Privacy Policy

Last updated: March 23, 2026

Data Controller

Been ("we", "us", "our") is the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at soa.app.social@gmail.com.

What We Collect

When you use Been, we collect the following information:

• Account information: Username, email address, and an encrypted password.
• Profile photo: If you choose to upload one.
• Location data: Your approximate location (city-level) to show nearby recommendations. We do not continuously track your location.
• Place tags: The places you save, your ratings, vibe tags, notes, and categories.
• Social connections: Who you follow and who follows you, place shares, reactions, and recommendation requests.
• Gatekeep places: Your curated private place lists and who you grant access to.

Lawful Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

Processing Activity	Lawful Basis
Account data, place tags, social features (follows, shares, reactions, gatekeep)	Contract performance — necessary to provide the Been service (Art. 6(1)(b))
Weekly digest emails	Consent — you choose to opt in (Art. 6(1)(a))
Transactional emails (verification, password reset)	Contract performance (Art. 6(1)(b))
Abuse detection and service security	Legitimate interest (Art. 6(1)(f))

How We Use Your Data

• To provide and operate the Been service.
• To show you recommendations from people you follow.
• To send transactional emails (verification, password reset) via Resend.
• To send weekly digest emails if you opt in.
• To detect and prevent abuse of the service.

Third-Party Services

We share limited data with the following third-party services to operate Been:

• Resend (US): Transactional and digest emails. Your email address is shared. See Resend's Privacy Policy.
• Google Places API (US): Place search and enrichment. Search queries and location coordinates are sent. See Google's Privacy Policy.
• OpenStreetMap / Nominatim: Reverse geocoding for city detection. Coordinates are sent. See OSM's Privacy Policy.
• Instagram oEmbed API: Metadata extraction from Instagram URLs you share. The URL is sent to Instagram's servers.
• TikTok oEmbed API: Metadata extraction from TikTok URLs you share. The URL is sent to TikTok's servers.

We do not sell your personal data to anyone.

International Data Transfers

Your data is stored in a PostgreSQL database hosted on Replit's infrastructure in the United States. Our third-party processors (Resend, Google) also process data in the US. These transfers are protected by appropriate safeguards as required by UK GDPR, including the processors' compliance with applicable data protection standards. You can contact us for more information about the specific safeguards in place.

Data Storage & Security

• Passwords are hashed using bcrypt and never stored in plain text.
• Sessions use secure, HttpOnly cookies with a 30-day expiry.
• All API communications use HTTPS encryption.
• Database queries use parameterised queries to prevent SQL injection.

Data Retention

Data	Retention Period
Account data, place tags, social data	Until you delete your account
In-app notifications	90 days, then automatically deleted
Recommendation request tokens	7 days after expiry
Unverified accounts	30 days, then automatically deleted
Sessions	30 days

Cookies

We use a single, strictly necessary session cookie to keep you logged in. This cookie is HttpOnly (not accessible to JavaScript), secure, and contains only a session identifier. We do not use any tracking, analytics, or advertising cookies. As this cookie is strictly necessary for the service to function, no cookie consent banner is required under PECR.

Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: You can download a copy of all your data from the Profile screen ("Download My Data").
• Right to rectification: You can update your profile photo and tags at any time within the app.
• Right to erasure: You can delete your account and all associated data at any time from the Profile screen.
• Right to data portability: You can export your data in JSON format via the "Download My Data" feature.
• Right to restrict processing: Contact us at soa.app.social@gmail.com to request restriction of processing.
• Right to object: Contact us to object to processing based on legitimate interest.
• Right to withdraw consent: You can withdraw consent for digest emails at any time via the app settings or the unsubscribe link in digest emails.
• Right to lodge a complaint: You have the right to complain to the Information Commissioner's Office (ICO) if you believe your data rights have been violated.

Children's Privacy

Been is not intended for children under 13. We require age confirmation at registration and do not knowingly collect data from children under 13. If we discover such data has been collected, we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. We will notify users of significant changes via email or in-app notice. The "Last updated" date at the top of this page indicates when this policy was last revised.

Contact & Complaints

If you have questions about this privacy policy or wish to exercise your rights, contact us at:
soa.app.social@gmail.com

You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
https://ico.org.uk
Helpline: 0303 123 1113