Your privacy,
our foundation.

This Privacy Policy describes how Vismu LLC (referred to as "we", "us", or "Knock") collects, uses, shares, and protects information when you use the Knock mobile application (the "Service"). It applies to all users of the Service, regardless of where you are located.

By using Knock, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

Knock is a proximity-chat app for in-person spaces. At a coffee shop, a concert, an intermission, or wherever you find yourself: join a room, see who else is there, send a knock, and chat if they accept. You appear as a signal, not a profile, and only to people in the same room as you.

Knock is intended for users aged 18 and older. By using the app, you confirm that you are at least 18 years old.

Your privacy is the foundation of how we've designed this.

Knock collects only what's needed to make the app work. Here's exactly what that means:

• Auto-generated user ID. Created automatically via Supabase Auth when you first open the app. Used for authentication, syncing, and chat delivery. Linked to your identity within the app, but not tied to your real name, email, or phone number.
• Nickname and hints. A self-chosen nickname (not your real name) and optional hints like "Ask me about" and "Feeling." These are not contact information.
• Signal color. A visual identifier you pick to represent yourself in a room. Has no personal meaning attached to it.
• Room presence. Which room you've joined, and when.
• Knocks and messages. The prompts you send when knocking on someone and the messages exchanged in chat. Linked to your app user ID and the knock/chat context.
• Location. Your device's location is used to show nearby rooms when you join. We do not store your raw GPS coordinates on Knock's servers.
• Push notification token. If you enable notifications, your device generates a push token that we store with your user ID so we can deliver knocks and chat messages even when the app is closed. The token is provided by your device's operating system (Apple Push Notification service on iOS, Firebase Cloud Messaging on Android). You can revoke it at any time by disabling notifications for Knock in your device settings.

Your device's precise location is read once when you join a room to look up nearby places. It is sent directly from your device to Google Places. Knock's own servers never receive or store your raw GPS coordinates.

• We do not track your location in the background
• We do not store your raw GPS coordinates on Knock's servers
• We do not track your movement over time
• We do not use location for advertising or cross-app tracking

The room you select (its name, place ID, and the time you joined) is linked to your auto-generated user ID inside the app. This is so we can show other people in the same room that you're there.

We use data only to make the app work:

• Let you join a room and appear to others in the same place
• Show you signals in the same room
• Deliver knocks and messages between matched users
• Support moderation and safety features
• Keep the app functioning and improve reliability

We do not use your data for advertising, profiling, or any purpose outside of operating the app.

Knock uses Supabase for passwordless authentication, data storage, and real-time messaging. Supabase may process your auto-generated user ID, nickname, signal color, room presence, knocks, and messages. Data is hosted on AWS infrastructure.

Data is transmitted over encrypted HTTPS. Authentication tokens are stored locally on your device. No passwords, emails, or phone numbers are required.

Messages and knock prompts are stored on our backend so chats can function in real time. Knock applies a static block-list filter to messages and knock prompts before they are delivered. Messages flagged by the filter or reported by another user may be reviewed by our safety team to enforce the community guidelines.

We do not read your messages unless flagged by our automated safety tools or reported by another user.

Mystery Bot. During the beta, a built-in chatbot called Mystery Bot is always present in the Beta Lounge so testers can knock and chat even when no other humans are around. Mystery Bot's replies are produced by a hybrid of two systems: an on-device rule-based conversation engine that never sends your messages anywhere, and a server-side call to Anthropic's Claude for most conversational replies. Which system handles any given message depends on what you typed. Safety-critical, moderation, and specific signature replies always stay on-device; most other replies are generated by Claude.

When Claude is used, your message and a small amount of recent chat context (no more than the last few turns) are sent through Knock's server to Anthropic's Claude API to generate a single reply. We do not send Anthropic your user ID, nickname, signal color, location, or any other profile data. Anthropic processes this data only to return a reply and, per their commercial terms, does not use it to train their models. If you'd rather not have any of your messages processed this way, simply don't knock on Mystery Bot — the rest of the app does not send any of your data to Anthropic.

Mystery Bot conversations are retained for up to 30 days under the same retention policy as any other chat, then deleted. Mystery Bot's replies are not human-reviewed.

We do not sell your personal information.

We share limited data only with service providers that help us operate the app:

• Supabase (hosted on Amazon Web Services, US): authentication, backend data storage, and real-time messaging. Processes your user ID, nickname, signal color, room presence, knocks, and messages.
• Google Places: nearby room lookup when you join. Your device sends precise location data directly to Google. Knock's servers never receive it.
• Apple Push Notification service (iOS only) and Firebase Cloud Messaging (Android only): push notification delivery. We send your push token plus the notification payload (a short string such as "Someone knocked on you") to the appropriate service so it can wake your device. Both services are operated by Apple and Google respectively under their own privacy policies.
• Anthropic: used for most of Mystery Bot's replies. When you chat with Mystery Bot, unless your message matches a safety, moderation, or signature pattern that stays on-device, your message and a few recent turns of chat context are sent through Knock's server to Anthropic's Claude API to generate a single reply. No profile information is included. Anthropic does not use this data to train models per their commercial terms. The rest of the app (the lobby, check-in, your chats with other humans) does not send any data to Anthropic.

We do not share your data with advertisers, data brokers, or any third party for marketing.

Knock's backend is operated by Supabase on Amazon Web Services in the United States. If you use Knock from outside the United States, your information will be transferred to, stored in, and processed in the United States, which may have data protection laws that differ from those in your country.

By using Knock, you consent to the transfer of your information to the United States and its processing there. Where required by law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers of personal data from the European Economic Area, the United Kingdom, and Switzerland.

• Sell, rent, or share your data for marketing
• Collect your real name, email, phone number, or contact information
• Collect advertising identifiers or use any ad SDKs
• Collect diagnostics, analytics, or crash reports (production builds do not log to any remote analytics service)
• Use Bluetooth or QR codes to identify or track you
• Track your location in the background
• Show your profile to anyone outside your current room
• Use cross-app tracking

Room presence is cleared when you leave a room or close the app.

Knock and message records are retained for the duration of the session and for up to 30 days afterward for safety review, then deleted.

Your auto-generated user ID and profile (nickname, signal color, hints) persist between sessions so you don't have to set them up every time. You can delete your account and all associated data at any time.

• Whether to join a room at all
• What nickname and hints to display
• Whether to accept or pass on any Knock
• Whether to reveal your name, photo, or contact. Always optional, always mutual
• To leave a room or end a chat at any time

You can delete your account directly inside the app: tap Safety & Support, then Account & Privacy, then Delete my account. Deletion is immediate and permanent. Your profile, signals, knocks, chat history, and push tokens are removed from our servers right away. You can also email info@knockapp.app to request deletion. Some safety records (such as reports filed against an account) may be retained in de-identified form for up to 30 days for safety, fraud, or abuse review, as described in the Data Retention section above.

Depending on where you live, you may have the following rights with respect to the personal information Knock holds about you:

• Access. You can request a copy of the personal information we hold about you.
• Correction. You can ask us to correct inaccurate information.
• Deletion. You can delete your account and all associated data at any time, either directly in the app or by contacting us.
• Objection and restriction. You can object to or ask us to restrict certain types of processing.
• Portability. You can request a copy of your data in a portable format.
• Withdraw consent. Where we rely on consent to process your data, you can withdraw that consent at any time.
• Lodge a complaint. If you live in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at info@knockapp.app. We will respond within a reasonable time and within the period required by applicable law.

California residents: Under the California Consumer Privacy Act (CCPA), you have additional rights, including the right to know what personal information we collect and how it is used, the right to delete your personal information, and the right not to be discriminated against for exercising your rights. Knock does not sell personal information.

For transparency, here is a summary of the data Knock collects and how it is used:

We take reasonable steps to protect the data Knock collects:

• In transit: all communication between the app and Knock's backend uses encrypted HTTPS (TLS).
• At rest: data stored by Supabase on AWS is encrypted at rest using AWS-managed keys.
• Authentication: Knock does not store passwords. Authentication tokens are kept on your device in secure storage and can be revoked by deleting your account or signing out.
• Access: only Vismu LLC personnel who need access to operate the service or respond to safety reports can access user data, and only for those purposes.

No system can be completely secure. If you become aware of a security issue with Knock, please contact us at info@knockapp.app.

Knock is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. By using the app, you confirm that you are at least 18 years old.

If we learn that we have collected personal information from someone under 18, we will delete it. If you believe a child has provided us with personal information, please contact us at info@knockapp.app and we will remove it promptly.

If we make meaningful changes, we'll update this page and the effective date above. We encourage you to review this policy periodically.

Questions about this policy? Reach us at info@knockapp.app.

Knock is operated by Vismu LLC, a Delaware limited liability company. Mailing address: 262 Chapman Rd, Ste 240, Newark, DE 19702.