Privacy Policy
Last updated: May 7, 2026
This Privacy Policy describes how Bridgit collects, uses, and protects your information when you use our social activity platform at settledbybridgit.com. It covers our consumer app, our partner-facing surfaces (including the SF Chamber × Bridgit program), and the public-event pages we host.
Profile information
Name, age, city, interests, languages, and preferences you provide when creating your profile. Optional fields stay optional.
Activity and event data
Activities you create or join (private), public events you host or express interest in, and interactions with other users through the platform.
Usage information
How you use the app, pages visited, and features accessed to improve our service and detect abuse.
Location data
We display your city to other users. We also store precise coordinates derived from your declared city or from a venue you select, and use them server-side for distance-based matching. Precise coordinates are never shown to other users.
Communication data
Messages sent through our in-app chat (per-activity, group, or direct). Content is private to the chat participants.
Authentication data
When you sign in with Google or LinkedIn, we receive your name, email address, and profile picture from those providers. LinkedIn-verified users also receive a verification flag based on the OIDC claims. We do not request or store any other data from your Google or LinkedIn accounts.
Anonymous feedback
When you submit feedback while signed out, we still capture the page you were on and a coarse device fingerprint (user agent, screen size) so we can triage the report. No persistent identifier is set.
Profile photos are scanned by an automated image-moderation service (AWS Rekognition) before they are stored. The service returns a verdict (approve / review / reject) and a list of moderation labels. We log the verdict, label list, latency, and your user id in an audit table to support trust & safety review and to detect repeated abuse.
If the moderation service is unavailable, we fail open and queue the photo for human review rather than block legitimate uploads.
Bridgit uses two third-party AI providers to help rank matches and explain why an activity might suit you:
- OpenAI — receives a structured snippet of your profile and the activity profile to generate a one-sentence match explanation. Explanations are cached for up to 7 days.
- Mistral (with OpenAI as a fallback) — receives interest text, profile blurbs, and activity descriptions to generate vector embeddings used for semantic ranking.
Neither provider trains on your data; both are bound by their own data processing agreements. AI features have a limited opt-out at MVP — a full preference toggle is on the roadmap.
Supabase auth-session cookies. Without these you cannot stay signed in.
bridgit_aid (1-year, anonymous visitor id) and bridgit_attr (90-day, first-touch campaign snapshot — only set when missing). When you arrive via a campaign QR or short link we hash your IP with a daily-rotated salt to deduplicate visits without tracking you across days. Raw IPs are not stored.
localStorage for client-side preferences and a service worker for push and install support. We do not run third-party advertising or cross-site tracking cookies.
If you opt in to push notifications, your browser issues a VAPID subscription endpoint plus auth keys, which we store so we can deliver match, message, and event alerts. Delivery is brokered by your browser vendor's push service (Apple / Google / Mozilla). You can revoke push consent at any time from your device settings or from your Bridgit notification preferences.
Transactional emails (sign-in links, claim confirmations, weekly digests, unread-chat reminders) are sent through an infrastructure email provider (AWS SES). Send, bounce, and open events are logged so we can detect delivery problems and respect unsubscribes. A self-service preference center is on the roadmap; until then, replying with "unsubscribe" or writing to privacy@settledbybridgit.com opts you out.
Activities (under /activity/*) are row-level-locked to the host and matched users. There is no public browsing, no shareable preview, and no search-engine indexing.
Public events (under /events/*) are world-readable. They have shareable QR posters and Open Graph metadata. If you create or host a public event, its title, description, location, and host display name are public. Companion-matching for public events runs on a separate ledger and only surfaces opt-in participants to each other.
Activities are only visible to matched users. No public browsing or endless scrolling on the consumer side.
All data is encrypted in transit and at rest using industry-standard security measures.
Other users only see your city. Precise coordinates stay server-side and are used only for distance-based matching.
Your private profile and activities are only shown to algorithmically matched users, never publicly browsable.
- Match you with relevant activities and users based on interests, languages, and location
- Generate AI-assisted ranking and one-sentence match explanations
- Facilitate communication between activity participants
- Send notifications and digests about matches, messages, and events
- Measure first-touch attribution for campaigns we run
- Deliver push notifications you have opted in to
- Detect and prevent fraud, abuse, and harmful imagery via moderation logs
- Operate our partner programs (e.g. SF Chamber × Bridgit) — partner-side data only
- Improve our matching algorithms and user experience
- Comply with legal requirements and enforce our terms
We do not sell or rent your personal information. We share it with the following categories of processors, each bound by a written DPA and instructed to process data only on our behalf:
- Hosting, storage, and database — an infrastructure cloud provider (Supabase / Vercel) processes data on our behalf.
- AI processors — OpenAI for match explanations and Mistral for embeddings.
- Image moderation — an automated moderation provider scans uploaded photos before storage.
- Email delivery — a transactional email provider sends notifications and digests.
- Maps / venue lookup — Google Places receives venue search queries (not your identity).
- Telemetry — error and operations logs go to a logging provider (Better Stack); secondary error reporting via Sentry.
- Other matched users — only as necessary for activity coordination (display name, city, avatar, opt-in availability).
- Law and safety — when required by law or to protect our rights, our users, or the public.
- Aggregate research — anonymized, aggregated form for product research and improvement.
Reports you submit (about other users, photos, or activities) retain a link to your user id even if the reported user later deletes their account, so we can investigate patterns. Ratings exchanged between participants of a completed activity are private; when both sides leave a rating of 4 stars or higher, a private group may be auto-created with co-participants — at that point first names and avatars become visible to the group.
For programs like SF Chamber × Bridgit, your business contact email may be imported by Bridgit administrators from a partner-supplied member list. If we contact you on that basis, the email will say so explicitly. You can decline to claim the venue and request deletion of the imported record at any time by writing to privacy@settledbybridgit.com.
- Access and download your personal data
- Correct inaccurate information in your profile
- Delete your account and associated data
- Control notification and sharing preferences
- Withdraw consent for data processing
- Request data portability in a structured format
- Object to processing of your personal data
We retain your data only as long as necessary to provide our services and comply with legal obligations. When you delete your account, we remove your personal information within 30 days, except where required for legal compliance, dispute resolution, or trust & safety. Reports and ratings you submitted may be retained pursuant to the "Reports, Ratings, and Trust" section above. Backups roll off on the standard backup-rotation cadence.
Bridgit is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us so we can remove it.
We may update this Privacy Policy from time to time. We will notify users of significant changes through the platform. Continued use after changes indicates acceptance of the updated policy.
Questions about privacy? Email us at privacy@settledbybridgit.com.
© 2026 Bridgit. All rights reserved.