Privacy Policy

Last updated: [Effective Date]

Who We Are

Poop Advisor is a web application that lets users review public toilets in restaurants, pubs, hotels, and public spaces. We are based in Romania, EU, and operate as [Company Name].

For any questions about this Privacy Policy or how we handle your data, contact us at [Contact Email].

As the data controller, we are responsible for deciding how your personal data is collected, used, and protected.

What Data We Collect and Why

Account Data

When you create an account, we collect your name, email address, and avatar image. If you sign in via Google OAuth, this information is provided by Google during the authentication process. If you sign up with email and password, you provide this directly.

Legal basis: Contractual necessity — we need this data to create and maintain your account.

Review Content

When you leave a review, we collect your category scores (cleanliness, facilities, smell, vibe), feature tags (e.g., no toilet paper, broken lock), and any photos you upload. Reviews are associated with a location and your user account.

Legal basis: Contractual necessity — reviews are the core function of the service you are using.

Location Data

Reviews are tagged to locations sourced from the Google Places API. This includes the location's name, address, coordinates, and place type. We do not collect or track your live GPS position.

Legal basis: Contractual necessity — location data is required to associate reviews with real-world places.

Technical and Security Data

We collect IP addresses for rate limiting purposes to protect the platform from abuse. These are stored in a dedicated rate-limiting table and cleaned up periodically. Standard server logs (IP address, user agent, timestamps) are also collected by our hosting provider, Vercel.

Legal basis: Legitimate interest — protecting the platform and its users from abuse and ensuring service reliability.

How We Use Your Data

We use your data to provide and operate the Poop Advisor service: creating accounts, publishing and displaying reviews, rendering location pins on the map, and protecting the platform from abuse. We do not use your data for advertising, profiling, automated decision-making, or any purpose beyond operating the service.

Third-Party Services

We use the following third-party services, each of which may receive certain data as part of normal platform operation:

Supabase (database, authentication, file storage) receives your account data, review content, uploaded photos, and IP addresses used for rate limiting. Supabase handles authentication sessions and stores all persistent application data.

Vercel (hosting) receives standard server logs including your IP address, user agent, and request timestamps as part of serving the application.

Mapbox (map rendering) receives requests from your browser to load map tiles. Your IP address is visible to Mapbox as part of these requests. We do not send Mapbox any personal data directly.

Google Places API (location search) receives search queries when you search for a location within the app. These requests are made server-side where possible.

Google OAuth (authentication) receives and exchanges authentication data when you sign in with your Google account.

We do not sell, rent, or trade your personal data to any third party. We do not use any analytics tools, advertising SDKs, or third-party tracking services.

International Data Transfers

Some of our third-party service providers (Supabase, Vercel, Google, Mapbox) process data in the United States or other countries outside the European Economic Area. Where applicable, these providers rely on EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure an adequate level of data protection. You can request more information about these safeguards by contacting us at [Contact Email].

Data Retention

We retain your account data and review content for as long as your account is active.

When you delete your account, you have two options: delete all your reviews entirely, or anonymize them. If you choose anonymization, your reviews are preserved under a randomly generated anonymous name, and all personal data (name, email, avatar) is permanently removed. In both cases, your account data is deleted immediately and cannot be recovered.

You can also delete individual reviews at any time, which permanently removes the review and any associated photos.

IP addresses stored for rate limiting are cleaned up periodically and are not retained longer than necessary for abuse prevention.

Cookies

We use only essential authentication cookies provided by Supabase. These cookies are strictly necessary for the service to function — they maintain your logged-in session and do not track you across other websites.

We do not use any analytics, advertising, or third-party tracking cookies. Because these cookies are strictly necessary under GDPR, no consent banner is required.

Your Privacy Rights

You have rights over your personal data under applicable privacy laws.

If you are located in the EU/EEA, please see our GDPR — Your Rights page for a full explanation of your rights under the General Data Protection Regulation.

If you are located in the United States, the following rights may apply to you depending on your state of residence (including under the CCPA/CPRA and similar state privacy laws): the right to know what personal data we collect and how we use it, the right to request deletion of your personal data, and the right to opt out of the sale of personal data. We do not sell your personal data, so the right to opt-out does not apply in practice. To exercise any of these rights, contact us at [Contact Email].

Children

Poop Advisor is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under the age of 16. If you believe a user under 16 has created an account, please contact us at [Contact Email] and we will delete the account promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify users via the app or by email where possible. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or your personal data, contact us at:

[Company Name] [Contact Email] Romania, EU