Privacy Policy

1. Who is responsible for your data

hengspot ("we", "us", "our") is the data controller for the personal data described in this policy. hengspot is operated from Slovenia. For any privacy question or to exercise your rights, contact us at info@hengspot.com.

2. Data we collect

Information you give us

• Account details: your email address and a password (which we store only in hashed form).
• Profile: your username, display name, date of birth, and bio. We use your date of birth to confirm you meet our minimum age (16).
• Content you create: activities you post or join (including the time, location, and any participant limit), messages you send, friend requests and connections, and spots you suggest.
• Communications: if you email us or join the waitlist, we keep your email and the contents of your message.

Information we collect automatically

• Location: with your permission, your device's location, used to show the map, nearby spots, and nearby activities. See Location data.
• Technical & usage data: basic device and app information needed to deliver and secure the Service, and privacy-friendly, aggregated analytics about how the website and app are used (see Cookies & analytics).

We do not ask for or intend to collect special categories of data (such as health data). Please don't put sensitive information in your bio, messages, or activity descriptions.

3. How & why we use your data (legal bases)

Under the GDPR we only process your data where we have a legal basis to do so:

• To provide the Service (contract): creating and managing your account, showing the map, letting you post and join activities, message, and add friends.
• With your consent: accessing your device location, and sending you the waitlist / beta emails you signed up for. You can withdraw consent at any time (for example, by turning off location permission in your device settings or unsubscribing).
• Legitimate interests: keeping the Service secure, preventing abuse and fraud, understanding usage through aggregated analytics, and improving hengspot — balanced against your rights.
• Legal obligation: where we must keep or disclose data to comply with the law.
• Age verification: we use your date of birth to enforce our 16+ minimum age.

4. Location data

hengspot uses your device location to center the map on you, find spots near you, and surface nearby activities. We only access location when you grant the permission, and you can revoke it at any time in your device settings — the public map still works without it. We use your location to provide these features in the moment; we do not build a continuous history of your movements for advertising or sell your location to anyone.

Note that when you create an activity, the activity's location and time are shown to other users so they can join — that is the point of the feature. Choose meetup points you're comfortable sharing.

5. What other users can see

hengspot is a social, meet-up service, so some information is visible to others by design:

• Public to other users: your username, display name, and bio, and the activities you host or join (including their location and time) and who else is attending.
• Visible only to you: your email, your password, and your date of birth. Your bio is shown to other users on your profile; your date of birth is not shown to anyone — we use it only to verify your age.
• Friends & messages: friend requests are visible to the person you send them to; messages are visible to the people in that conversation.

Think of anything you'd consider public the way you would on any social app. Don't share information in your profile or activities that you wouldn't want other users to see.

6. Sharing & service providers

We don't sell your personal data. We share it only:

• With other users, as described in What other users can see.
• With service providers (processors) who help us run hengspot under contract and on our instructions — for example cloud hosting, map-tile delivery, email delivery, and privacy-friendly analytics. Map and spot data is based on OpenStreetMap (© OpenStreetMap contributors); spots you suggest may be contributed back to OpenStreetMap, where they become part of an open dataset.
• For legal reasons, where we must to comply with the law, enforce our Terms, or protect the rights, safety, and security of our users or others.
• In a business transfer, if hengspot is involved in a merger, acquisition, or sale of assets — we'll notify you and any new owner must honour this policy.

7. How long we keep your data

We keep your account data for as long as your account is active. When your account is deleted (you can request this at any time — see Your GDPR rights), we delete or anonymise your personal data within a reasonable period, except where we need to keep some information to comply with the law, resolve disputes, or enforce our agreements. Content you shared with others (such as messages) may remain visible to those users. Aggregated analytics that can no longer identify you may be kept.

8. Security

We take reasonable technical and organisational measures to protect your data. Passwords are stored hashed, your session token is stored in your device's secure keystore (iOS Keychain / Android Keystore / encrypted storage on web) rather than in plain text, and traffic is encrypted in transit. No service can be completely secure, but we work to protect your information and to respond promptly to any incident.

9. Your rights under the GDPR

If you are in the EU/EEA, you have the right to:

• Access the personal data we hold about you, and get a copy;
• Rectify data that is inaccurate or incomplete;
• Erase your data ("right to be forgotten");
• Restrict or object to certain processing;
• Data portability — receive your data in a portable format;
• Withdraw consent at any time, where we rely on consent (this doesn't affect processing already carried out).

To exercise any of these — including having your account and data deleted — email info@hengspot.com. (Self-service account deletion in the app isn't available yet, so we handle deletion requests by email for now.) If you believe we've mishandled your data, you have the right to complain to your local data-protection authority — in Slovenia, the Information Commissioner (Informacijski pooblaščenec).

10. Children

hengspot is not intended for anyone under 16. We don't knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at info@hengspot.com and we'll delete it.

11. International transfers

We aim to keep data within the EU/EEA. If any of our service providers process data outside the EEA, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses or an adequacy decision — to protect it.

12. Cookies & analytics

Our website uses Umami, a privacy-friendly analytics tool that measures aggregate usage without cookies and without tracking you across other sites or building a profile of you. We use a small amount of local storage to remember your theme preference, and the app stores your session token in your device's secure storage so you stay logged in. We don't use advertising or cross-site tracking cookies.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we'll update the "Last updated" date above and, where appropriate, notify you in the app or by email. Please check back periodically.

14. Contact

Questions about your privacy or this policy? Email us at info@hengspot.com.