Privacy Policy
1. What Help Her Take Photo Is
Help Her Take Photo (HHTP) is a free mobile + web app that lets two paired phones share a live camera feed so one partner can direct the other while taking a photo. It is built and maintained as an open-source side project.
2. Data We Collect
We try to collect as little as possible. Specifically:
- Private device account ID — when you open the app we automatically create a private, device-bound account via Supabase Auth so we can scope your pairing sessions and saved photos. No name, email, phone number, or social login is collected or required.
- Pairing session metadata — the temporary 6-digit pair code, the device IDs of the two paired phones, and timestamps. Used only to route the live video and commands between you.
- Photos you choose to save — when you tap capture, the photo is uploaded to Supabase Storage scoped to your private device account. Only you and your paired partner can access it.
- Diagnostic logs and crash reports — sent to Sentry to help us fix bugs. We strip auth tokens, cookies, and request bodies before sending. We do NOT log photo contents or pair codes.
- Device profile — optional display name + emoji you set yourself. Stored in Supabase scoped to your private device account.
3. Data We Do NOT Collect
- No name, email, phone number, or contact list.
- No location data.
- No advertising identifiers (IDFA / GAID).
- No analytics tracking of which screens you visit beyond app-version/crash data.
- Live camera frames are streamed peer-to-peer (WebRTC) — they do NOT pass through our servers and are not recorded.
4. Third-Party Services
HHTP relies on a small set of third-party services to function. Each handles a specific task and is governed by its own privacy policy:
- Supabase — passwordless device-bound sign-in, pairing-session storage, photo storage. https://supabase.com/privacy
- Metered.ca — TURN server for WebRTC NAT traversal when both phones are on restrictive networks. https://www.metered.ca/privacy
- Sentry — crash + error reporting. https://sentry.io/privacy/
- Expo / EAS — build, OTA-update, and push-notification infrastructure. https://expo.dev/privacy
- App-store distribution — the platform you installed the app from handles install analytics on its own. We do not see install events.
- Mushi Mushi — in-app feedback / bug reports when you choose to send them. https://mushi-mushi.dev (see in-app feedback privacy notes)
5. Live Video & Photos
Live camera frames stream peer-to-peer over WebRTC, encrypted with DTLS-SRTP. We never store these frames. When a direct connection is not possible, frames may relay through a TURN server (Metered); TURN does not store frames.
Photos you explicitly capture are uploaded to Supabase Storage and visible only to you and the partner you are paired with at the time. You can delete any saved photo from the gallery at any time.
6. Data Retention
- Pairing sessions auto-expire and are removed within 24 hours of the session ending.
- Photos remain until you delete them, or until you delete your private device account from Settings.
- Crash reports are retained for 90 days by Sentry, then purged.
- You can clear local connection state any time via Settings → Reset Connection State, or wipe everything (server-side included) via Settings → Delete Account & All Data, or simply uninstall the app to remove the local copy.
7. Your Rights
Because we do not collect identifying information, requests under GDPR / CCPA / Thai PDPA are limited to the data tied to your private device account ID. You have two options to delete or export that data:
- In-app: open Settings → Delete Account & All Data. One tap permanently removes your photos, pairing history, profile, settings, and the underlying private device account from our servers (it cannot be undone).
- Or by email: open a GitHub issue with your private device account ID and we will export everything we hold tied to that ID, or permanently delete it within 30 days.
8. Children
HHTP is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child has used the app, contact us and we will delete any associated data.
9. Security
All network traffic is TLS-encrypted in transit. Supabase data is protected by Row-Level-Security policies that scope every row to your private device account ID. WebRTC media uses DTLS-SRTP. We do not have access to plaintext credentials because we never collect them.
10. Changes
We may update this policy as the app evolves. Material changes will be announced in the in-app changelog. Continued use after a change constitutes acceptance.
Contact
Questions about this policy: open an issue at github.com/kensaurus/help-her-take-photo/issues — we respond within 7 days.