Last updated: May 4, 2026

Privacy Policy

We collect only what we need to run Soyo. We do not sell your data. This policy applies to users in Canada and the United States.

1. Who We Are

Soyo is a local community event platform operated by StarsUp Canada Corporation, a corporation registered in British Columbia, Canada. References to “Soyo,” “we,” “us,” or “our” in this policy mean both the platform and its operating company.

For all privacy questions, contact team@joinsoyo.com.

2. Information We Collect

We collect three categories of information:

You give us directly

  • Name, email, and password (or Google/Apple sign-in identifier)
  • Profile details: bio, avatar, neighborhood, interests, languages, relationship status (optional)
  • Phone number (organizers only — used for identity verification, never shown to other users)
  • Venue details if you are a venue owner: photos, address, partnership preferences
  • Event proposals, RSVPs, and messages you send through the platform

Created automatically

  • Connection requests, follows, and event invitations between users
  • In-app notifications (e.g. proposal approved, new RSVP)
  • Activity timestamps used for daily/weekly active user counts
  • Device + browser metadata sent automatically by your client (IP address, user agent, approximate location based on IP)
  • Cookies and local-storage tokens for authentication and UI preferences

From third-party services

  • Stripe — payment status and Stripe Connect account state. Card details never touch our servers.
  • Google / Apple Sign-In — name, email, and avatar when you choose those sign-in options.

3. Categories of Personal Information We Collect (CCPA)

For California residents, the following table categorizes our data collection per the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We collect categories A, B, D, F, G, and K below; we do not collect biometric identifiers or precise geolocation data.

  • (A) Identifiers — name, email, phone, IP address, account ID
  • (B) Customer records — payment-related metadata via Stripe (no card details on our servers)
  • (D) Commercial information — RSVPs, event purchases, ticket history
  • (F) Internet activity — pages viewed within Soyo, in-app actions
  • (G) Geolocation — neighborhood (self-selected, city-level only — never device GPS)
  • (K) Inferences — interests, preferences derived from your profile and activity

Sensitive personal information: we do not knowingly collect or process sensitive personal information as defined by the CPRA (e.g. precise geolocation, racial/ethnic origin, religious beliefs, sexual orientation, health data, login credentials of other accounts). Relationship status is collected only with your opt-in consent and is visible only to you.

4. How We Use Your Information

  • Run the core product: create accounts, list venues, submit proposals, sell tickets, send notifications.
  • Match organizers, venue owners, and explorers based on neighborhood and interests.
  • Process payments and payouts via Stripe.
  • Detect and prevent fraud, spam, chargebacks, and platform abuse.
  • Improve the product through aggregated, non-identifying usage statistics.
  • Send transactional emails (sign-in, RSVP confirmations, proposal updates).
  • Comply with legal obligations and enforce our Terms.

We do not sell your personal data. We do not share personal information for cross-context behavioural advertising. We do not run third-party advertising on Soyo.

5. Who Sees What

  • Public: your name (or community name), avatar, bio, neighborhood, and any events you host.
  • Connections only: direct messages and event invitations.
  • Organizer ↔ venue: proposal contents and partnership thread messages, visible only to the two parties.
  • You only: phone number, email address, payment status, relationship status (if set).

6. Service Providers We Use

We rely on a small number of third parties to operate the platform under contracts that limit them to processing data on our behalf:

  • Supabase — database, authentication, file storage. Hosted in the United States.
  • Stripe — payment processing, Stripe Connect for organizer payouts. Hosted in the United States and other regions.
  • Vercel — web hosting and edge content delivery. Hosted in the United States and edge regions globally.
  • Expo / Apple / Google — mobile app delivery and (when enabled) push notifications.

These providers process data on our behalf and are not permitted to use it for their own purposes. They have their own privacy policies, which we encourage you to review.

7. International Data Transfers

Soyo is operated from Canada, but our infrastructure providers (Supabase, Stripe, Vercel) primarily host data in the United States. By using Soyo, you understand and consent to your personal information being transferred to and processed in the United States and other countries that may have data-protection laws different from your home jurisdiction.

We use providers that maintain industry-standard safeguards (encryption in transit, access controls, audited compliance certifications). For Quebec residents, this disclosure is made in accordance with Section 17 of Quebec's Act respecting the protection of personal information in the private sector (Law 25).

8. Cookies & Local Storage

Soyo uses cookies and browser local storage for two purposes only: keeping you signed in and remembering UI preferences (e.g. last visited messages tab, theme). We do not use third-party advertising cookies, cross-site tracking pixels, or analytics cookies that identify individual users.

We honour the Global Privacy Control (GPC) browser signal where applicable. Because we do not sell or share personal information for advertising, no opt-out action is necessary.

9. Your Rights

You can, at any time:

  • View and edit your profile from your account settings.
  • Cancel an RSVP from the Journal page in the app or web dashboard.
  • Delete your account from Account Settings → Delete Account. Deletion has a 30-day grace period during which it can be reversed by emailing us.
  • Export your data by emailing us; we will provide a machine-readable copy of your personal data within 30 days (or 45 days where law allows extension).
  • Object to processing, request correction of inaccurate data, or restrict certain uses.
  • Withdraw consent at any time for processing based on consent (does not affect lawfulness of prior processing).

We do not discriminate against users who exercise privacy rights. You may designate an authorized agent to make a request on your behalf — agent must provide proof of authorization and your identity.

To exercise any right above, email team@joinsoyo.com with the subject line “Privacy Request.”

10. Region-Specific Rights

California Residents (CCPA / CPRA)

You have the right to know, delete, correct, and opt out of sale or sharing of your personal information. As stated above, Soyo does not sell or share personal information for cross-context behavioural advertising, so no separate “Do Not Sell or Share” mechanism is needed; you may still submit a request to confirm this. You can designate an authorized agent and have the right to non-discrimination for exercising your rights.

Virginia, Colorado, Connecticut, Utah, and other US states

Residents of states with comprehensive privacy laws (VCDPA, CPA, CTDPA, UCPA, plus Iowa, Indiana, Tennessee, Texas, Oregon, Florida, Delaware, and others as enacted) have rights similar to California: access, deletion, correction, portability, and opt-out of targeted advertising / sale where applicable. We honour these rights for any qualifying request.

Canadian Residents (PIPEDA, BC PIPA, Alberta PIPA)

Your rights to access, correction, and withdrawal of consent under federal PIPEDA and provincial laws are honoured globally across our user base. You have the right to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial commissioner.

Quebec Residents (Law 25)

Quebec residents have additional rights under Law 25: data portability, right to be forgotten, automated decision-making disclosure, and the right to object to certain processing. Soyo does not use automated decision-making to produce legal or similarly significant effects. Our designated person in charge of personal information is reachable at team@joinsoyo.com. A French-language version of this policy is available on request.

11. How Long We Keep Data

  • Account profile: until you delete the account.
  • Proposals, RSVPs, messages: kept while the account is active so the venue↔organizer history remains intact for both parties.
  • Payment records (transaction logs, payouts): retained for 7 years to meet Canadian and US tax + accounting requirements.
  • Backups: rolling 30-day window of encrypted Supabase backups.
  • Server logs (IP, request metadata): up to 90 days for security and abuse prevention.

12. Security

We use industry-standard practices to protect your data: TLS in transit, encrypted backups at rest, row-level security on the database, and column-level restrictions on sensitive fields like phone numbers. Authentication and password storage is delegated to Supabase Auth (bcrypt). Payment data is delegated to Stripe (PCI-DSS Level 1).

No system is perfect. If you discover a security issue, please email team@joinsoyo.com with the subject line “Security Report” so we can address it promptly.

13. Data Breach Notification

In the event of a data breach involving your personal information that creates a real risk of significant harm, we will:

  • Notify the Privacy Commissioner of Canada (and applicable provincial commissioners) without undue delay, as required by PIPEDA and provincial law.
  • Notify affected users by email within 72 hours of confirming the scope of the breach, where feasible.
  • Comply with breach-notification requirements of US state laws applicable to affected residents (e.g. CCPA, NY SHIELD Act, state attorneys general thresholds).
  • Maintain an internal record of breaches as required by PIPEDA Section 10.3.

14. Children's Privacy (COPPA)

Soyo is intended for adults aged 18 and older. We do not knowingly collect data from anyone under 18. We do not knowingly collect personal information from children under 13 in compliance with the U.S. Children's Online Privacy Protection Act (COPPA).

If you believe a minor has created an account, please email team@joinsoyo.com. We will remove the account and associated data promptly upon verification.

15. Changes to This Policy

We may update this Privacy Policy as Soyo evolves. Material changes will be announced in-app or by email at least 30 days before they take effect, where feasible. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of Soyo after the effective date constitutes acceptance of the revised policy.

16. Contact

For privacy questions, data export requests, or to exercise any rights described above, contact:

StarsUp Canada Corporation (operating as Soyo)
Metro Vancouver, British Columbia, Canada
📧 team@joinsoyo.com

You may also file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the privacy regulator in your jurisdiction.

← Back to Soyo