Privacy Policy
Last updated: February 20, 2026
1. Introduction
This Privacy Policy explains how What'sOnTbilisi ("we," "us," or "our") collects, uses, stores, and shares personal data when you use our web app, mobile app, and related services (the "Service").
2. Data We Collect
We collect the following categories of data depending on your use of the Service:
- Account data: email address, name, encrypted auth credentials managed by Supabase Auth, email verification status, password reset tokens (hashed server-side), and legal acceptance timestamps.
- Profile data: profile photo path, phone (if added), optional profile details, and language preference.
- Activity data: activity title, description, categories, schedule, host details, participation limits, images, and activity location/address including map coordinates.
- Social data: follows, feed posts, comments, reactions (likes/dislikes), participation history, and saved activities/posts.
- Notification data: notification preferences, notification records, device platform, push token, permission status, and token health metadata.
- Location data: location data you provide when creating activities and location access data if you grant device/browser permissions for map features.
- Technical and diagnostics data: IP-derived request metadata, app/browser information, error and performance diagnostics (including Sentry telemetry and session replay where enabled).
3. How We Use Data
- To create and maintain user accounts and profiles.
- To provide core features: activity creation, participation, discovery, social interactions, and saved content.
- To send transactional emails (verification, password reset, password-change alerts).
- To deliver in-app and push notifications based on your preferences.
- To secure the Service, prevent abuse, investigate incidents, and enforce Terms.
- To monitor reliability and improve product quality and performance.
4. Legal Bases (GDPR-style)
We process personal data on one or more of these legal bases:
- Performance of a contract (providing the Service you request).
- Legitimate interests (security, moderation, product stability).
- Consent (for features requiring permission, such as push/location).
- Legal obligations where required by law.
5. Storage, Infrastructure, and Service Providers
We use trusted third-party providers to operate the Service:
- Supabase: authentication, PostgreSQL database, serverless functions, and row-level security-backed data access.
- Cloudflare R2: storage for uploaded media assets.
- Google Maps: map rendering and geolocation/address features.
- Expo push infrastructure: push delivery pipeline for mobile notifications.
- Resend: transactional email delivery for account verification and password flows.
- Sentry: error and performance monitoring.
- Vercel: hosting and delivery of the web application.
6. Push Notifications and Email Communications
If you enable notifications, we store device push tokens and related metadata to deliver activity, social, and reminder notifications. You can disable notifications in device settings or in-app preferences.
We send service emails for account verification, password reset, password-change confirmation, and essential security/account notices.
7. Data Sharing
We do not sell personal data. We share data only with service providers needed to operate the Service, with other users according to your profile/content visibility, or where required by law.
8. Data Retention
We retain personal data for as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data category and operational/security needs.
Deleted content or accounts may remain in backups/logs for a limited period before permanent deletion.
9. Your Rights
You may have rights to:
- Access personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your personal data.
- Request portability of certain data.
- Object to or restrict certain processing.
- Withdraw consent where processing is consent-based.
To exercise rights, contact us at support@whatsontbilisi.app. We may need to verify your identity before processing requests.
10. Account/Data Deletion Requests
You can request account deletion by contacting support. After identity verification, we will process deletion in line with legal and security retention obligations. Some records may be retained where required by law or legitimate operational needs.
11. Cookies (Web)
On web, we use essential cookies needed for authentication/session management (Supabase auth cookies) and language preference persistence. We do not claim a separate analytics cookie banner in this policy at this time.
12. Security
We implement technical and organizational safeguards, including HTTPS, authentication controls, and database access controls (including row-level security policies). No system is completely secure, and you should protect your credentials and devices.
13. Children's Privacy
The Service is not directed to children under 13. If we learn that we collected personal data from a child under 13 without appropriate authorization, we will take steps to delete that data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date and publish the revised policy. Continued use of the Service after updates means you accept the revised policy.
15. Contact
If you have privacy questions or requests, contact us:
Email: support@whatsontbilisi.app
Address: Tbilisi, Georgia