Who we are &
what this covers.
AWNIL ("All We Need Is Love") is a phygital social experiment that connects people through NFC-enabled cards carrying emotional messages. This Privacy Policy explains how we collect, use, protect, and respect the personal information you share with us when you use the AWNIL mobile application, website, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. We believe in collecting only what is necessary — the less data we hold, the less there is to protect, and the more you can trust us.
Plain language summary: We collect your email to create your account, your scan history to build your card collection, and anonymous location data only when you choose to share it. We don't sell your data. We never will.
This policy applies to all users worldwide. If you are located in the European Union or the United Kingdom, additional rights apply to you under the GDPR and UK GDPR respectively — these are described in the "Your Rights" section.
Data we
collect.
We collect information in two ways: information you give us directly, and information generated automatically as you use the Service.
Email address, display name, and optional profile photo. Required to create and maintain your account.
Records of which NFC cards you have scanned, including card ID, timestamp, and your position in the card's ownership chain.
Your collection of owned cards, archive entries, and vault items, along with any notes or reactions you attach to them.
Device type, operating system, app version, crash reports, and anonymised usage patterns to improve the Service.
Approximate location at scan time, only if you explicitly grant permission. Used to power the global feed map. You can revoke this at any time.
If you contact us via email or support, we retain the contents of that correspondence to help resolve your request.
We do not collect payment information directly — all purchases are processed through Apple App Store or Google Play. We do not have access to your payment card details.
How we use
your data.
We use the information we collect strictly to operate, maintain, and improve the AWNIL experience. Specifically:
- To operate your account — authenticate your identity, maintain your card collection, and sync data across devices.
- To power the global feed — display anonymised scan activity across the network in real time, so you can feel the heartbeat of the system.
- To build card histories — construct the ownership chain for each card so every holder can see the journey it has taken.
- To send essential notifications — inform you when a card you own has been scanned by another person, or when system updates affect your experience.
- To improve the Service — analyse aggregated, anonymised usage data to understand how people interact with AWNIL and fix what isn't working.
- To respond to support requests — use your contact history to resolve problems you bring to our attention.
- To comply with legal obligations — retain records where required by applicable law.
We do not use your data to serve advertising, train commercial AI models, or build psychological profiles. Your emotional interactions with AWNIL cards are yours.
NFC cards
& messages.
Each AWNIL card carries a message type — Amor, Gratitud, Esperanza, or Desafío — chosen at the moment the card is created. The content of messages associated with a card is visible to all current and future owners of that card. This is a core and intentional feature of the experiment.
When you scan a card, your display name and the timestamp of your scan are added to that card's public ownership chain. Other users who hold or scan the same card will be able to see that you were one of its owners.
Before you scan: understand that your participation in a card's history becomes part of its permanent, shared record. You can delete your account at any time, which will anonymise your entries in card histories — but the scan events themselves will remain as anonymous entries to preserve the integrity of each card's journey.
If a card carries a text message written by its creator, that message is stored encrypted on our servers and is only decrypted on the devices of verified card owners. We do not read the content of individual card messages.
Sharing
& disclosure.
We do not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:
- With other AWNIL users — your display name and scan history are visible to co-owners of shared cards, as described in Section 04.
- With service providers — we work with trusted third parties (cloud hosting, analytics, push notifications) who process data on our behalf and are contractually bound to protect it and use it only for the services they provide to us.
- In the global feed — scan events are displayed in the feed in aggregated, anonymised form. No personally identifiable information is displayed without your explicit consent.
- For legal compliance — we may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights or the safety of our users.
- In a business transfer — if AWNIL is acquired or merges with another entity, your data may be transferred. We will notify you before your information becomes subject to a different privacy policy.
Data
retention.
We keep your personal data for as long as your account is active, or as long as necessary to provide the Service to you. Specific retention periods:
- Account data — retained until you delete your account. Upon deletion, your email and display name are permanently erased within 30 days.
- Card scan history — upon account deletion, your name is removed from all card histories and replaced with "Anonymous owner." The scan event itself remains to preserve card integrity.
- Location data — if you have granted location permission, precise coordinates are never stored. Only the city-level location at scan time is retained, for up to 12 months.
- Support communications — retained for 2 years from the date of last contact, then permanently deleted.
- Anonymised analytics — may be retained indefinitely as they cannot be linked back to any individual.
How we protect
your data.
We take the security of your information seriously. Our technical and organisational measures include:
- All data transmitted between your device and our servers is encrypted using TLS 1.3.
- Card message content is encrypted at rest using AES-256 and is only decrypted on verified owner devices.
- Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
- We conduct regular security reviews and vulnerability assessments.
- Passwords are hashed using bcrypt and are never stored in plain text.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant authorities within 72 hours of becoming aware of it.
Your
rights.
Depending on where you live, you have the following rights regarding your personal data. You can exercise any of these by contacting us at the address in Section 11.
Request a copy of all personal data we hold about you.
Correct inaccurate or incomplete personal data we hold.
Request deletion of your personal data ("right to be forgotten").
Receive your data in a structured, machine-readable format.
Object to processing of your data for direct marketing or legitimate interests.
Ask us to restrict processing of your data in certain circumstances.
If you are located in the EU or UK, you also have the right to lodge a complaint with your local data protection authority. We would, however, appreciate the opportunity to address your concerns directly before you approach a regulator.
Children
& minors.
The AWNIL Service is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately and we will take steps to delete that information from our servers.
Users between the ages of 16 and 18 may use the Service with parental or guardian consent where required by local law.
Changes to
this policy.
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we do:
- We will update the "Last updated" date at the top of this page.
- For material changes, we will notify you via email or via a prominent notice in the app at least 14 days before the changes take effect.
- Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
- If you do not agree to the updated policy, you may delete your account before the effective date.
We encourage you to review this policy periodically. Past versions of this policy are available upon request.
Contact
us.
If you have any questions about this Privacy Policy, wish to exercise your rights, or want to report a privacy concern, please reach out. We aim to respond to all requests within 30 days.
For privacy requests, data deletion, or general questions about how we handle your information.
privacy@awnil.com