← Back to Squash the Beef
Privacy Policy
Last updated: May 12, 2026
This Privacy Policy explains what information Squash the Beef ("we," "us") collects, how we use it, and the choices you have. We try to be plain about this because we think you should actually understand it.
1. What we collect
Account information
- Name — the one you set at signup, shown to friends.
- Apple ID identifier — a stable, anonymous ID returned by Sign in with Apple.
- Email relay address — if Apple provides one. We use it only for account-related notices, never marketing.
- Phone number — legacy accounts only. Current versions of Squash do not ask for or collect phone numbers; friends connect through invite links instead. If you added a number in an earlier version it remains on your profile until you delete your account (or email support to remove just the number).
Usage information
- Beefs you file and receive — reason, amount, counterparties, timestamps, status.
- Friend connections — the list of accounts you've added as friends.
- Device push notification token — so we can alert you when something happens.
- Audit log entries — security-relevant events (logins, account deletions, refund actions) retained for fraud prevention.
Payment information (paying with a card)
When you send money, the actual card details are handled by Stripe via Apple Pay. We never see, store, or log your card number. We receive only the transaction ID, amount, status, and a Stripe customer reference.
Payment information (receiving money — Stripe Connect)
To accept money from a squashed beef, Stripe (our payments processor) requires us to collect identity information from you to comply with U.S. financial-services regulations. The first time you go to collect a payment, we collect, transmit to Stripe, and then forget:
- Your legal first and last name
- Your date of birth
- Your residential address
- The last 4 digits of your Social Security Number
- Your bank account routing and account numbers (entered on a Stripe-hosted screen inside the app)
This information is sent directly to Stripe over an encrypted connection. We do not store it on our servers and we do not log it. Stripe stores and verifies it under Stripe's own privacy policy. We receive back only a "Stripe account ID" reference and whether your account is verified.
What we do not collect
- Your contacts. When you tap "pick from contacts" we read the one contact you select; we never upload your address book.
- Location data. We don't ask for it and don't use it.
- Cross-app tracking. We don't use Apple's AppTrackingTransparency framework and we don't use third-party advertising SDKs.
- Your messages or anything outside the app.
2. How we use what we collect
- To provide the core service — let you add friends, file beefs, send and receive payments.
- To send push notifications about activity on your account.
- To detect and prevent abuse, fraud, and policy violations.
- To comply with legal obligations.
We do not sell your data. We don't share it with advertisers. We don't use it to profile you across other apps or sites.
3. Third parties we use
We use a small set of service providers. They process data only on our behalf and under contract.
- Apple — Sign in with Apple, Push Notifications, App Store billing.
- Stripe — payment processing and recipient identity verification (Stripe Connect). Subject to Stripe's privacy policy.
- Cloudflare — edge proxy and DDoS protection. Cloudflare sees the IP address and request metadata of every API call our app makes; it does not see request bodies or response contents in plaintext.
- Railway — application hosting and managed PostgreSQL.
- Sentry — error monitoring. Crash reports include your account ID for triage; we do not send phone numbers, emails, SSNs, payment details, or other sensitive fields (these are redacted at the logging layer).
- Mixpanel — product analytics. We send two kinds of events: server-side action events (e.g. "beef created", "beef squashed", "signed in") and client-side engagement events from the iOS app (app opened, intro screen viewed, paywall viewed, push notification opened). Both kinds carry only our internal user identifier and event metadata; we do not send your name, phone number, email, address, payment information, or the text of push notifications. Subject to Mixpanel's privacy policy.
4. Inviting friends
When you invite a friend who isn't yet on Squash, your iPhone opens its standard share sheet so you can send them a message yourself via iMessage, SMS, or any other app you choose. Squash does not send the message — it comes from you, on your account, and we never see your friend's phone number unless they later install the app and create their own account.
5. Data retention
- Account and beef history: retained while your account is active.
- Audit log: retained for up to 12 months after the event.
- Phone verification records: retained for 7 days, then deleted.
- Abuse reports: retained while the reported account is active so admins can review and unsuspend. Resolved reports are aggregated and the free-text notes purged after 90 days.
- Deleted accounts: personal data is purged within 30 days. Financial records that we're legally required to retain (for tax and anti-fraud purposes) are kept for the legally required period and then deleted.
5a. Moderation and account suspension
To keep the platform safe, we operate two moderation mechanisms:
- User reports: anyone can report a beef or another user from within the app. Reports include a category and an optional free-text note. Reports are reviewed by our team.
- Automatic suspension: if three or more distinct users file open reports against the same account, that account is automatically suspended pending review. The suspended user can still sign in but cannot file beefs, accept payments, or use other features until a human reviewer unsuspends the account. Suspended users see an in-app screen explaining the suspension and can email support to appeal.
Suspension is reversible. If a moderator concludes the suspension was unwarranted, the account is restored and the open reports are resolved.
6. Your rights
- Access your data — email support@squashthebeef.net.
- Delete your account — in-app: Settings → Delete Account. This is immediate and irreversible.
- Correct information — update your name in Settings; email support to correct or remove a legacy phone number.
- Export your data — email support and we'll send you a machine-readable copy within 30 days.
California residents: You have the right to know what personal information we collect, to request deletion, and to not be discriminated against for exercising those rights. Squash the Beef does not sell personal information.
EU/UK residents: We process personal data on the legal basis of contract (providing the service you signed up for) and legitimate interest (security, fraud prevention). You have the rights of access, rectification, erasure, restriction, portability, and objection under GDPR/UK GDPR. Contact us at support@squashthebeef.net.
7. Children
Squash the Beef is rated 17+. It is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If we learn we have, we will delete it.
8. Security
We encrypt data in transit (TLS). Payment data is handled exclusively by Stripe on PCI-compliant infrastructure. We don't store card numbers. Access to production systems is restricted and logged.
No system is perfectly secure. If you suspect your account has been compromised, email support@squashthebeef.net.
9. Changes
If we materially change this policy, we'll notify you in the app and update the "Last updated" date above. Continued use after a change means you accept the revised policy.
10. Contact
Questions, data requests, or concerns: support@squashthebeef.net