Privacy Policy

ShowSherpa ("the app") is a movie and TV recommendation app for iPhone. This policy describes what data the app collects, what it does with it, and what it never does.

Summary

What the app collects

If you create an account

Account creation is optional. Everything you can do in the app — picking a show, searching, trivia, favorites — works without signing in. When you do sign in (via Firebase Authentication), we store the following, linked to your user ID, on Google Firestore:

• Email address — used as your sign-in credential.
• Display name — shown on your profile; you can leave it blank or change it anytime.
• Phone number (optional) — only if you choose to add one to your profile. The raw number stays on your device for editing. If you turn the Phone toggle on under Profile → Privacy & Security → How others find you, a one-way SHA-256 hash of the number is published to our contact directory so friends who already have you in their address book can find you on ShowSherpa. The raw number is never uploaded, and turning the toggle off deletes the hash from our server immediately.
• User ID — an opaque identifier assigned by Firebase Authentication.
• Your content — the titles on your watchlist and library, your favorites, your ratings, your friends list, and recommendations you send or receive.

All of this is used solely to let you sync your data across devices and share recommendations with friends. None of it is used for analytics, advertising, or profiling.

Contacts and friend discovery (opt-in)

If you tap Invite Friends and grant the Contacts permission, the app can help you see which of your contacts already use ShowSherpa and text an invite to the rest. This feature is strictly opt-in and is designed so that raw contact information never leaves your device.

• We do not use your email for friend discovery. ShowSherpa matches friends by phone number and by profile name / handle only. The friend-discovery flow never asks you for an email address, and no email hash is ever published to our directory. (The email you use to sign in to Firebase Authentication is a separate piece of data, described in the section above.)
• Your address book is read on-device only. When you open the invite list, the app asks iOS for your contacts. The names and phone numbers are held in app memory while you're using the screen and are never uploaded in readable form.
• Matching uses one-way hashes. To tell you which contacts already use ShowSherpa, the app takes each contact's phone number, normalizes it (for example, to E.164), and runs it through SHA-256 — a one-way cryptographic hash. Only those hashes are sent to our server for lookup. A hash cannot be reversed to recover the original phone number.
• You choose how others can find you. In Profile → Privacy & Security → How others find you, you decide which of your own fields — display name and/or phone number — get hashed and published so that friends who have you in their contacts can find you on ShowSherpa. Each toggle is yours to enable or disable. When a toggle is off, no hash for that field is stored on our server.
• Nothing is published if the master switch is off. A single Sync Contacts toggle in Profile Settings controls the whole feature. Turning it off immediately deletes every directory hash associated with your account on our server and clears the local match cache.
• Invites go through iOS Messages. When you tap Invite on a contact, iOS's share sheet opens with a prefilled text message. ShowSherpa does not send messages on your behalf — you send them through your own Messages app, to the recipients you choose.
• We never upload raw phone numbers or names. Only the SHA-256 hashes of the fields you explicitly opted into sharing are stored, keyed against your Firebase User ID and your public @handle.

On your device only (never uploaded)

Some data stays on your iPhone and is never sent to our servers:

• Location (when in use) — if you grant location permission, your approximate coordinates are used on-device to build a Google Showtimes URL for nearby theaters and to query Wikidata for filming locations near you. Location is never stored on our servers and never leaves the app except as part of the query URLs you tap through to.
• App preferences and caches — things like your chosen streaming platforms, content filters, biometric-lock preference, and a cache of poster URLs are stored in your device's local database and UserDefaults.

What we do not collect

For clarity, ShowSherpa does not collect or store: photos, audio, health or financial data, physical address, browsing or search history outside the app, device identifiers for advertising (IDFA), or any behavioral/analytics data. Firebase Analytics and IDFA collection are explicitly disabled. Raw contact information (names, phone numbers, emails) from your address book is never uploaded — the friend-discovery feature above only ever transmits one-way SHA-256 hashes of phone numbers and profile names / handles you explicitly opt into. The only email we store is the one you voluntarily supply to Firebase Authentication when you create an account; the friend-discovery flow never asks for an email.

Third-party services

ShowSherpa uses the following external services:

• Google Firebase (Authentication, Firestore, Remote Config) — hosts your account and synced data when you sign in. Firebase Analytics is disabled. See Google's privacy policy.
• The Movie Database (TMDB) — public movie/TV metadata and posters. Queries include the title you searched or were recommended.
• OMDb API — Rotten Tomatoes and IMDb ratings for titles you view.
• Open Library — book-to-screen metadata.
• Wikidata — filming location data for the location-aware discovery features.

These services receive only the query (e.g., a title or a coordinate) needed to answer the lookup. None of them receive your account identifier or email from ShowSherpa.

Tracking

ShowSherpa does not perform Apple-defined tracking. We do not link the data we collect to third-party advertising networks or data brokers, and we do not request your Advertising Identifier (IDFA).

Your choices

• Delete your account: open Profile → Account & Cloud → Delete Account. After a two-step confirmation, ShowSherpa permanently removes your profile document, your recommendations, your claimed @handle, and every contact-directory hash tied to your account, then deletes your Firebase Authentication record. Deletion is immediate and irreversible. If you haven't signed in recently, iOS may ask you to sign in again first so Firebase can verify it's really you.
• Read this policy in the app: open Profile → Privacy & Security → Privacy Policy to view the current version on showsherpa.tv.
• Use without an account: every core feature works without signing in. In that mode nothing about you leaves your device.
• Revoke location, contacts, or notification permissions: iOS Settings → ShowSherpa → toggle off. The app continues to work.
• Turn off contact sync entirely: Profile → Privacy & Security → toggle off Sync Contacts. This deletes every hash tied to your account from our server immediately.
• Adjust how others find you: Profile → Privacy & Security → How others find you. Display name and phone number each have their own toggle, and turning a toggle off deletes the corresponding hash from the server. ShowSherpa does not use email for friend discovery.
• Disable biometric app lock: iOS Settings → ShowSherpa, or in-app Privacy & Security settings.

Children

ShowSherpa is not directed at children under 13 and does not knowingly collect data from them. Contact us if you believe a child has created an account.

Changes to this policy

We'll update this page when our practices change. Material changes will be announced in the app's release notes.

Contact

Questions, data-deletion requests, or concerns: privacy@showsherpa.tv.