Privacy Policy
Last updated: May 22, 2026
Bandry (“we,” “us”) helps musicians and music-industry people find each other and link up for projects. This page explains what we collect, how we use it, and the choices you have.
We wrote it in plain English. If anything is unclear, write us at support@bandry.app.
What we collect
Account. When you sign in with Apple, we receive an Apple ID identifier and — if you choose to share it — your name and email. If you use Apple’s “Hide My Email” option, we never see your real email; we only see the relay address Apple provides.
Profile. Whatever you fill in: display name, avatar, the music-industry roles you select (drummer, producer, mixing engineer, etc.), and the city label and approximate location you set. Your “approximate location” is rounded on your device to roughly a one-kilometer grid before it ever reaches our servers; we never receive your precise GPS coordinates.
Contact methods. Phone, email, Instagram, Spotify, YouTube, website — whichever you add. These are private by default. Other users do not see them, ever, unless you link up with them — see Your contact info stays private below.
Posts you create. Title, body, intent (seeking or offering), local-or-remote scope, radius preference, your approximate location for local posts, and any showcase links you attach (a Spotify track, a YouTube video, a portfolio site).
Showcase-link previews. When you attach a link to a post, our server fetches the linked page to pull a preview image, title, and favicon (the same kind of preview iMessage and Discord show). We store the preview metadata on your post; we don’t store anything else from the page.
Endorsements and link-ups. Which posts you’ve tapped 🔥 on (visible to everyone, like an upvote), and which posts you’ve tapped 🔗 on to link up (visible only to you and to the poster you connected with).
Blocks and reports. If you block someone, we record that to filter their content from your view; only you can see your block list. If you report someone, the report goes to our moderation queue.
Subscription state. Whether you’re on the free trial, an active subscription, or expired. When in-app subscriptions launch, Apple handles the payment; we never receive your card number.
Device info. Standard technical data that any iOS app receives — your iOS version, device model, app version. We don’t use a third-party analytics SDK and we don’t track you across other apps.
How we use it
To run the service:
- Show you a feed of relevant posts (local posts get a two-sided radius check so you only see roles near you).
- Let you create posts, endorse posts, and link up with people you want to reach.
- Let posters and linkers exchange contact information at the moment a link-up happens — and only then.
- Moderate the community when someone reports content.
- Keep your subscription state in sync with Apple’s billing.
We don’t sell your data. We don’t use it for advertising. We don’t share it with third-party brokers.
Your contact info stays private
This part is the load-bearing rule of Bandry. Your phone, email, Instagram, Spotify, YouTube, and website handles are never displayed on your profile, in posts, or anywhere in the feed.
The only way someone receives your contact methods is if you tap 🔗 on a post they wrote. At that moment — and only at that moment — your contact methods are revealed to that poster, so they can reach you off-platform. The poster cannot mass-broadcast their contact info to people who haven’t actively reached out.
This rule is enforced in our database, not just the app. Even an unauthorized request to our API for someone else’s contact methods will be refused unless a link-up between the requester and that user exists.
Approximate location, never precise
For local posts to work — “drummer wanted within 25 miles” — we need to know roughly where you are. We use the lowest accuracy iOS offers (kCLLocationAccuracyReduced), and we round your coordinates further on your device, so what we receive is approximately a one-kilometer grid square. We never store fine-grained GPS.
You can deny location permission entirely. If you do, the feed shows only remote posts (mixing, mastering, design — work that happens anywhere).
Who we share with
We use a small set of vendors to run the service. Each receives only what it needs to do its job:
- Apple — Sign in with Apple identity verification; App Store handling of any future subscription.
- Supabase (data hosting, US region) — stores everything in the What we collect list above on secure, access-controlled databases.
- Cloudflare — DNS, edge caching, the small services that send your moderation reports and unfurl link previews. Cloudflare receives the same data Supabase does, briefly, while requests are in flight.
- Resend (transactional email) — when a user reports content, we use Resend to email the report to our moderation inbox. No other emails go through Resend right now.
We do not share your data with advertisers, data brokers, or any party not listed above.
Your choices
- Edit your profile — Settings → Profile.
- Change your local radius — Settings → Distance.
- Block someone — long-press their post → Block. They disappear from your feed and link-ups; you disappear from theirs.
- Report someone — long-press their post → Report. Reviewed within 24 hours.
- Delete your account — Settings → Account → Delete Account. This permanently removes your profile, posts, link-ups, contact methods, endorsements, blocks, reports, and subscription state from our databases. The deletion is immediate and cannot be undone.
If you signed in with Apple, deleting your account in Bandry will also revoke our access to your Apple ID token, so we can no longer authenticate as you.
To request a copy of your data, write us at support@bandry.app with the subject line “Data Request.” We’ll respond within thirty days.
Children
Bandry is not for users under 13. We don’t knowingly collect information from children under 13, and we don’t market to them. If we discover an account belongs to a child under 13, we delete it.
Data retention
We keep your data while your account exists. When you delete your account, your data is removed within minutes — there is no soft-delete or grace period. Some operational logs (e.g., a record that a deletion took place) may persist for up to 30 days for security and audit purposes; these contain no personal content.
Security
Data in transit is encrypted via TLS. Data at rest is held in Supabase’s encrypted Postgres. Access to user data is gated by row-level security policies that enforce our privacy rules at the database layer — meaning even a bug in our app code cannot expose another user’s private data.
Links to other services
Posts can include showcase links to other services (Spotify, YouTube, Instagram, etc.). When you tap one of those links from inside Bandry, you’re leaving us and entering that other service, which has its own privacy practices. We don’t control them.
International users
Bandry’s servers are in the United States. If you use Bandry from outside the US, your data will be transferred to and stored on US-based servers. By using Bandry you consent to that transfer.
If you’re in the EU, UK, or California, you have rights under GDPR, UK-GDPR, and CCPA respectively — including the rights of access, correction, deletion, and (where applicable) data portability. To exercise any of those, write us at support@bandry.app.
Changes to this policy
When we change anything material in this policy, we’ll update the “Last updated” date at the top and — for changes that affect your privacy meaningfully — announce them on bandry.app. Your continued use after a change means you’ve accepted the new version.
Contact
For any privacy question, write us at support@bandry.app.