Last updated: June 17, 2026
ToGathr is a social event discovery platform that helps people find and host events in their city. References to "ToGathr," "we," "us," or "our" in this policy refer to the ToGathr application and its operators.
We collect information you provide directly: your name, email address, city, profile photo, interests, bio, an optional icebreaker prompt and answer (a short conversation-starter shown on your profile and on revealed match cards), and profile mode (Social, Professional, or both). When you use ToGathr, we also collect activity data such as events you create or RSVP to, events you open (we keep an internal record of which events you have viewed, used for product analytics such as gauging interest and surfacing recent activity), organizations you join or manage (see Organization Accounts below), messages you send, connections you make, community groups you join, community group chat messages you send, community posts and photo attachments you share, comments you post on events and community posts, replies to comments you submit, and other content you upload. File attachments in chat are limited to images (JPG, PNG, WebP), PDFs, and plain-text files. We do not accept or store other file types. Community post images must be JPG, PNG, or WebP and may not exceed 5 MB. We also store XP and level milestones derived from your activity, which achievements you have earned, and a list of unique cities where you have physically checked in to events (used to power city-diversity achievements). If you subscribe to ToGathr+, we record your subscription status and billing period. If you receive a level-milestone ToGathr+ preview reward, we record the expiry timestamp of that preview on your profile.

Image uploads, public buckets: Profile photos, event covers, community banners, and community post images are stored in Supabase Storage. Each upload is validated for both file type and size before it is accepted. The server also checks the file's content signature (magic bytes), so renaming a non-image file to .jpg does not bypass validation.
Storage access is path-scoped: your profile photos and event covers can only be written to a folder that contains your own account ID, ensuring one account cannot overwrite another account's files. Community banner uploads are restricted to confirmed owners and admins of the relevant community. Deleting your account removes your profile photo; community post images are removed only when the associated post or community is deleted.

Image and file attachments in direct messages, private bucket: Photos, PDFs, and other files you send in 1:1 conversations are stored in a private bucket. They are not accessible via a guessable public URL. When you or the conversation partner views an attachment, ToGathr issues a short-lived (5-minute) signed URL through an authenticated proxy route. Row-level security restricts read access to the two participants of the thread. Deleting an attachment (long-press to unsend) removes the stored file, not just the message reference.

Device-local data: ToGathr stores a small amount of data in your browser's localStorage for convenience features: recent searches, recently viewed events, your display preference, which one-time tips and coachmarks you have already seen, your active posting identity (personal or an organization you manage), dismissed home-screen prompts, and — if you arrived from a referral link — the referral code you came in with (see Referrals below). Some of these keys include your account ID, so they are isolated to your account and cannot be read by another user who signs in on the same device. ToGathr also stores a small outbox in your browser's IndexedDB for any chat messages composed while offline (see Offline Messaging below). All device-local data is removed when you clear your browser data.

Offline messaging: If you compose a chat message while your device is offline, ToGathr saves the draft to your browser's IndexedDB (a sandboxed per-origin storage).
When connectivity returns, the message is automatically sent in the background. Until that happens, the message sits only in your own browser. It is never transmitted to our servers while offline. Messages that fail to send after reconnection are marked failed and can be retried or discarded. The outbox is cleared automatically as messages succeed.

Community moderation: Community owners and admins may delete posts, comments, replies to comments, and chat messages within communities they manage. Deleted content is permanently removed from our systems.

Community event linking: Community owners and admins can link any community member's public event to the community. This updates the event's community association; it does not change the event's host, visibility, or any other data.

Community ownership transfer: A community owner may transfer ownership to another member or admin of that community. We store a transfer record containing the community, the current owner, the proposed new owner, a status (pending, accepted, declined, or cancelled), and timestamps. The proposed new owner receives an in-app notification and must accept before ownership changes; on acceptance the previous owner is demoted to admin. The transfer record is visible only to the two parties involved, and pending or resolved transfer records are permanently removed if the community is deleted.

Organization-attributed communities: An owner or admin of an Organization may create a community on behalf of that Organization. The attribution (which Organization the community belongs to) is stored on the community record and shown on the community; it is managed by the Organization's owners and admins in addition to the community's own owner. Attribution does not change the community's members or its visibility.
Community deletion: When a community owner deletes a community, all associated data is permanently removed, including all posts, post comments, comment replies, chat messages, and member records for that community.

Check-In Data: When you tap "I'm Here" to check in to an event, ToGathr may request your device's GPS location. If you grant access, we record your approximate latitude/longitude, your distance from the event venue at the moment of check-in, and a verification level indicating how the check-in was confirmed. The verification level is `geo_verified` when GPS confirmed you were within approximately 0.3 miles (500 metres) of the venue at the time of check-in, or `self_attested` when you confirmed attendance without GPS verification (for example because location access was denied or your device couldn't obtain a fix). Check-in data is visible to the event host and is retained until you delete your account. Each check-in also updates the city list on your profile (used for city-diversity achievements); only the city name is stored, not a precise location.
ToGathr supports Organization accounts (including community organizer groups, civic partners, and official ToGathr-operated accounts) that can host events and manage communities on behalf of a group rather than an individual. If you are invited to or create an Organization account, we store: your membership record (which organization you belong to, your role within it (owner, admin, editor, or viewer), the date you were invited, and the date you accepted). Membership records for accepted members are visible to other members of the same organization. Pending invitations (where accepted_at is null) are visible only to you and to the organization's owners and admins.

Self-service organization creation: Any signed-in user can create their own organization from /orgs/new. The form collects the organization name, a public URL handle (lowercase letters, numbers, and hyphens; 3–40 characters), an optional tagline, an optional "about" description, an optional city and state, and an optional contact email. All of these fields are public once the organization is saved. Newly created organizations are added at the community tier with a verification status of "pending"; the creator is granted the "owner" role automatically. The fields you submit are sanitized server-side (control characters stripped, length-capped) before insertion. ToGathr maintains a private internal audit log (org_audit_log) that records who created an organization, when, and the values they submitted. This log is visible only to that organization's owners and admins; ToGathr support staff may also access it when investigating a report.

Following Organizations: If you choose to follow an Organization, we store your follow record (the organization, your user ID, and the date you followed). Follower counts are shown publicly on organization profile pages. Individual follower identities are accessible only to the organization's owners and admins.
You can unfollow at any time (a confirmation prompt is shown to prevent accidental unfollows). Your follow record is then permanently deleted. Following an Organization causes ToGathr to send you a push notification when that Organization posts a new public event or a new Update (see Organization Updates Feed below); you can manage notification preferences in Settings.

City-level auto-follow on signup: When a new account is created, ToGathr automatically establishes a follow record from that account to the city-level official ToGathr Organization that matches the new account's city (for example, an account that signs up with city = "Bellingham" is automatically following "ToGathr · Bellingham"). This is the same follow record described above; it can be removed at any time by unfollowing from the organization's profile. The global "@ToGathr" account (which is not tied to any city) is never auto-followed.

Organization assets: Organization logos and banners are stored in a dedicated public bucket (org-assets). Files uploaded there are visible to any ToGathr user who views the organization's profile page. Upload access is restricted server-side to confirmed owners and admins of the organization. Images attached to organization Updates (described below) live in the same bucket under {org_id}/posts/{timestamp}.{ext} and are public-readable in the same way; only confirmed members with the owner, admin, or editor role can upload there.

Organization focus areas: Organizations may optionally publish up to three short "focus area" tags (e.g. "Local meetups", "Mentorship", "Civic events") that appear as chips on their public profile. These tags are stored as a `focus_areas` text array on the organization row, are public-readable in the same way as the organization name and tagline, and can be edited at any time by organization owners and admins from /org/[slug]/settings. They do not contain personal data.
Organization Updates Feed: Organizations have a public "Updates" tab on their profile (visible to anyone signed in). Owners, admins, and editors of the organization can post short text updates (up to 2,000 characters) with an optional link URL and an optional image. We store the post body, link URL, image URL, author user ID, and timestamps in the `org_posts` table. The author user ID of a post is pinned to the signed-in user at insert time by a database trigger so a teammate cannot impersonate another teammate. Posts are publicly readable for verified, active organizations; members can additionally read pending/unverified-org posts to preview the feed internally. The post author may edit or delete their own posts; org owners and admins may edit or delete any post in their org. Deletion is permanent. When a new post is created, ToGathr sends a one-time in-app notification (`org_new_post`) to every follower of that organization other than the author, with a deep link back to the organization page. You can disable push notifications globally in Settings → Push Notifications.

If you delete your account, your organization membership records and all follow records are permanently removed. Posts you authored in an organization's Updates feed are also removed (database cascade), but events and communities you posted under an organization you owned or managed are not deleted. The organization record itself persists; only your personal membership is removed. If you were the sole owner of an organization, please transfer ownership before deleting your account. If the organization itself is deleted by its owner, all of its posts, audit-log rows, follow records, and member records are permanently removed via database cascade. Organization contact email addresses (displayed on public organization profiles) are used solely as a point of contact and are not linked to your personal authentication credentials.
ToGathr offers several host-side data tools (most gated behind the Host Pro subscription). The data each one collects is described below.

Custom RSVP Questions: Hosts with Host Pro (or organization editors+) may attach up to five short questions to an event (e.g. "Dietary restrictions?", "Experience level?"). Each question has a prompt, a type (short text, long text, or multiple choice), and a required flag. Questions are visible to all signed-in users who can see the event; they are part of the event's public description.

RSVP Answers: When you RSVP to an event that has custom questions, your answers are stored alongside your RSVP and are visible only to (a) you, the answer's author, and (b) the event host and any org editor+ for the event's organization. Answers are never displayed publicly. They are also included in the host's per-event attendee CSV export (see Attendee CSV below). If the host deletes a question, your answer to that question is also deleted via database cascade. If you cancel your RSVP, your answers are deleted automatically.

Post-Event Feedback (Ratings to Host): After an event ends, attendees who held a "joined" RSVP may submit one event-level rating (1 to 5 stars) and an optional comment (≤1000 characters) directly to the host. Feedback is separate from the peer-to-peer safety reviews described in Section 6. Each (event, user) pair can have at most one feedback row, which the author may edit within 24 hours of submission. Feedback is visible only to (a) the author, (b) the event host, and (c) any org editor+ for the event's organization; non-hosts can see only an aggregate (average rating + count) of the public score, never individual comments or commenter identity. The event id and user id on a feedback row are immutable once written (enforced by a database trigger) so a row cannot be retargeted to a different event after the fact.
Feedback Push Reminders: Approximately two hours after an event ends, ToGathr sends a one-time in-app and push notification ("How was {event title}?") to attendees who held a "joined" RSVP and have not yet submitted feedback. The dispatch is fired by a scheduled database job (`event_feedback_prompt` notification type) and is rate-limited at the event level so any given attendee receives at most one prompt per event. You can disable push notifications globally in Settings → Push Notifications.

Attendee CSV Export: Hosts of an event (and org editors+ for org-posted events) may export the event's attendee list as a CSV from the Host Insights tab. The CSV includes attendee display name, RSVP timestamp, check-in status, check-in timestamp, and any custom-RSVP-question answers. It does NOT include attendee email addresses or phone numbers; we deliberately omit those PII fields to limit data leakage from a host's account. Hosts who need to contact attendees can do so through ToGathr's in-app direct-message system.

Event Templates: Hosts may save the stable slice of an event (title, category, description, venue name, venue street address, map coordinates, city, capacity, ticket type and price, tags, privacy) as a reusable template. Date, time, and cover image are intentionally not saved (each event sets them fresh). Templates are owned by the user who created them; if you save a template while posting as an organization, the template is also visible to that organization's owners, admins, and editors. Templates are private to those parties; no other user can read them. You may delete your own templates at any time from the "Start from a template" sheet on /create.

Co-Host Invites: Hosts of an event may invite another ToGathr user as a co-host. When an invite is sent, we store the event id, the invited user id, the inviting user id, the invite timestamp, and the invite status (pending → accepted or declined).
The invited user receives an in-app notification with Accept/Decline buttons (notification type `cohost_invite`). On response, the original host receives a confirmation notification (`cohost_accepted` or `cohost_declined`). Status transitions are recorded with a response timestamp; declined invites can be re-sent by the host. Once accepted, the co-host has the same edit access as the host for that event: editing event details, managing the street address, managing custom RSVP questions, and viewing the attendee list and answers. Co-hosts CANNOT delete the event, change the original host, or invite further co-hosts. These restrictions are enforced server-side at the row-level-security layer. Removing a co-host (by either the host or the co-host themselves) permanently deletes the co-host row.
We use your information to operate and improve ToGathr, match you with relevant events and people, send notifications about activity on your account, calculate your safety score (see section 7), and communicate with you about the service. We do not sell your personal information to third parties.
When you RSVP to an event, ToGathr may show your profile to other attendees as a potential match, based on shared interests and profile completeness. By default, matching is enabled. You can turn it off at any time in Settings → Privacy. If matching is disabled, you will not appear in other people's match lists and you will not see matches yourself. Before an event, free users see a limited mystery view: match count and a blurred silhouette. ToGathr+ members see partial names and shared interests even before RSVPing (pre-RSVP preview). Full profile details (name, photo, and bio) reveal at check-in: free users need both an RSVP and a check-in to see a match's full identity, while ToGathr+ subscribers access match previews without checking in. The post-event survey is available to attendees who checked in or RSVPed to the event.

Paths Crossed: ToGathr+ members can view a "Paths Crossed" feed showing everyone they have co-attended events with (based on check-in and RSVP records), ordered by most recent shared event. The feed shows first names, shared interests, and a list of the events you attended together. Only users with matching_enabled = true and a non-flagged safety tier appear in the feed. Users you are already connected with are excluded. Co-attendance records used to compute Paths Crossed are derived from the same check-in and RSVP data described in section 2 and are not collected separately.
Curated Experiences are small, ToGathr-organized gatherings that you register for in advance. This section describes the data involved.

Registration: When you register for a curated experience, we record which session you registered for, your registration status (registered, waitlisted, seated, cancelled, or attended), your table assignment if one is made, and the relevant timestamps. If a session is full, you may be added to a waitlist. If you cancel, we keep the registration record with a cancelled status (rather than deleting it) so we can manage seat counts and so that repeated late cancellations or no-shows can be taken into account for future eligibility.

Eligibility checks: Some curated experiences are open only to members who meet certain conditions — for example, having a profile photo and name, having a particular safety tier, or holding an active ToGathr+ subscription. To check eligibility we evaluate profile information we already hold about you (described elsewhere in this policy); we do not collect new categories of data for this purpose.

Withheld venue: To protect the small-group setting, the exact venue of a curated experience is not shown publicly. Before the event you see only a general area, the date, a price range, and the format. The specific address is revealed only to confirmed (seated) guests, shortly before the event. The venue is stored on our systems in order to provide this reveal; it is not exposed through the app to anyone who is not a confirmed guest (platform administrators and the organizing account can see it for operational purposes).

How groups are formed and who sees you: Curated experiences use the interests and themes associated with the experience to assemble small, compatible groups. This uses the same interest and profile data described elsewhere in this policy and does not involve any AI processing (see Section 9).
The app does not currently reveal the names, photos, or profiles of other guests to you in advance — you meet the other guests in person at the experience. If this ever changes (for example, an in-app introduction to your table before you arrive), we will update this policy first.

Location at check-in: If a curated experience uses check-in, your location is handled exactly as described under Check-In Data and Check-In Location elsewhere in this policy.

Retention: Curated registration records are retained while your account is active and are removed when you delete your account, except where we need to keep an anonymized count for seat-management integrity.
ToGathr+ members can send a "wave" to a match before an event to signal interest.

What free users see: If you receive a wave and are not a ToGathr+ subscriber, you see only the total number of waves you have received for that event, with no identity information about who sent them.

What ToGathr+ recipients see: If you are a ToGathr+ subscriber, ToGathr reveals the sender's first name, profile photo, and interests you share with them for each incoming wave. This means your first name, photo, and shared interests are disclosed to any ToGathr+ user you wave at. By sending a wave, you acknowledge that the recipient may be a ToGathr+ subscriber and can see this information.

Mutual waves: If two users wave at each other for the same event, both see the other's first name regardless of subscription tier.

Unsending a wave: You can withdraw a wave at any time by tapping the "Waved ✓" indicator on the event's match list, the incoming-wave row, or the Paths Crossed feed. Unsending deletes the wave row from our database and clears any mutual-wave indicator on the recipient's side. If the recipient is a ToGathr+ subscriber and saw your identity before you unsent, unsending does not retroactively erase the fact that they saw it.

We do not provide any mechanism beyond the above for identifying wave senders. Attempting to infer sender identity through coordinated testing, multiple accounts, or social engineering violates our Terms of Service.
After an event ends, you may be invited to submit a short review for people you attended alongside. A prompt may also appear on the home screen for up to 48 hours after an event ends as a reminder. The survey is only available to users who checked in or RSVPed to the event, and only once the event has ended. Reviews consist of a vibe rating (Loved it / Good / Okay / Not great), three yes/no questions (Did they show up? / Were they respectful? / Would you attend another event with them?), and an optional safety flag. Review responses are stored securely and are never shown to the person being reviewed in individual form. Only aggregated scores and a derived safety tier (New, Verified, Trusted, or Flagged) are displayed publicly on a user's profile.

Automatic tiering: Tiers are recalculated automatically each time a new review is submitted. Any of the following will automatically promote a profile to the Flagged tier:
• A single safety flag of type "threatening" from any reviewer, or
• Two or more safety flags of any type from separate reviewers.
Flagged accounts are immediately excluded from all pre-event match lists, Paths Crossed, and similar discovery surfaces. No human action is required for this automatic exclusion to take effect. The lower bar for threatening flags reflects the higher cost of leaving someone in matching while a credible safety concern is under review. A manual reviewer can restore the tier if the report is unfounded.

Manual moderation review: Designated members of the ToGathr team can access an internal moderation surface that lists flagged users, the categories of flags (uncomfortable, inappropriate, threatening), the distinct reporter count, and per-flag history (event, time, reviewer). This information is used solely to investigate reports, decide on further account action (warning, suspension, termination), and to remove flags that appear to have been submitted in bad faith. Reviewers are not identified to the person being flagged.
Bad-faith or coordinated flagging by reviewers is itself grounds for action against the reviewer.
Separate from the peer-to-peer safety reviews described above, ToGathr operates a platform-level moderation tool that lets the ToGathr team take action on individual events or communities when those resources violate our Terms of Service.

What actions can be taken: A platform admin (a member of the ToGathr team with the is_gathr_admin flag) can (a) hide an event or community from public feeds and search, or (b) hard-delete an event or community. Hiding is reversible; deletion is permanent and cascades to remove related rows (RSVPs, comments, posts, chat messages) via foreign-key cascade. Editing user-created content directly is NOT a moderation action — admins cannot rewrite the title or description of someone else's event or community.

Who can do this: Only accounts that have profiles.is_gathr_admin = true. This flag is restricted to ToGathr staff and trusted operators. Granting or revoking the flag is performed manually by ToGathr operations and is logged separately.

What happens when content is hidden: An is_hidden flag is set on the row. The row is removed from public feeds and search results via row-level security. The original author can still see their own row with a banner explaining that it has been hidden by moderation, including the moderator-supplied reason. Other users see "Not found" (we deliberately do not leak the existence of hidden rows). Reposting hidden content to evade moderation is itself a violation.

What happens when content is deleted via moderation: The row is permanently removed, just as if the owner had deleted it themselves. Related rows cascade-delete the same way.

Reason requirement: Every moderation action requires the admin to type a non-empty reason. This reason is stored alongside the action and is shown to the affected author when their content is hidden.
Moderation audit log: Every moderation action (hide, unhide, or delete) writes a row to the moderation_audit_log table capturing: the admin's user ID, the action type, the target event or community ID, the reason text, a metadata snapshot (event title or community name preserved at action time so the row remains interpretable after a delete), and a timestamp. This log is readable only by platform admins via /admin/moderation/log; it is NOT visible to the affected author or the public. The log is retained indefinitely as part of our compliance and accountability record.

Scope of admin override on organization content: Platform admins have direct edit access to organization profile settings (name, description, focus areas, logo, banner, contact email) and direct create/edit/delete access to organization Updates posts for every organization on the platform, not just ToGathr-operated ones. This is so the operating team can correct misformatted listings, remove abusive or off-policy Updates posts, and curate official content without routing every action through the moderator-reason flow. Direct edit and delete access to events and communities owned by ToGathr-operated organizations (gathr_internal tier) also remains available to platform admins through the normal management UI. The same direct-edit access does NOT extend to events or communities owned by user-created (community-tier) organizations or by individual users — those resources can only be hidden or removed by platform admins through the moderation tool with a logged reason described above.

User search for moderation and support (/admin/users): Platform admins can search the user base by name, email, or user ID prefix through an admin-only interface at /admin/users. The search results include each user's display name, email address, city, avatar, role flags (platform admin, ToGathr Official, Host Pro, ToGathr+), account creation date, and most-recent sign-in timestamp.
They do NOT include password hashes, session tokens, raw provider metadata, phone numbers, or the contents of any messages, RSVPs, or events. The query is server-side clamped to at most 200 results per request. Admins use this surface for moderation triage (looking up a flagged user), abuse investigation, and resolving support requests. The route is gated server-side (returns a 404 to non-admins); the underlying SECURITY DEFINER RPC re-checks the admin flag inside its body so a leaked GRANT alone cannot expose it. An audit log of admin search activity is on our roadmap.

Appeals: If your content has been hidden or deleted and you believe it was in error, contact safety@joingathr.app with the event or community ID and a brief description. Moderation decisions are reviewed by a different staff member than the one who took the original action wherever possible.
ToGathr calculates a safety score for each user based on the aggregate results of post-event reviews submitted by other members. This score determines a publicly visible tier: New (insufficient review history), Verified (3 or more reviews averaging above 70%), Trusted (10 or more reviews averaging above 85%), or Flagged (one threatening flag, or 2 or more safety flags of any type from separate reviewers; see Section 6). Tiers are recalculated automatically after each new review. You can view your own safety score in your profile.
Your profile name, photo, city, and public events are visible to other ToGathr users. Your email address is never displayed publicly. Safety tier badges are visible on your public profile once you have received reviews. We do not sell or rent your personal data. We share limited operational data with the following service providers as necessary to run the platform:
• Supabase: database, authentication, file storage, and serverless functions. All of your account data lives here.
• Vercel: hosting and serving the web application. Vercel processes incoming requests but does not retain personal data beyond standard server logs.
• Sentry: error and crash reporting. When the app encounters a bug, an error event (including the page URL, browser, a sanitised stack trace, and (when you are signed in) your user ID and email address) is sent to Sentry so we can fix it. Your email address is included solely so we can follow up on reported errors; it is not used for any other purpose. Session replays only fire on errors and are recorded with all visible text masked and all media blocked.
• PostHog: product analytics. Pageviews and specific in-app actions (such as creating an event, RSVPing, or joining a community) are sent to PostHog with your user ID once you are signed in. Anonymous visitors do not have person profiles created. Autocapture is disabled; only events we have explicitly named are recorded.
• Resend: transactional email delivery. When ToGathr sends you a system email (welcome, event RSVP notification, connection request, connection accepted), the recipient email address and email body are transmitted to Resend for delivery. Resend does not use this data for advertising.
Each of these providers acts as a data processor on our behalf and is bound by their own privacy commitments. We do not share personal data with any third party for advertising purposes.
ToGathr does not use artificial intelligence, large language models (LLMs), or machine learning to process the content you create on the platform. Specifically:
• Your messages, community posts, post comments, profile bio, and event descriptions are not sent to any AI or LLM service.
• Your profile photos, event covers, community banners, and chat image attachments are not analysed by computer vision or generative AI.
• Search queries you type are not sent to any third-party AI model. Search is handled by a deterministic keyword and synonym parser that runs against our database. The "Quick filters" panel that appears for phrases like "music thursday night" is rules-based pattern matching, not AI.
• People matching and event recommendations are produced by hand-written scoring functions that compare your stated interests, city, and activity to the interests, tags, and categories of events and other users. There is no AI model in the loop.
• Safety tier badges (New / Verified / Trusted / Flagged) are computed by averaging post-event review responses with simple arithmetic. No AI ranking is applied.
If we ever introduce AI-assisted features in the future (for example, optional content moderation or smarter search), we will update this policy, name the provider, and describe what data is sent before the feature ships.
If you sign in with Google, we receive your name, email address, and profile photo from Google. We do not receive access to your Google contacts, Gmail, or any other Google services. You can revoke this access at any time via your Google account settings.
ToGathr offers two paid subscription tiers. ToGathr+ is the premium attendee tier. It unlocks: pre-RSVP match preview, wave sender identity reveal, unlimited waves, Paths Crossed history, priority matching rank, Open to Dating Mode, and (for the first 1,000 paid subscribers) a permanent Founding Member badge on your profile. Host Pro is the creator tier for power hosts. It unlocks: deep analytics (monthly RSVP trend charts, check-in conversion rate, fill-rate history), attendee CSV export, 5 feature credits per month, custom RSVP questions, co-host invites, and (for the first 500 Host Pro or Bundle subscribers) a permanent Founding Host badge on your profile. The Bundle combines ToGathr+ and Host Pro at a discounted price. Visual identity: Active ToGathr+ subscribers are shown across the app with a subtle gold ring around their avatar wherever the avatar appears (notifications, messages, search results, community member lists, event attendee lists, mystery match cards, and on profile pages). This signals tier status and is visible to all other ToGathr users. You can stop being shown this treatment by allowing your ToGathr+ subscription / preview to lapse. What we record: When you have an active ToGathr+ subscription or trial, we store `gathr_plus = true` and/or `gathr_plus_expires_at` on your profile. If you are among the first 1,000 paid ToGathr+ or Bundle subscribers, we also set `founding_member = true`, a permanent flag that survives subscription cancellation. This status is visible to other users as a ✦ symbol beside your name on your profile, in search results, event attendee lists, community member lists, and on event card host chips. The trial usage flag (`gathr_plus_trial_used`) records that the one-time trial has been claimed. If you subscribe to Host Pro or the Bundle, we store `host_pro = true` and `host_pro_expires_at` on your profile. 
If you are among the first 500 Host Pro or Bundle subscribers, we also set `founding_host = true`, a permanent badge flag that survives subscription cancellation. This status is visible to other users as a ✦ symbol beside your name on your profile, in search results, event attendee lists, community member lists, and on event card host chips. Pricing: ToGathr+ is $4.99/month or $39.99/year (saving 33%). Host Pro is $9.99/month or $79.99/year. The Bundle (ToGathr+ and Host Pro together) is $12.99/month or $99.99/year. Billing has not yet launched for any paid tier; you will be notified before any charge is made. To be the first to know, join the early-access list at joingathr.app/waitlist. 7-Day Free Trial: Eligible users may claim a one-time 7-day ToGathr+ free trial. No card is required. The trial can only be claimed once per account, enforced server-side. Level-Milestone Previews: Reaching level 5 grants a one-time 48-hour ToGathr+ preview; reaching level 10 grants a one-time 7-day preview. These are automatic, non-repeatable rewards. We store the preview expiry timestamp on your profile. Open to Dating Mode: ToGathr+ members may opt in to Open to Dating Mode in Settings. When enabled, your dating intent (`open_to_dating = true`) is stored on your profile and is visible only to other active ToGathr+ members who have also opted in. It appears in the Paths Crossed feed and pre-event match lists between mutually opted-in members. Non-ToGathr+ users never see this flag. You can toggle this on or off at any time from Settings; changes take effect immediately. We do not share your dating intent with any third party. Paid Plans (when live): If you subscribe, your subscription status and plan type are recorded on your profile. Billing will be handled through our web payment provider. We will not store full payment card details on our servers. You may cancel at any time and features remain active until the end of the billing period. 
Server-side enforcement: ToGathr+ status, trial flag, expiry timestamp, founding_member flag, host_pro status, host_pro_expires_at, founding_host flag, and open_to_dating flag are protected database columns. They cannot be modified by direct API calls from your client; only ToGathr-controlled server functions can write to them.
ToGathr may offer a referral program. If you arrive from another member's referral link, we store the referral code so we can credit the referrer once you sign up and meet the qualifying conditions (for example, attending your first event). For a referral, we record the link between the referring account and the referred account and the status of the referral (for example, pending, qualified, or rewarded), so we can grant any reward (such as ToGathr+ time) and prevent abuse such as self-referral or duplicate accounts. The referral code captured from the link is stored in your browser until you create your account, at which point the relationship is recorded on your account. We do not share this information with third parties for advertising.
Your data is stored securely using Supabase, hosted on AWS infrastructure. We use row-level security policies to ensure users can only access data they are authorised to see, plus database-level safeguards on sensitive columns (billing status, safety scores, activity counts) that prevent client-side tampering. No system is completely secure, and we encourage you to use a strong, unique password. Session management: You can sign out of the current device from Settings → Sign Out, or revoke every active session on every device you have ever signed in from with Settings → Sign Out Everywhere. The latter is recommended if a device has been lost or if you suspect your account has been used without permission. Private-bucket attachments: Direct-message attachments (photos, PDFs, etc.) live in a private storage bucket. Each request is authorised through a server-side proxy that evaluates the same row-level security policies that protect the underlying message thread before issuing a short-lived (six-minute) signed URL. Only the two participants of the conversation can mint a URL for a given attachment, and the proxy itself never streams the file bytes to anyone outside that pair. The signed URL is rotated each time the redirect cache expires (roughly every four minutes). Direct CDN access to these files is disabled. File types served as downloads: Any attachment whose file type is not a recognised inline-safe image (JPG, PNG, WebP, GIF) is served with a forced-download response header, even when the recipient does have access. This prevents a malicious upload of an HTML or SVG file from executing scripts in your browser when you view the attachment. Event covers remain on a public bucket but are routed through the same proxy so URLs remain stable as we tighten access over time. 
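The forced-download rule for attachments described above can be sketched as follows. This is an added illustration, not ToGathr's code: the function names are hypothetical, and it assumes the file type is recognised from the leading bytes (content signature) rather than the filename. The `X-Content-Type-Options: nosniff` header and the `application/octet-stream` fallback are additions the policy does not mention.

```javascript
// Added illustration, not ToGathr's code. All function names are hypothetical.
// The type is decided from the file's leading bytes, never from its name.

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((v, i) => bytes[i] === v);
}

function ascii(bytes, from, to) {
  if (bytes.length < to) return "";
  return String.fromCharCode(...bytes.slice(from, to));
}

// Signatures for the inline-safe image types the policy lists.
const INLINE_SAFE = [
  { mime: "image/jpeg", match: (b) => startsWith(b, [0xff, 0xd8, 0xff]) },
  { mime: "image/png",
    match: (b) => startsWith(b, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: "image/gif",
    match: (b) => ["GIF87a", "GIF89a"].includes(ascii(b, 0, 6)) },
  { mime: "image/webp",
    match: (b) => ascii(b, 0, 4) === "RIFF" && ascii(b, 8, 12) === "WEBP" },
];

// Returns the detected image MIME type, or null for anything else
// (HTML, SVG, PDF, plain text, truncated files).
function sniffInlineImage(bytes) {
  const hit = INLINE_SAFE.find((t) => t.match(bytes));
  return hit ? hit.mime : null;
}

// Keep only characters that cannot break out of the quoted filename
// parameter or inject a second header (quotes, CR, LF, semicolons).
function safeFilename(name) {
  const cleaned = String(name).replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 100);
  return cleaned || "attachment";
}

// Build the response headers for one attachment.
function attachmentHeaders(bytes, filename) {
  const mime = sniffInlineImage(bytes);
  // Assumption: nosniff is sent on every response so the browser
  // does not second-guess the declared Content-Type.
  const headers = { "X-Content-Type-Options": "nosniff" };
  if (mime) {
    headers["Content-Type"] = mime;
    headers["Content-Disposition"] = "inline";
  } else {
    // Not a recognised image: never render it in the page's origin.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] =
      `attachment; filename="${safeFilename(filename)}"`;
  }
  return headers;
}

// Constructed sample inputs: a PNG header, and HTML renamed to .jpg.
function demo() {
  const png = Uint8Array.from(
    [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]);
  const htmlAsJpg = new TextEncoder().encode(
    "<!doctype html><html><body>constructed sample</body></html>");
  return {
    png: attachmentHeaders(png, "photo.png"),
    renamedHtml: attachmentHeaders(htmlAsJpg, "holiday.jpg"),
  };
}
```

In this sketch a PDF or plain-text attachment takes the same download path as the renamed HTML file, because neither matches an image signature.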
Rate limits: To protect against automated abuse, the following operations are rate-limited per account: waves sent (30 per hour), event comments posted (30 per hour), RSVPs joined (20 per hour), connection requests sent (15 per hour), community posts (20 per hour), community chat messages (100 per hour), direct messages (200 per hour), post-event reviews (10 per 24 hours), dating-intent toggle (5 per 24 hours), feedback submissions (5 per hour), event geocoding (5 per hour), venue autocomplete (5 per second per IP), subscription checkout sessions (10 per hour), billing portal sessions (10 per hour), free trial claims (5 per hour), level-milestone trial claims (10 per hour), and account deletion attempts (5 per hour). Anonymous waitlist signups are rate-limited per IP at 5 attempts per hour and go through a dedicated server-side endpoint that performs email validation before any row is written. These limits are enforced server-side via database triggers or edge functions before any write completes. Approaching a limit returns an error but does not affect your account standing. Profile column protection: ToGathr stores a number of profile fields that are intentionally not visible to other users, including "looking_for" (matching preferences), "life_stage", "open_to_dating", raw safety_score, RSVP-visibility setting, push-notification preferences, and trial-usage flags. These columns are restricted at the database layer such that other users cannot read them via direct API queries; only the account owner can fetch them through a server-side helper. Exception: the event host of an event you have RSVPed to can view your RSVP-visibility setting (public / connections-only / private) via a server-side-only check that verifies host identity before returning any data. This is used so hosts can see which of their attendees have set private or connections-only visibility on the attendees page. 
For non-host viewers, the attendees page filters the list server-side based on each attendee's visibility setting: attendees set to public are visible to all authenticated viewers; attendees set to connections-only appear only to their confirmed connections; attendees set to private are not shown to any non-host viewer. The raw rsvp_visibility value is never exposed to non-host viewers; the server returns only the user IDs of attendees the viewer is permitted to see. Public profile fields (name, photo, city, bio, vibe, offering, interests, badges, tier, level, member-since date) remain visible to other authenticated users. Diagnostic policy reports (Content Security Policy): Modern browsers can be configured to report blocked content-loading attempts back to a server. ToGathr sets this report destination to our error-tracking provider (Sentry) when one is configured, so that we can detect compromised devices, malicious browser extensions, or regressions in our security headers. These reports include the URL of the page, the blocked resource, and the violating directive. They do not include personal data or your browsing history. Viewer presence on event pages: When you view an event page, ToGathr uses Supabase Realtime's presence feature to share that you are currently looking at the event. Only your account ID is broadcast, with no profile information, location, or device identifier. The page may display "N viewing now" when at least two people are looking at an event whose start time is within 24 hours, as a social-proof signal. Your individual identity is never revealed; only the deduplicated count is displayed. Closing the tab or navigating away removes your presence within a few seconds. Push Notifications: Push notifications are opt-in. We do not request permission until you explicitly enable them from Settings → Push Notifications. 
If you enable them, we store a subscription record (browser endpoint and encryption keys) so we can send notifications to your device. You can disable them at any time from the same settings page, which removes the subscription record. When a notification is sent, only the title, body, and a link path (e.g. "/events/abc") are included in the push payload, never your interests, profile data, or message content beyond what is needed to display the notification. Hosts can additionally toggle "Notify me when people RSVP" off if they don't want pushes for new attendees; RSVP-type pushes are rate-limited to once per event every 30 minutes regardless of how many people RSVP, so popular events never spam. In-app notifications (Activity): ToGathr sends in-app notifications for: connection requests and acceptances; waves received; new events posted by organisations you follow; new Updates posted by organisations you follow (see Organization Updates Feed in Section 2a); org verification decisions (org owners are notified when their organisation is approved or rejected by ToGathr); community join request approvals (you are notified when an owner or admin accepts your request to join a private community); moderator role grants (you are notified when you are granted ToGathr moderation access); event reminders (an automated 24-hour advance notification and a 1-hour advance notification sent to all users who hold an active RSVP to an upcoming event; the push alert is suppressed if you have Quiet Hours enabled in Settings, but the in-app notification always appears; reminders are only sent for events that are not hidden); event-feedback prompts (a one-time "How was {event}?" 
notification fired approximately two hours after an event ends to RSVP'd attendees who have not yet submitted feedback — see Section 2b); event comments (when someone comments on an event you are hosting); community post comments (when someone comments on a post you authored in a community); comment replies (when someone replies to a comment you have left on an event or community post); and co-host invites and responses (when an event host invites you to co-host, and when an invited co-host accepts or declines — see Co-Host Invites in Section 2b). You can view all notifications from the Activity screen. Individual notifications can be dismissed with a swipe; read notifications can be cleared in bulk using the "Clear read" button in the Activity header. Clearing notifications removes them permanently from our records. Activity history: Notification records are retained until you clear them or delete your account. We do not currently auto-expire notifications. Bulk-clearing read notifications permanently deletes those rows from our database. Venue Autocomplete: When you type a venue name while creating an event, ToGathr looks up matching venues and addresses using the OpenStreetMap Nominatim geocoding service. These requests are routed through ToGathr's own servers. Your browser does not contact Nominatim directly, so your IP address is not transmitted to the Nominatim service. We do not store your venue search queries beyond what is saved when you actually create the event. OpenStreetMap's data is published under the Open Database Licence (ODbL). Venue search results are only fetched while you are actively typing in the event creation form and only after you have signed in. Event Location Data: When you publish an event, the address you provide is geocoded into latitude/longitude coordinates so the event can appear on the map. 
Post-publish geocoding happens server-side via our backend (not your browser), so your IP address is not additionally exposed to third-party services at that step. Coordinates are stored alongside the event and are visible only at the level the event itself is visible (public events show pins to everyone; private events do not appear on the public map). Map Page Location: When you open the Map tab, ToGathr requests your device's GPS location to center the map on your position and show a "you are here" marker. This position is used only in your browser. It is not transmitted to our servers or stored in any way. Declining this request does not affect map functionality; the map will center on events in your city instead. City Auto-Detection (Setup): On the city selection step during account setup, you may tap "Detect my location" to automatically select your nearest city. If you grant access, your GPS coordinates are used only to find the closest city in our supported list. The coordinates are computed in your browser and are not transmitted to our servers. Only the resulting city name is saved to your profile. Check-In Location: When you tap "I'm Here" during an event, ToGathr may request your device's GPS location. If granted, we record your approximate latitude/longitude and your distance from the event venue at the moment of check-in. Distance is displayed to you in miles. This data is visible to the event host for attendance verification and analytics. Hosts see each checked-in attendee's distance from the venue. If you decline location access your GPS coordinates are stored as null. Check-in is still recorded and a soft confirmation prompt is shown instead. Check-in location data is retained until you delete your account. Address Reveal: The full street address of an event is not shown to everyone who views the event page. Only the venue name is visible to all viewers. 
The full street address is revealed only to (1) users who have RSVPed to the event, and (2) the event host. Calendar exports (Google Calendar and .ics downloads) also reflect this. The street address is included in the calendar entry only for RSVPed users and the host. This protects hosts who prefer not to broadcast a home address or private venue location to the general public. Feedback Submissions: When you send feedback through Settings → Send Feedback, we record the message you wrote, the category you picked, the URL path you were on, your user ID, and your browser user-agent string. This information is only used to help us reproduce bugs and prioritise improvements. Feedback rows are only readable by ToGathr team members and by you (you can request your own feedback history at any time). You can submit up to 5 feedback messages per hour to prevent abuse.
We retain your account data for as long as your account is active. Post-event reviews you have submitted are retained to maintain the integrity of the safety score system. If you delete your account, your personal profile information is removed within 30 days. Submitted reviews are anonymised rather than deleted, as removing them would unfairly alter other users' safety scores. Connection-request decline records: When you decline a connection request, the underlying record is retained (status flips to "declined" with a timestamp) for at least 7 days to enforce a cooldown period during which the same requester cannot send you a new request. After the 7-day cooldown expires, the declined record may be replaced by a fresh request if the requester tries again. During the cooldown, the requester is not informed that their request was declined. Legacy direct-message threads with ToGathr Official accounts (one-time cleanup, 2026-05-26): Before our 2026-05-25 product update, individual ToGathr users could open direct-message conversations with ToGathr Official organization accounts. We have since restricted those accounts to read-only outbound communication and reposting through the Updates feed (see Organization Accounts in Section 2a). On 2026-05-26 we ran a one-time database cleanup that hard-deleted the legacy connection rows and any direct-message threads between individual users and ToGathr Official accounts that were created before that gate landed, along with marking any related unread notifications as read. The cleanup affected a small number of internal test threads and dead-end conversations; we are documenting it here for transparency. New direct messages to ToGathr Official accounts are now blocked at the server level.
You have the right to access, correct, or delete your personal information at any time. You can update your profile in Settings. You can disable people matching and control your RSVP visibility in Settings → Privacy. To delete your account, go to Settings → Danger Zone. Deletion confirmation: For accounts that sign in with an email and password, deletion requires you to type the word "DELETE" AND re-enter your password in the confirmation dialog. The password re-check is enforced server-side; a leaked or borrowed session token alone is not enough to delete the account. Accounts that sign in only with Google rely on the freshly issued OAuth session for the same purpose; you may be asked to sign in again before the action completes. What is removed: When you delete your account, any active ToGathr+ subscription is cancelled with our payment processor at the same time, so you will not be charged again after deletion. Your customer record at the payment processor (which contains personally identifying details such as email and partial card information) is also deleted at the same time, leaving only the historical charge entries that we are legally required to retain for refunds, disputes, and tax records. Your profile, RSVPs, connections, messages, community memberships, and all personal data we hold for you are permanently removed within 30 days. Events you have hosted are preserved. Your name is removed as host but the event record remains so that attendees are not left without context; if you wish to remove your hosted events entirely, please delete them from the event management page before deleting your account. Anonymised post-event reviews you submitted may be retained to preserve the integrity of other users' safety scores; nothing in those rows links back to you after deletion. For a data export prior to deletion, contact us at the address below.
ToGathr is intended only for adults aged 18 and older. It is not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If we become aware that someone under 18 has created an account or provided us with personal information, we will terminate the account and delete the information promptly. See also Section 2 (Eligibility) of our Terms of Service.
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy in the app. Your continued use of ToGathr after changes are posted constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, your personal data, or a safety concern, please contact us at: privacy@joingathr.app