Privacy Policy

ShowSherpa ("the app") is a movie and TV recommendation app for iPhone. This policy describes what data the app collects, what it does with it, and what it never does.

Summary

What the app collects

If you create an account

Account creation is optional. Everything you can do in the app — picking a show, searching, trivia, favorites — works without signing in. When you do sign in (via Firebase Authentication), we store the following, linked to your user ID, on Google Firestore:

• Email address — used as your sign-in credential.
• Display name — shown on your profile; you can leave it blank or change it anytime.
• Phone number (optional) — only if you choose to add one to your profile. The raw number stays on your device for editing. If you turn the Phone toggle on under Profile → Privacy & Security → How others find you, a one-way SHA-256 hash of the number is published to our contact directory so friends who already have you in their address book can find you on ShowSherpa. The raw number is never uploaded, and turning the toggle off deletes the hash from our server immediately.
• User ID — an opaque identifier assigned by Firebase Authentication.
• Your content — the titles on your watchlist and library, your favorites, your ratings, your friends list, and recommendations you send or receive.

All of this is used solely to let you sync your data across devices and share recommendations with friends. None of it is used for analytics, advertising, or profiling.

Social features and friend-visible data

ShowSherpa is built around shared discovery. Several features need to publish a copy of your in-app data to our servers so people you have accepted as friends can read it on their devices. Each flow below is gated by mutual friendship at the database-rule level — only people you have both confirmed as friends can read the data, and the visibility ends the moment either person removes the other.

You can opt out of every social-data flow individually. Default visibility is friends-only for all of them; nothing in this section is ever published to the public internet, to non-friends, or to advertisers.

The full list of friend-visible data:

• Watchlist titles — when on, the titles on your watchlist are published to a friend-readable mirror so the Match Maker feature can find shows you and a friend both want to see. Toggle: Profile → Privacy & Security → Share Watchlist With Friends. When off, no copy of your watchlist is stored on our servers and any prior copy is deleted. Default on.
• Top genres, actors, directors, writers, and studios + simple counts — when on, the favorites you tap to follow are published to a friend-readable mirror so the Friend Profile page can show your top genres + actors and compute a "% taste overlap" meter for each friend. Counts of "ratings you've given" and "watchlist size" are also published as part of this mirror. Individual ratings, the titles you've watched, your viewing history, and your platform subscriptions are NOT published. Toggle: Profile → Privacy & Security → Share Profile With Friends. When off, no copy of your favorites is stored on our servers and any prior copy is deleted. Default on.
• Reviews you write — when you write a review of a movie or TV show, you choose at write time whether the review is private (your eyes only) or visible to friends. The text of friends-visible reviews and the star rating you paired with them are published to a friend-readable mirror. Toggle: a per-review Visible to friends switch in the review composer. When off, the review stays on your device only.
• Curated lists you create — when you build a curated list (e.g., "My Best of 2024"), you choose whether each list is private or visible to friends. Friends-visible lists are published with their name, optional description, the titles in the list, and any per-title notes you add. Each list has its own visibility — you can keep some lists private and others friends-visible. Toggle: a per-list Visible to friends switch in the list editor. When off, the list stays on your device only.
• Friend activity events — when you rate a title, add to your watchlist, or recommend a show, a small event ("you rated Severance", "you added Dune to your watchlist") fans out to your friends' inbox feeds so they can see what you're watching. Toggle: Profile → Privacy & Security → Share Activity With Friends. When off, no events are written to friends' devices. Activity events are short-lived (deleted from each friend's inbox after 30 days). Default on.
• Reactions to friends' activity — when a friend sees a friend-activity event from you and taps an emoji to react, that reaction (a single emoji choice plus the reactor's name) is published so other friends viewing the same event can see who reacted. Reactions are tied to the specific activity event and disappear when the event ages out. There is no separate toggle for reactions because the activity feed itself is the visibility surface — turning Share Activity With Friends off prevents new events that could attract reactions.
• Trivia challenge data — when you start a trivia challenge with a friend, the challenge document (the question set, both players' display names, both players' scores and completion times) is stored on our servers so both participants can see the result. The challenge is visible only to the two people in it, not to other friends. Stored for ~2 weeks then deleted.

Across all of these, the data shared is only the in-app content you create (favorites, watchlist titles, reviews, lists, scores, reactions). We never share your email, your phone number, your raw contact list, your viewing history (the specific titles you've watched), your individual star ratings on titles, your platform subscriptions, your location, or any cross-app identifier with anyone — friend or otherwise.

Contacts and friend discovery (opt-in)

If you tap Invite Friends and grant the Contacts permission, the app can help you see which of your contacts already use ShowSherpa and text an invite to the rest. This feature is strictly opt-in and is designed so that raw contact information never leaves your device.

• We do not use your email for friend discovery. ShowSherpa matches friends by phone number and by profile name / handle only. The friend-discovery flow never asks you for an email address, and no email hash is ever published to our directory. (The email you use to sign in to Firebase Authentication is a separate piece of data, described in the section above.)
• Your address book is read on-device only. When you open the invite list, the app asks iOS for your contacts. The names and phone numbers are held in app memory while you're using the screen and are never uploaded in readable form.
• Matching uses one-way hashes. To tell you which contacts already use ShowSherpa, the app takes each contact's phone number, normalizes it (for example, to E.164), and runs it through SHA-256 — a one-way cryptographic hash. Only those hashes are sent to our server for lookup. A hash cannot be reversed to recover the original phone number.
• You choose how others can find you. In Profile → Privacy & Security → How others find you, you decide which of your own fields — display name and/or phone number — get hashed and published so that friends who have you in their contacts can find you on ShowSherpa. Each toggle is yours to enable or disable. When a toggle is off, no hash for that field is stored on our server.
• Nothing is published if the master switch is off. A single Sync Contacts toggle in Profile Settings controls the whole feature. Turning it off immediately deletes every directory hash associated with your account on our server and clears the local match cache.
• Invites go through iOS Messages. When you tap Invite on a contact, iOS's share sheet opens with a prefilled text message. ShowSherpa does not send messages on your behalf — you send them through your own Messages app, to the recipients you choose.
• We never upload raw phone numbers or names. Only the SHA-256 hashes of the fields you explicitly opted into sharing are stored, keyed against your Firebase User ID and your public @handle.

On your device only (never uploaded)

Some data stays on your iPhone and is never sent to our servers:

• Location (when in use) — if you grant location permission, your approximate coordinates are used on-device to build a Google Showtimes URL for nearby theaters and to query Wikidata for filming locations near you. Location is never stored on our servers and never leaves the app except as part of the query URLs you tap through to.
• App preferences and caches — things like your chosen streaming platforms, content filters, biometric-lock preference, and a cache of poster URLs are stored in your device's local database and UserDefaults.

What we do not collect

For clarity, ShowSherpa does not collect or store: photos, audio, health or financial data, physical address, browsing or search history outside the app, device identifiers for advertising (IDFA), or any behavioral/analytics data. Firebase Analytics and IDFA collection are explicitly disabled. Raw contact information (names, phone numbers, emails) from your address book is never uploaded — the friend-discovery feature above only ever transmits one-way SHA-256 hashes of phone numbers and profile names / handles you explicitly opt into. The only email we store is the one you voluntarily supply to Firebase Authentication when you create an account; the friend-discovery flow never asks for an email.

Third-party services

ShowSherpa uses the following external services:

• Google Firebase (Authentication, Firestore, Remote Config) — hosts your account and synced data when you sign in. Firebase Analytics is disabled. See Google's privacy policy.
• The Movie Database (TMDB) — public movie/TV metadata and posters. Queries include the title you searched or were recommended.
• OMDb API — Rotten Tomatoes and IMDb ratings for titles you view.
• Open Library — book-to-screen metadata.
• Wikidata — filming location data for the location-aware discovery features.

These services receive only the query (e.g., a title or a coordinate) needed to answer the lookup. None of them receive your account identifier or email from ShowSherpa.

Tracking

ShowSherpa does not perform Apple-defined tracking. We do not link the data we collect to third-party advertising networks or data brokers, and we do not request your Advertising Identifier (IDFA).

Your choices

• Delete your account: open Profile → Account & Cloud → Delete Account. After a two-step confirmation, ShowSherpa permanently removes your profile document, your recommendations, your claimed @handle, your watchlist mirror, your profile favorites mirror, your shared lists, your reviews, your reactions, your trivia challenges, and every contact-directory hash tied to your account, then deletes your Firebase Authentication record. Deletion is immediate and irreversible. If you haven't signed in recently, iOS may ask you to sign in again first so Firebase can verify it's really you.
• Read this policy in the app: open Profile → Privacy & Security → Privacy Policy to view the current version on showsherpa.tv.
• Use without an account: every core feature works without signing in. In that mode nothing about you leaves your device.
• Revoke location, contacts, or notification permissions: iOS Settings → ShowSherpa → toggle off. The app continues to work.
• Turn off contact sync entirely: Profile → Privacy & Security → toggle off Sync Contacts. This deletes every hash tied to your account from our server immediately.
• Adjust how others find you: Profile → Privacy & Security → How others find you. Display name and phone number each have their own toggle, and turning a toggle off deletes the corresponding hash from the server. ShowSherpa does not use email for friend discovery.
• Control which in-app data your friends can see: Profile → Privacy & Security has individual toggles for Share Activity With Friends (the rate / watchlist / recommend events that appear in your friends' feeds), Share Watchlist With Friends (powers Match Maker), and Share Profile With Friends (powers the Friend Profile page's top-genres / top-actors / overlap meter). Each toggle is independent. Turning any of them off immediately deletes the corresponding mirror from our servers.
• Make a specific review private: each review you write has a Visible to friends switch in the composer. Turn it off when writing or editing a review and the text stays on your device only; if you flip a previously-friends-visible review to private, the public copy is deleted from our servers immediately.
• Make a specific list private: each curated list has a Visible to friends switch in the list editor. Same private-flip semantics as reviews — flipping a list private deletes the public copy from our servers immediately.
• Remove a friend: Friends → tap the friend → Remove. After confirmation, the mutual-friendship record is deleted, which immediately ends visibility of all friend-gated data flows in both directions (your watchlist mirror, your profile mirror, your reviews, your lists, your activity events, and your reactions are no longer readable by them, and theirs are no longer readable by you).
• Disable biometric app lock: iOS Settings → ShowSherpa, or in-app Privacy & Security settings.

Children

ShowSherpa is not directed at children under 13 and does not knowingly collect data from them. Contact us if you believe a child has created an account.

Changes to this policy

We'll update this page when our practices change. Material changes will be announced in the app's release notes.

Contact

Questions, data-deletion requests, or concerns: privacy@showsherpa.tv.