Privacy Policy
Last updated: 2 May 2026 · Effective: from launch
This policy explains what data Gavera collects, why, and what rights you have over it. We've tried to write it in plain English. If anything's unclear, email us at hello@gavera.uk and we'll explain it properly.
Who we are
Gavera is operated by Mark Martin, a sole trader based in the United Kingdom. For the purposes of UK GDPR, Mark Martin is the data controller. Contact: hello@gavera.uk.
What we collect and why
Account information
- Email and name — provided by Apple or Google when you sign in. Needed to identify your account.
- Username, display name, profile photo, bio — chosen by you. Visible to friends you've connected with on Gavera.
Preferences and dietary requirements
- Preference swipes — the food and activity tags you've marked as interested / not interested / strongly interested. Used to find venues your group will enjoy.
- Dietary requirements — vegan, vegetarian, halal, kosher, allergies, etc. Used as hard filters in the recommendation engine. We never share your dietary requirements outside the venue-filtering use case.
Location
- Precise location — only when you actively use the app to plan a meet-up, and only with your explicit permission via iOS. Used to find nearby venues. Not stored permanently — only the centroid of the group event you create.
- Optional home location — if you set one in Settings, used as a default for event creation.
Social graph
- Your friends list — the Gavera users you've added as friends. Visible only to you.
- Group event participation — events you've created or been added to.
What your friends can see about you
When someone is on your accepted-friends list, they can see:
- Your display name, username, avatar, and bio.
- The group events you've created or been invited to that they're also part of.
They cannot see:
- Your home location (only used server-side as a default centroid for events you create).
- Your dietary requirements (used only as a hard filter in the recommendation engine, never exposed to other users).
- Your phone number (used only to match you when a contact is imported on someone else's device — match returns your username, not your number).
- Your push notification token.
- Your email address.
Device and diagnostic data
- Push notification token — to send you alerts when friends invite you to events.
- Crash logs and performance data — via Sentry, to fix bugs. Personally identifying information is scrubbed before upload.
- Anonymous usage analytics — via PostHog, to understand which features are actually used. No precise location or message contents.
Lawful basis
We process your personal data on two legal bases under UK GDPR:
- Contract necessity — for the data needed to actually provide the service (your account, preferences, friends, events).
- Consent — for analytics, optional features like contacts-based friend discovery, and any future marketing communications. You can withdraw consent at any time in Settings.
Who we share data with (subprocessors)
We use a small number of third-party services to run Gavera. Each handles your data only on our instructions and under a Data Processing Agreement.
| Subprocessor | What they do | Where |
|---|---|---|
| Supabase | Database, authentication, server functions, file storage | EU (eu-west) |
| Apple | Sign in with Apple, push notifications | Global |
| Sign-In, Places API for venue search | Global | |
| Eventbrite | Public events search | USA / UK |
| Sentry | Crash reporting (PII-scrubbed) | EU |
| PostHog | Anonymous product analytics | EU |
We do not sell your personal data. We do not run third-party advertising. We do not share your data for purposes other than running Gavera itself.
How long we keep data
- Profile, preferences, friends, events — until you delete your account.
- Cached venue data (from Google Places / Eventbrite) — up to 30 days.
- Server logs — 30 days.
- Analytics events — up to 13 months.
- Backups — up to 30 days after deletion before being permanently purged.
Your rights
Under UK GDPR you have the right to:
- Access — request a copy of your data. Settings → "Download my data" (or email us).
- Erasure — delete your account. Settings → "Delete account" cascades immediately. Backups containing your data are purged within 30 days.
- Rectification — fix inaccurate data. Edit in Settings or email us.
- Portability — get your data in a machine-readable format (JSON).
- Restriction and objection — limit how we use your data, or object to processing.
- Withdraw consent — turn off analytics or revoke any consent at any time in Settings.
To exercise any of these rights, email privacy@gavera.uk. We respond within 30 days.
If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
Children
Gavera is not intended for users under 16. We don't knowingly collect data from anyone under 16. If you believe a minor has signed up, contact us and we'll delete the account.
International transfers
Most of your data stays in the EU. Some of our subprocessors (notably Apple, Google, Eventbrite) operate globally and may transfer data to other regions including the USA. Where this happens, transfers rely on UK-approved safeguards including the UK International Data Transfer Agreement and the EU Standard Contractual Clauses.
Changes to this policy
If we make material changes, we'll notify you in the app and update the "Last updated" date above. Continued use of Gavera means you accept the updated policy.
Contact
General questions: hello@gavera.uk
Privacy / data requests: privacy@gavera.uk