MYSOVA

Privacy Policy

Version 1.0 — Last updated: 17 April 2026 — Effective: 17 April 2026

1. Controller & Contact

The data controller for personal data processed through our services is:

MYSOVA LTD

Company number: 17154283

Registered in England and Wales

Registered office: London, United Kingdom (provided by our company secretary service; full address available on the Companies House public register)

Data protection enquiries: privacy@mysova.co.uk

Designated data protection contact: Pavel Vassiltsenko (Director)

ICO registration: Filed April 2026 (registration number to be added once issued)

Throughout this policy, "MYSOVA", "we", "us", and "our" refer to MYSOVA LTD. "You" and "your" refer to the individual using our services, whether as a consumer or venue owner.

Data Protection Officer. MYSOVA LTD has fewer than 250 employees and does not carry out large-scale processing of special-category data or systematic monitoring on a scale that triggers the statutory obligation under UK GDPR Article 37 to appoint a Data Protection Officer. The Director acts as the accountable owner for data protection and is the contact point for all enquiries.

2. Scope

This privacy policy applies to all personal data processed through:

  • MYSOVA App — our consumer mobile application for nightlife discovery, check-ins, and social features (iOS and Android)
  • MYSOVA Business — our web-based dashboard for venue owners to manage analytics, events, promotions, and operations
  • mysova.co.uk — our marketing website and landing pages
  • Support channels — email, in-app support, and any other channels through which you contact us

This policy does not cover third-party websites or services linked from our platform. We encourage you to review the privacy policies of any third party you interact with.

3. Eligibility

MYSOVA is a nightlife platform. All users must be aged 18 or over to create an account or use our services. We enforce this through an age gate at signup and reserve the right to verify your age at any time. If we discover that an account belongs to someone under 18, we will terminate it immediately and delete all associated personal data.

4. Data We Collect

We collect the following categories of personal data, depending on how you use our services:

Account Data

Full name, email address, phone number, date of birth, profile photo, and authentication credentials. Collected at registration and maintained throughout your account lifecycle.

Location Data

Precise GPS coordinates when you perform check-ins at venues, and approximate location for venue discovery. Dwell time at venues is calculated from check-in/check-out events. Location data is collected only when the app is in active use and you have granted location permission.

Social & Activity Data

Check-in history, Paths connections (mutual opt-in social connections), direct messages between connected users, block/report actions, XP and level progression, and achievements.

Payment Data

Payment processing is handled entirely by Stripe. We receive confirmation of payment status, subscription tier, and transaction identifiers. We do not store credit card numbers, CVVs, or full bank details on our servers.

Device & Technical Data

IP address, device type, operating system, app version, browser type (B2B dashboard), crash reports and performance diagnostics (via Sentry), and session identifiers.

Venue Owner Data

In addition to account data, venue owners provide: business name, business address, role/position, venue details (type, capacity, operating hours), and proof of ownership or authority documents (e.g., license, lease, or utility bill).

5. Purposes & Lawful Basis

Under UK GDPR, we must have a lawful basis for each purpose we process your data. The table below sets out each processing activity, its purpose, and the lawful basis we rely on.

PurposeData UsedLawful Basis
Account creation and authenticationName, email, phone, DOBContract
Venue check-ins, XP, levelling, and gamificationLocation, activity dataContract
Paths social connections and messagingSocial data, messagesContract
Venue analytics and insights for venue ownersAnonymised/aggregated check-in and activity dataContract
Payment processing and subscription managementPayment data, subscription tierContract
Venue owner onboarding and claim verificationBusiness details, proof documentsContract
Fraud prevention, abuse detection, and platform safetyAccount, device, location, activity dataLegitimate Interest
Service improvement and product analyticsAnonymised usage patterns, device dataLegitimate Interest
Error monitoring and crash reportingDevice data, IP, crash logsLegitimate Interest
Precise location for check-ins and discoveryGPS coordinatesConsent
Marketing communications and promotional offersEmail, name, preferencesConsent
AI-powered recommendations and matchingActivity data, preferencesConsent
Tax, accounting, and legal obligationsPayment records, account dataLegal Obligation

Where we rely on consent, you may withdraw it at any time by adjusting your settings in the app or contacting us at privacy@mysova.co.uk. Withdrawal does not affect processing carried out before you withdrew consent.

6. Social & Location Disclosures

What other users can see

When you check in to a venue, other users at the same venue may see your first name and profile photo. Paths connections (mutual opt-in) can see your check-in history and send you direct messages. Your XP level and achievements are visible on your profile.

What venues see

Venue owners receive anonymised and aggregated analytics only: total check-ins, footfall trends, peak hours, demographic breakdowns (age ranges, not individual ages), and dwell time averages. Venue owners cannot see individual user identities, precise locations within their venue, or private social activity.

Phantom Mode

Users can enable Phantom Mode to check in privately. When active, your check-in is recorded for your own history and XP, but you become invisible to other users at the venue. Venue analytics still receive your visit as an anonymous data point. You can toggle Phantom Mode on or off at any time from your profile settings.

7. AI Processing

MYSOVA uses artificial intelligence to enhance your experience. We are transparent about how AI is used and what safeguards are in place.

Provider

We use Anthropic's Claude models for AI-powered features. Anthropic is a US-based AI safety company. Data sent to Anthropic is processed under our data processing agreement and is not used to train their models.

What AI processes

  • Venue recommendations based on your check-in history and preferences
  • Social matching suggestions for Paths connections
  • Venue insights and trend analysis for venue owners
  • Content moderation assistance

Inputs and outputs

AI inputs include anonymised activity patterns, venue categories, and user preferences. AI outputs are recommendations, scores, and text summaries. No raw personal data (names, emails, phone numbers) is sent to AI processors.

Safeguards

  • No solely automated decisions with legal or significant effects are made by AI
  • All AI recommendations can be ignored — they do not restrict your access to features
  • You can opt out of AI-personalised recommendations at any time
  • AI outputs are logged for quality assurance and bias monitoring
  • Human review is available upon request for any AI-influenced decision

8. Third-Party Processors

We share personal data with the following third-party processors, solely to provide and operate our services. Each processor is bound by a data processing agreement.

ProcessorPurposeData Location
SupabaseDatabase hosting, authentication, real-time dataEU (Frankfurt)
StripePayment processing, subscription billingUS / EU
SentryError tracking, crash reporting, performance monitoringUS
MapboxMap rendering, venue location display, geocodingUS
AnthropicAI recommendations, matching, content moderationUS
ResendTransactional and marketing email deliveryUS
VercelWeb hosting, edge functions, serverless computeUS / EU (edge)
Twilio (planned)SMS one-time passwords for venue owner verification — not yet wiredUS / EU
Upstash (planned)Distributed rate limiting (Redis) — not yet wiredEU

We do not sell your personal data to any third party. Data is shared with processors only as strictly necessary to deliver our services. We maintain a current internal subprocessor register and will update this policy when new processors are added or removed. Each processor operates under a written data processing agreement (typically the processor's standard DPA, accepted electronically). Copies are available on request.

9. International Transfers

MYSOVA is a UK-based company and our primary database is hosted in the EU (Frankfurt). However, some of our third-party processors operate in the United States, as indicated in the table above.

Where personal data is transferred from the UK to countries without an adequacy decision, we implement appropriate safeguards including:

  • UK International Data Transfer Agreement (IDTA) — the post-Brexit transfer mechanism issued by the Information Commissioner's Office
  • EU Standard Contractual Clauses (SCCs) with the UK Addendum — used in the alternative where a processor's template DPA is built around the EU SCCs
  • Data processing agreements with each processor, specifying security measures and data handling obligations
  • Transfer risk assessments where required, evaluating the legal framework of the recipient country and supplementary measures (e.g. encryption, pseudonymisation)

You may request a copy of the relevant transfer safeguards by contacting privacy@mysova.co.uk.

10. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law. The table below sets out our specific retention periods.

Data CategoryRetention PeriodReason
Account data (name, email, phone, DOB)While account is active + 30 days after deletionService delivery; grace period for account recovery
Payment and billing records6 years after transactionHMRC tax record-keeping requirements
Raw location data (GPS coordinates)90 daysAggregated after 90 days; raw data deleted
Check-in history (anonymised)While account is active + 30 daysCore service feature; XP and level history
Direct messages1 year after account closureSafety investigations; regulatory compliance
Verification documents (venue ownership)30 days after approvalDeleted once venue claim is verified
Crash reports and error logs90 daysDebugging and service stability
Marketing consent recordsDuration of consent + 2 yearsEvidence of consent under PECR
Block/report records3 yearsPlatform safety and abuse prevention

When retention periods expire, data is securely deleted or irreversibly anonymised. Aggregated, anonymised data (which cannot identify you) may be retained indefinitely for statistical and research purposes.

11. Cookies & Similar Technologies

We use a small number of cookies and similar browser storage technologies. Under the UK Privacy and Electronic Communications Regulations (PECR), we ask for your explicit consent before setting any non-essential cookies. You will see a cookie banner the first time you visit a public page; your choice is remembered in your browser.

Essential cookies (always on)

These are strictly necessary to deliver the service you have requested. They do not require consent under PECR.

  • Supabase authentication cookies (sb-*-auth-token) — keep you signed in and manage your session securely
  • Venue selection cookie — remembers which venue you selected across page navigations
  • CSRF protection — prevents cross-site request forgery attacks on form submissions
  • Cookie consent record (mysova-cookie-consent-v1, localStorage) — remembers your cookie choices so we don't ask again on every visit

Analytics cookies (consent required)

Set only if you accept Analytics in the cookie banner. Used to understand which pages are visited and how the site performs in aggregate.

  • Vercel Analytics (_vercel_analytics, page-view counters) — anonymous usage stats. No cross-site tracking; no advertising profile.
  • Vercel Speed Insights — collects Core Web Vitals (LCP, FID, CLS) so we can fix slow pages.

Performance / debugging cookies (consent required)

Set only if you accept Performance Replay in the cookie banner. Used to reconstruct error sessions so engineers can fix bugs.

  • Sentry Session Replay — records a masked playback of pages where an error occurred. All text is masked, all media blocked, and the recording is sent only to our error-tracking provider (Sentry GmbH).

Changing or revoking your choice

You can change your mind at any time:

  • If you are signed in, open Settings → Privacy in the dashboard and adjust your cookie preferences.
  • If you are not signed in, clear the mysova-cookie-consent-v1 entry from your browser's site data (DevTools → Application → Local Storage), then reload the page — the consent banner will reappear.
  • You can also block cookies entirely via your browser settings; essential features that depend on cookies (e.g. staying signed in) will not work in that case.

We do not use advertising cookies, ad-network tracking pixels, or any third-party cookies that build a profile across other sites. The MYSOVA mobile app does not use cookies (it uses secure token-based authentication).

12. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

AccessRequest a copy of the personal data we hold about you, along with information about how it is processed.
RectificationRequest correction of inaccurate or incomplete personal data.
ErasureRequest deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
RestrictionRequest that we limit how we process your data in certain circumstances (e.g., while a dispute is resolved).
PortabilityReceive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
ObjectionObject to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds.
Automated decisionsUnder Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions: all enforcement actions and tier changes are subject to human review.
Withdraw consentWhere processing is based on consent, withdraw it at any time via app settings or by contacting us.
ICO complaintLodge a complaint with the Information Commissioner's Office if you are unsatisfied with our response — see ico.org.uk/make-a-complaint.

To exercise any right, email privacy@mysova.co.uk. We will respond within one calendar month of receipt, in line with our obligation under UK GDPR Article 12(3). We may ask for proof of identity before processing your request. There is no fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request (in which case we will tell you why and how to complain).

13. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption at rest — all personal data stored in our database is encrypted at rest using AES-256
  • Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Least privilege access — database access is restricted through Row Level Security (RLS) policies, ensuring users can only access their own data
  • Authentication security — passwords are hashed using bcrypt; session tokens are rotated regularly
  • Audit logging — access to sensitive data and administrative actions are logged for security review
  • Rate limiting — API endpoints are rate-limited to prevent brute force and denial-of-service attacks
  • Vulnerability monitoring — we use automated tools to detect and remediate security vulnerabilities in our dependencies

No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@mysova.co.uk.

14. Age Restrictions

MYSOVA is a nightlife platform and our services are intended exclusively for individuals aged 18 and over. We implement the following measures:

  • An age gate at account registration requiring date of birth confirmation
  • Accounts created by individuals under 18 are terminated and data is deleted
  • We reserve the right to request additional age verification at any time
  • Venue owners are required to be at least 18 and authorised to represent their business

If you believe someone under 18 is using MYSOVA, please report it to privacy@mysova.co.uk and we will investigate promptly.

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or operational practices. When we make changes:

  • The version number and effective date at the top of this page will be updated
  • For material changes, we will notify you via email and/or an in-app notification at least 14 days before the changes take effect
  • Previous versions of this policy will be available upon request
  • Continued use of our services after the effective date constitutes acceptance of the updated policy

16. Contact & Complaints

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, contact us:

MYSOVA LTD — Data Protection

Email: privacy@mysova.co.uk

Response time: Within one calendar month of receipt

If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Make a complaint: ico.org.uk/make-a-complaint

Website: ico.org.uk

Helpline: 0303 123 1113

Live chat: ico.org.uk/global/contact-us/live-chat

We encourage you to contact us first so we can try to resolve your concern directly.

MYSOVA and the owl device are trademarks of MYSOVA LTD, registered with the UK Intellectual Property Office (UK00004373417 / UK00004373474).