Privacy Policy
Effective Date: March 16, 2026
This Privacy Policy describes how Gatherly Ltd ("Gatherly," "we," "us," or "our") collects, uses, discloses, and protects your personal data. This policy is designed to comply with global standards, including the General Data Protection Regulation (GDPR) and relevant U.S. State Privacy Laws.
1. Data Controller and Contact
- Entity: Gatherly Ltd
- Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
- Email: [email protected]
2. Categories of Data We Collect
We process the following data to provide our matching and dinner group services:
- Identity & Profile Data: Name, gender, date of birth (to verify you are 18+), biography, occupation, nationality, and profile photo.
- Contact Data: Phone number (verified via SMS) and optional email address.
- Special Category / Sensitive Data: Dietary restrictions (which may reveal health or religious data) and personality profiles derived from assessments.
- Location Data: Precise GPS coordinates and your chosen "Max Distance" radius.
- Preference & Interest Data: Cuisine, alcohol, and smoking preferences; dinner length; available dates; and questionnaire responses.
- Technical Data: IP address, device type, app version, time zone, and system logs.
- Match & Event Data: Match history, dinner dates, restaurant details, and cancellation status.
3. Legal Bases for Processing
Where applicable (e.g., EEA/UK), we rely on the following legal bases:
- Contractual Necessity (Art. 6(1)(b)): To create your account, manage your queue status, and facilitate dinner groups.
- Explicit Consent (Art. 9(2)(a)): For processing Special Category Data (dietary needs and personality profiles) and accessing device-level permissions (Location/Camera).
- Legitimate Interest (Art. 6(1)(f)): For service security, fraud prevention, calculating queue fairness, and improving internal operations.
- Legal Obligation (Art. 6(1)(c)): To comply with tax, safety, or law enforcement requirements.
4. The Matching Algorithm & Automated Decision-Making
As required by Art. 22 of the GDPR, we disclose the logic behind our automated matching:
- Distance Calculation: We use the Haversine formula to ensure matches are within (≤) the distance limits set by all participants.
- Personality Cohesion: We use Cosine Similarity to compare personality vectors. For a group of 5, we calculate the similarity of every pair. The "weakest link" (lowest score) must be ≥ 0.75 for immediate matching.
- Soft Deferral: If cohesion is below 0.75, a "soft hold" is triggered for up to 24 hours to wait for better candidates before matching with the best available group.
- Fairness & Atomic Finalization: If candidates are identical, the longest wait time is prioritized. Transitions from LOCKED to MATCHED occur in one atomic database step to prevent duplicate records.
5. Data Sharing & Recipients
We do not sell your personal data. We share it only with:
- Other Users: Once matched, your photo, first name, and dietary preferences are shared with your 4 group members.
- Technical Processors: Hosting providers (e.g., AWS/Google Cloud), SMS verification services, and mapping providers (using geographic masking to protect your exact home address).
- Professional Advisers: Insurers, auditors, or legal counsel where necessary.
- Law Enforcement: Only if required by a binding legal order.
6. International Transfers
We ensure a level of protection essentially equivalent to the GDPR when transferring data outside the EEA/UK through:
- Adequacy Decisions by the European Commission.
- Standard Contractual Clauses (SCCs) and relevant supplemental measures.
7. Your Rights
Depending on your location, you may have the following rights:
- Access & Portability: Request a copy of your data in a machine-readable format.
- Rectification & Erasure: Correct inaccurate data or request the "Right to be Forgotten."
- Object to Automated Processing: Request a human review of your matching status.
- Withdraw Consent: At any time for optional data or device permissions.
- Lodge a Complaint: With your local Data Protection Authority (DPA).
To exercise these rights, email [email protected].
8. Data Retention
- Active Accounts: Data is kept while your account is active.
- Inactivity: Accounts inactive for 24 months are automatically anonymized or deleted.
- Match Records: Transactional records are kept for 3 years for safety and dispute resolution.
- Short-term Data: SMS codes expire after 10 minutes; technical caches are cleared within 48 hours.
9. Security Measures
We implement state-of-the-art technical measures:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Atomic Locking: Ensures data integrity during group formation.
- Access Control: Strict "need-to-know" internal access for administrative reviews.
10. Children's Privacy
Gatherly is strictly for individuals aged 18 and older. If we discover we have collected data from a minor, we will delete it immediately and terminate the account.
11. Changes to this Policy
Material changes will be notified via in-app alerts. Your continued use of the app after the effective date constitutes acknowledgment of the updated policy.
Questions about this policy?