outside

Privacy Policy

Last updated: 16 April 2026

Who we are

Outside Group ("Outside", "we", "us") operates the Outside mobile app (iOS and Android) and website at roamer.global. We are a community events marketplace based in the United Kingdom. If you have questions about this policy, contact us at [email protected].

What data we collect

  • Account information — name, email address, username, profile photo, avatar emoji, bio, and any other customisation you add to your profile (including background colour or background image).
  • Authentication data — credentials managed via Google or Apple sign-in, or email and password. We store only hashed passwords and short-lived session tokens. Tokens are stored securely on your device using encrypted storage (Keychain on iOS, Keystore on Android).
  • Contacts — if you grant permission, we access your device contacts (names and phone numbers) to help you invite friends to private events. Contact data is read on-device only and is not uploaded to or stored on our servers. If you choose to send SMS invitations, the message is composed on your device using your native SMS app — we do not send messages on your behalf or store the content.
  • Camera — if you grant camera permission, you can take photos for your profile, posts, or event photo albums. Photos are processed on-device (e.g. cropped or resized) before being uploaded.
  • Photos and media — photos you upload for profile posts, event cover images, profile pictures, or event photo albums are stored securely in our cloud storage (Amazon S3, EU London region). Photos may be processed server-side to extract dominant colours for display purposes.
  • Event photo albums — when you take photos at an event using the in-app camera (disposable camera feature), those photos are uploaded and stored on our servers. Album photos are visible to other attendees of that event. Organisers can moderate album content. Other attendees can react to your photos. You can flag inappropriate photos for review.
  • Push notification tokens — your device push token so we can send you event updates, broadcast messages from organisers, chat notifications, and connection requests. You can disable push notifications at any time in your device settings.
  • Payment information — payment details are collected and processed directly by Stripe. We do not see or store your full card number, Apple Pay details, Google Pay details, or PayPal credentials. We do store order records including amounts, ticket types, and transaction status.
  • Ticket and order data — records of events you have purchased tickets for, order IDs, ticket quantities, QR codes for entry, and refund requests.
  • Chat and messaging data — messages you send in event chat rooms (including real-time WebSocket messages), direct messages (DMs) to other users, and group chat messages. Message content is stored on our servers and visible to the other participants in the conversation.
  • Social and connection data — your follower/following relationships, friend requests (sent, received, accepted, declined), blocked users, and your social graph. This data is used to show your connections and enable social features.
  • Posts and feed content — posts you create on your profile (including text and photos) are stored on our servers and visible to other users.
  • Private events — if you create or are invited to a private event, we store event details (title, description, date, venue), guest lists, RSVP status, and invite codes. Guest lists are visible to the event host and other guests.
  • Organiser data — if you create events, we store your organiser profile (company name, description), event analytics (ticket sales, revenue), broadcast messages you send to attendees, and activity logs.
  • Reports and moderation — if you report a user, post, comment, or photo, we store the report details (target, reason, and any additional context you provide) for moderation purposes.
  • In-app notifications — we store a log of notifications sent to you (e.g. connection requests, event updates, broadcast alerts) so they can be displayed in your notification feed.
  • Usage and diagnostic data — we collect crash reports, error logs, and basic performance metrics via Sentry to improve app stability. This may include device type, OS version, and app version. We also collect anonymous session replays when errors occur — these are screen recordings with all text and input fields automatically masked, used solely to diagnose and fix bugs.

Data we do not collect

  • We do not track your location in the background. The app does not request background location permissions.
  • We do not access your device microphone.
  • We do not read or store your device contacts on our servers.
  • We do not sell your personal data to third parties.
  • We do not use your data for targeted advertising.
  • We do not use automated decision-making or profiling that produces legal effects.

How we use your data

  • To create and manage your account.
  • To let you discover, book, and manage event tickets.
  • To process payments for ticket purchases via Stripe.
  • To send push notifications about events, broadcasts, chat messages, and connection requests.
  • To display your profile, posts, and social connections to other users on the platform.
  • To enable event chat rooms, direct messaging, and group chats.
  • To operate the event photo album feature, including storage, display, reactions, and moderation of photos.
  • To facilitate private event creation, invitations, RSVP tracking, and guest lists.
  • To provide event organisers with analytics on their events (ticket sales, attendance).
  • To enable you to invite friends via your device contacts and SMS.
  • To process reports and enforce our community guidelines.
  • To diagnose crashes, monitor errors, and improve app performance.

Data visible to other users

Outside is a social platform. Some of your data is visible to other users by design:

  • Your profile — your name, username, avatar, bio, and profile posts are visible to other users.
  • Event chat messages — messages you send in an event chat room are visible to all attendees of that event.
  • Direct messages — messages you send in a DM or group chat are visible to the other participants.
  • Album photos — photos you take at an event are visible to all attendees once the album is released. Other attendees can react to your photos.
  • Private event guest lists — if you RSVP to a private event, your name may be visible to the host and other guests.
  • Connections — your follower and following lists may be visible to other users.

Third-party services

We share data with the following third parties only as needed to provide our services:

  • Stripe — payment processing (card details, Apple Pay, Google Pay, PayPal). Stripe's privacy policy applies to payment data.
  • Expo (Expo Push Service) — delivering push notifications to your device. Your device push token is shared with Expo to route notifications.
  • Supabase — authentication and user identity management (including Google and Apple OAuth sign-in flows).
  • Amazon Web Services (S3) — secure storage of uploaded photos and media in the EU (London, eu-west-2) region. Media is stored in a private bucket and accessed via time-limited signed URLs.
  • Sentry — crash reporting, error monitoring, and anonymous session replay (with all text and inputs masked) for error diagnosis.

We do not share your personal data with any other third parties for marketing or advertising purposes.

Device permissions

The app may request the following device permissions. All are optional and you can deny or revoke them at any time in your device settings:

  • Camera — to take photos for event albums, profile posts, and profile pictures.
  • Photo library — to select existing photos for uploads.
  • Contacts — to invite friends to private events. Contact data stays on your device.
  • Notifications — to receive push notifications about events, messages, and updates.

Local storage

The app stores data locally on your device to improve performance. This includes cached API responses, your theme preference, checkout selections, and authentication tokens (stored in encrypted device storage). The website uses browser local storage and httpOnly cookies for authentication sessions, CSRF protection, and preferences. These are essential for the service to function and are not used for tracking.

Data retention

We keep your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal or financial record-keeping purposes (e.g. transaction records required by UK law). Chat messages, album photos, and posts associated with your account will also be deleted. Reports you have filed may be retained in anonymised form for moderation purposes.

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and personal data.
  • Object to or restrict processing of your data.
  • Data portability — receive your data in a structured format.
  • Withdraw consent for optional data processing (e.g. contacts, camera, push notifications) at any time via your device settings.
  • Lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data rights have been violated.

To exercise any of these rights, email us at [email protected] or use the in-app features described below.

Deleting your account

You can delete your account directly within the app by going to your Profile and selecting "Delete Account" at the bottom of the page. You will be asked to type "DELETE ACCOUNT" to confirm. Alternatively, you can request deletion by emailing [email protected]. In both cases, your account and associated personal data will be deleted within 30 days. This includes your profile, posts, photos, messages, connections, and notification history.

Children

Outside is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

Security

We use encryption in transit (HTTPS/TLS) for all communications, including real-time WebSocket connections for chat. Authentication tokens are stored in encrypted device storage (Keychain on iOS, Keystore on Android). The website uses httpOnly cookies for session management with CSRF protection. Payment data is handled entirely by Stripe and never touches our servers. Uploaded media is stored in a private S3 bucket with time-limited access URLs. Login attempts are rate-limited to prevent abuse.

Changes to this policy

We may update this policy from time to time. We will notify you of significant changes via the app or email. Continued use of Outside after changes constitutes acceptance of the updated policy.

Outside Group
United Kingdom
[email protected]