Legal

Privacy Policy

Last updated 11 June 2026

This policy explains what personal data Recsy collects, why, and what rights you have. Recsy is the data controller for the personal data we process about you. We are based in Glasgow, United Kingdom.

1. What we collect

You give us

  • Account info — email, password (hashed), username, display name, date of birth, optional avatar and bio.
  • Content — recommendations, photos, comments, likes, bookmarks, direct messages, board contents.
  • Location — your home city if you choose to set one (place name and optional coordinates from Google Places), and the place attached to a rec when you tag one. Both are optional.
  • Device location — only if you opt in via the "Use my current location" setting and grant your operating system's location permission when prompted. We use it in-session to rank nearby recs in your feed and to power the "Near me" button on the map. Coordinates are held in memory for a few minutes and are never stored on our servers. You can turn the setting off at any time in Profile → Edit, and you can also revoke the OS-level permission in your device settings.
  • Reports and support — anything you tell us when reporting content or contacting us.

Collected automatically

  • Device + log data — IP address, browser/device type, timestamps, error logs, pages visited.
  • Cookies and local storage — to keep you signed in and remember preferences. See Cookies.
  • Ad metrics — which promoted recs were shown and clicked (with your user id, so we can cap frequency and report to advertisers in aggregate).

From third parties

  • Google — if you sign in with Google, your name, email and avatar.
  • Google Places — when you pick a location, the place details are returned from Google.

2. Why we use it (and our legal basis under UK GDPR)

  • To run the Service (accounts, posts, messages) — performance of our contract with you.
  • To keep Recsy safe (moderation, abuse prevention, security) — legitimate interests and legal obligations.
  • To improve Recsy (aggregated analytics, fixing bugs) — legitimate interests.
  • To show and measure ads — legitimate interests; you can opt out of personalised targeting in Settings.
  • To comply with law (tax, response to lawful requests) — legal obligation.

3. Who we share it with

We use carefully chosen service providers ("processors") that act on our instructions:

  • Lovable Cloud (database, file storage, authentication, edge compute) — EU hosting.
  • Cloudflare — content delivery and bot/DDoS protection.
  • Google Maps Platform — places autocomplete and geocoding (only when you use location).
  • Lovable AI Gateway — to generate suggested subtitles/tags for recs.
  • Stripe (advertisers only) — billing.
  • Email provider — transactional emails (verification, password reset).

We do not sell your personal data. We may disclose information to law-enforcement when legally required, and to acquirers in a corporate transaction (you'll be notified).

4. International transfers

Some processors are based outside the UK/EEA. Where data is transferred outside, we rely on UK Addendum / Standard Contractual Clauses approved by the ICO, plus additional safeguards.

5. How long we keep it

  • Account data and content: until you delete your account. We may keep backups for up to 30 days after deletion.
  • Server logs: typically 30 days.
  • Moderation and safety records: up to 2 years.
  • Financial records (advertisers): 6 years (UK tax law).

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of your data ("Download my data" in Settings).
  • Rectify — correct inaccurate data (most can be edited in your profile).
  • Erase — delete your account from Settings, or email us.
  • Restrict or object to certain processing, including direct marketing.
  • Portability — the data export is provided in machine-readable JSON.
  • Withdraw consent where we relied on it.
  • Complain to the UK Information Commissioner's Office (or your local authority).

7. Children

Recsy is not for under-16s. If you believe a child has created an account, contact us and we'll remove it.

8. Security

We use TLS in transit and at-rest encryption, role-based access, and routine security review. No system is perfectly secure — please use a strong, unique password.

9. Changes

Material changes will be notified in-app or by email at least 14 days before they take effect.

10. Contact

Data Protection contact: privacy@recsysocial.app.