearby users, exchanging media, or supporting calls.

6. Retention and deletion

We use a combination of local persistence, automatic expiry, operational retention, and user controls.

6.1 Local retention

Chat history, message state, blocked-peer records, copied attachments, cached profile metadata, local preferences, and security material may remain on your device until you delete them, clear app data, uninstall the app, or use a full-reset feature if one is available in your build.

Removing a thread from the inbox may hide it locally, but new activity from the same peer may cause the thread to appear again.

6.2 Automatic expiry

Nearby announcements are intended to expire after their selected time limit. Expired announcements should no longer be actively shown as current nearby broadcasts, although related local caches, diagnostics, or temporary files may persist briefly until cleanup routines run.

6.3 Operational and provider retention

When relay, signaling, diagnostics, or notification services are used, those systems retain certain data for the periods needed to deliver the service, prevent abuse, and meet legal and provider requirements. Specific retention periods are:

• Relay-server message buffers: the H2H relay does not buffer messages. Messages are routed in real time between connected peers; if a recipient is offline, the message is not delivered through our relay and is not stored on our infrastructure.
• Push-notification delivery records: up to 30 days.
• Crash reports and diagnostic logs: up to 90 days.
• Server-side abuse-prevention records (block events, rate-limit triggers, integrity violations): up to 6 months.
• Operational backups of relay infrastructure: up to 30 days, after which they are overwritten in normal rotation.
• Audit and security records required for legal compliance: retained for the period required by applicable law, typically up to 7 years.

Specific retention periods may vary slightly by service provider; the figures above reflect H2H's policies and the contractual limits we set with our providers.

6.4 Residual copies

Backups, cached copies, or recovered transfer fragments may persist temporarily as part of routine operation, retry behavior, or security handling.

7. Security and important limitations

We use administrative, technical, and organizational measures intended to protect information, including access controls, signed or verified protocol elements, integrity checks for transferred files, and transport protections where supported.

7.1 What is protected

• Media attachments and call media use authenticated encryption for confidentiality and integrity during transit between you and the person you are communicating with.
• Chat messages, signaling, and announcement payloads are cryptographically signed using device-bound keys, so the recipient can verify they originated from the sender and were not altered in transit.
• Cryptographic keys associated with your device identity are stored in protected device storage.
• File transfers include integrity checks designed to detect tampering or corruption.

7.2 Important limitations

• No method of storage, radio communication, or internet transmission is completely secure.
• BLE-based proximity can be inaccurate and can be affected by walls, reflections, interference, device differences, spoofing, replay, relay behavior, or malicious actors.
• We do not guarantee that a nearby signal represents a person's exact location, identity, truthfulness, or safety.
• We do not represent that every communication path in Proximity uses end-to-end encryption in every circumstance — please do not assume otherwise for the most sensitive content.

8. International data transfers

H2H processes data in the following regions:

• Primary infrastructure (relay servers, signaling, WebSocket transport, TURN/STUN): globally distributed via Cloudflare's edge network, with relay sessions pinned to regional data centers near the participating users.
• Crash reporting (Crashlytics), anonymous authentication (Firebase Auth), and app integrity verification (App Check), provided by Google Firebase: processed in regions designated by Google, which may include the United States and European Union.
• Profile metadata storage (Cloud Firestore, provided by Google Firebase): stored in us-central1 (Iowa, United States).

If you are located in the European Economic Area, the United Kingdom, or another region with cross-border data protection requirements, transfers of your personal data outside that region rely on:

• The Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
• Adequacy decisions issued by the European Commission, where applicable.
• Additional technical and organizational safeguards consistent with applicable law.

You may request more information about the specific transfer mechanisms in use by contacting us at the address in Section 13.

9. Your privacy rights

9.1 GDPR/UK GDPR and similar rights

Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port personal data, and to withdraw consent where consent is the basis for processing.

9.2 U.S. state privacy rights

Depending on your state of residence, you may have rights to know what personal information we collect, request deletion, correct inaccurate information, and receive non-discriminatory treatment for exercising privacy rights.

We will verify requests as required by law and may ask for information needed to confirm your identity.

How to exercise your rights: contact us at privacy@h2hprotocol.com. We aim to respond within 30 days of receiving a verifiable request. If we cannot fulfill your request within that time, we will tell you why and provide an updated timeline.

Right to lodge a complaint: if you are in the European Economic Area, the United Kingdom, or a similar jurisdiction, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data lawfully. You can find your local authority through the European Data Protection Board (edpb.europa.eu) or your country's regulator.

10. Children and minors

The Service is intended for users aged 16 and over. H2H Proximity supports communication and broadcasts between strangers in nearby physical spaces, including features that involve emotional disclosure (Pulses) and direct messaging, voice, and video with people not previously known to the user. These features are not appropriate for children.

We do not knowingly collect personal data from users under 16. If we learn that we have collected personal data from a person under 16 without verified parental consent (where local law permits processing on that basis), we will take steps to delete the information.

If you believe a child under 16 is using the Service, please contact us at the address in Section 13 so we can take appropriate action.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version at the same public URL and revise the "Last updated" date.

For material changes — changes that meaningfully affect what data is collected, how it is used, who it is shared with, or your rights regarding it — we will provide reasonable advance notice through an in-app notice that requires acknowledgment before continuing to use the Service. Continued use of the Service after the effective date of the updated version constitutes acceptance of the updated Privacy Policy.

12. Special care for sensitive features

Certain features in H2H Proximity involve content that may be more sensitive than ordinary communications:

• Pulses allows you to share an emotional state (such as feeling lonely, heavy, or lost) with nearby users. Because this involves emotional vulnerability, we apply additional care: Pulses content is held to the same encryption and integrity protections as other communications, and our internal diagnostic systems are designed to never log Pulses content in plain text.
• Announcements are broadcast to all nearby users with the app for the duration of the announcement's expiry. Because this is a 1-to-many disclosure, we recommend exercising caution about identifying details included in announcement text or voice clips.

If you choose to use these features, the protections described elsewhere in this Privacy Policy apply, but the inherently social nature of the features means that the people who receive your content may, like any human recipient of any communication, retain or re-share it.

13. Contact us

Data controller: H2H Protocol, established in the Sultanate of Oman.

• Privacy and data-protection enquiries: privacy@h2hprotocol.com
• General support: support@h2hprotocol.com
• Legal notices: legal@h2hprotocol.com

For users in jurisdictions requiring an EU representative or UK representative under GDPR, please contact privacy@h2hprotocol.com and we will provide the appropriate representative's details.

This Privacy Policy should be read together with our Terms of Use. The plain-language summary of how we handle data is available in the Privacy & Data page within the app. To delete your account, see our account deletion guide.