Effective date: 17 February 2026
Privacy Policy — UrbexGo

Controller

This Privacy Policy explains how personal data is collected, used and disclosed by UrbexGo (Inh. Yannick Meyer), a sole proprietorship registered in Germany (hereinafter “we”, “us”, “UrbexGo”). Registered address: Sudetenstraße 7, Gefrees, Germany. Contact: urbexgo.business@gmail.com. If you have questions about this Policy or wish to exercise your legal rights, contact us at urbexgo.business@gmail.com.

1. Scope & Purpose

This Policy applies to personal data processed in connection with the UrbexGo mobile application (“App”), including user accounts, location features, group chat, user-generated content, premium subscriptions and analytics. It describes what data we collect, why we process it, with whom we share it, how long we keep it, and the rights you can exercise under applicable data protection law, including the EU General Data Protection Regulation (GDPR).

2. Data We Collect

We collect the following categories of personal data:

Account & identity data
● Email address, display name, profile picture (if uploaded).
● Hashed or encrypted password stored via our authentication provider (we do not store plaintext passwords).

Contact & transactional data
● Payment receipts and minimal transactional metadata required for subscriptions when processed via RevenueCat / App Stores. (We do not directly process credit card details — those are processed by the App Store / Google Play or the third-party payment processor.)

Location & geodata
● Address input / geocoding results (coordinates) when you explicitly enter an address.
● Cached approximate location data stored locally in the app cache for map display and UX purposes. We do not continuously transmit a live precise GPS stream to our servers. Location data may be shared with mapping/tiles providers as needed to render map tiles and static images.
User content
● Photos and videos you upload (profile photos, place photos), textual posts, comments, and reports about locations, including hazard warnings.
● Group memberships, group chat messages and related metadata (sender, timestamp). Group chats and posted content are stored on our backend (Firestore) to provide the service.

Device & usage data
● Device identifiers, operating system version, app version, crash reports, usage metrics and analytics data (events, feature usage, errors). We use these data to operate and improve the App.

Advertising & campaign data
● Data necessary for ad delivery or ad measurement where you consent (AdMob). This may include device identifiers and non-identifying advertising attributes.

3. Sources of Data

● Data you provide directly (e.g., during registration, profile setup, uploads, or support requests).
● Data generated by your use of the App (chats, posts, group activity, location inputs, analytics).
● Third parties: Google (Firebase, Firestore, Google Analytics, AdMob), Mapbox (static images; may receive certain request data), MapLibre (client-side), RevenueCat (subscription management), App Stores (payment processing). See Section 6 for details.

4. Legal Bases for Processing

We rely on the following legal bases under Article 6 GDPR:
● Performance of a contract (Art. 6(1)(b)) — to provide the App, create and manage your account, deliver subscription services, process payments and fulfill contractual obligations.
● Consent (Art. 6(1)(a)) — for optional processing such as analytics tracking, personalized advertising, and certain non-essential cookies. Where consent is required, we will obtain it prior to processing. You may withdraw consent at any time.
● Legitimate interests (Art. 6(1)(f)) — to the extent necessary for fraud prevention, platform security, abuse prevention, and to improve and analyze the App (subject to balancing of interests).
We will not rely on legitimate interests where your fundamental rights override such interests.
● Legal obligations (Art. 6(1)(c)) — to comply with statutory retention obligations (e.g., accounting or tax laws).

5. Purposes of Processing

We process personal data for the following purposes:
● To register and manage your account and provide core App functionality (groups, chats, map features, content uploads).
● To display and store user-generated content (posts, photos, reviews) and enable interactions (comments, chat).
● To enable mapping features (geocoding, tile rendering, static map images) and to cache map/relevant location data for performance.
● To process subscription payments and subscription state via RevenueCat and the platform stores. We may store minimal transactional metadata necessary for refunds, billing, or compliance. Payment card data is handled by the stores / payment providers.
● To provide, secure and improve the App (analytics, crash reporting, feature usage).
● To serve advertisements if you opt in (AdMob) and for measurement of ad performance.
● To comply with legal obligations, enforce our Terms of Service, and respond to lawful requests by public authorities.

6. Recipients / Third Parties

We share personal data with the following categories of recipients:
● Service providers: Firebase / Google (Firestore, Authentication, Cloud Functions, Analytics, Crashlytics), RevenueCat (subscription & entitlement management), Mapbox (static map images, geocoding where used), MapLibre (client-side mapping), AdMob (ads). These providers act as processors or independent controllers in respect of their services.
● App Stores / Payment processors: Apple App Store and Google Play handle payment card data and provide transaction records. We receive receipts/transaction metadata through RevenueCat or the stores.
● Legal & regulatory authorities: where required by law or to respond to valid legal requests.
● Other users: content you post publicly (posts, place photos, public location markers) will be visible to other users depending on visibility settings (public, group-only, premium-only). Be cautious when posting sensitive information.

We require third-party service providers to implement appropriate technical and organisational measures and process data only in accordance with our instructions or their own privacy policies.

7. International Data Transfers

Some service providers (including Google, Mapbox, RevenueCat) may transfer or process personal data outside the European Economic Area (EEA), including in the United States. Where data transfers occur to jurisdictions without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms. You may request further details by contacting us at urbexgo.business@gmail.com.

8. Data Retention

We retain personal data for the minimum period necessary for the purposes set out above, subject to applicable law:
● Account data (profile, email): retained until you delete your account and for a commercially reasonable period thereafter to allow for recovery and to comply with legal obligations.
● User-generated content (posts, photos, location reports, chat messages): retained until you delete it. We may retain backup copies for a limited period (up to 3 years) for the purpose of meeting legal obligations or resolving disputes, unless a different statutory period applies.
● Transactional/payment metadata: retained as required by law for tax and accounting purposes (up to 10 years under German commercial law where applicable).
● Analytics and logs: retained in anonymized or aggregated form where possible. Raw analytics data is retained for [24–36 months] (replace with your chosen period) unless you have consented otherwise.
● Legal hold: data necessary for pending legal claims or investigations may be retained for longer.
If you wish to request deletion of your personal data, see Section 10 (Your Rights).

9. Security

We implement reasonable technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or access. Measures include:
● HTTPS/TLS for network communications;
● Use of industry-standard authentication;
● Hashed/encrypted storage of passwords using the authentication provider;
● Access controls and role-based access to production systems;
● Firebase Security Rules and similar server-side access restrictions where applicable;
● Regular security assessments and patching.

While we strive to protect your data, no system is 100% secure. If a data breach occurs that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority where required by law, typically within 72 hours of becoming aware of the breach.

10. Your Rights (Under GDPR)

If you are in the EU/EEA, you have the following rights regarding your personal data subject to applicable legal limitations:
● Right of access — request a copy of personal data we hold about you.
● Right to rectification — correct inaccurate or incomplete data.
● Right to erasure (“right to be forgotten”) — request deletion where there is no lawful ground for retention.
● Right to restriction — request restriction of processing in certain circumstances.
● Right to data portability — receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
● Right to withdraw consent — where processing is based on consent, you may withdraw consent at any time (withdrawal does not affect the lawfulness of processing before withdrawal).
● Right to object — to processing based on legitimate interests or for direct marketing.
● Right to lodge a complaint — with a supervisory authority (in Germany: the data protection authority of the relevant federal state or the Federal Commissioner for Data Protection and Freedom of Information (BfDI)).

To exercise your rights, contact us at urbexgo.business@gmail.com. We will respond without undue delay and in accordance with applicable law.

11. Children

Our App is intended for persons aged 16 or older. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under the applicable minimum age without parental consent, we will delete that data. If you believe we have collected data of a child under the applicable age, contact us at urbexgo.business@gmail.com.

12. Cookies, Tracking & Advertising

We and our service providers use cookies and similar technologies for analytics, performance, functional purposes and (where you consent) personalized advertising. Collection and use of tracking data will be subject to your consent where required. You may manage cookie and tracking preferences via the settings provided in the App.

13. User-Provided Content & Public Visibility

Content you post (photos, location markers, posts, comments) that you designate as public or share within groups will be visible to other users in the App. You are responsible for the content you post and must ensure you have the necessary rights (copyright, third-party consent). We may remove content that violates our Terms of Service or applicable law.

Sensitive locations & premium places: Certain places marked as premium or otherwise sensitive will be restricted in visibility to authorised users only. However, the designation and protection of such locations is managed by us and may not prevent misuse outside the App. We strongly encourage users not to share precise access instructions for private property or otherwise unlawful acts.

14. Enforcement & Legal Requests

We may disclose personal data to comply with legal obligations, enforce our Terms of Service, or protect the rights, property or safety of our users, the public or UrbexGo. Valid law enforcement requests will be complied with to the extent required by law.

15. Changes to this Policy

We may update this Policy when we change how we process personal data or to reflect legal or operational changes. Material changes will be communicated via the App or by other appropriate means. The “Effective date” at the top will be updated.

16. Contact Details & Data Protection Officer

Controller: UrbexGo (Inh. Yannick Meyer), Sudetenstraße 7, Gefrees, Germany. Contact: urbexgo.business@gmail.com. We have not appointed a Data Protection Officer (DPO). If you need to contact our data protection point of contact, use urbexgo.business@gmail.com.