Privacy Policy
The short version
LyPinn is a tiny 3 km neighbourhood notice-board. You drop a card, your neighbours pick it up, you chat once, then it's gone. We collect the bare minimum to make that work: an email address, a one-line name, a self-declaration that you are 18+, your location *only while the app is open* (unless you opt in to background mode), and the text of cards you choose to publish. We do not sell, rent or share your data with advertisers — there isn't an ad model on LyPinn and there won't be one.
1. Who runs LyPinn
LyPinn is operated by an individual maker based in Ahmedabad, India. The Data Fiduciary for the purposes of the Digital Personal Data Protection Act, 2023 (DPDP) and the Grievance Officer under the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is:
> Bhavik Patel · Grievance Officer
> Email: contact@lypinn.com
> Ahmedabad, Gujarat, India
We are a free-to-use service — there is no paid tier, no payment gateway, no subscription, and no in-app purchase. The service is offered as-is with no obligation of continuous operation, although we'll do our best to keep it running well.
2. What we collect
You give us, when you sign up
- Email address (used as your login + for service emails).
- Display name (one line, shown only on cards you choose to attribute; anonymous mode is the default).
- A self-declaration that you are 18 years or older (we no longer store a date of birth).
- A hashed password (we store the hash, never the plain text).
- Account type — `individual` or `business`. Business profiles get a small `Business` tag on their cards; nothing else.
You may add, optionally
- A profile picture or avatar slug, a one-line bio.
- A LyPinn ID — a short public handle (e.g. `@meera_99`) that you choose once and that becomes permanent. It is the *only* identifier shown to people you share GNotes with via LyPinn Connect; your email is never revealed to them.
- Your preferred interface language (12 supported; persists across devices on login).
- Apple, Google or Facebook identity tokens (we keep the stable identifier each provider returns; never your provider password).
- A device-only 4-digit PIN for the My Cards screen (stored hashed in your browser/device storage only — never on our servers).
The platform produces, when you use the app
- Card content (≤140 characters), its category and the coordinates it was pinned to. Cards live 24 hours then auto-expire.
- Connect + reply history (one connect → one reply, then locked).
- LyPinn Connect entries — the trusted-contact graph you explicitly opt into by sending or accepting a Connect request. We store both sides of the trust relation by `id`, the optional short note attached to the request, and the date/time of the decision. You can pause incoming requests at any time from *Profile → Allow connect requests*.
- NLocal ideas + votes — when you post or upvote a community feature suggestion. We keep the idea text, the neighbourhood it was filed under, your `user_id` (so you can edit / remove your own post), and the vote tally. Idea text is publicly visible inside the same 3 km neighbourhood. NLocal moderators (sub-admins with the `nlocal.moderate` permission) can take down ideas that breach the Terms.
- GNote attachments you choose to attach — a recorded voice clip ≤15 s (stored as audio inside your account), a Spotify track id + cached title/artist/artwork, a YouTube video id + cached title/channel/thumbnail, a sticker code, a one-line lyric quoted next to its track id, or a Strava route id. We never store the original Strava URL — only the numeric id the recipient's browser uses to render the official Strava embed. Each attachment is held alongside the GNote and deleted with it.
- Physical-gift QR unlocks — when a sender prints a GNote QR and the recipient scans it on a phone *without* the LyPinn app, we collect a compliance trail to prove the unlock was legitimate: the recipient's email, the 6-digit one-time code attempts (only the hash is kept), the IP and user-agent of the browser, and the *single* GPS reading sampled at the moment the recipient taps Share my location. We use that reading only to compute the distance to the pin (in or out of the unlock radius) — it is never combined with other readings, shared with the sender, or used for any other purpose. We keep this audit row for two years for fraud-defence and DPDP Act compliance and then auto-purge it.
- In-app notifications — a private feed of events meant for you (incoming Connect request, GNote delivered, GNote daily-limit decision, NLocal idea status change, etc.). Notifications are tied to your account, never shared, and purged when you delete the account.
- Notify Me preferences — when you opt into the *Notify Me* feature (Profile → Notify Me), we store the single pinned coordinate you chose (current location or a custom pin), an optional human-readable label (e.g. `Home`, `Office`), your optional category filter, the up-to-5 short keywords you typed, and for each keyword a derived bundle: a 12-language translation set, 8-12 short synonym / transliteration terms generated by our LLM provider (see § 5 vendors), and a 384-dimensional semantic embedding vector computed locally on our own server by an open-source multilingual model. The derived bundle exists solely so a card you might like — written in any of the 12 supported languages, or in a domain synonym you didn't think to type — can still trigger your notification. Notify Me is OFF by default for every new account; enabling it is an explicit opt-in toggle. When matches fire we also store an audit log row (`notify_me_matches`) with the matched keyword and the card id, kept for 60 days for abuse-defence and analytics, then purged.
- Push-notification device tokens (Apple APNs / Google FCM / web push), used purely to deliver pings.
- Network metadata captured at signup and at each login: IP address, user agent, approximate country (looked up against a public IP geo database). We use this only for fraud and abuse scoring.
- A risk score and risk-flag list computed by our automated abuse-detection rules.
We never collect
- Phone numbers. We don't have an SMS provider and never send SMS.
- Government IDs, payment cards, or any banking details.
- Biometric templates — biometric sign-in uses your device's built-in unlock (Touch ID / Face ID / fingerprint) which never leaves your phone.
- Continuous background location (unless you explicitly opt in to the Reminder background mode in Settings — see §3).
3. How location works
Foreground only by default. When the app is open we ask the OS for your current coordinates so we can (a) show you what's within 3 km and (b) pin any card you drop. We do not store a trail of where you've been — only the single coordinate of each card you publish.
Discovery is opt-in. As of our 2026-05 release, *using your live location for Discovery* is a per-user opt-in (Settings → Features → Discovery — current location). When you turn it off you can pin a single custom location for the Discover feed instead. We lock the custom pin for 24 hours after you set it so it stays a deliberate choice — switching the live-location toggle back on at any time is free, but changing the custom pin is rate-limited. When the 24-hour lock expires we send a single, polite push notification reminding you that you can change the pin if you'd like — we don't spam.
Background opt-in (Reminders only). If you turn on *Background location* under Settings → Notifications, we enable a low-power geofence watcher for Reminders: when you cross within ~200 m of a place you've set a reminder for, your phone fires a local notification — even when LyPinn is closed.
GNotes are foreground-only. As of v1.0.97 (June 2026), GNotes no longer use background location. They unlock the moment you open LyPinn (or scan the QR / open the share link) while you're within ~500 m of the pinned spot. Recipients without the LyPinn app can also unlock GNotes directly in their phone's browser at lypinn.com/g/<token> — the page asks for your browser's location *only at that single moment of unlock* and never stores your coordinates beyond a one-line compliance log.
Notify Me pin (opt-in). When you enable Notify Me you can ask the OS for a fresh GPS reading to seed your pinned 3 km centre. We use that single coordinate only as the geofence for matching cards against your keywords — it never appears on any feed and is never shared with another user. You can change or delete the pin from Profile → Notify Me at any time. Notify Me itself is OFF by default and stays off until you save your first keyword + pin.
You can revoke any location permission at any time from your OS settings or by toggling the in-app switch off. Disabling it stops the corresponding watcher immediately.
Reliability disclosure. Reminders are designed as a fun, convenient nudge — not a guaranteed alarm. Because we do not maintain a continuously-running foreground location service (which would drain battery and trigger an always-visible system notification), the OS decides when to wake LyPinn and check your location. On devices with aggressive battery savers (MIUI, ColorOS, Funtouch OS, OxygenOS, EMUI, One UI) or when the OS has force-closed the app, notifications may be delayed by several minutes or skipped entirely. Treat them as helpful nudges rather than a primary tool — set a separate phone alarm for any time-critical task.
4. How we use your data
- Run the service. Deliver the cards-and-connects loop, authenticate logins, send transactional emails (verify email, reset password, OTP for unlock), route push notifications, and — for users who have opted into Notify Me — match newly-dropped cards against their saved keywords (substring + synonym + local semantic embedding) so we can ping them when something they care about lands inside their pinned 3 km. The embedding model runs on our own server; card text is never sent to a third-party LLM for matching.
- Keep the community safe. Apply the abuse heuristics, run the per-language profanity filter at card-create time, honour Reports and Block lists, take down content that violates the Terms, and store a minimum of evidence to defend a takedown if challenged.
- Improve the product. Aggregate, anonymous usage trends — how many cards drop in a city, how many connects close, which categories are popular, which NLocal ideas reach the upvote threshold. We do not profile individuals.
- Comply with the law. Respond to lawful requests from Indian or other competent authorities, and to honour your privacy-rights requests under the DPDP Act and analogous laws.
We do not: profile you for advertising, sell or rent data to third parties, share your location with other users (only the approximate distance bucket appears on a card), or train any third-party AI model on your private content.
5. Service providers we rely on
- MongoDB Atlas — database hosting.
- SendGrid — transactional email delivery.
- Firebase Cloud Messaging + Apple Push Notification service — delivery of push notifications.
- Cloudflare Turnstile — bot-protection CAPTCHA at signup.
- OpenStreetMap / Nominatim — optional reverse-geocoding when you choose to pin a card to a specific address.
- ip-api.com — IP → country lookup for the abuse-detection engine.
- Spotify Web API + Apple iTunes Search — looking up the title, artist and artwork for a song the *sender* chose to attach to a GNote. We send Spotify only the search query and the track id; no listener-identifying information leaves our servers.
- YouTube Data API v3 — fetching the title, channel and thumbnail for a video the *sender* chose to attach. The recipient's eventual playback happens inside YouTube's embedded player.
- Strava — when the *sender* attaches a Strava route, the recipient's browser loads Strava's official embed at `https://www.strava.com/routes/{id}/embed` inside a sandboxed iframe. We never call Strava ourselves and never share any LyPinn user data with Strava. Strava may set its own cookies inside that iframe under Strava's own privacy policy.
- MyMemory Translated.net — an admin-only "translate to English" tool used by moderators to review non-English cards. We send MyMemory only the card text and the source/target language codes — never your account email, IP, or any other identifying detail. MyMemory's free tier is rate-limited and we throttle it on our side to stay within the cap.
- Emergent LLM proxy (Google Gemini 2.5 Flash) — when you add a keyword to *Notify Me*, the short keyword string you typed is sent to our LLM provider so it can return: (a) the 12 LyPinn-supported language translations, and (b) 8-12 domain synonyms / common transliterations a fellow neighbour might use for the same thing. The keyword is sent *without* your name, email, IP, location or any other identifier — only a session-id randomly generated per request. We do not send any card text, profile field, message thread, or notification content to this provider, ever. The translated bundle is then cached on our servers under a hash of the normalised keyword and reused for every future LyPinn user who types the same word — so most keyword saves never reach the LLM at all. Calls to the LLM are batched in 30-second windows across all users, deduplicated by hash, and rate-limited globally — a single neighbour can add at most 5 keywords and 10 new keywords per rolling hour, and candidate keywords that look like keyboard-mashing (e.g. `asd`, `qwerty`, all-digits) are rejected locally before any network call is made.
- Local semantic embedding model — the open-source `sentence-transformers/paraphrase-multilingual-MiniLM-L12-v2` model runs on our own server, never leaves it, and is used to convert each dropped card's text and each Notify Me keyword into a 384-dimensional vector so the matcher can recognise meaning-equivalent phrases across languages (e.g. `gym partner` ↔ `fitness buddy`). No card text or keyword text reaches any external service through this path.
Each vendor processes only the slice of data they need to perform the listed function, under their own privacy commitments.
6. How long we keep things
- Cards — exactly 24 hours from publish, then automatically expired. Reminder cards (private to the dropper) follow your configured lifetime, up to 30 days.
- Connect threads — kept for the lifetime of the cards they reference (i.e. typically ≤24 hours), then archived for 30 days for moderation appeals, then permanently deleted.
- GNotes — 24 hours from publish (delivered or not), then automatically expired. Attachments are deleted with the GNote. Physical-gift QR unlock audit rows are kept for two years for DPDP / fraud-defence compliance.
- LyPinn ID — permanent while your account exists. When you delete your account we move your handle into a reserved list so it can never be claimed by another person impersonating you. The reserved entry holds only the lowercased handle and the original claim date — no other personal data.
- LyPinn Connect graph — kept while both sides keep their accounts open. Either party can sever a trusted connection at any time; the row is deleted within 24 hours of removal.
- NLocal ideas — kept while you keep your account. Closed ideas (shipped or rejected) move into a read-only archive for one year and are then purged.
- In-app notifications — 60 days, then aggregated or purged.
- Notify Me preferences — kept while your account exists and you keep the feature on. Turning Notify Me off in-app preserves your keywords + pin so you can re-enable later; full deletion happens when you delete the account or remove the keyword in-app. The Notify Me match audit log (`notify_me_matches`) is retained for 60 days then purged. The global keyword-translation cache is content-only (no user IDs) and survives indefinitely as a shared resource.
- Account record — kept while your account is open. Delete your account from Settings → Account → Delete and we remove the record within 30 days. Some backups may take up to 60 additional days to roll over.
- Login/IP logs — 90 days, then aggregated or purged.
7. Your rights
Under the DPDP Act, 2023 and analogous laws you can, at any time:
- Access and export your data (email `contact@lypinn.com`).
- Correct anything in your profile from the app.
- Delete your account end-to-end (Settings → Account → Delete).
- Withdraw consent for optional features (background location, push notifications, marketing emails — although we currently send no marketing emails).
- Nominate another individual to exercise these rights on your behalf if you become incapacitated (DPDP §14).
- Lodge a complaint with the Data Protection Board of India or your local supervisory authority.
7a. Selective deletion (keep account, delete specific items)
Sometimes you'll want to clean up *part* of your LyPinn footprint without nuking the whole account. We support these targeted deletions on request — most are handled within 7 working days:
- One or more cards you've published (we'll soft-delete and purge within 14 days).
- One or more GNotes you've sent (we'll mark them `revoked` so the recipient can no longer claim them; already-delivered attachments are removed from our object store).
- Reminders you've set (instantly removable in-app under Reminders → tap → Delete; the email path is only for batch removals of >50 items).
- Connect-history entries with a specific neighbour (we'll soft-delete the thread on both sides if both parties consent, otherwise just on yours).
- Login / IP history entries older than a given date.
- Profile photo, display name, bio (or set them back to defaults). The in-app Profile editor handles these instantly; email us only if the editor refuses (rare).
- Custom Discover pin (we'll wipe the pin and clear the 24-hour lock so you're free to set a new one immediately).
- Notify Me preferences — your saved keywords, pin and match history (instantly removable in-app under Profile → Notify Me; email us only if you need a bulk wipe across all your keywords and the audit log in one shot).
- Device-linked FCM tokens for a lost or sold phone (we'll unregister the device).
How to ask:
- Email `contact@lypinn.com` from the address tied to your LyPinn account (we use this for identity verification — replies from other addresses get a polite prompt to verify ownership).
- Mention "Selective deletion request" in the subject.
- Briefly list what you want removed (card IDs / GNote IDs / date ranges — paste from the app's Activity tab if it's easier). The more specific, the faster.
- We confirm receipt within 2 working days and complete most deletions within 7 working days. Court-mandated holds or live abuse investigations may extend this; we'll always tell you honestly if that's the case.
If you'd rather delete *everything*, the in-app Settings → Account → Delete flow is faster and doesn't require an email round-trip.
8. Security
Passwords are hashed with bcrypt. Sessions are JWT-signed and expire after 24 hours (refresh tokens after 14 days). The mobile app stores its session token inside the device's secure preferences store — biometric unlock is your device's native feature and never sees the network. We use HTTPS exclusively. Despite our best efforts, no internet service is invulnerable — if we detect a breach affecting your data we'll notify you and the Data Protection Board of India within the timelines required by §8(6) of the DPDP Act, 2023.
9. Minors
LyPinn is strictly 18+. Age verification is a binding self-declaration users accept at registration (see Terms §1). If we discover an under-18 account we'll terminate it immediately. Parents who believe their child holds an account can email `contact@lypinn.com` and we'll delete it within 24 hours of verification.
10. Feature flags + regional availability
Some features can be turned on or off per device family (LyPinn mobile app, mobile browser, desktop browser) or per content type (card category, GNote attachment kind). We use this for staged rollouts, store-review compliance, and incident response. When a feature is off on your device you'll see a clear "Not available on this device" badge — never a silent failure. Admins can grant per-user overrides to enable a feature for specific users (VIP testers, incident escalations); when an override is set on your account it is visible to LyPinn moderators and auditable.
10a. Per-feature opt-in (Reminders + GNotes + Discovery location + Notify Me)
Four of LyPinn's location-aware features are opt-in: Reminders, GNotes, Discovery — current location, and Notify Me. All four default to OFF for every new sign-up; the *Discovery — current location* toggle was grandfathered to ON for users who were already on LyPinn before 2026-05, since you were actively using location-based discovery; the other three (including Notify Me) default to OFF for every account regardless of when you joined. You can turn any of the four on or off any time from Settings → Features (Reminders / GNotes / Discovery) or from Profile → Notify Me.
- When a feature is OFF, the related UI is hidden across LyPinn: no Reminder category in Drop, no GNote button in Discover, no incoming GNote notifications, the Discover screen prompts you for a custom pin instead of using live GPS, etc.
- Past data is preserved when you toggle off. Your historical Reminders, GNote inbox and last-known Discover pin remain available read-only. You just can't add new ones or accept new incoming GNotes until you turn the feature back on.
- If you have GNotes OFF and someone tries to send you one, the sender is told politely that you haven't enabled GNotes — they can't burn a daily-quota slot on a delivery that won't trigger.
- If you switch GNotes OFF while an in-flight GNote is waiting for you, it is paused (not deleted). Turning GNotes back on restores it to your inbox.
- If you opt out of *Discovery — current location*, the Discover feed switches to a custom map pin you choose. We lock the pin for 24 hours so it stays a deliberate choice; when the lock expires we send a single polite push notification ("Your Discover pin is unlocked — change it if you'd like") and that's the only nudge we'll send.
- When Notify Me is OFF, we never run keyword matching for your account and no Notify Me push can fire. Your saved keywords + pin are preserved so a future re-enable picks up exactly where you left off; full deletion happens in-app from the same Profile → Notify Me screen or with account deletion.
- The choices themselves (opted-in vs opted-out) are stored on your user record. They are never shared with other users, partners or advertisers — only your sender sees a generic "recipient hasn't enabled GNotes" message when they try to drop you one.
11. Changes to this policy
When we update this policy materially we'll show an in-app banner and require a fresh acceptance before you continue. Smaller edits (typos, clarifications) are versioned silently at the footer of this page.
12. Contact
Email contact@lypinn.com with any privacy question, rights request, data-access request, or grievance under the IT Act 2000 / DPDP Act 2023. The Grievance Officer (Bhavik Patel) responds within seven days, and within the 30-day statutory window for formal grievances.
v1.1.19 — Trending Keywords surface & B2B partner sharing
Trending Keywords surface. The LyPinn homepage and a new internal Trending dashboard publish an aggregate cloud of the most-saved Notify Me keywords across the platform — at three scopes: global, per-country (ISO-3166 alpha-2), and within ad-hoc 3 km neighbourhoods. Each keyword is subject to a strict k-anonymity floor of 3 distinct users before it can appear on any surface; no personal name or single user's private keyword can ever surface as 'trending'. The score is a simple weighted popularity count — `unique_users + 0.3 × card_matches` — over a rolling 7-day window. The list never carries user IDs, card IDs, or coordinates.
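The floor and score described above can be checked mechanically. The sketch below is an added example, not LyPinn's own code: the event field names (`user`, `keyword`, `country`, `ts`) and all sample data are constructed, and only the global and per-country scopes are modelled. It shows three cases the paragraph implies: repeat saves by one user count once, card matches alone never lift a keyword over the floor, and a keyword can pass globally while being suppressed in a narrower scope.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

K_FLOOR = 3                  # policy: 3 distinct users before a keyword may surface
MATCH_WEIGHT = 0.3           # policy: unique_users + 0.3 x card_matches
WINDOW = timedelta(days=7)   # policy: rolling 7-day window


def trending(saves, matches, now, scope_key=None):
    """Return {scope: [(keyword, score), ...]} with the k-anonymity floor applied.

    scope_key=None gives the global scope; scope_key="country" buckets by the
    event's country field (assumed field name). Output carries keywords and
    scores only: no user IDs, card IDs or coordinates.
    """
    cutoff = now - WINDOW
    users = defaultdict(set)   # (scope, keyword) -> distinct user ids
    hits = defaultdict(int)    # (scope, keyword) -> card matches inside the window

    def scope(event):
        return event[scope_key] if scope_key else "global"

    for s in saves:
        if s["ts"] >= cutoff:
            users[(scope(s), s["keyword"])].add(s["user"])  # set: repeat saves count once
    for m in matches:
        if m["ts"] >= cutoff:
            hits[(scope(m), m["keyword"])] += 1

    out = defaultdict(list)
    for (sc, kw), uids in users.items():
        if len(uids) < K_FLOOR:
            continue  # suppressed; matches alone never lift a keyword over the floor
        out[sc].append((kw, round(len(uids) + MATCH_WEIGHT * hits[(sc, kw)], 2)))
    for sc in out:
        out[sc].sort(key=lambda pair: (-pair[1], pair[0]))
    return dict(out)


# --- constructed sample data (not real LyPinn records) ---
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def event(user, keyword, country, days_ago):
    return {"user": user, "keyword": keyword, "country": country,
            "ts": NOW - timedelta(days=days_ago)}


SAVES = [
    event("u1", "yoga", "IN", 1), event("u2", "yoga", "IN", 2),
    event("u3", "yoga", "US", 3), event("u1", "yoga", "IN", 0),    # u1 saved twice
    event("u4", "tiffin", "IN", 1), event("u5", "tiffin", "IN", 1),
    event("u6", "tiffin", "IN", 2), event("u7", "tiffin", "IN", 9),  # u7 outside window
    event("u8", "meera wedding", "IN", 1),                         # one user's private keyword
    event("u9", "carpool", "IN", 1), event("u10", "carpool", "IN", 2),
    event("u11", "carpool", "IN", 10),                             # stale: 2 users remain
]
MATCHES = [
    event(None, "yoga", "IN", 1), event(None, "yoga", "US", 1),
    event(None, "tiffin", "IN", 1), event(None, "tiffin", "IN", 8),  # second one is stale
] + [event(None, "meera wedding", "IN", 1) for _ in range(5)]      # many matches, one user

if __name__ == "__main__":
    print(trending(SAVES, MATCHES, NOW))             # global scope
    print(trending(SAVES, MATCHES, NOW, "country"))  # per-country scope
```
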
IP-based city label on lypinn.com. The public-website trending cloud derives a coarse city name from the visitor's IP address via the same `ip-api.com` provider already disclosed for abuse detection. The IP itself is never written to our database; only the city/country label is used, and only to caption the cloud (e.g. 'Trending in Ahmedabad'). No geolocation prompt is shown to website visitors.
B2B Integrations API. A new `/api/v1/trending` endpoint exposes the same aggregate trending list to vetted partner businesses under a per-key rate limit. API keys are issued manually after a partner emails `developer@lypinn.com` — there is no self-serve issuance and no SDK. Partners only see the same aggregate, k-anonymised feed every other surface uses; the API never exposes user identifiers, card identifiers, exact coordinates, or any field that could re-identify a person. Partners are bound by the LyPinn Business Terms § 9 (Partner API access) which restricts onward sharing.
_Last updated: 13 February 2026 — v19._
Last updated: 6/9/2026