Privacy Policy

Last updated: May 19, 2026

SoKal is a service operated by JAMES B FLORENCE. References in this Privacy Policy to "SoKal," "we," "our," or "us" refer to JAMES B FLORENCE, the legal operator of the SoKal service. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our mobile application and related services.

Information We Collect

We collect information you provide directly to us, including:

• Account information (phone number, name, username, profile photo)
• Calendar events and availability you choose to share
• Connections and friend relationships
• City-level location (your current city, never your precise GPS location)
• Device information and push notification tokens
• Contacts (phone number hashes for friend discovery; see "Contact Discovery" below)
• Photos you upload to shared photo dumps (see "Photo Dumps" below)

Device Permissions

SoKal may request the following device permissions:

• Camera: Used to scan QR codes to connect with friends and to take profile pictures. We do not record or store any camera footage beyond the photos you choose to upload as your profile picture.
• Contacts: Used to help you find friends already on SoKal and to invite others to events. When you grant contacts permission, your contacts' phone numbers and names are sent to our servers over an encrypted (TLS) connection. Phone numbers are then converted into one-way cryptographic hashes (SHA-256) on the server before being stored — we do not retain the raw phone numbers from your contacts. These hashes are used to match against other SoKal users for friend discovery and to notify you when a contact joins. See the "Contact Discovery" section below for full details.
• Push Notifications: Used to notify you about event invitations, friend requests, and activity from your connections. You can disable notifications at any time in your device settings.
• Calendar: Used to sync your device calendar with SoKal so you can see all your events in one place. See the "Third-Party Calendar Access" section below for full details.
• Photo Library (read): Used to let you choose a profile picture and to upload photos to a shared photo dump from your existing photos. We only access the specific photos you select.
• Photo Library (save): Used to save photos from a shared photo dump to your device's Photos library when you tap the download button in the photo viewer. We only write the specific photo you choose to download — we do not read your existing library with this permission.

Third-Party Calendar Access

SoKal offers optional integration with third-party calendar services, including Google Calendar, Apple Calendar, and Microsoft Outlook Calendar. These integrations are entirely opt-in — we never access your external calendars unless you explicitly connect them.

What We Access

When you connect a third-party calendar, we access:

• Event data: Event titles, start/end times, locations, descriptions, all-day status, and recurrence rules from your connected calendars.
• Calendar list: The names and identifiers of your calendars so you can choose which ones to sync.

Why We Access It

We use your third-party calendar data to:

• Display your schedule: Show your existing events alongside SoKal events in a unified calendar view, so you can see your full availability in one place.
• Two-way sync: Keep events synchronized between SoKal and your external calendar. Events you create in SoKal can appear in your Google/Apple/Microsoft calendar, and vice versa, so you never have to manage events in two places.
• Availability detection: Understand when you are free or busy so we can suggest social activities at times that work for you and your friends.

How We Handle It

• Imported calendar events are stored on our servers to enable syncing and the social features described below. Visibility of these events to your connections is controlled by the rules in the "Event Classification & Visibility" section.
• We do not use your calendar data for advertising, marketing, or any purpose unrelated to providing the SoKal service.
• We do not sell, share, or transfer your calendar data to third parties, except as necessary to provide the sync functionality (i.e., writing events back to your connected calendar service via their API).
• You can disconnect a third-party calendar at any time from the app settings. When you disconnect, we stop syncing and delete the imported event data from our servers.

Event Classification & Visibility

When you sync a calendar from any provider (Google, Apple, or Microsoft), SoKal processes your events in the same way regardless of the source. We analyze event titles and details to classify each event into a category such as travel, outing, exercise, errand, online, or work. When we are unsure, the event remains unclassified. You can review or change the classification of any event at any time.

Unclassified events are completely private. Events without a confirmed type are never visible to anyone other than you. They are used only internally to determine whether you are free or busy.

For classified events, SoKal gives you two independent privacy controls:

• Activity feed visibility (which event types appear in your friends' feeds). By default, your travel and outing events appear in your connections' activity feeds. All other classified types — work, errands, exercise, online, blocked time, and life moments such as birthdays — are hidden from feeds by default. You can change which types are visible in your privacy settings, override the list on a per-connection basis (for example, sharing exercise events only with a workout partner), or remove all types to disappear from every feed entirely.
• Calendar detail level (what friends see when they look at your calendar directly). Three levels are available:
  • Just busy — Friends see only that you are busy at a given time. No titles, types, or locations.
  • Title only (the default) — Friends see the title, time, and event type. Exact locations are hidden, with one exception: for travel events, the destination city is shown, since the city is the entire point of a travel event.
  • Full details — Friends see all event details, including descriptions and exact addresses.
  You can change the default that applies to all connections, and you can override the level on a per-connection basis (for example, granting full details to a partner or close family member).

Per-event control. When you create or edit an event, you can override these defaults for that specific event — for example, hiding a single outing from everyone, hiding it from one specific friend, or sharing an otherwise-private errand with one specific connection.

Conservative by design. Our classification system errs on the side of privacy: we would rather leave an event unclassified (and therefore completely hidden) than risk classifying a private event. You can always adjust the classification of any event, change your privacy settings at any time, or disconnect your calendar entirely to remove all synced data.

Google Calendar — Limited Use Disclosure

SoKal's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google Calendar data to provide and improve the calendar features described above.
• We do not use Google Calendar data for serving advertisements.
• We do not allow humans to read your Google Calendar data unless (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
• We do not transfer Google Calendar data to other apps or services except as necessary to provide the SoKal service or as required by law.

Microsoft Outlook Calendar — Data Use Disclosure

SoKal's use of information received from Microsoft APIs complies with the Microsoft APIs Terms of Use. Specifically:

• We only use Microsoft Calendar data to provide and improve the calendar features described above.
• We do not use Microsoft Calendar data for serving advertisements.
• We do not allow humans to read your Microsoft Calendar data unless (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
• We do not transfer Microsoft Calendar data to other apps or services except as necessary to provide the SoKal service or as required by law.

Apple Calendar — Data Use Disclosure

SoKal's use of information from Apple Calendar complies with the Apple App Store Review Guidelines and Apple's privacy requirements. Specifically:

• We only use Apple Calendar data to provide and improve the calendar features described above.
• We do not use Apple Calendar data for serving advertisements.
• We do not allow humans to read your Apple Calendar data unless (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
• We do not transfer Apple Calendar data to other apps or services except as necessary to provide the SoKal service or as required by law.

SMS Messaging

SMS messages for the SoKal service are sent by JAMES B FLORENCE (the registered brand and legal operator of SoKal). SoKal may send SMS text messages to phone numbers provided by our users for the purpose of friend and event invitations. When a SoKal user invites a contact to join the app or attend an event, we send a one-time SMS message to that contact on behalf of the inviting user. This is the only purpose for which we send SMS messages.

Opt-In

SMS messages are only sent when an existing SoKal user takes an explicit action to invite a specific person by selecting that person's phone number from their device contacts within the SoKal app. We do not send unsolicited messages, and we never send SMS messages to phone numbers that have not been explicitly selected by an existing user for the purpose of an invitation.

Message Frequency

One-time invitation messages only. No recurring, promotional, or marketing SMS messages are sent by SoKal. If an invited recipient downloads the app and creates an account, any further notifications occur through in-app push notifications or email — not SMS — unless they separately opt into SMS-based notifications within the app.

Opt-Out & Help

Recipients can opt out of SMS messages at any time by replying STOP to any message. Once a phone number has opted out, no further SMS messages will be sent to that number. Recipients can reply HELP for assistance, or contact us at support@sokal.app with any questions. Message and data rates may apply.

Data We Collect for SMS

• Phone numbers: Collected from the inviting user's device contacts at the time of invitation. We store the recipient phone number only as needed to deliver the invitation and track RSVP status.
• Opt-out preferences: If a recipient replies STOP, we record their opt-out status to ensure no further messages are sent.

How We Use SMS Data

• Phone numbers are used only to deliver event invitation SMS messages. We do not use phone numbers for marketing, advertising, promotional messages, or any other purpose.
• We do not sell, rent, loan, trade, lease, or otherwise share phone numbers or SMS data with any third parties for their marketing or promotional purposes.
• We do not share phone numbers or SMS data with third parties except as necessary to deliver SMS messages (i.e., our SMS delivery provider, Twilio) or as required by law.

SMS Opt-Out & Contact

Recipients can opt out of SMS messages at any time by replying STOP. For help, reply HELP or contact us at team@sokal.app. Message and data rates may apply. See our Terms of Service for full SMS terms.

Contact Discovery

SoKal offers a contact-based friend discovery feature. When you grant contacts permission, the app periodically uploads your contacts' phone numbers to our servers in a privacy-preserving way.

How We Protect Contact Data

• Hashing: Phone numbers from your contacts are converted into one-way cryptographic hashes (SHA-256) on our servers before storage. We do not store raw phone numbers from your contacts.
• No reverse lookup: SHA-256 hashes are one-way — they cannot be directly converted back into phone numbers. However, because phone numbers have limited combinations, we acknowledge a theoretical reverse-lookup risk. We mitigate this by restricting database access and never exposing hashes externally.
• Contact names: We store the display name associated with each contact (e.g., "Mom", "John") solely to personalize notifications (e.g., "John just joined SoKal"). Contact names are never shared with other users.

What We Use Contact Data For

• Friend discovery: We match your contact hashes against the hashed phone numbers of verified SoKal users to show you "People you know on SoKal" — helping you find friends who are already on the platform.
• Join notifications: When a new user verifies their phone number, we check if any existing users have that number in their contacts and send a push notification ("John just joined SoKal") so they can connect.

Your Control

• Contact discovery requires the Contacts permission. If you deny or revoke this permission, no contact data is uploaded or stored.
• You can dismiss the discovery card, and it will not reappear for 30 days.
• You can disable "Contact joined" push notifications in your notification settings.
• Deleting your account permanently removes all stored contact hashes associated with you.

Photo Dumps

SoKal includes a "photo dump" feature that lets you create a shared photo collection tied to a travel event. Membership of a photo dump is limited to people who were on the same trip — either as a co-participant on the event itself, or by having an overlapping travel event to the same destination within the same dates.

How We Handle Photo Dump Photos

• Storage: Photos you upload are stored on our cloud storage provider (Amazon Web Services S3) with server-side encryption. Photos are served to other dump members through short-lived signed URLs.
• EXIF metadata stripped: When we process an uploaded photo, we re-encode it and discard EXIF metadata (camera model, GPS coordinates, capture timestamp, etc.) before storing it. The location and dates of the trip itself live on the parent travel event; per-photo metadata is removed.
• Automated content moderation: Before a photo is added to a dump, we send it to an automated moderation service (Amazon Web Services Rekognition) to detect prohibited content such as explicit nudity, sexual activity, graphic violence, or visually disturbing imagery. Photos that fail moderation are rejected at upload time and not stored. The moderation result for the rejected upload is logged for safety review and is never shown to other users.
• Visibility: Photos in a dump are visible only to other members of that dump. They are not used in friends' activity feeds, not used for recommendations, and not shown anywhere outside the dump.
• Limits: Each user can upload up to 10 photos to a given dump.
• Deletion: You can delete photos you have uploaded. Deleting your account permanently removes all photos you uploaded across every dump.

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Connect you with friends and facilitate social planning
• Send push notifications about events and friend activity
• Suggest activities based on your calendar and interests
• Respond to your comments, questions, and support requests

Information Sharing

We do not sell your personal information. We share your information only:

• With your friends and connections, as you choose to share
• With service providers who assist in our operations
• When required by law or to protect rights and safety

Data Security

We implement appropriate security measures to protect your personal information. Your data is encrypted in transit and at rest. We use industry-standard practices to secure our systems.

Data Retention

We retain your information for as long as your account is active or as needed to provide you services. You can delete your account at any time from within the app, which will permanently remove your data from our servers.

Your Rights

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and data
• Opt out of push notifications
• Disconnect third-party calendar integrations at any time

Children's Privacy

SoKal is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@sokal.app