Privacy Policy

Effective Date: March 22, 2026

Bunk Labs, Inc.

1. Introduction

Bunk Labs, Inc. ("we," "us," "our," or "Company") operates Trick Dash, an LGBTQ+-focused social and cruising application. We recognize the sensitive nature of our users' data and are deeply committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, your rights, and our safeguards.

2. Information We Collect

2.1 Information You Provide

When you create an account and use the App, you may provide:

Profile Information: Name, birth date, bio, headline, body type, ethnicity, height, weight, gender identity, relationship status, known languages, identity tags, position preferences
Photos: Profile photos, album photos, Flashes, Dark Room photos
Dark Room Information (web only): Dark Room nickname, Dark Room profile, anonymous persona data. Dark Room is available only on the web version of Trick Dash; iOS, Android, and lite web builds do not collect this data.
Messages and Communications: Text messages, location shares, photos, albums sent through the App
Events and Groups: Events you create, groups you join, shouts you post
Optional Email: If you provide an email for account recovery, we hash it with SHA-256

2.2 Information Collected Automatically

The App automatically collects:

Device Information: Device type, OS version, browser type, unique device identifiers
Location: GPS coordinates with intentional 50–200 meter jitter for privacy; fuzzy distance buckets shown to other users
Usage Data: Features accessed, time spent, swipe patterns, conversation data
IP Address: Used for rate limiting and abuse prevention; not stored long-term
Push Notification Tokens: To send Web Push notifications

2.3 Information We Do NOT Collect

        Email addresses in plain text (only SHA-256 hashes if provided)
Tracking cookies or third-party analytics trackers
Facial recognition data or biometric information
Payment card information (handled by third-party processors)
Health or medical information (beyond general body metrics)

      

3. How We Use Your Information

Core Features: Matching, profiles, messaging, event discovery, groups
Safety and Moderation: Abuse detection, content moderation, fraud prevention, law enforcement cooperation
Improvement: Aggregate analytics (anonymous, non-identifying) to improve the App
Legal: Compliance with legal obligations, court orders, and safety concerns

4. Storage and Protection

4.1 Infrastructure

Database: Neon Postgres (AWS us-east-1, Postgres 17) with encryption at rest
Storage: Cloudflare R2 for photos and Flashes
Transmission: All data encrypted in transit with TLS 1.3
Connection Pooling: Cloudflare Hyperdrive for secure edge connection pooling; caching intentionally disabled for real-time messaging accuracy
Photo URLs: Signed with HMAC-SHA256, valid for 1 hour

4.2 Location Privacy

We do not store or share your precise GPS coordinates with other users. Instead:

Your location is intentionally jittered 50–200 meters deterministically
Users see fuzzy distance buckets ("Steps Away," "< 1 km," "3 km") instead of exact distances
Roam locations (when exploring a different city) are temporary and expire after 3 hours
Nearby search uses PostGIS geographic queries for privacy-preserving radius filtering

4.3 Message Retention

You control how long your messages are retained on our servers (1–14 days, default 7). After the retention period expires, messages and any photos attached to them are permanently deleted from both our database and storage and cannot be recovered. We do not maintain backups of deleted messages. Cleanup runs both inline (on conversation access) and via a nightly scheduled sweep so messages in inactive conversations are also removed on schedule. Retention is set per-sender: the messages you send are retained according to your setting, regardless of the recipient's setting.

4.4 Photo Metadata

Photos uploaded to Trick Dash—profile photos, album photos, Flashes, and chat photos—are stripped of EXIF metadata before transmission to our servers. EXIF data on phone photos commonly includes precise GPS coordinates (often the user's home address), camera model and serial number, and capture timestamp. We re-encode every uploaded image client-side via canvas to produce a fresh JPEG with no metadata, ensuring this information is never transmitted to us or to other users.

4.5 Vanity Usernames

You may optionally choose a vanity username (e.g., trickdash.com/@yourname) to share your profile. On the web version, each persona has an independent vanity handle: your Gallery handle and your Dark Room handle are stored as separate values with no derivable relationship. Knowing one handle reveals nothing about the other. Vanity usernames are public identifiers by design. Anyone with the URL can view the corresponding profile.

4.6 Dark Room Privacy (web only)

Availability note. Dark Room is currently available only on the web version of Trick Dash at app.trickdash.com. It is not included in the App Store version on iOS, the Google Play Store version on Android, or the lite web build at lite.trickdash.com. The privacy details below apply only to web users who have opted into Dark Room.

Dark Room provides technical and design safeguards for user privacy: separate account personas, anonymous identities, browser-only accessibility, and NSFW-tolerant moderation. Dark Room shares are reachable only via the user's chosen Dark Room vanity URL or short share code, never via the underlying user ID, ensuring there is no derivable bridge between a user's Gallery and Dark Room identities. However, no system is perfectly private. Use Dark Room responsibly and do not share intimate content you do not wish to be seen.

4.7 Authentication Audit Log

Authentication events—successful logins, failed login attempts, passkey registration and revocation, and transfer code use—are recorded in an append-only audit log with the request IP and user agent. The log is retained for 12 months for security investigation, abuse detection, and SOC 2 audit-readiness purposes. The log cannot be edited or deleted by application code; integrity is enforced at the database layer.

5. Information Sharing

We do not sell user data to advertisers. Information is shared only in these cases:

Other Users: Your public profile, messages, photos, and activity (as core App functionality)
Service Providers: Cloudflare, Neon, Resend, and payment processors under Data Processing Agreements
Legal Obligations: Valid subpoenas, court orders, or warrants from law enforcement
Safety: If we believe disclosure is necessary to prevent imminent harm, illegal activity, or violate others' rights

6. Your Rights

6.1 All Users

Access: Request a copy of your data
Correction: Correct inaccurate information
Deletion: Delete your account and all associated data (cascade delete)
Export: Download your data in machine-readable format

6.2 European Union (GDPR)

If you are in the EEA, you have additional rights:

Right to Access (Art. 15)
Right to Rectification (Art. 16)
Right to Erasure (Art. 17)
Right to Restrict Processing (Art. 18)
Right to Data Portability (Art. 20)
Right to Object (Art. 21)
Right to Withdraw Consent (Art. 7)
Right to Lodge a Complaint with Your Data Protection Authority

Legal Basis: We process data based on contract (core features), legitimate interests (fraud prevention, safety), and consent (optional features).

6.3 California (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act:

Right to Know what personal information is collected
Right to Delete personal information
Right to Opt-Out of selling or sharing information (we do not sell)
Right to Non-Discrimination for exercising CCPA rights

6.4 Canada (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act:

Right to Access your personal information
Right to Correct your personal information
Right to Withdraw Consent

7. Children's Privacy

The App is intended for users 18 and older. We do not knowingly collect data from children under 18. If we discover a user is under 18, we immediately terminate the account and delete all associated data. If you are aware of a minor using the App, please report to safety@trickdash.com immediately.

8. International Data Transfers

Your data is processed and stored in the United States (AWS us-east-1). If you are outside the United States, your data will be transferred to the U.S. for processing. We comply with GDPR and other laws through Standard Contractual Clauses where applicable.

9. Data Breach Notification

In the unlikely event of a data breach, we will notify affected users within 72 hours and notify relevant data protection authorities as required by law. Notifications will include details of the breach, affected data, and recommended actions.

10. Changes to This Policy

We may update this Privacy Policy at any time. Material changes will be notified through the App or email. Your continued use after notification constitutes acceptance of updated terms.

11. Contact

For privacy questions, data subject requests, or concerns:

Privacy Contact: legal@trickdash.com
Data Protection Officer: legal@trickdash.com
Mailing Address: Bunk Labs, Inc.