← Back to CityPirate

Privacy Policy

Last updated: March 24, 2026

1. Data Controller

CityPirate is operated by Florian Pascal Abel, Barcelona, Spain ("we", "us", "our"). We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR).

For privacy-related inquiries, contact us at privacy@citypirate.app.

2. Information We Collect and Legal Basis

Account information (email address, display name, profile photo): collected when you create an account or sign in via Apple or Google. Legal basis: contract performance — this data is necessary to provide the CityPirate service.

Location data (precise GPS coordinates): collected when you use the nearby places feature or check in at a place. Location is collected only while the app is in use (not in the background) and only with your explicit permission. Legal basis: consent — you grant permission via the device location dialog.

Photos: collected when you upload photos of places. We access your camera or photo library only when you choose to take or select a photo. Legal basis: consent — you choose to upload each photo.

User-generated content (tips, check-ins, saves, reactions): created by you within the app. Legal basis: contract performance — these features are core to the service.

Usage analytics (screens viewed, features used): anonymized data sent to our own servers to help us improve the app. We do not use any third-party analytics services. Legal basis: legitimate interest — improving service quality. You can opt out at any time in Settings.

Push notification tokens: your device token is stored if you enable push notifications, so we can notify you about activity from people you follow. Legal basis: consent — you enable notifications via the device notification dialog.

3. How We Use Your Information

• To provide and improve the CityPirate service
• To show you nearby places and personalized recommendations
• To display social features (activity feed, friend saves, tips from people you follow)
• To send push notifications about relevant activity
• To verify check-in locations
• To prevent abuse and enforce our Terms of Service

4. Data Retention

• Account data (email, name, profile photo): retained while your account is active.
• User-generated content (tips, photos, check-ins): retained while your account is active. Upon account deletion, this content is anonymized (your name and profile are removed) but may remain on the platform to benefit the community, as described in our Terms of Service.
• Usage analytics: retained for 12 months, then deleted.
• Push notification tokens: deleted when you disable notifications or delete your account.
• Deleted accounts: after you request deletion, your personal data is retained for a 90-day grace period (during which you can cancel). After 90 days, personal data (email, name, profile) is permanently deleted. Anonymized content may remain.

5. Information Sharing

We do not sell your personal information. We share information only in these cases:

• With other users: your profile, tips, photos, and check-ins are visible to other users according to your visibility settings. You control who can see your saves and check-ins.
• Service providers: we use third-party services to operate CityPirate (see Section 8). These providers process your data on our behalf under Data Processing Agreements.
• Legal requirements: we may disclose information if required by applicable law or in response to valid legal process.

6. International Data Transfers

Your data is primarily stored on servers in the European Union (AWS eu-central-1, Frankfurt). However, some of our third-party service providers may process data in the United States:

• Auth0 (Okta): authentication — transfers covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
• Firebase Cloud Messaging (Google): push notifications — transfers covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.

We ensure that all international transfers have appropriate safeguards in place as required by GDPR Chapter V.

7. Data Storage and Security

We use HTTPS encryption for all data in transit and follow industry-standard security practices for data at rest. Access to production systems is restricted and authenticated.

8. Third-Party Services

CityPirate uses the following third-party services:

• Auth0 (Okta): authentication and account management — privacy policy
• Amazon Web Services: server hosting and image storage (S3/CloudFront, EU region) — privacy policy
• Firebase Cloud Messaging (Google): push notifications — privacy policy
• Mapbox: map display — privacy policy

We do not use any advertising networks, third-party analytics services, or cross-app tracking SDKs.

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete personal data.
• Right to erasure: request deletion of your personal data. You can delete your account from within the app (Settings).
• Right to restrict processing: request that we limit how we use your data.
• Right to data portability: request your data in a structured, machine-readable format. You can export your data from within the app (Settings).
• Right to object: object to processing based on legitimate interest (e.g., analytics).
• Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. You can withdraw consent by revoking permissions in your device settings or by contacting us.

To exercise any of these rights, contact us at privacy@citypirate.app. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

10. Age Requirement

CityPirate is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will promptly delete the associated account and data.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes through the app or via email. The "Last updated" date at the top of this page indicates when the policy was last revised.