GeoFavs
Privacy Policy
Last updated: July 2026
1. Data controller
The data controller for the GeoFavs app is {{COMPANY_LEGAL_NAME}}, registered in Spain, with address at {{COMPANY_REGISTERED_ADDRESS}}. Contact: hello@geofavs.com.
2. Data we collect
We collect the following categories of personal data:
- Account data: email address, username, birth year, gender (optional), and account privacy preference (public or private). Birth year and gender are used solely to compute generation and affinity signals — they are never displayed to other users directly.
- Waitlist data: email address, city, neighbourhood, referral code, invite count and queue position. We also process IP-derived hashes and user agent data to prevent abuse of the waitlist and referral mechanic.
- Profile data: profile photo, Instagram username and TikTok username, if you choose to add them.
- Recommendation data: the places you recommend (❤️) or mark as not recommended (👎), the tags you attach to recommendations, and the timestamp of each action. Saved places (bookmarks) are also stored and are private.
- Location data: your approximate GPS coordinates at the time of creating a recommendation, used to verify physical presence within 30 metres of the place. We also store your last confirmed location for notification relevance (see section 4).
- Social data: the users you follow and who follow you, including pending follow requests.
- Device and usage data: your device's push notification token (if you grant permission), IP address, device type and app interaction logs retained for up to 30 days for security and debugging.
- Google review data (AI analysis): if you request an AI analysis of a place's reviews, GeoFavs fetches that place's public Google reviews and sends them to an AI provider for processing. No personal data from your account is included in that request.
3. Legal basis for processing
- Performance of a contract (Article 6(1)(b) GDPR): processing your account, recommendations, location verification and social data is necessary to provide the GeoFavs service.
- Consent (Article 6(1)(a) GDPR): push notifications and storage of your last location for notification relevance are based on your explicit in-app consent, which you can withdraw at any time.
- Legitimate interests (Article 6(1)(f) GDPR): security logs, fraud prevention, abuse detection and waitlist ranking integrity.
- Legal obligation (Article 6(1)(c) GDPR): retention of data required by applicable law.
4. How we use your data
- Show you nearby places and sort them by distance.
- Display social signals: which places your followers or affinity matches have recommended.
- Calculate affinity between users based on places recommended in common, generation (birth year ± 3–5 years) and gender. Affinity scores are computed server-side and are never shown as a raw number to other users.
- Verify physical proximity (30 m) when you create a recommendation.
- Send push notifications about activity relevant to you (e.g. a new follower, a new recommendation near your saved location), if you have granted permission.
- Deliver AI-powered analysis of a place's Google reviews when you request it.
- Operate the public waitlist, rank neighbourhood demand and attribute referrals.
- Prevent abuse, fraudulent recommendations and manipulation of ranking signals.
We do not sell your data. We do not use your data for advertising or for profiling unrelated to the GeoFavs service.
5. Affinity and social signals
GeoFavs calculates an affinity score between you and other public users based on places you have both recommended. This score determines whether another user appears as an "affinity match" in your feed. The calculation also considers whether you share a similar generation and gender, but these attributes are never disclosed individually to other users.
If your account is private, your recommendations are only visible to users who follow you and to affinity calculations involving users you have approved as followers.
6. Third-party processors
- Xano (Xano Inc., USA): backend database and API hosting. Covered by a Data Processing Agreement and Standard Contractual Clauses (SCCs) for transfers outside the EEA.
- Google Places API (Google LLC, USA): provides place data, ratings and review counts displayed in the app. GeoFavs fetches this data server-side. Google's privacy policy applies to its own services. See policies.google.com/privacy.
- Anthropic (Anthropic PBC, USA): AI provider used to analyse public Google reviews when you request it. Only the text of public reviews is sent — no personal data from your GeoFavs account. Covered by SCCs. See anthropic.com/privacy.
- Expo / EAS (Expo Inc., USA): push notification infrastructure. Your device push token is sent to Expo to deliver notifications you have enabled. Covered by SCCs.
- Vercel (Vercel Inc., USA): hosting for the GeoFavs web landing and owner portal. Covered by SCCs.
- Postmark (ActiveCampaign, LLC, USA): transactional email delivery for verification codes, owner claim links and billing lifecycle messages. Covered by SCCs.
7. Location data
Location is accessed only while the app is in the foreground and only with your permission. It is used to:
- Show and sort nearby places by distance.
- Verify you are within 30 metres of a place when creating a recommendation.
- Optionally store your confirmed location to send you notifications about places near where you live or work, if you enable this feature.
We do not share your real-time location with other users. Other users only see distance information derived from your location (e.g. "200 m away"), never your exact coordinates.
8. Push notifications
If you grant notification permission, we store your device's push token to send you relevant notifications. You can revoke this permission at any time from your device settings. Revoking permission stops future notifications but does not delete previously stored token data immediately — token data is purged when it becomes invalid or upon account deletion.
9. Data retention
- Account and profile data: retained while your account is active.
- Waitlist data: retained until it is no longer needed for launch access and neighbourhood demand measurement, or until you request deletion.
- Recommendations and social data: retained while your account is active. Upon deletion, recommendations are anonymised rather than deleted, so aggregate place signals remain accurate.
- Location verification logs: retained for 30 days.
- Push tokens: retained until invalidated by the device OS or until your account is deleted.
- Server logs: retained for up to 30 days.
10. Your rights under the GDPR
You have the following rights regarding your personal data. Contact us at hello@geofavs.com to exercise them. We will respond within 30 days.
- Access: request a copy of the data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your account and personal data. Anonymised recommendation signals may be retained.
- Restriction: request that we limit processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdrawal of consent: withdraw consent for push notifications or location storage at any time via your device or app settings.
11. Account deletion
You can delete your account from the app settings. When you do, GeoFavs deletes your account record, push tokens, saved places, follow relationships, shares, notification preferences, location preferences, personal AI analysis cache and active flash reservations. Historical recommendations and impact signals are anonymised as deleted_user records so place-level counts and aggregate ranking signals do not break.
12. International data transfers
Some of our sub-processors are based outside the EEA, including in the USA. All such transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or by an adequacy decision.
13. Children
GeoFavs is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has registered, contact us at hello@geofavs.com and we will delete the account.
14. Security
We apply industry-standard technical and organisational measures including TLS encryption in transit, JWT-based authentication stored in the device's secure enclave, server-side distance validation and access controls on all API endpoints. No system is 100% secure; we cannot guarantee absolute security.
15. Changes to this policy
We may update this Privacy Policy periodically. Material changes will be communicated via the app or by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
16. Supervisory authority
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the Spanish data protection authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es
17. Contact
For any privacy-related questions or to exercise your rights, contact us at hello@geofavs.com.