← back to bump

privacy policy

last updated: april 2, 2026

bump is designed to share as little data as possible. we built it this way on purpose. here's exactly what happens with your information.

what we don't collect

we do not collect, store, or have access to:

• your name, email, or any account information (there are no accounts)
• phone numbers or social media handles exchanged between users
• your location (gps, ip-based, or otherwise)
• your contacts, photos, or any other personal data on your device
• the content of any interaction between users

what we do process

to make bump work and prevent abuse, our server processes:

• a one-way device hash — derived from your android id with an app-specific salt. we cannot reverse this to identify you or your device.
• timestamps — when you request a session token. used for rate limiting (max 10 per hour) and abuse detection.
• abuse reports — if someone reports a user, we store the reporter's device hash, the reported device hash, and a reason category. no personal information is included.

how bluetooth works in bump

all data exchange happens directly between two phones over bluetooth low energy (BLE). your information never passes through our servers. the data is encrypted end-to-end using AES-256-GCM with keys derived via HKDF from one-time session tokens.

received information is displayed for 15 seconds, then permanently erased from memory. screenshots and screen recording are blocked during this window.

data retention

• session logs (device hash + timestamp only) are automatically deleted after 7 days
• abuse reports are retained until resolved
• no personal data is ever written to our database because we don't have any

third-party services

• google play billing — if you purchase additional bumps, the transaction is handled entirely by google. we receive a purchase token to verify validity but no payment details.
• google play integrity — used to verify your device hasn't been tampered with. the attestation result is not stored.
• google phone number hint api — when you choose to share your phone number, it's read from your sim card via google's api. the number is sent directly to the other person over bluetooth. it never reaches our servers.

children's privacy

bump is intended for users 18 years of age and older. we do not knowingly collect any information from minors.

your rights

since we don't collect personal data, there's nothing to request, correct, or delete. if you believe we have information about you in error, contact us and we'll investigate.

law enforcement

if we receive a lawful request for data, we can only provide what we have: anonymous device hashes and timestamps. we have no way to identify individual users, and we have no access to any content exchanged between users.

changes to this policy

if we change this policy, we'll update the date at the top. for significant changes, we'll notify users through the app.

contact

questions about this policy? reach us at privacy@bumpnow.app