1. Who is responsible for your data?
The controller responsible for processing your personal data is:
Kévin Degrune
Operating as a self-employed person in a secondary capacity (natural person).
Rue du Rucquoy 27 boîte 1, 7700 Mouscron, Belgium.
Company number (BCE): 0722.608.032.
Privacy contact: privacy@spotvib.com.
"SpotVib" refers to the mobile application and the related services operated under this name. In this document, "we" refers to the controller identified above, and "you" refers to the SpotVib user.
Given the nature of our processing activities (geolocation in the foreground only, not stored on your profile; community content), the appointment of a data protection officer (DPO) is not mandatory. You may nevertheless contact us at any time with any question relating to your data at the address above.
2. Scope
This policy explains what data we collect through SpotVib, why, on what legal basis, who we share it with, how long we keep it, and what your rights are. It applies to the mobile application (Android and iOS) and the associated website.
3. Data we collect and why
The table below summarises the categories of data, their purpose and their legal basis within the meaning of the GDPR. The most sensitive processing activities are detailed in sections 4 to 9.
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address, password | Creating and securing your account, signing in | Performance of the contract (art. 6.1.b) |
| Username, avatar, bio | Your public profile within the community | Performance of the contract |
| Date of birth | Verifying that you are at least 16 years old | Performance of the contract — eligibility check (linked to art. 8) |
| Country / region | Filtering the discovery feed and personalising the experience | Legitimate interest (art. 6.1.f) — offering relevant content |
| GPS position (while in use) | Centring the map and showing the places around you | Consent (art. 6.1.a) — via your system permission |
| Places ("spots") you publish, including their location | Populating the community discovery map | Performance of the contract |
| Photos of places and reviews | Community content | Performance of the contract / consent |
| Reviews, ratings, contributions | Community reviews | Performance of the contract |
| Contact details of a business entered on a listing (email, phone, website, social media) | Completing a place's listing | Consent of the listing's author |
| Use of a partner offer (Vibs spent) | Running the partner offers programme | Performance of the contract |
| Notification token (push) | Sending notifications | Consent |
| Preferences (notifications, marketing) | Respecting your communication choices | Consent |
| Virtual currency (Vibs) and associated history | Operation of the internal (free) economy | Performance of the contract |
| Subscriptions, favourites, saved routes | Social and personal features | Performance of the contract |
| Usage and audience-measurement data | Understanding how the app is used, measuring the audience | Consent (measurement) / legitimate interest (security) |
| Advertising identifier and advertising-related signals (Android, when advertising is enabled) | Displaying advertisements (no advertising identifier used on iOS) | Consent (via the dedicated prompt) |
| Email address and request submitted via the web form (deletion / data access) | Handling your rights-exercise request | Legal obligation (art. 12 et seq.) |
| Technical and security logs | Fraud and abuse prevention, security | Legitimate interest / legal obligation |
| Crash reports | Stability and bug fixing | Legitimate interest |
Mandatory nature. Providing your email address and date of birth is necessary to create your account and verify your age: without them, registration is not possible. The other data is optional; not providing it does not prevent you from using the application, but may limit certain features.
4. Geolocation
SpotVib uses your location only when the application is open and active. We never track your location in the background, and your device's location is never stored: it is used in the moment to centre the map and show you nearby places, and is then not stored on your profile.
However, when you publish a place ("spot"), its location becomes public: it appears on the discovery map, including for visitors who are not signed in. So only publish places whose location you are happy to have visible to everyone.
You can enable or disable the location permission at any time in your phone's settings.
5. Photos and media
When you add a photo (place, review, avatar), we apply several processing steps before any upload, to protect your privacy and that of others:
- Removal of location metadata (EXIF/GPS) from all your photos — including your avatar — on your device and then again on the server side, so that the exact location where the photo was taken is not disclosed.
- On-device face analysis, for photos of places and reviews: selfies are blocked and detected faces are blurred, in order to protect third parties. We neither store nor transmit any biometric data; only a technical flag ("face blurred" / "no face") is kept. This processing does not apply to your avatar, where it is normal to show your own face.
- On-device text recognition (OCR) when you scan a piece of information: the source image is deleted after reading.
- Anti-duplicate fingerprint: for each photo of a place, we compute a technical fingerprint (a non-reversible string of characters that does not allow the image to be reconstructed) used solely to detect duplicates.
Distribution. The photos of places and reviews that you publish are public: they are distributed via a content delivery network (CDN) and accessible to anyone who has their address. Your avatar, on the other hand, is shown to users of the application within your profile.
Face blurring: a protection, not a guarantee. Automatic blurring greatly reduces the risk that a person is recognisable, but it cannot be guaranteed to work in 100% of cases. If a face remains identifiable on a published photo, you can report it to us at privacy@spotvib.com (or via the app's reporting feature): we will remove it as soon as possible.
Respect for third parties and private property. By publishing a photo, you declare that you have the right to distribute it and you undertake not to infringe the privacy, image rights or property of others — for example by photographing a private property, an interior, or identifiable people without their consent. Any content can be reported and removed. The detailed content rules and the resulting responsibilities are set out in our Terms of Use.
6. Your profile: what is public and what is private
SpotVib distinguishes two levels:
- Public (visible to other users of the application; for the places you publish, also to visitors of the map who are not signed in): your username, your avatar, your bio, your region, your level, your badges, your "thank-you" counter, your premium or partner status, as well as the places, reviews and contributions you publish.
- Private (accessible only to you and, where necessary, to the app's administration): your email, your date of birth, your city, your Vibs balance, your preferences, your favourites, your subscriptions and your history.
Your email, your date of birth and your city are never made public.
7. Advertising
SpotVib may display advertising, including rewarded ads (for example: watching an ad to unlock areas of the map). Advertising is provided by Google AdMob.
Before any ad is displayed, we collect your choice via a dedicated consent prompt (which covers advertising and audience measurement). If you refuse personalised advertising, only non-personalised ads may be displayed. Where consent is legally required (European Economic Area, United Kingdom and Switzerland), you can reopen and change this choice at any time from the app settings ("Privacy settings").
If you are under 18, only non-personalised ads are shown to you.
On iOS, SpotVib does not carry out any cross-app advertising tracking and does not access the advertising identifier (IDFA): ads there are non-personalised. The only measurement performed is an anonymous attribution of installs (via Apple's SKAdNetwork mechanism), which does not identify users. You will therefore not be shown any iOS "tracking" prompt.
8. Audience measurement and diagnostics
We use audience-measurement tools to understand how the application is used (for example: the number of views of a place, the journey through the feed). Any measurement that could identify you (for example linked to your account) is enabled only with your consent. Purely aggregated and anonymous statistics — such as the total number of views of a place, computed via our discovery-feed database — can, on the other hand, be established without identifying you. Measurement data relates mainly to content identifiers (places), and not to your email, your username or your location. When you consent to it, a technical account identifier (distinct from your email and your username) is transmitted to Google to carry out these measurements. Your consent to measurement is collected via the same prompt as for advertising (shown at app startup) and remains changeable at any time in Settings → "Privacy settings".
We also use a crash-reporting tool to fix bugs. This tool is configured not to transmit your personal data: emails, identifiers and tokens are masked before being sent.
Automated decisions and profiling. We do not make any decision based solely on automated processing that produces legal effects concerning you or significantly affects you. Automatic face blurring and anti-abuse filters are automated protective processing activities, subject to human review in the event of a dispute. Personalised advertising, when you consent to it, involves profiling carried out by Google; you can refuse it or withdraw your consent at any time.
9. Minors
SpotVib is restricted to people aged at least 16. This age is verified at registration and enforced on the server side. This threshold of 16 is deliberately stricter than the minimum legal age in some countries (15 in France, 13 in Belgium), in order to offer uniform protection.
Your date of birth is used solely for this verification, is not stored on your device, and is deleted after 12 months. We then keep only the proof that the age verification took place, as well as your year of birth, in order to apply age-appropriate settings — for example non-personalised advertising for those under 18.
If we learn that an account has been created by a person under 16, we delete it.
10. Who do we share your data with?
We use technical providers (processors) that process data on our behalf, as well as third-party services necessary for the app to function. We do not sell your data.
| Recipient | Role | Data concerned |
|---|---|---|
| Google (Firebase) | Authentication, database, server functions, photo storage, push notifications, anti-abuse protection | Account, profile, content, device tokens |
| Google (audience measurement, AdMob) | Audience measurement and advertising | Usage identifiers; advertising identifier (Android, when advertising is enabled) |
| Supabase | Discovery-feed database, maps, counters, public profiles, aggregated statistics | Places, public locations, public profiles |
| Cloudflare | Delivery of maps and images, technical data-access intermediary | Technical requests, IP address, public images |
| Resend | Sending our emails (verification, inactivity warning, moderation notifications) | Email address, message content |
| Mapbox | Address search and geocoding | Search text, nearby coordinates |
| OpenStreetMap / Nominatim | Identifying the country and city of a place | Coordinates of a published place |
| Sentry | Crash reports | Technical diagnostic data (without personal data) |
| Partner merchants | When you use one of their offers (scanning a QR code) | Your username and the details of the offer used (amount in Vibs) |
Partner merchants. When you use an offer, the partner merchant receives the information above and acts as an independent controller for tracking its offers. We do not pass on your email, your date of birth or your location to it.
11. Transfers outside the European Union
Your main structured data is hosted in Europe: our database and our server functions are in Belgium and the Netherlands, and our discovery-feed database is in Switzerland (a country benefiting from an adequacy decision of the European Commission).
Some providers may, however, process data outside the European Economic Area, notably in the United States (Google, Mapbox, Resend services) or via a global network (Cloudflare). Where this is the case, these transfers are governed by appropriate safeguards within the meaning of the GDPR: an adequacy decision, the European Commission's standard contractual clauses, or membership of the EU–U.S. Data Privacy Framework, depending on the provider. You can obtain a copy of these safeguards by writing to us at privacy@spotvib.com.
12. How long do we keep your data?
| Data | Retention period |
|---|---|
| Account and profile | For as long as your account is active. An account that has remained inactive for 24 months is deleted, after a prior warning email (around 23 months) allowing you to reactivate it. |
| Date of birth | 12 months. After that, only the age-verification proof and your year of birth are kept (the year is used to offer non-personalised ads to minors). |
| Notifications | Read: 30 days · Unread: 90 days |
| Notification token (push) | For as long as notifications are enabled |
| Technical and security logs | From a few days to 12 months depending on their nature |
| Documents claiming a business | Refused: 30 days · Accepted: 3 years |
| Ad rewards and exploration quotas | From a few minutes to a few days |
| Rights-exercise request (web form) | For the time needed to handle your request, then archived minimally as proof of processing (up to 12 months) |
| Crash reports | Depending on our provider, generally 90 days |
| Audience-measurement data | Kept only in aggregated / anonymous form |
| Community content (places, reviews) after deletion of your account | Anonymised then kept for the community (see section 13) |
| Proof of account deletion | Kept minimally (hashed identifier + date) as proof that your right to erasure has been carried out |
13. Your rights
In accordance with the GDPR, you have the following rights over your data:
- Access: obtaining a copy of the data we hold about you.
- Rectification: correcting inaccurate data (largely editable from the app settings).
- Erasure ("right to be forgotten"): see below.
- Restriction of processing and objection to certain processing activities.
- Portability: receiving your data in a reusable format.
- Withdrawal of consent at any time, for processing based on consent (advertising, audience measurement, location, notifications), without affecting the lawfulness of processing already carried out.
Deleting your account. You can delete your account directly in the application: Settings → Delete my account. For your security, the operation requires re-authentication and confirmation. Deletion results in the erasure of your account and your personal data, and the anonymisation of the content you have shared with the community (a published place remains visible but is no longer linked to your identity).
You can also exercise your rights of access and deletion via our online form: spotvib.com/supprimer-mon-compte. For your security, any request sent via this form is subject to verification (email confirmation) before processing.
To exercise a right, write to us at privacy@spotvib.com. We respond within one month.
15. Security
We implement technical and organisational measures to protect your data, in particular:
- encryption of all communications (HTTPS);
- encryption at rest by our hosting providers;
- strict access rules on the server side (by default, no data is accessible without explicit authorisation);
- protection against abuse and impersonation (device integrity checks, rate limiting);
- encrypted storage of sensitive information on the device.
As no system is infallible, we cannot guarantee absolute security, but we strive to use means in line with the state of the art.
16. Changes to this policy
We may update this policy to reflect changes to the application or to regulations. In the event of a significant change, we will inform you by an appropriate means (notification or information in the app). The date of the last update appears at the top of this document.
17. Complaints
If you believe that the processing of your data does not comply with the regulations, you can at any time lodge a complaint with the Belgian supervisory authority:
Autorité de protection des données (APD) (Data Protection Authority)
Rue de la Presse 35, 1000 Brussels, Belgium
Email: contact@apd-gba.be
Website: autoriteprotectiondonnees.be