Privacy Policy

Last updated: November 17, 2025

1. Introduction

Welcome to ACTIVA ("we", "us" or "our"), a service offered by By Wolff. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store and protect your personal information when you use our service.

2. Information We Collect

2.1 Account Information

When you register via Google Sign-In, we collect:

• Unique user ID (UID) - For identification within our system
• Email address - For communication, account management, and B2B notifications
• Display name - For personalization of your experience (editable by user)
• Profile photo URL - For visual identification in the app
• Account type - Free, B2B (Business), Admin1 or Admin2 status
• Language preference - Selected interface language for personalized email communication
• Creation date and last login - For account management and statistics

2.2 Usage Data & Saved Content

We collect information about how you use the application and what content you save:

• Saved items - POIs and events you bookmark, including item name, category, date saved, and event times for auto-expiration
• Events Explorer usage - Active event category filters and time-based filter selections
• View mode preference - Toggle between Explore (map view) and Events (calendar view)
• Filter preferences - Selected categories and display settings
• Theme preference - Light or dark mode setting

Privacy Note on Saved Items: Your saved POIs and events are completely private and only accessible to you. They are NOT visible to other users, venue owners, or admins.

2.3 B2B Account Specific Data

For users with a Business (B2B) account, we collect additional information:

• B2B request data:
  • First name and last name
  • Company name
  • Chosen venue/location (linked POI ID)
  • Request status (pending, approved, rejected)
  • Request date
• Venue management data:
  • Linked venue information (name, primary category, optional secondary category, location)
  • Venue content modified by B2B user (description, phone number, opening hours)
  • Uploaded photos (maximum 4 photos per venue)
  • Last update timestamp

2.4 Event Creation Data (B2B & Admin)

B2B and Admin users who create events:

• Event metadata:
  • Event name, description (multi-language via auto-translation) and category
  • Start and end time (stored in UTC, displayed in Curaçao time America/Curacao)
  • Location data (coordinates and address)
  • Access information (free or paid)
  • Linked venue (if applicable)
  • Creator ID (for audit trail)
  • Recurring event data (optional) - Recurrence pattern, frequency, and optional end date
  • Promoted event flag (optional) - For featured events in calendar view

How recurring events work: Recurring events use real-time calculation to determine the next occurrence based on the current date/time in Curaçao timezone.

2.5 Location Data (Optional)

ACTIVA uses your device's location ONLY with your explicit permission. We request location access to provide enhanced map functionality:

• Real-time GPS location - Your current latitude and longitude coordinates
• Location accuracy - Accuracy radius in meters (for visual display)
• Continuous tracking - Live position updates while using the app (can be disabled)

How we use your location:

• Display "You are here" marker on the map (blue pulsing dot)
• Auto-zoom to your location when in Curaçao (zoom level 15)
• Stay zoomed out if outside Curaçao (zoom level 10)
• Update marker position as you move (live tracking for locals)
• We NEVER store your location history
• We NEVER share your location with third parties
• We NEVER track you when the app is closed

Location Permission Details:

• When requested: Automatically on first app load (browser prompt)
• Your choice: Allow, Deny or Ask Later (completely optional)
• If denied: App works perfectly without location - starts zoomed out on Curaçao
• Precision: High accuracy GPS (enableHighAccuracy: true) for best results
• Update frequency: Maximum every 1 second (battery-friendly)
• Auto-stop: Location tracking stops when you close the browser tab

Technical Implementation:

• Browser Geolocation API (navigator.geolocation)
• No Google Location Services or third-party tracking
• Curaçao boundary detection (client-side calculation)
• Automatic marker cleanup when leaving Curaçao

2.6 Technical Data & Analytics

• Browser type and version - For compatibility and responsive design optimization
• Device information - For user experience optimization (desktop vs mobile)
• Screen resolution - For responsive design optimization
• Interaction data:
  • Opened venue/event details
  • Used filters and categories
  • Map zoom level and navigation
  • Click and scroll behavior (anonymous, for UX improvement)

2.7 Admin Specific Data

For admin accounts we collect:

• Scan logs - POI update activities for audit trail
• POI changes - Modified venue information and location updates
• Bot activities - AI research findings and event discoveries
• B2B request reviews - Approvals, rejections, assigned venues

3. How We Use Your Information

3.1 Service Delivery & Core Functionality

• Delivering and maintaining the ACTIVA map interface and all features
• Dual view modes - Toggle between Explore (map view) and Events (calendar view) for different browsing experiences
• Personalizing your experience based on preferences and saved items
• Synchronizing your saved spots and events between sessions and devices
• Displaying relevant activities, venues and events on the map
• Live location tracking - Showing your current position on the map with "You are here" marker (only if permission granted)
• Smart map initialization - Auto-zoom to your location if in Curaçao (zoom 15), or stay zoomed out if outside/no permission (zoom 10)
• Location-based features - Nearby venue suggestions, distance calculation (future feature, opt-in)
• Real-time calculation of opening hours and "open/closed" status (based on Curaçao timezone UTC-4)
• Clustering of map markers for better performance and overview
• Automatic dark mode activation between 18:30-06:30 (Curaçao time)

3.2 B2B Service Delivery

For Business accounts, we use data to:

• Show venue dashboards with management tools for linked locations
• Process updates to venue information (description, opening hours, photos)
• Provide event creation and management functionality
• Process B2B requests and assign venues to businesses
• Automated email notifications - Send confirmation emails upon B2B registration and acceptance emails when requests are approved, in your preferred language

3.3 Event Management & Discovery

• Display events on the map with real-time status indicators (ongoing, upcoming, recurring)
• Events Explorer (calendar view) - Calendar interface with event filtering by category and time, search functionality, and event statistics
• Recurring events - Real-time calculation for repeating events
• Saved Items modal - View saved POIs and events with filtering and navigation
• Automatically remove events after end date plus retention period
• Use AI bots to discover new events in Curaçao from online sources
• Maintain event blacklist to prevent repeated invalid findings
• Auto-translation of event descriptions to multiple languages

3.4 Communication

• Email notifications (B2B) - Automated emails for B2B account registration confirmation and request approvals, sent in user's selected language (Dutch, English, Papiamento, Spanish)
• Service updates and important announcements
• Responding to support requests and inquiries
• Marketing communications (only with explicit consent, opt-in required)

Email Service Details:

• Emails are sent from a verified sender address
• You can opt-out of non-essential emails via your account settings
• B2B notification emails (registration, approval) cannot be disabled as they are essential for account functionality
• All emails are HTML-formatted with responsive design for mobile devices

3.5 Service Improvement & Optimization

• Analyzing usage patterns to improve the app (anonymous where possible)
• Identifying and resolving technical issues and crashes
• Developing new features based on user behavior
• Performance optimization (viewport-based rendering, debounced handlers, performance mode)
• A/B testing of new UI elements and features (anonymous)

3.6 Admin & Moderation Purposes

• POI data scanning and updates via Google Places API
• Manual venue editing and location corrections (drag-to-move functionality)
• Bot management and monitoring (Research Bot, Party Bot)
• B2B request review and venue assignment
• Content moderation and quality control
• Fraud prevention and abuse detection

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is securely stored in Google Cloud infrastructure:

• Firebase Firestore - Google Cloud Platform (Europe region) for all database data
• Firebase Authentication - For secure Google OAuth authentication
• Firebase Storage - For venue photo uploads (B2B accounts)
• Firebase App Hosting - For Next.js backend hosting

4.2 Data Retention & Automatic Cleanup

• User accounts - Retained as long as account is active
• Saved spots/events - Retained until user manually deletes or closes account
• Events - Automatically deleted after end date plus retention period
• B2B venue data - Permanently retained, linked to venue (not user)
• Scan logs - Retained for audit purposes
• Bot findings - Retained then archived according to data lifecycle policy

4.3 Security Measures

• Firebase Security Rules - Strict read/write permissions per collection
• API Key security - Endpoint authentication and domain restrictions
• Encryption:
  • Data in transit: TLS encryption
  • Data at rest: Google Cloud encryption
• Authentication:
  • Google OAuth 2.0 for user authentication
  • Firebase Auth tokens with expiration
  • Server-side session validation
• Access control:
  • Role-based access (Free, B2B, Admin levels)
  • Elevated permissions for server-side operations only
• Email security:
  • Secure SMTP connection with TLS encryption
  • HTML escaping to prevent XSS attacks in email content
  • Rate limiting to prevent email spam abuse
  • Server-side credential storage (never exposed to client)
• Monitoring & Auditing:
  • Activity logging with timestamp tracking
  • POI update tracking
  • Performance monitoring for anomaly detection
  • Email delivery logging for troubleshooting

4.4 Backups & Disaster Recovery

• Automatic daily database backups (Google Cloud managed)
• Point-in-time recovery capabilities
• Storage redundancy with multi-region replication
• Auto-scaling infrastructure for high availability

5. Data Sharing

5.1 We NEVER Share Your Personal Data with Third Parties for Marketing Purposes

5.2 Data Sharing with Service Providers

We share minimal data with the following trusted third-party services for technical functionality:

• Google Maps Platform:
  • Map display and interaction (anonymous)
  • Google Places API for POI data (admin scans only, no user data)
  • Geocoding API for address conversion
  • Advanced Markers for pin rendering
• Firebase/Google Cloud:
  • Hosting and database storage (Google Cloud Europe)
  • Authentication services (Google OAuth)
  • File storage for venue photos
  • Backend hosting infrastructure
• Email Service Provider:
  • SMTP email delivery for B2B notifications
  • Only recipient email address and name are shared
  • No email content is stored by third parties
  • Secure encrypted connection for all email transmissions
• Wise (Business Accounts):
  • Business verification for international payment compliance
  • Data shared: Company name, email address, business registration number
  • Purpose: KYC/AML compliance required for Stripe Connect in Curaçao
  • Wise acts as data processor under GDPR Art. 28
  • Privacy Policy: https://wise.com/privacy-policy
• Stripe (Payment Processing):
  • Payment processing for ACTIVA Gold account holders
  • Data shared: Email address, Stripe account ID, business information
  • Purpose: Facilitate payments between customers and venue owners
  • ACTIVA does NOT store payment card details (Stripe handles all payment data)
  • Stripe is PCI-DSS Level 1 certified for payment security
  • Privacy Policy: https://stripe.com/privacy

5.3 Legally Required Data Sharing

We may share your data with:

• Law enforcement agencies - Only if legally required via court order
• Government agencies - For mandatory reporting according to Curaçao legislation
• Legal proceedings - If necessary for lawsuits or legal claims

We will inform you of such requests unless legally prohibited.

5.4 Public Information

The following data is publicly visible on the map for all users:

• Venue names, addresses and categories
• Opening hours of venues (if available)
• Event details (name, location, time, description)
• Venue photos (uploaded by B2B accounts)
• Ratings (if available)

Your personal saved spots, events and notes are ALWAYS private and only visible to you.

5.5 Aggregated & Anonymous Data

We may share anonymized, aggregated data for:

• Statistics about popular venues and events in Curaçao
• General usage trends (without personal identification)
• Research on tourism and nightlife behavior (academic or commercial)

This data can never be traced back to individual users.

6. Your Rights

Under the GDPR (General Data Protection Regulation) and Curaçao privacy legislation, you have the following rights:

6.1 Right of Access (Art. 15 GDPR)

You can request what data we have stored about you. We will provide a complete overview within 30 days, including:

• Your account information and profile data
• All saved spots and events with timestamps
• Personal notes linked to items
• B2B venue data (if applicable)
• Scan logs and admin actions (for admin accounts)

6.2 Right to Rectification (Art. 16 GDPR)

You can modify your account data at any time:

• Via the app: My Portal → Settings → Edit Profile
• Change display name: Directly in the app (save button appears on change)
• Venue information (B2B): Via the Venues Dashboard (/venues route)
• Other data: Contact us via info@bywolff.dev

6.3 Right to Erasure - "Right to be Forgotten" (Art. 17 GDPR)

You can request complete deletion of your account and data:

• Via the app: My Portal → Settings → Delete Account
• Via email: info@bywolff.dev with your account email

What will be deleted:

• Account profile (name, email, photo)
• All saved spots and events
• Personal notes
• Preferences and settings
• B2B request (if pending)

What remains stored (if applicable):

• Venue data uploaded by B2B accounts (public content, linked to venue not account)
• Events created by B2B/Admin (public events remain visible, anonymized creator)
• Anonymized activity logs (for audit trail, no personally identifiable information)

6.4 Right to Data Portability (Art. 20 GDPR)

You can request your data in a structured, machine-readable format:

• Format: JSON export of your complete user data
• Content: Account info, saved spots/events, notes, preferences
• Request: info@bywolff.dev
• Delivery time: Within 14 days

6.5 Right to Object (Art. 21 GDPR)

You can object to processing of your data for:

• Marketing - Opt-out via settings or email footer links
• Analytics - Request exclusion via info@bywolff.dev
• Profiling - We do not perform automated decision-making

6.6 Right to Restriction of Processing (Art. 18 GDPR)

You can request temporary restriction of data processing during:

• Investigation into data accuracy
• Objection procedures
• Legal proceedings

6.7 Account Type Changes

• Free → B2B: Submit request via Login Modal → Business Account → Fill request form
• B2B → Free (downgrade): Contact info@bywolff.dev (venue link will be removed)
• Admin rights: Only assigned by Admin2 accounts (not publicly requestable)

7. Cookies and Tracking

7.1 Essential Cookies (Functional - Always Active)

We only use essential cookies that are necessary for the service to function:

• Firebase Authentication cookies:
  • __session - Firebase Auth session token
  • Purpose: To keep you logged in between sessions
  • Retention: Until logout or 30 days of inactivity
• Preference cookies (localStorage):
  • activa_theme - Light/dark mode preference
  • activa_filter - Last used category filter
  • activa_show_open_only - "Open venues only" toggle status
  • Retention: Permanent (until manual browser cache clearing)
• Map state cookies (sessionStorage):
  • map_center - Last map position (lat/lng)
  • map_zoom - Last zoom level
  • Retention: Session (cleared when closing browser tab)

7.2 Analytics & Tracking

We do NOT use third-party analytics like Google Analytics, Facebook Pixel, or other trackers.

All analytics are:

• Internal (self-hosted)
• Anonymized (no individual user tracking)
• Aggregated (only totals, no individual patterns)
• Privacy-first (no cross-site tracking)

We only track:

• Total number of visitors (daily/monthly)
• Most popular venues and events (anonymous)
• Used category filters (anonymous)
• System performance metrics (anonymous)

7.3 Social Media & External Embeds

ACTIVA does NOT use social media tracking pixels or third-party embeds:

• No Facebook/Instagram embeds
• No Twitter/X trackers
• No YouTube embeds (unless explicitly opened by user)
• Only Google Maps embed (essential for functionality)

7.4 Cookie Management

You can manage cookies via your browser settings:

• Clear all cookies: Browser settings → Privacy → Clear cookies
• Block cookies: Note - essential cookies are needed for login functionality
• Block third-party cookies: Recommended (ACTIVA only uses first-party cookies)

When blocking essential cookies, the following features will not work:

• Login and account management
• Saving spots and events
• Theme and filter preferences

8. Children

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and you discover that your child has provided us with personal data, please contact us.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of changes by posting the new privacy policy on this page and updating the "last updated" date.

Significant changes will be announced via:

• Email notification to your registered email address
• A prominent notice in the application

10. Data Retention

We retain your data according to the following schedules:

Active Accounts

• User profile - Retained as long as your account is active
• Saved spots/events - Retained until manual deletion by user
• Preferences - Permanent (until cache clearing)
• Login history - Last 12 months

After Account Deletion

• Immediately (within 24 hours):
  • Personal account data (name, email, photo)
  • Saved spots and events
  • Personal notes
  • Preferences and settings
  • B2B request (if pending)
• Within 30 days:
  • Backups containing your data will be overwritten
  • Firebase Auth tokens will be revoked
  • Cache will be cleared
• Remains stored (anonymized):
  • Venue content (B2B uploads, linked to venue not account)
  • Public events (creator info will be removed)
  • Aggregated analytics (no personal identification)
  • Scan logs (user ID will be anonymized after 90 days)

Inactive Accounts

• After 24 months of inactivity:
  • We will send a warning email (30 days before deletion)
  • After no response: automatic account deletion according to above schedule
• B2B accounts exception:
  • B2B accounts with active venues remain stored
  • Warning at 12 months of inactivity
  • Venue remains public, account can be deactivated

Specific Data Retention

• Events - 7 days after end date (automatic cleanup)
• Bot findings - 6 months, then archived or deleted
• Scan logs - 12 months for audit trail
• B2B requests (rejected) - 3 months for statistics
• Venue photos - Permanent (linked to venue, not account)

Legal Obligation

In some cases, we are legally required to retain data longer:

• Tax administration - 7 years (for B2B transactions if applicable)
• Fraud prevention - Up to 5 years after incident
• Legal proceedings - Until completion of proceedings + 1 year

11. International Data Transfers

ACTIVA is a Curaçao-based service, but uses Google Cloud infrastructure for hosting. Your data may be transferred outside Curaçao:

11.1 Primary Data Location

• Firebase Firestore - Europe multi-region (eur3):
  • Primary location: Belgium and Netherlands datacenters
  • Backup location: Finland datacenter
  • Complies with EU GDPR requirements
• Firebase Storage - Europe multi-region
• Cloud Run backend - europe-west1 (Belgium)

11.2 Google Cloud Appropriate Safeguards

• EU Standard Contractual Clauses (SCCs) - Google Cloud complies with EU SCCs for international data transfers
• ISO 27001, 27017, 27018 certification - Recognized information security standards
• SOC 2/3 compliance - Regular third-party audits
• EU-US Data Privacy Framework - Google is a certified participant

11.3 Third-Party Services Outside EU

• Google Maps API:
  • Map tiles may be delivered via US/Asia servers (CDN)
  • Only anonymous map data, no user identification
  • Complies with Google's Privacy Shield certification

11.4 Data Residency Commitments

We commit to:

• ✅ Personal data remains within EU datacenters (Firebase Europe region)
• ✅ No data storage in countries without adequate protection level
• ✅ Transparency about all data transfers
• ⚠️ CDN caching may temporarily place data outside EU (max 24 hours, anonymous)

11.5 Your Rights Regarding International Transfers

You have the right to:

• Object to transfers outside EU/Curaçao
• Request a copy of the SCCs (available via privacy email)
• Get insight into what data is stored where

12. Contact

Privacy Officer

For complex privacy issues or escalation of requests, you can directly contact our Privacy Officer via info@bywolff.dev with subject "Privacy Officer - [your question]".

Submitting a Request

When submitting a privacy request, always include:

• Your account email address (as used during registration)
• Type of request (access, rectification, deletion, etc.)
• Specification of requested data (if applicable)
• Communication preference (email or phone)

We may ask for additional identification to secure your account.

13. Complaints

If you are not satisfied with how we handle your data, you have the right to file a complaint with the supervisory authority:

Complaints Procedure at By Wolff:

1. Submit complaint via info@bywolff.dev
2. We confirm receipt within 72 hours
3. Internal investigation (max 14 days)
4. Written response with proposed solution
5. If not satisfied: escalation to Privacy Officer
6. If still not satisfied: right to complaint with Data Protection Authority

14. AI & Automated Processing

14.1 Research Bot & Party Bot

ACTIVA uses AI-powered bots for content discovery in Curaçao:

• Research Bot:
  • Purpose: Finding new venues, restaurants and activities
  • Method: Web scraping of public sources, social media monitoring (anonymous)
  • Data storage: Findings stored in bots/researchbot/findings collection
  • Verification: All findings are manually verified by admins before publication
• Party Bot:
  • Purpose: Event discovery for nightlife, festivals and parties
  • Method: Facebook Events API, Instagram scraping (public posts), website monitoring
  • Data storage: Event findings in bots/partybot/findings
  • Blacklist: Rejected events stored to prevent duplicates

14.2 Bot Data Processing

Important safeguards:

• Bots do NOT process personal user data of ACTIVA users
• Only public data from external sources (websites, social media)
• Findings contain no personally identifiable information
• Automatic filtering of privacy-sensitive content
• Bot findings may contain public social media posts (source always mentioned)

14.3 No Automated Decision-Making

We do NOT use AI for automated decisions that have legal consequences or significantly affect you:

• No automatic B2B request approval/rejection
• No AI-based account suspensions
• No personalized pricing based on profiling
• All moderation decisions are made by human admins

14.4 Right to Human Intervention

For all automated processes, you have the right to:

• Explanation of how a decision was made
• Object to automated processing
• Human review of your request

15. Specific Functionalities & Privacy

15.1 Drag-to-Move (Admin Feature)

Admin accounts can adjust venue locations via drag-to-move:

• Changes are logged with admin user ID and timestamp
• Old and new coordinates are stored (audit trail)
• Changes are visible to all users (public data)

15.2 Real-Time Opening Hours

Opening hours are calculated in real-time based on:

• Venue data from Firestore (stored opening hours structure)
• Current time in Curaçao timezone (America/Curacao, UTC-4)
• No tracking of when you view opening hours

15.3 Performance Optimization

For better app performance, we use:

• Viewport-based rendering - Only markers in visible area are loaded
• Category cycling - At low zoom, categories are rotated (to prevent overload)
• Debounced handlers - Map events are delayed to reduce server load
• Caching - Venue data is cached in browser (max 24 hours)

These optimizations do NOT collect tracking data - only technical performance metrics (anonymous).

15.4 Photo Uploads (B2B)

B2B accounts can upload venue photos:

• Maximum limit: 4 photos per venue
• Storage: Firebase Storage
• Metadata: Upload date, file size, uploader ID (for audit trail)
• Privacy: Photos are publicly visible after upload
• Rights: By uploading, you declare you have legal rights to the photo and permission to publish it
• Deletion: B2B users can delete their own uploads via dashboard
• EXIF data stripping: GPS coordinates and camera metadata are automatically removed for privacy protection

15.5 Event Creation (B2B & Admin)

Events created via ACTIVA:

• Are publicly shared on the map
• Contain creator user ID (for admin audit, not publicly visible)
• Are automatically deleted 7 days after end date
• Upon account deletion: events remain, creator info is anonymized

15.6 Live Location Feature

How the live location feature works and protects your privacy:

• Client-side only:
  • Your location is processed entirely in your browser
  • No API calls to our servers containing your coordinates
  • No database storage of location data
  • No logs or analytics tracking your movements
• Permission flow:
  • Browser prompt on first app load: "Allow korsou.org to access your location?"
  • Options: Allow, Block, or Ask Later
  • Permission can be revoked anytime via browser settings
  • No repeated prompts if denied
• Location processing:
  • Geolocation API request with timeout
  • If granted: Location boundary check (client-side calculation)
  • If in Curaçao: map centers at your position with appropriate zoom
  • If outside: map stays at default center with lower zoom
  • Blue "You are here" marker rendered only if in Curaçao
• Continuous tracking (optional):
  • Only active if initial permission granted AND you're in Curaçao
  • Position API updates at regular intervals
  • Marker moves as you walk/drive
  • Automatic cleanup when tab is closed or you leave Curaçao
  • Battery-efficient implementation
• Privacy guarantees:
  • No location history stored anywhere
  • No server-side logging of coordinates
  • No sharing with third-party services
  • No background tracking when app is not open
  • No cross-device location synchronization
  • Complete transparency: source code is auditable
• Technical safeguards:
  • Boundary check prevents accidental tracking outside service area
  • Marker auto-removes if you cross boundary
  • Proper cleanup prevents memory leaks
  • High accuracy GPS for best user experience

How to disable live location:

1. Chrome/Edge: Click padlock icon → Site settings → Location → Block
2. Safari: Preferences → Websites → Location → korsou.org → Deny
3. Firefox: Address bar icon → Permissions → Location → Block
4. Mobile: System settings → Apps → Browser → Permissions → Location → Deny for korsou.org

After blocking, refresh the page - the app will start zoomed out on Curaçao without your location marker.

16. Changes to This Policy

16.1 Version History

• v3.4 - November 7, 2025 - Added B2B email notification system (registration confirmation, approval notifications), enhanced security measures (email HTML escaping, rate limiting, secure SMTP), added language preference collection for personalized emails, updated third-party data sharing with email service provider details
• v3.3 - November 5, 2025 - Added comprehensive documentation for: Events Explorer with calendar view, recurring events system, promoted events feature, Saved Items modal with auto-expiration, view mode toggle (Explore/Events), corrected photo upload limit to 4, multi-language event auto-translation
• v3.2 - November 4, 2025 - Updated with AI data accuracy disclaimers, venue owner responsibility clarifications, removed non-essential technical details, removed emojis for professional tone
• v3.1 - October 27, 2025 - Added live location feature with privacy-first implementation (client-side only, no storage)
• v3.0 - October 27, 2025 - Comprehensive update with all new functionalities (B2B features, AI bots, venue dashboards, event management)
• v2.0 - October 21, 2025 - Initial comprehensive privacy policy
• v1.0 - May 2025 - First version at launch

16.2 Notification of Changes

We may update this privacy policy from time to time to reflect new features, legal requirements or security improvements.

For significant changes, we will send you a notification via:

• Email notification to your registered email address (at least 14 days before effective date)
• Prominent notice in the application at next login
• Push notification (if you have enabled these)
• Announcement on homepage and in app footer

What are "significant changes"?

• New categories of collected data
• Changes in purpose of data processing
• Sharing data with new third parties
• Extension of retention periods
• Changes to your rights
• New international data transfers

For minor changes (non-material):

• Update of "Last updated" date at top of this document
• No separate notification, but you can always consult version history
• Examples: typo corrections, clarifications, contact details updates

16.3 Opt-Out for Changes

If you do not agree with significant changes:

• You have 30 days to object or delete your account
• During this period, the old policy remains in effect for your account
• After 30 days, the new policy automatically takes effect
• Account deletion during opt-out period is free and without consequences

16.4 Archive of Old Policies

All previous versions of this privacy policy are available upon request via info@bywolff.dev. We retain old versions for at least 7 years (legal obligation).

17. Minors

17.1 Age Limit

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

17.2 Parental Supervision

If you are a parent or guardian and you discover that your child has provided us with personal data:

• Contact us immediately via info@bywolff.dev
• Mention "MINOR - [child name] - [date of birth]" in subject
• We will delete all data within 24 hours
• The account will be permanently blocked to prevent re-registration

17.3 Verification for B2B Requests

B2B accounts require adult age (18+):

• Age is verified during request based on company data
• Chamber of Commerce registration required (companies cannot be established by minors)
• In case of doubt, we may ask for ID verification

17.4 Content Suitable for All Ages

Although the app is 16+, we ensure content remains appropriate:

• Nightlife events are tagged with 18+ indication
• Alcohol-related content is filtered when necessary
• User-generated content is moderated

18. Updates & New Features

18.1 Beta Features & Privacy

We sometimes test new features in beta form:

• Opt-in only - Beta features are always optional
• Separate consent - Extra permission required if new data is collected
• Transparency - Clear explanation of what data beta features collect
• Opt-out - You can always disable beta features without consequences

18.2 Future Features in Development

Features that may come in the future (not active, informational):

• B2B Analytics Dashboard - Venue statistics (views, saves, clicks) - anonymously aggregated
• User reviews - Optional venue reviews - public but anonymous possible
• Social sharing - Share spots with friends - opt-in, no automatic post
• Push notifications - Event reminders - opt-in, with granular control

These features will only be activated after updating this privacy policy with specific details.

19. Privacy by Design

19.1 Our Privacy Principles

ACTIVA is built according to "Privacy by Design" principles:

• Data minimization - We only collect what is necessary
• Default privacy - Most privacy-friendly settings are default
• Transparency - Clear communication about data use
• User control - You have control over your data
• Security first - Security is built-in, not added
• End-to-end respect - Privacy in every phase of development

19.2 Concrete Examples

• Saved spots are default private, not public
• Location permission is opt-in, not default on
• Account deletion is 1-click, not a complex process
• Marketing emails are opt-in, not opt-out
• Data export is free, no cost for your own data
• Third-party tracking is not present, no hidden trackers

19.3 Privacy Audits

We regularly conduct privacy audits:

• Quarterly review - Internal privacy assessment
• Annual audit - Third-party security & privacy audit (from 2026)
• Code reviews - Every new feature is screened for privacy risks
• Data mapping - We track where all data is stored and why

20. Final Note

This privacy policy is drafted in English as the international standard. A Dutch version may be available upon request.

Last full review: November 4, 2025
Next scheduled review: February 4, 2026 (quarterly cycle)