BigBio

Privacy policy

Effective date: 27 May 2026

Who we are

BigBio is operated by MP Labs Ltd, a UK-registered company. We make BigBio, a Gen Z identity platform where you write short bio blocks that build into your authentic online identity.

For privacy questions or to exercise any of the rights listed below, email privacy@bigbio.com.

The short version

  • We collect the data you give us (your account, your bio blocks) and the data we need to make the product work (logs, basic device info, analytics).
  • We do not sell your data and we don't run ad networks against you.
  • We use a small number of named processors to operate the service. They are listed below.
  • You can delete your account and your data at any time from in-app settings.

What we collect

| Category | Examples | Why |
|---|---|---|
| Account data | Email address, OAuth provider ID (Apple / Google), username, display name, avatar URL | Required to create and authenticate your account. |
| Profile content | Bio blocks, skin choice, friends, comments, reactions | The core of the product — what you write is the product. |
| Device & usage | IP address (transient — used for security, not stored long-term), browser type, screen size, OS, page-view events, in-app interaction events | Reliability, abuse prevention, and product analytics. |
| Authentication & security | Session tokens, sign-in timestamps, OAuth refresh tokens | Keeps you signed in and lets us detect suspicious sign-ins. |

We do not capture form-field text, biometric data, or precise location. We do not currently use session replay.

Lawful bases (UK / EU GDPR)

  • Contract — account, profile content, and authentication data, because you can't use the service without them.
  • Legitimate interests — security logs, abuse prevention, basic device + usage analytics (see "Analytics" below), product improvement.
  • Consent — where required by law for specific cookies or third-party tools, we will ask. Today the product runs without an advertising cookie layer; if that ever changes you'll see a consent banner before it does.

Analytics

We use Amplitude (Amplitude Inc., based in the United States) for product analytics. Amplitude helps us understand which parts of BigBio people use and where things break.

When you sign in, we share with Amplitude your authenticated user ID and a small set of non-sensitive profile attributes (e.g. username, avatar status, app preferences) used to segment usage analytics. We also send the behavioural events defined in our internal tracking plan plus standard device metadata (browser, OS, screen size, locale) and Amplitude's default session / page-view signals.

We do not share with Amplitude the contents of your bio blocks, messages, comments, or DMs; form input text; your email address; or your OAuth provider ID (the Apple / Google subject identifier). Amplitude Session Replay is off. Frustration / element-interaction / network / file-download autocapture is all switched off in code at src/lib/analytics.ts.

International transfer.

Amplitude is a US company and your event data is processed in the United States. We rely on the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy Framework as the standing legal transfer mechanisms — Amplitude self-certifies under all three; you can verify the current status at amplitude.com/security-and-privacy. The operative Data Processing Addendum (DPA) is attached to Amplitude's Terms of Service (available at amplitude.com/terms/dpa) and incorporates the EU Standard Contractual Clauses (SCCs).

Error monitoring

We use Sentry (Functional Software Inc., based in the United States) to capture errors and surface bugs we'd otherwise miss. Sentry receives JavaScript exception payloads, stack traces, browser / device metadata, and your BigBio user ID — enough to reproduce the error, not your activity.

We do not currently use Sentry Session Replay. Both session-rate and error-rate replay sampling are set to zero in src/instrumentation-client.ts. If we ever turn replay back on, we will update this policy first and gate it behind your consent.

Sentry is a US company; the same DPF + SCCs apply (see the processor table below).

Processors we use

| Processor | Purpose | Where data is processed |
|---|---|---|
| Supabase (Supabase Inc., infrastructure in the EU) | Database, authentication, storage, realtime | EU |
| Render (Render Services, Inc., US) | Application hosting | US — DPF + SCCs |
| Amplitude (Amplitude Inc., US) | Product analytics (events, sessions, page views) | US — DPF + signed DPA + SCCs |
| Sentry (Functional Software Inc., US) | Error monitoring (session replay disabled) | US — DPF + SCCs |
| Apple / Google | OAuth sign-in | Apple: US / Ireland; Google: US |

We update this table when a processor is added or removed.

Discord linking

If you choose to link your Discord account, we use Discord's Linked Roles feature so Discord servers you're in can grant roles based on your real BigBio activity. Linking is optional and you can unlink any time.

While linked, we store:

  • Your Discord user ID.
  • Your Discord OAuth access and refresh tokens, encrypted at rest with AES-256-GCM — the encryption key lives in our infrastructure environment, not the database.
  • Five metadata values derived from your BigBio account that we push to Discord on your behalf: your friends count, stars earned, templates published, whether you have BigBio Labs access, and whether you're a BigBio admin.

We do not read your Discord messages, your servers, or your friends list. We only push metadata about your BigBio activity so a server you're in can grant you a role.

You can unlink Discord from your BigBio settings (rolling out alongside Linked Roles), or remove BigBio yourself from your Discord account at any time at discord.com/settings/authorized-apps. When you unlink or delete your BigBio account, we delete your link record and attempt to revoke your Discord OAuth tokens and clear the Linked Roles metadata on Discord's side. Deleting your account waits for that Discord-side cleanup to succeed; a standalone unlink removes your local link even if Discord is briefly unreachable, so the authorized-apps link above is the reliable belt-and-braces.

Cookies and similar technologies

  • Strictly necessary — Supabase authentication cookies (sb-*), session cookies, CSRF protection. The product does not function without these.
  • Analytics — Amplitude sets a device-ID cookie (used to stitch sessions before sign-in). Today this is on under legitimate interests. A dedicated cookie-consent surface is planned; until it ships, this notice and the in-app account-deletion control are how you exercise your rights.
  • Advertising / cross-site tracking — none.

How long we keep your data

  • Account + profile content: while your account is active. If you delete your account, your bio blocks, comments, friendships, and skin selection are removed; an anonymised tombstone may persist where required to maintain referential integrity (e.g. a deleted user's comment shows as "deleted user").
  • Authentication logs: 90 days.
  • Analytics events in Amplitude: 24 months, then Amplitude rolls them off per their retention policy.

Your rights

Under UK / EU GDPR (and the US state-law equivalents where they apply) you can:

  • Access a copy of your data.
  • Correct anything that's wrong.
  • Delete your account and your data (in-app: Settings → Delete account; or email privacy@bigbio.com).
  • Object to processing based on legitimate interests.
  • Withdraw consent for any processing that depends on it.
  • Lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority.

We respond to rights requests within one calendar month.

Children

BigBio is not designed for children under 13. If you believe a child under 13 has created an account, email privacy@bigbio.com and we will remove the account.

Changes

If we change this policy in a material way, we will surface the change in-app and update the effective date at the top. Minor wording and routine processor-table updates land without a banner.

Contact

MP Labs Ltd
Email: privacy@bigbio.com