HHouse of ChallahContact

Privacy Policy

Last updated: May 7, 2026

1. Introduction

House of Challah ("we," "our," or "us") operates the House of Challah mobile app and website (collectively, the "Platform"). This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. By using the Platform you agree to the practices described here.

We are headquartered in New York, NY, USA. If you have any questions, contact us at privacy@houseofchallah.app.

2. Information We Collect

2.1 Account & Profile Information

When you create an account or edit your profile, we collect:

  • Name, email address, and phone number
  • Password (stored as a secure hash — we never see your plaintext password)
  • Profile photo (taken with your camera or chosen from your photo library)
  • Bio and dietary preferences (e.g., kosher, vegan)
  • Any other information you voluntarily add to your profile

Note on dietary preferences: Dietary preferences in the context of this Platform may reflect religious observance (e.g., kosher). We treat this as sensitive information and use it solely to help hosts and guests find compatible events. We do not sell or share it for advertising purposes.

2.2 Face Data & Identity Verification

Users who host paid events must verify their identity through Didit (didit.me), our third-party identity verification partner. The verification flow opens inside a secure WebView session operated entirely by Didit. As part of that process, Didit collects:

  • A selfie photograph used for liveness detection and face matching against the government-issued ID
  • A government-issued ID document (passport, driver’s license, or national ID card)
  • What House of Challah receives: Only the resulting verification status — verified, pending, or rejected. We never receive, store, or process the raw facial image or ID document.
  • Purpose: Solely to confirm the host’s identity before they can receive payments. Face data is never used for advertising, analytics, or any other purpose.
  • Third-party sharing: Face data is shared only with Didit to perform the identity check. It is not sold or shared with any other party.
  • Retention: Didit stores and retains biometric data under their own privacy policy. House of Challah retains only the verification status string.

2.3 Payment & Financial Information

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We do not store your full card number, CVV, or bank account credentials on our servers.

  • Guest payments: Card details and Apple Pay tokens are transmitted directly to Stripe. We store only a Stripe payment method token and the last four digits of your card for display purposes.
  • Host payouts: To receive payouts, hosts provide bank account and routing information through Stripe Connect. For international payouts, we also use Wise (formerly TransferWise). These details are stored and processed by Stripe and Wise respectively under their privacy policies.
  • Apple Pay: When you pay with Apple Pay, your actual card number is never shared with us or Stripe. Apple provides a device-specific token. Apple’s privacy policy governs the Apple Pay portion of the transaction.
  • Tax information: Hosts who receive payouts above applicable thresholds may be asked to provide tax identification information (e.g., SSN or EIN) through Stripe’s secure forms. We do not store tax IDs on our servers.

2.4 Camera & Photo Library

We request access to your device camera and photo library only when you choose to upload or capture an image — for example, to set a profile photo or add a cover image to an event you are hosting. We do not access your camera or photos in the background, and we do not scan your photo library. Images you upload are stored on our servers (via Supabase Storage) and may be visible to other users.

2.5 Location Data

With your permission, we collect your device’s precise foreground location to show you events near you on the home screen map. Location is collected only while the app is in use — we do not track background location. You can revoke location permission at any time in your device settings, and the Platform will continue to work (you will simply not see location-based event suggestions).

2.6 Messages & User Content

The Platform includes a messaging feature that lets guests and hosts communicate. Message content is stored on our servers (via Supabase) to deliver real-time and asynchronous communication. We do not read your messages except as required to investigate reports of abuse, safety concerns, or violations of our Terms of Service.

Other user content you create — event listings, board posts, RSVPs, and reviews — is stored on our servers and may be visible to other users of the Platform.

2.7 Push Notification Token

With your permission, we collect a push notification token for your device so we can send you event reminders, RSVP updates, message alerts, and important account notifications. You can disable push notifications at any time in your device settings.

2.8 Device & Technical Information

We automatically collect certain technical information when you use the Platform:

  • IP address and approximate location derived from it
  • Device type, operating system, and app version
  • Unique device identifiers
  • Crash reports and error logs, collected through Sentry (our error-monitoring provider), to help us fix bugs and improve stability
  • Feature usage data (e.g., which screens you visit) to understand how the app is used and improve the product

2.9 Authentication Information

You may sign in with your Apple ID via Sign in with Apple. When you do, Apple shares with us only the information you authorize (typically your name and email address, which Apple may relay anonymously at your option). We do not receive your Apple password. Apple’s privacy policy governs their handling of your Apple ID credentials.

3. How We Use Your Information

We use the information we collect to:

  • Create and maintain your account, and authenticate your identity
  • Display your profile to other users and match guests with relevant events and hosts
  • Process payments, issue refunds, and pay out hosts (via Stripe and Wise)
  • Verify host identity before enabling paid events (via Didit)
  • Deliver real-time messages and push notifications about events you’re involved in
  • Show you events near your location (with your permission)
  • Detect and prevent fraud, abuse, and violations of our Terms of Service
  • Diagnose technical problems and monitor app performance (via Sentry)
  • Improve and personalize the Platform
  • Comply with applicable laws and legal obligations
  • Send you transactional emails (booking confirmations, receipts, security alerts). We do not send marketing emails without your explicit consent.

4. How We Share Your Information

4.1 With Other Users

  • Your profile (name, photo, bio, dietary preferences) is visible to other users.
  • When you RSVP to an event, your name and contact information are shared with the host.
  • When you host an event, your profile is visible to attendees.
  • Board posts and community content you create are visible to all users.

4.2 With Third-Party Service Providers

We share limited data with third parties only as necessary to operate the Platform. These providers are contractually bound to protect your data and may not use it for their own purposes.

ProviderPurposeData shared
SupabaseDatabase, authentication, file storage, and backend functionsAll user data stored on the Platform
StripePayment processing, Apple Pay, and host payoutsPayment method details, payout bank account info
WiseInternational host payoutsHost name, bank account details, payout amounts
DiditIdentity verification (face matching + government ID)Selfie photo and ID document (via WebView — we receive only the result)
SentryCrash reporting and error monitoringDevice info, app state at time of error, anonymized user ID
AppleSign in with Apple; Apple Pay; push notifications (APNs)Apple ID token; push notification device token
ExpoOver-the-air app updatesApp version, device platform information

4.3 For Legal Reasons

We may disclose your information if required by law, court order, subpoena, or government request, or to protect the rights, property, or safety of House of Challah, our users, or the public.

4.4 Business Transfers

If House of Challah is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice in the app before your data becomes subject to a different privacy policy.

4.5 What We Do Not Do

  • We do not sell your personal information to third parties.
  • We do not share your data with advertising networks.
  • We do not use data from the Platform to build advertising profiles or track you across other apps and websites.
  • We do not share face data, biometric data, or identity documents with anyone except Didit, solely for the purpose of identity verification.

5. Data Retention & Deletion

We retain your information for as long as your account is active or as needed to provide the Platform and comply with legal obligations (e.g., financial records required by tax law).

  • Account deletion: You can request deletion of your account at any time by emailing privacy@houseofchallah.app or through the account settings in the app. We will delete your personal data within 30 days, except where retention is required by law (e.g., transaction records).
  • Messages: Deleted when your account is deleted or upon request.
  • Payment records: Transaction records are retained for up to 7 years to comply with tax and financial regulations.
  • Face data / identity verification: Retained by Didit per their policy. House of Challah retains only your verification status and does not retain biometric images.
  • Crash & error logs (Sentry): Retained for 90 days.

6. Your Rights & Choices

6.1 Access, Correction & Portability

You can view and update most of your account information directly in the app. To request a copy of all personal data we hold about you, email privacy@houseofchallah.app.

6.2 Deletion

You may request deletion of your account and associated personal data at any time (see §5 above).

6.3 Location

You can disable location access at any time in your device’s Settings app. The Platform will continue to function; you will not see location-based event suggestions.

6.4 Push Notifications

You can disable push notifications at any time in your device’s Settings app or within the Platform’s notification preferences.

6.5 Camera & Photo Library

You can revoke camera or photo library access at any time in your device’s Settings app. You will no longer be able to upload new photos until access is re-granted.

6.6 App Tracking Transparency

House of Challah does not track you across other companies’ apps or websites for advertising purposes. We will never request permission to track via Apple’s App Tracking Transparency framework.

6.7 California Residents (CCPA / CPRA)

California residents have the right to:

  • Know what personal information we collect, use, disclose, or sell
  • Request deletion of personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share your data for advertising)
  • Correct inaccurate personal information
  • Limit the use of sensitive personal information
  • Non-discrimination for exercising any privacy rights

To exercise these rights, email privacy@houseofchallah.app. We will respond within 45 days.

6.8 European Economic Area, UK & Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local supervisory authority

Our lawful bases for processing include performance of a contract (providing the Platform), legitimate interests (fraud prevention, security), compliance with legal obligations, and consent (location, push notifications).

7. Security

We use industry-standard safeguards including encryption in transit (TLS), encryption at rest for sensitive fields, access controls limiting who at House of Challah can view user data, and secure credential storage on-device via the iOS Secure Enclave / Keychain. Payment data is handled by Stripe, a PCI-DSS Level 1 certified processor.

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to privacy@houseofchallah.app.

8. Children’s Privacy

House of Challah is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. Identity verification is required to host paid events, and government-issued ID is required to complete that process. If we learn we have collected personal information from a person under 18 without verifiable parental consent, we will delete it promptly. If you believe we may have collected information from a minor, please contact privacy@houseofchallah.app.

9. International Data Transfers

House of Challah is based in the United States. Your data may be processed in the United States and in other countries where our service providers operate (including the EU for Didit, and the UK for Wise). When we transfer data from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses or other approved transfer mechanisms. By using the Platform, you acknowledge that your information may be transferred to and processed in the United States.

10. Third-Party Links & Services

The Platform may contain links to third-party websites or services (e.g., event venue websites, external map applications). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before sharing any personal information with them.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Platform or by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page shows when the policy was last revised. Continued use of the Platform after changes take effect constitutes your acceptance of the revised policy.

12. Contact Us

Questions, requests, or complaints about this Privacy Policy or our data practices:

For GDPR-related requests, you may also contact our Data Protection representative at the same email address.