Privacy Policy
This policy explains what Twonight collects, how we use it, who it's shared with, and the controls you have over your data. If you have questions, email twonight@virtuonweb.com.
1. What we collect
Signup & profile.
- Email address (from your Google account).
- Display name and profile photo (initially from Google; you can change them in Profile → Edit).
- Optional profile details you add: age range, nationality, languages, gender, bio, Instagram handle, additional photos.
Activity on Twonight.
- Plans you host, join, comment on, or review.
- Reviews you submit and receive.
- Beta feedback you submit (linked to your user id).
- Trust score adjustments and moderation history.
- Notifications, login times, and approximate session timestamps.
Technical.
- Session cookies (set by Twonight to keep you signed in).
- A CSRF cookie used to prevent cross-site request forgery.
- IP address and browser user-agent (recorded transiently in server logs for security/debugging).
- If enabled, third-party analytics identifiers (Google Analytics 4) and ad identifiers (Google AdSense).
We do not collect precise GPS location, contact lists, or your browsing outside of Twonight.
2. How we use it
- Operate the Service: show you nearby plans, match you with hosts, send notifications, render your profile to peers on plans you join.
- Trust & safety: compute your private trust score, detect harassment / spam / abuse patterns, enforce soft-bans and the Terms of Service.
- Beta rewards: verify eligibility and assign you a Starbucks coffee coupon if you qualify.
- Product improvement: aggregate usage analytics (e.g. how many people host vs. join) to improve the Service.
- Legal compliance: respond to lawful requests from authorities; investigate Terms violations.
3. Who we share it with
Twonight is operated by a small team. We do not sell your data. We use the following processors to run the Service:
- Google Sign-In — for OAuth authentication.
- Supabase — for database hosting and image storage (Postgres + Storage).
- Render / cloud hosting — for the application servers.
- Google Analytics 4 — privacy-friendly aggregate analytics. Disabled in development.
- Google AdSense — when enabled, displays ads on public pages. AdSense may set its own cookies under Google's policies.
Each processor handles your data only on our instructions and only to deliver the function above.
4. Where it's stored
Database and storage are hosted by Supabase, which may store your data in data centers outside Korea (typically Singapore or the United States). By using Twonight you consent to the transfer of your data to those regions. We use TLS in transit and encryption at rest.
5. How long we keep it
- Active accounts: retained while your account is active.
- Inactive sessions: session rows older than 30 days are pruned automatically.
- Notifications inbox: 30 days.
- Deleted accounts: after you trigger account deletion, your data enters a 7-day grace window during which you can restore your account. After 7 days, your profile is permanently anonymized (display name becomes "Deleted user", email and photos are wiped). Past comments and reviews are retained in anonymized form so other users' history isn't broken.
- Audit logs: moderation actions and beta feedback are retained for legal and safety purposes for up to 3 years.
6. Your rights
You have the right to access, correct, export, or delete your data. Most actions are self-service:
- Access / view: visit your profile and /profile/edit for the data we hold.
- Correct: edit your profile from /profile/edit.
- Delete: use the "Delete my account" button at the bottom of /profile/edit. Deletion honors the 7-day grace window described above.
- Export: email twonight@virtuonweb.com and we will provide a JSON dump of your account data within 30 days.
- Object / restrict: for any other request under applicable privacy law (Korea PIPA, EU GDPR, California CCPA), contact us at the address above.
7. Cookies
We set the following cookies on twonight.virtuonweb.com:
- Session cookie — keeps you signed in. HttpOnly, SameSite=Lax. Required.
- CSRF cookie — protects against cross-site request forgery on form submits. HttpOnly, SameSite=Lax. Required.
- Google Analytics (when enabled) — aggregate analytics. You can opt out by installing the Google Analytics Opt-Out browser add-on.
- AdSense (when enabled, only on public pages) — ad personalization. You can manage ad preferences in your Google Account.
8. Children's privacy
Twonight is for adults aged 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email twonight@virtuonweb.com and we will remove the account.
9. Security
We use TLS for all traffic, hash session secrets, and isolate user photos in object storage with public read URLs (so coupon images you receive are accessible by anyone with the URL — please do not share them). We will notify affected users without undue delay if we become aware of a confirmed personal-data breach.
10. Changes to this policy
We may update this Privacy Policy. Material changes will be announced in-app or by email; the "Last updated" date at the top will reflect the most recent revision.
11. Contact
Privacy or data-rights requests: twonight@virtuonweb.com