Account credentials — email address and hashed password — used to authenticate you and provide the service.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: Lifetime of your account + 30-day grace period
Legal
What data gæther processes about you, why, on what lawful basis, and how to exercise your rights.
gæther is operated as a sole proprietorship registered in Switzerland. The data controller for the processing described below is:
We have not designated a Data Protection Officer (Art. 37 GDPR does not require one at our current scale). Direct any data-protection request to the contact above.
This notice describes how we process personal data when you use gaether.app, visit our marketing pages, or correspond with us. It applies to all features and pages under the gaether.app domain. Other domains we link to are governed by their own notices.
These rules predate any specific implementation choice and constrain every decision we make about your data. They are documented in our internal data-protection reference and enforced through automated checks in our codebase.
Sexuality, religion, ethnicity, race, health, disability, neurodivergence, political opinions, trade-union membership, and genetic or biometric data — none of these become columns, enum values, or filter parameters in our system. They may surface only through the free-form tag taxonomy users attach to events and groups; we do not aggregate those tags into inferred categories about individual users.
We enforce an 18+ age floor at signup. Your date of birth is computed against the floor server-side and discarded — only a timestamp indicating that the attestation took place is stored against your account.
For forensic and security logging, identifiers like your IP address, User-Agent, and (in some audit-log contexts) your email address are hashed with a server-side secret before insert. The hashes are non-reversible without that secret. Raw values are dropped at the application boundary.
All primary processing happens in EU jurisdictions — Frankfurt for our database, authentication, and analytics; Paris for transactional email; Tallinn for marketing-site analytics. Sub-processors incorporated outside the EU operate EU infrastructure under Standard Contractual Clauses.
Every consent decision you record is stored with the version of the policy text that was in force at the time, the timestamp, and a hash of your IP and User-Agent. The append-only ledger means we can demonstrate exactly what you agreed to and when.
Article 6(1) of the GDPR requires a documented lawful basis for every processing activity. Ours, by data category:
Account credentials — email address and hashed password — used to authenticate you and provide the service.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: Lifetime of your account + 30-day grace period
An '18+ confirmed at' timestamp on your account, recorded at signup to satisfy the age-floor obligation.
Lawful basis: Legal obligation (Art. 6(1)(c)) · Retention: Lifetime of your account
Your preferred language so we can deliver the interface and emails in it.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: Lifetime of your account
An append-only ledger of identity-relevant events (login, signup, password reset, etc.) for security, fraud detection, and incident investigation. Email, IP, and User-Agent are stored only as salted hashes.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: 2 years
A record of every consent decision you make, with the version of the policy text in force at the time, so we can demonstrate Art. 7(1) compliance.
Lawful basis: Legal obligation (Art. 6(1)(c)) · Retention: 7 years
Outbound transactional email metadata (recipient, message kind, send status) required to operate signup confirmation, password reset, and similar essential flows.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: 90 days
Aggregated product-usage events (page views, feature interactions) we capture to understand how the product is used and what to improve. Only fires after you grant consent in the cookie banner.
Lawful basis: Consent (Art. 6(1)(a)) · Retention: 2 years
Browser exceptions and stack traces from gaether.app so we can identify and fix software defects affecting users. Cookieless and memory-only — no information is stored on your device. IP addresses are suppressed at ingest.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
Aggregate, cookieless page-view counts on our marketing pages, with no per-user identity. Permitted under the ePrivacy Directive's strict-necessity carve-out for aggregate measurement.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
Tags you choose to add to your own profile or to a group. Some tags reveal special-category data under Art. 9 GDPR (for example faith, sexuality, ethnicity, health or neurodivergence). We process these only on your explicit consent (Art. 9(2)(a)), recorded against the policy version in force when you add the tag, and use them to match you to relevant communities. You decide per tag whether it is shown on your public profile — choosing to show it additionally makes it information you have manifestly made public (Art. 9(2)(e)). Removing a tag withdraws consent immediately and deletes the row.
Lawful basis: Consent (Art. 6(1)(a)) · Retention: Lifetime of your account
An optional phone-verification signal — you choose to verify a phone number to raise your account's trust level and join groups that require it. We store a keyed, irreversible hash of the number (never the number itself) so one person can't hold many accounts and to resist ban-evasion. Processed on our legitimate interest in platform safety and abuse prevention (Recital 47); deleting your account removes it and releases the number.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Lifetime of your account
A pseudonymous cookie (`gaether_consent_session_id`) we set before you have an account so your consent choices can be remembered across sessions. Strictly necessary under ePrivacy Art. 5(3).
Lawful basis: Legal obligation (Art. 6(1)(c)) · Retention: 1 year
We engage the following sub-processors. Each operates under a Data Processing Agreement (DPA). Where the entity is incorporated outside the EU but operates EU infrastructure, the transfer is covered by Standard Contractual Clauses (SCCs) under Chapter V of the GDPR.
Frankfurt, Germany (eu-central-1)
Database, authentication, and storage
Hosts our Postgres database, the Supabase Auth identity provider, and binary storage (when used). Holds account credentials, the hashed audit ledger, your consent records, and the transactional-email outbox.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: Lifetime of your account + 30-day grace period
EU edge regions (Frankfurt primary)
Application hosting, edge runtime, scheduled jobs
Serves gaether.app from EU edge regions, runs our scheduled jobs, and aggregates request logs (minimised — no request bodies, IPs hashed). Hosts only the application surface; user-data storage lives at Supabase.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: Per the sub-processor's stated retention
Frankfurt, Germany (EU region)
Error tracking (legitimate interest)
Captures uncaught exceptions and stack traces in Sentry's EU (Frankfurt) region so we can identify and fix software defects affecting users. We send no user identity, suppress IP addresses, disable tracing and session replay, and run a server-side scrubber that removes any personal data from the payload before it leaves us. Cookieless — nothing is stored on your device. You may object to this processing at any time by contacting us using the address above.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
Italy (EU)
Cookie banner and consent UI
Renders the cookie banner you saw on first visit and brokers your per-purpose consent choices. We store the resulting decisions in our own append-only ledger; Iubenda's role is the banner UI and the legal-text infrastructure.
Lawful basis: Legal obligation (Art. 6(1)(c)) · Retention: Per the sub-processor's stated retention
Paris, France
Transactional email delivery
Delivers the essential transactional emails we send you (signup confirmation, password reset, email change, magic-link sign-in, account notifications). Receives the recipient address and the rendered message body.
Lawful basis: Performance of contract (Art. 6(1)(b)) · Retention: 90 days
European Union
Phone-number verification (one-time codes)
When you choose to verify a phone number, we ask Sinch to send you a one-time code and to confirm the code you enter. Sinch operates the verification exchange, so it — not we — holds your raw number, and only for as long as the check takes. We store only a keyed, irreversible hash of the number, never the number itself. Sinch processes in the EU (headquartered in Sweden).
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
Tallinn, Estonia
Marketing-site aggregate analytics
Provides cookieless, aggregate page-view counts on our marketing pages. No per-user identity, no IP storage, no cross-site tracking. Permitted under the ePrivacy Directive's measurement carve-out.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
France (EU)
Venue geocoding (address → map point)
When you search for an event venue, we send your search text to MapTiler to turn it into a map point. We don't send your account identity. The point is then matched to a public administrative area in our own data.
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
Germany (EU)
UI string machine translation
Machine-translates the platform's own interface text (buttons, labels, messages) into your language. In v1 we send only our own UI strings — never your messages, posts, or profile. DeepL processes in the EU (Germany).
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
France (EU)
UI translation review (and fallback translation)
Reviews — and, as a fallback, produces — the machine translation of our interface text, checking it against our glossary and brand voice. Like DeepL, only the platform's own UI strings are sent in v1, never your content. Mistral processes in the EU (France).
Lawful basis: Legitimate interest (Art. 6(1)(f)) · Retention: Per the sub-processor's stated retention
Luxembourg
Public geographic taxonomy (data source)
Maintains the NUTS/LAU geographic taxonomy we use as a reference dataset for region selection within Europe. Eurostat receives no user data from us — we ingest their public open data.
Public data source (not a processor)
United States (public open-data hosting)
Global place data (data source)
Publishes the Overture Maps Divisions dataset under an open licence. We import a snapshot quarterly. Overture receives no user data from us — we read their public open data.
Public data source (not a processor)
All primary processing happens in EU jurisdictions (Frankfurt for our database, Paris for email, Tallinn for marketing analytics, Italy for the cookie banner). Some of our sub-processors are incorporated in the United States but operate EU infrastructure. Where that's the case, transfers between the EU-based processor infrastructure and the US-incorporated parent are covered by Standard Contractual Clauses under each vendor's DPA. The sub-processor list above marks which entries this applies to.
Standard Contractual Clauses are the European Commission's standard-form contract for international data transfers under Chapter V of the GDPR. They impose enforceable data-protection obligations on the non-EU recipient.
We set a small number of cookies ourselves and load a few from the sub-processors above. Only the strictly necessary cookies (authentication session, consent-banner state) are set without consent. We set no analytics cookie — in-house product analytics is consent-gated but introduces no new cookie, and error-tracking is cookieless, so nothing is written to your device for either. The full inventory, including vendor-set cookies, is at our cookie policy.
sb-*
Strictly necessaryMaintains your authenticated session after sign-in. Set by Supabase Auth.
Lifetime: Per session token expiry · Flags: HttpOnly, Secure, SameSite=Lax
gaether_consent_session_id
Strictly necessaryA pseudonymous identifier joining your consent decisions to your browser before you have an account. Strictly necessary for consent management to function.
Lifetime: 1 year · Flags: HttpOnly, Secure, SameSite=Lax
_iub_cs_*
Strictly necessaryStores your cookie-banner preference state so you don't see the banner on every page load.
Lifetime: Per the sub-processor's stated retention · Flags: Per vendor configuration
Under the GDPR you have a number of rights against us as the data controller. To exercise any of them, email hi@gaether.app from the address associated with your account. We will respond within one month (Art. 12(3) GDPR), or tell you why we need an extension. Below is what each right means and how we handle it today; some of these will move from email-based handling to in-product UI in a future release.
Art. 15
Email us asking for a copy of the personal data we hold about you. We will provide a structured export covering your account, your audit-log presence (as hashes), your consent records, and your outbox history.
Art. 16
If any of your personal data is inaccurate, email us with the correction. Profile-editing UI ships in a future release; until then we make the change manually.
Art. 17
Email us to request deletion of your account. We will erase your account credentials, your consent records, the outbox history, and your in-house product-analytics events within 30 days. The hashed audit ledger may be retained for its 2-year forensic window under Art. 17(3)(b) (legal claims / fraud detection); raw identifiers are not present in it.
Art. 18
Email us. We will flag your account as restricted and stop active processing pending resolution.
Art. 20
Email us to request a machine-readable export of your account data. We will provide it in JSON within one month.
Art. 21
For processing based on legitimate interest (error tracking, marketing analytics): the cookie-banner Measurement toggle doubles as the global objection signal — turning it off opts you out. You may also email us at any time to object explicitly; we will scope your account out of the legitimate-interest paths.
Art. 22
We do not make decisions about you based solely on automated processing. There is nothing to opt out of here today; if that changes we will update this notice.
Art. 7(3)
Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. Open the cookie banner from any page (the small consent icon at the bottom-left) to revise your choices.
Art. 77
You can lodge a complaint with the supervisory authority in your country of residence. Two relevant authorities for our processing surface are listed below.
If you believe our processing infringes the GDPR or Swiss data-protection law, you have the right to lodge a complaint with a supervisory authority. EU residents may complain in their member state of residence. The two authorities most directly relevant to our processing surface are:
Most of our personal-data processing happens via EU-based sub-processors operating from Frankfurt.
The data controller is established in Switzerland (Basel); the Swiss FDPIC supervises our processing under the revised Swiss FADP.
For any privacy or data-protection question — exercising a right above, reporting a concern, asking for clarification — email hi@gaether.app. We respond within one month, usually sooner.
We update this notice when our processing surface changes (new sub-processor, changed retention, new feature with privacy implications). When the change materially affects you, we update the version number and the last-updated date at the top, and where the change requires renewed consent under Art. 7(1) we will re-prompt you via the cookie banner. The version + date pair is also stored in our consent ledger so we can demonstrate which version of this notice was in force when you recorded each consent decision.