Privacy Policy

1. Who we are

whatnightout is a nightlife and music event discovery platform operating in the UK. We operate the website at whatnightout.uk and the whatnightout mobile application (together, the “Service”), covering cities across the United Kingdom.

In this policy, “we”, “us”, and “our” refer to whatnightout. “You” and “your” refer to you as a user of the Service.

2. What data we collect

We collect the following categories of personal data:

Account data

When you create an account, we collect your email address, display name, and authentication provider details. You may sign in using Google, Apple, or an email and password. Authentication is handled by Google Firebase, which stores your credentials securely. We receive your email address, display name, and a unique user identifier from Firebase. We do not receive or store your password.

Preferences and activity

When you use the Service, we store your preferences and activity to personalise your experience. This includes your selected city, genre preferences (up to 10), saved events, followed venues, and recently viewed events. This data is associated with your account and stored on our servers. Saved events made before signing in are stored only in your browser’s local storage on this device, until you create an account — at which point they are migrated to your account so you can access them across devices.

User-submitted content

If you submit an event for inclusion on the platform, we collect the event details you provide (name, date, venue, description, genres, ticket link, and price). If you upload an event image, it is stored by Cloudinary, a third-party image hosting service.

Usage and analytics data

We collect anonymised analytics about how the Service is used — pages visited, features used, search queries, filter interactions, and general engagement patterns — so we can understand which areas to improve. If you sign in, this data is associated with your account so we can build personalised recommendations and measure retention. Analytics are processed by PostHog on EU servers in Frankfurt, Germany.

Following the UK Data (Use and Access) Act 2025, this kind of statistical, service-improvement analytics no longer requires your consent on UK websites. We rely on the analytics exemption under PECR for the cookie storage itself, and on legitimate interests (UK GDPR Article 6(1)(f)) for processing your data once you sign in. We do not use analytics for advertising, do not sell or share it with third parties, and you can opt out at any time.

Separately, with your explicit opt-in (via the on-site banner or your profile settings), we collect richer signal — for example detailed interaction recordings used to debug bugs and improve usability. This is off by default and only enabled if you actively choose to help us improve.

Technical data

When you access the Service, our servers automatically collect standard technical data including your IP address, browser type and version, operating system, device type, referring URL, and pages visited. This data is used for security, abuse prevention, and to ensure the Service functions correctly.

Cookies and local storage

The website uses cookies and browser local storage. See Section 6 below for a detailed breakdown of the cookies we use.

3. Legal basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following lawful bases:

• Contract: Processing your account data, preferences, and activity is necessary to provide you with the features of the Service you have signed up for (saved events, follows, personalised recommendations, event submissions).
• Legitimate interest: We process technical data (IP address, browser type) for security, abuse prevention, and to maintain the performance and reliability of the Service. We also process anonymised and identified analytics data to understand usage patterns and improve the platform — this is permitted under the UK Data (Use and Access) Act 2025’s statistical-purposes exemption to PECR, and under UK GDPR Article 6(1)(f). You can object at any time.
• Consent: Richer optional features — for example detailed interaction recordings used to debug usability issues — are only activated when you opt in via the on-site banner or your profile settings. You may withdraw consent at any time without affecting prior processing.

4. How we use your data

We use your data for the following purposes:

• To provide and operate the Service, including displaying events, venues, and search results
• To personalise your experience, showing relevant weekend picks based on your genre preferences, city selection, and activity
• To maintain your saved events, followed venues, and other saved preferences
• To process and display event submissions you make
• To send push notifications about new events at venues you follow (mobile app only, with your permission)
• To understand how the Service is used and to improve it (with your analytics consent)
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

5. Data sharing and third parties

We never sell your personal data. We share data with the following third-party services solely to operate the Service:

• Google Firebase (Google LLC, USA): provides user authentication. Firebase receives your email address, display name, and authentication credentials. Google’s privacy policy applies to data processed by Firebase.
• PostHog (EU, Frankfurt, Germany): provides analytics. Acts as our data processor — PostHog cannot reuse your data for any purpose other than running analytics for whatnightout. Data is processed exclusively on EU servers. We do not feed analytics into advertising or share it with third parties.
• Cloudinary (Cloudinary Ltd): hosts images uploaded with event submissions. Image files are stored on Cloudinary’s servers.
• Vercel (Vercel Inc., USA): hosts our website. Page requests pass through Vercel’s edge infrastructure.
• Render (Render Services Inc., USA): hosts our backend API. Data submitted through the Service is processed and stored on Render’s infrastructure.
• Apple & Google: distribute the mobile app via the App Store and Google Play. Push notifications on the mobile app are delivered via Apple Push Notification Service and Google Firebase Cloud Messaging.

We may also disclose your data if required by law, regulation, or legal process, or to protect the rights, safety, or property of whatnightout, our users, or the public.

6. Cookies and local storage

Our website uses cookies and browser local storage. The mobile app does not use cookies.

Strictly necessary

• Authentication cookies: Set by Firebase to maintain your signed-in session. Without these, you would need to log in on every page visit.
• Admin session: A short-lived cookie used solely on admin tooling, scoped to /admin.

Preferences (appearance exception)

• City preference: Remembers the city you last selected so you land on the right page next visit.
• UI state: Local storage holds your view mode (map/list), recently viewed events, and similar UI choices. This data stays in your browser and is not sent to our servers.

Analytics (statistical-purposes exception)

• PostHog cookies: Used to measure how the site is used and improve it. Under the UK Data (Use and Access) Act 2025, statistical analytics that is not used for advertising is exempt from cookie consent — we rely on that exemption combined with legitimate interests (UK GDPR Article 6(1)(f)). PostHog runs on EU servers (Frankfurt), acts only as our data processor, and we never feed this data into advertising or share it with third parties. You can opt out at any time.

Optional (your opt-in)

• Improvement opt-in: If you accept the on-site banner (or turn on the “Help improve whatnightout” toggle in settings), we record additional detail about your interactions to help us debug usability issues. This is off by default and only enabled when you actively opt in.

You can also manage cookies through your browser settings. Note that blocking strictly necessary cookies may prevent parts of the Service from functioning correctly.

7. Data retention

• Account data: Retained for as long as your account is active. When you delete your account (via profile settings), all personal data (including your email, preferences, saved events, follows, and submissions) is permanently deleted from our servers.
• Analytics data: Anonymised analytics data may be retained for up to 12 months after collection. This data cannot be linked back to you.
• Technical logs: Server logs containing IP addresses and request data are retained for up to 30 days for security and debugging purposes, then automatically deleted.

8. Your rights under UK GDPR

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct any inaccurate or incomplete personal data.
• Right to erasure: You can ask us to delete your personal data. You can also delete your account directly from your profile settings at any time.
• Right to restriction: You can ask us to restrict the processing of your data in certain circumstances.
• Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
• Right to object: You can object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent (the “Help improve whatnightout” opt-in), you can withdraw consent at any time from your profile settings without affecting the lawfulness of prior processing.

To exercise any of these rights, please email privacy@whatnightout.uk. We will respond within one month as required by law. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

9. Children’s privacy

The Service is a nightlife and event discovery platform intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete it promptly. If you believe a child under 18 has provided us with personal data, please contact us at privacy@whatnightout.uk.

10. International data transfers

Some of our third-party service providers process data outside the United Kingdom:

• Google Firebase may process authentication data in the United States. Google provides appropriate safeguards through Standard Contractual Clauses (SCCs) and its data processing terms.
• PostHog processes analytics data exclusively within the EU (Frankfurt, Germany), which is covered by the UK adequacy decision.
• Vercel hosts our website infrastructure on EU-region servers.
• Render hosts our backend API infrastructure on EU-region servers.
• Cloudinary may process uploaded images in various locations. Transfers are covered by Standard Contractual Clauses.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place as required by UK data protection law.

11. Data security

We take reasonable technical and organisational measures to protect your personal data. All data transmitted between your device and our servers is encrypted using TLS (HTTPS). Authentication is handled by Google Firebase, which provides industry-standard security including secure credential storage and token-based authentication. Access to our backend systems and database is restricted to authorised personnel only.

While we take security seriously, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this page indicates when the policy was last revised. For material changes that significantly affect how we process your data, we will make reasonable efforts to notify you, for example via a notice on the website or mobile app. Continued use of the Service after changes constitutes your acknowledgement of the updated policy.

13. Contact us

If you have any questions about this privacy policy or how we handle your data, please contact us:

• Email: privacy@whatnightout.uk
• General enquiries: hello@whatnightout.uk

You can also review our Terms of Use for the rules and conditions governing your use of the Service.