WhereTo (“WhereTo,” “we,” “our,” or “us”) operates the WhereTo mobile application (the “App”) and the website at wheretotpa.com (the “Site,” and together with the App, the “Service”). This Privacy Policy explains what information we collect, how we use and share it, and the choices and rights you have. By using the Service you agree to this Policy and to our Terms of Service.
1. Who this policy covers
This Policy covers everyone who uses the Service. WhereTo is offered only to adults aged 21 and older, and we age-gate every sign-up. We do not knowingly collect information from anyone under 21. If you believe someone under 21 has provided us information, email support@wheretotpa.com and we will delete it. For privacy-law purposes, WhereTo is the “controller” (or “business”) responsible for your information.
2. Information we collect
2.1 Information you provide
- Account and identity: when you sign in with Apple or Google, we receive your email and, optionally, your name and profile image from that provider.
- Profile: display name, username, optional avatar, bio, and preferences you choose to add.
- Age verification: you confirm you are 21 or older at sign-up. We retain a verification timestamp, not your date of birth.
- Content you create: posts, photos, videos, comments, stories, events, votes, reactions, mentions, reports, and any other content you submit.
- Communications: information you send us (support requests, feedback, survey responses).
- Business and payment information: if you are a bar owner or manager, business/contact details and subscription information. Card payments are processed by Stripe; we do not receive or store full card numbers.
2.2 Information we collect automatically
- Location: with your permission, coarse and/or precise device location, used to show nearby bars, power the map and heat features, and let you submit crowd and wait/cover/vibe reports and check-ins. You can turn location off; the App still works, though nearby features are limited.
- Device and technical data: device model, OS and version, app version, language/region, time zone, general network information, and diagnostic identifiers.
- Usage data: screens viewed, features used, taps, and sessions, stored in our own systems.
- Notifications: if enabled, a randomly generated push token used solely to deliver notifications.
- Crash and performance logs: captured through Apple's and Google's standard developer tools.
2.3 Information from third parties
- Sign-in providers (Apple, Google): the account details above.
- Payment processor (Stripe): subscription status, payment outcomes, and limited transaction metadata for bar-owner billing.
- Event and venue data providers (such as Ticketmaster): public event listings shown in the App. This is public data and does not include your personal information.
2.4 What we do not collect
- No third-party advertising identifiers (IDFA / Google Advertising ID).
- No advertising or social-media tracking SDKs (no Facebook SDK, no TikTok pixel).
- No browsing activity outside the Service.
- No access to your contacts, calendar, or microphone unless you explicitly record a video.
3. How we use your information
- Provide, operate, secure, and improve the Service and your account.
- Show relevant content (nearby bars, live wait/cover/vibe data, posts from people you follow, events, sports affiliations).
- Process, display, and distribute content you choose to publish.
- Enforce our Terms and community standards, including automated and human moderation, blocking, and removing content.
- Detect, prevent, and investigate fraud, abuse, safety issues, and violations of law or our Terms.
- Send transactional and service messages, and, where permitted, product updates you can opt out of.
- Process bar-owner subscription payments through Stripe (consumers never pay us).
- Comply with legal obligations and enforce our agreements and rights.
Legal bases (EEA/UK): performance of our contract (Art. 6(1)(b)); legitimate interests in operating and securing the Service and preventing abuse (Art. 6(1)(f)); consent where required, e.g., precise location and notifications (Art. 6(1)(a)); and compliance with legal obligations (Art. 6(1)(c)).
4. How we share information
We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising. We disclose information only:
- Service providers / processors that run the Service under contract and may use your data only to provide services to us: Supabase (database, authentication, storage), Stripe (bar-owner payments), Apple and Google (sign-in, maps, and push delivery if enabled), OpenAI (automated content moderation), and Expo (app build and delivery).
- Other users: anything you publish is visible to others. Your precise coordinates are never shown to other users.
- Legal, safety, and rights: to comply with law, subpoenas, warrants, or court orders; to respond to lawful requests; and to protect the rights, property, safety, or security of WhereTo, our users, or the public.
- Business transfers: in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to this Policy.
- Aggregated or de-identified data that cannot reasonably identify you, and disclosures with your direction or consent.
5. Cookies, analytics, and tracking
The App does not use third-party advertising cookies or trackers, and the Site uses only what is necessary to serve the pages. We use first-party, in-app analytics stored in our own systems. Because we do not track you across third-party sites or apps, we treat Global Privacy Control and “Do Not Track” signals consistently with not selling or sharing your data.
6. Data retention
- Account and profile: while active; deleted within 30 days of account deletion, subject to the exceptions below.
- Age verification: only the verification timestamp is kept.
- Content you create: until you or we delete it, or you delete your account.
- Crash/diagnostic logs: typically up to 90 days.
- Safety, fraud, moderation, and audit records: typically up to 12 months, or longer where required for legal, security, or dispute-resolution purposes.
7. Security
We use administrative, technical, and organizational safeguards, including TLS encryption in transit, encrypted storage of authentication tokens and media, row-level security so users access only their own rows, and OAuth sign-in (we never store your password). No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, email support@wheretotpa.com immediately. Where required by law, we will notify you and/or regulators of a data breach.
8. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, and port your information; to opt out of any sale or sharing (we do not sell or share); to withdraw consent (e.g., location, notifications); and to appeal a decision on your request. Exercise these in the App or by emailing support@wheretotpa.com. We will verify your request and respond within the time required by law, and we will not discriminate against you for exercising your rights.
United States state rights
- California (CCPA/CPRA): rights to know, access, correct, and delete, and to limit use of sensitive information. We do not sell or share personal information as defined, and do not use or disclose sensitive information for purposes requiring an opt-out. Authorized agents permitted.
- Virginia, Colorado, Connecticut, Utah, Texas, and other comprehensive-privacy states: access, correction, deletion, portability, and opt-out rights, and (where applicable) a right to appeal.
- Florida: access and deletion rights consistent with applicable Florida law.
EEA / UK
You have rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent, and you may lodge a complaint with your local supervisory authority.
9. International transfers
We operate the Service from the United States, and your information will be processed there. Where required for transfers from the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses.
10. Third-party services and links
The Service integrates with and links to third-party services (for example, Apple, Google, Stripe, Ticketmaster, and venue or ticketing sites). Their handling of your information is governed by their own privacy policies, not this one. We are not responsible for third parties' practices, and you should review their policies.
11. Children
The Service is strictly for adults 21 and older. We do not knowingly collect information from anyone under 21. If you believe a minor has used the Service, email support@wheretotpa.com and we will delete the account.
12. Changes to this policy
We may update this Policy from time to time. If we make material changes, we will provide notice in the App or by other reasonable means before they take effect. Your continued use after an update means you accept the updated Policy.
13. Contact
WhereTo
[Business mailing address]
support@wheretotpa.com