Privacy Policy

Last updated: February 21, 2026

1. Introduction

Climby ("we," "us," or "our") is a social media platform where users create and participate in content-based competitions called "mountains." This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Climby mobile application (the "App").

By creating an account and using Climby, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.

2. Data Controller

The data controller responsible for your personal data is:

Alessio Bocchicchio operates as an individual developer (persona fisica) under Italian and European Union law.

3. Data We Collect

3.1 Account Information

When you create an account, we collect: your email address (used for authentication via one-time passcodes), your username (handle), your display name, your country of residence (used to determine applicable age requirements and to display your nationality flag), your date of birth or age confirmation, and your selected interests/categories.

3.2 Profile Information

You may optionally provide: a profile photo (avatar), a biography, and a referral code. This information is visible to other users.

3.3 User-Generated Content

When you use the App, you create and upload content including: mountains (challenges with titles, descriptions, categories, colors, duration, featured content, and submission type settings), submissions (photos, videos, audio recordings, or text posted within mountains), votes (upvotes and downvotes on other users' submissions), chat messages (text, images, videos, and audio sent in private or group conversations), and comments or reactions.

3.4 Social Data

We collect data about your social interactions: your friends list and friend requests, users you have blocked, reports you have submitted about content or users, and your online/offline presence status (including last seen timestamp).

3.5 Engagement and Gamification Data

We track your engagement within the App: Aura points (earned through actions such as creating mountains, submitting content, receiving upvotes, and completing the onboarding tutorial; deducted for actions such as receiving downvotes), your Aura level and journey progress, badges earned (based on achievements, milestones, and special actions), profile frames unlocked through Aura progression, achievements from completed mountains, and leaderboard rankings (local and global).

3.6 Technical Data

We automatically collect: device type and operating system, push notification tokens (for delivering notifications), app version, session data, and screen time analytics (aggregated, used to improve the App experience).

3.7 Data We Do NOT Collect

We do not collect: precise geolocation (GPS coordinates), contacts from your phone, financial or payment information, browsing history, or data from other apps on your device.

4. How We Use Your Data

We use your personal data for the following purposes:

Account Management: To create and maintain your account, authenticate you via email one-time passcodes, and enforce age requirements based on your country.

Core App Functionality: To enable you to create mountains, submit content, vote, chat with other users, manage friendships, and participate in competitions.

Gamification: To calculate and display your Aura points, level progression, badges, frames, achievements, and leaderboard rankings.

Personalization: To show your nationality flag, tailor your feed based on your selected interests and country, and display content in your preferred language (the App supports English, Italian, Spanish, French, German, and Portuguese).

Notifications: To send you push notifications about new upvotes, friend requests, messages, mountain activity, and Aura milestones.

Safety and Moderation: To process reports of inappropriate content or behavior, enforce community guidelines, and maintain a safe environment.

Onboarding: To provide an interactive tutorial for new users and award completion bonuses.

App Improvement: To analyze aggregated usage patterns and improve the App experience.

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

Contract Performance (Article 6(1)(b)): Processing necessary to provide the App's core services, including account creation, mountains, submissions, voting, chat, and social features.

Legitimate Interest (Article 6(1)(f)): Processing for App improvement, analytics, fraud prevention, and safety moderation.

Consent (Article 6(1)(a)): Push notifications (you can disable these at any time in the App settings or your device settings).

Legal Obligation (Article 6(1)(c)): Where required to comply with applicable laws.

6. Third-Party Services

We use the following third-party services to operate the App:

6.1 Supabase (Database, Authentication, and Storage)

Purpose: Stores all your data (profile, content, messages, social data, Aura points). Handles email authentication via one-time passcodes. Hosts uploaded media files (avatars, photos, videos, audio). Server location: Frankfurt, Germany (European Union). Privacy policy: https://supabase.com/privacy

6.2 Firebase Cloud Messaging (Google)

Purpose: Delivers push notifications to your device. Data shared: An anonymous device token (not linked to your identity) and notification content. Privacy policy: https://firebase.google.com/support/privacy

6.3 Resend

Purpose: Sends authentication emails containing one-time passcodes for login. Data shared: Your email address and the authentication code. Privacy policy: https://resend.com/legal/privacy-policy

We do not sell, rent, or trade your personal data to any third party. Data shared with the services above is strictly limited to what is necessary for their stated purpose.

7. Data Storage and Retention

Your data is primarily stored on Supabase servers located in the European Union (Frankfurt, Germany).

Active Accounts: We retain your data for as long as your account is active.

Deactivated Accounts: If you deactivate your account (Settings > Deactivate Account), your profile is hidden from other users but your data is preserved. You can reactivate at any time by logging back in. Your username remains reserved during deactivation.

Deleted Accounts: If you permanently delete your account (Settings > Delete Account), we immediately delete your profile information, personal data, and authentication credentials. Mountains you created and messages you sent are preserved but anonymized (displayed as "Deleted User"). Your media files (avatar, submission content, chat media) are deleted from our storage servers. Your username becomes available for other users.

We may retain anonymized, aggregated data indefinitely for analytical and improvement purposes.

8. International Data Transfers

Your data is primarily stored within the European Union (Supabase, Frankfurt, Germany). Some data may be processed by US-based services (Firebase/Google for push notifications, Resend for authentication emails). These transfers are protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework to ensure adequate data protection in compliance with GDPR.

9. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

Right of Access: You can request a copy of the personal data we hold about you.

Right to Rectification: You can update your profile data directly in the App (Profile > Edit Profile) at any time.

Right to Erasure: You can permanently delete your account and all associated data through Settings > Delete Account. This action is immediate and irreversible.

Right to Restriction: You can deactivate your account through Settings > Deactivate Account, which restricts processing while preserving your data.

Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format.

Right to Object: You can object to processing based on legitimate interest.

Right to Withdraw Consent: You can disable push notifications at any time in Settings or in your device settings.

To exercise any of these rights, contact us at climbysocial@gmail.com. We will respond within 30 days as required by GDPR.

10. Children's Privacy

Climby enforces minimum age requirements based on the user's country of residence:

United States: 13 years old (in compliance with the Children's Online Privacy Protection Act, COPPA).

European Economic Area (EEA) and United Kingdom: 14 years old (in compliance with GDPR, Article 8).

All other regions: 18 years old.

During account creation, users must confirm they meet the minimum age requirement for their country. The App enforces this through the onboarding process. If we become aware that we have collected personal data from a user below the applicable minimum age, we will take steps to delete that account and associated data promptly.

If you are a parent or guardian and believe your child has created an account on Climby without meeting the age requirement, please contact us at climbysocial@gmail.com and we will delete the account.

11. Data Security

We implement industry-standard security measures to protect your data, including: encrypted connections (TLS/SSL) for all data transmission, secure email-based authentication with one-time passcodes (no passwords stored), Row Level Security (RLS) policies on our database ensuring users can only access their own data, and secure media storage with access controls.

However, no method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Cookies and Tracking

Climby is a mobile application and does not use browser cookies. We do not use advertising trackers, third-party analytics SDKs that track you across apps, or any form of cross-app or cross-site tracking.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of significant changes through in-app notifications or by email. Your continued use of the App after changes are posted constitutes acceptance of the updated Privacy Policy.

We recommend reviewing this policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: