App Privacy Policy.
Last updated July 13, 2026.
This policy explains what data the Fellowing app handles, what we can and cannot see, and the choices you have. It covers the Fellowing app and the services behind it. Our website has its own, shorter policy.
Fellowing is made by Fellowing PBC, a Delaware public benefit corporation. We’ve written this policy to be read. If anything is unclear, email legal@fellowing.com and we’ll explain it plainly.
-
The short version
- Everything your group shares in Fellowing is end-to-end encrypted. We store it, but we cannot read it.
- We never ask for your email address or phone number. You sign in with a passkey. There is no password, and no record on our servers linking your account to your name or contact details.
- We don’t sell data, we don’t show ads, and we don’t track you across other apps.
- What we can see is limited to what running the service requires: technical metadata, anonymous usage counts, and crash reports.
- You can delete your account in the app at any time.
The rest of this policy is the detail behind those five sentences.
-
What your group shares stays between you
Everything you and your group create in Fellowing is end-to-end encrypted: group names, messages, reactions, commitments, check-ins, events and RSVPs, profile names, and profile photos.
End-to-end encrypted means the data is encrypted on your device before it leaves, and only members of your group hold the keys to read it. Our servers store and deliver it as ciphertext. We can’t read any of it, even if we wanted to (we don’t), and neither can the companies that host our servers. Our encryption page explains how this works.
One consequence to know: what you share with a group becomes part of that group’s shared record. If you leave a group, are removed from one, or delete your account, the messages and check-ins you already shared stay with the group, without your name attached.
-
Your passkey
You sign in with a passkey instead of a password. Your device creates it, protects it with Face ID, fingerprint, or your device PIN, and syncs it through iCloud Keychain or your password manager if you use one. Your passkey never touches our servers.
That also means we can’t reset it. If you lose your passkey and have no synced copy, we cannot recover your account or your data. Nobody can, including us.
-
What we don’t collect
- No email address or phone number.
- No contacts, no location, no advertising identifiers.
- No account database: there is no record on our servers connecting your account to your name or any contact detail.
- No ads, no data sales, no tracking across other apps or websites.
-
What our servers can see
Running a sync service requires some technical metadata. Here’s the honest list of what our servers handle in readable form:
- Random account and record identifiers (machine-generated strings, not names). We can see that an account exists and which encrypted records it syncs, and when.
- Which account identifiers belong to which group identifiers, so we can route notifications. Not group names, and not member names.
- Device push tokens: the address Apple and Google use to deliver notifications to your phone.
- Connection data: your IP address when your device connects, used for rate limiting and abuse protection, and short-lived operational logs kept for a few days.
- App version and platform (iOS or Android).
None of this tells us who you are or what your group is about.
-
Push notifications
Notification content is encrypted too. The notification our servers send through Apple and Google is generic (it says "Fellowing" and "New activity") plus an encrypted preview. Your phone decrypts the real preview, like the sender’s name and a summary, locally, just before showing it to you.
Apple, Google, and Expo (the delivery service we use) see your device’s push token and a group identifier, never the content or the group’s name. You can turn notifications off in your device settings at any time.
-
Usage analytics
We count how features get used so we can tell what’s working. These events are counts and categories only, never content. For example, when you check in, we record that a check-in happened and whether it included a note. Never the note itself.
Before an event is stored, your account and group identifiers are scrambled with a secret key (a keyed hash), so the stored data can’t be traced back to you. It contains no IP address, no device identifier, and no content. We built this pipeline ourselves to protect privacy; there is no third-party analytics SDK in the app.
-
Crash and performance reports
When the app crashes or something breaks, a report goes to Sentry, a crash-reporting service. We’ve configured it not to collect personal information: your IP address is replaced with zeroes, and reports contain technical details (device model, OS version, what the app was doing) rather than anything you wrote. A small sample of sessions also sends performance timings, like how long screens take to load.
Reports can include internal record identifiers; they never include your content. Sentry keeps reports for about 90 days.
-
Invite links
Groups are invite-only and aren’t listed or discoverable anywhere. Invite links are unguessable. Anyone who has a group’s invite link can see the group’s name and how many members it has, and can ask to join; a group admin has to approve them before they see anything else. Treat an invite link like a key: share it only with people you’d welcome into the group.
-
Who helps us run Fellowing
A few companies process data on our behalf, each bound by contract to handle it only to provide its service to us:
- Cloudflare hosts our servers, stores your group’s encrypted data (as ciphertext it cannot read), and stores our pseudonymized usage analytics.
- Expo relays push notifications to Apple and Google and delivers app updates.
- Apple and Google carry push notifications the last mile to your device.
- Sentry receives crash and performance reports, as described above.
That’s the whole list. No data brokers, no ad networks.
-
Where your data lives
Our providers are US companies, and our servers run on Cloudflare’s global network. Wherever you use Fellowing from, the protections in this policy apply. If you’re in the EEA, the UK, or another region with data-transfer rules, we rely on our providers’ standard contractual protections for any transfer.
-
How long we keep things
- Group content: as long as the group exists. It’s the group’s shared record.
- Encrypted backups: our storage keeps encrypted point-in-time backups for up to 30 days.
- Push tokens: removed when you delete your account, and pruned automatically when they go stale.
- Usage analytics: kept as aggregate statistics that aren’t tied to your identity.
- Crash reports: about 90 days, at Sentry.
- Operational logs: a few days.
During the beta, data may also be reset as we iterate; the Terms of Service explain this.
-
Deleting your account
You can delete your account in the app: Account settings, then Delete account. Deleting your account permanently deletes your profile and your commitments, removes you from all of your groups, and removes your push tokens.
Messages and check-ins you already shared stay in your groups, without your name on them. Your passkey stays in your device’s password settings; you can remove it there. There is no account record on our side to delete, because we never had one.
-
Your rights
You can ask us what information we have about you, ask us to correct or delete it, or ask for a copy. For most of Fellowing, the honest answer is that your data lives on your device and sits encrypted on our servers, so we couldn’t produce a readable copy even if you asked. Viewing and deleting your data is self-serve in the app. For the little we can read, like the metadata and crash reports above, email legal@fellowing.com and we’ll respond within 30 days.
If you’re in the EEA, the UK, California, or another place with data-protection laws, these are your legal rights there. We honor them regardless of where you live, and we’ll never treat you differently for exercising them. We don’t sell personal information, and we don’t share it for cross-context behavioral advertising.
Where the GDPR applies: Fellowing PBC is the data controller. We process the data described here to provide the service you signed up for, and, for analytics and crash reports, in our legitimate interest to keep Fellowing working and improving.
-
Children
Fellowing isn’t directed at children under 13 (under 16 in the EU), and we don’t knowingly collect information from anyone in those age brackets. If you believe a child is using Fellowing, email legal@fellowing.com and we’ll act on it.
-
If we’re required to disclose data
If a legal request compels us to hand over data, what we hold is encrypted content we cannot decrypt, plus the limited metadata described above. Where the law allows, we’ll tell you about a request for your data.
-
Security
Fellowing’s encryption is built on Jazz, an open-source sync engine that uses proven cryptographic primitives. Our encryption page explains the architecture. If you find a vulnerability, email security@fellowing.com.
-
Changes to this policy
We’ll update this policy as Fellowing evolves. When we do, we’ll post the new version here and change the date at the top. If a change meaningfully reduces your privacy, we’ll say so in the app before it takes effect.
-
Contact us
For any privacy questions or requests, email legal@fellowing.com. By postal mail: Fellowing PBC, 251 Little Falls Drive, Wilmington, DE 19808.