Privacy Policy · Version 2026-05-09
We save your data. We don't sell it.
Plain language first. The full legal version follows.
The short version
Youconic is a taste engine. It helps you find places, films, music, and experiences calibrated to your actual taste. To do that, we need to know a few things about you. This page explains exactly what we ask for, why, where it lives, and how to get rid of it.
- We never sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't track you across the web. No third-party analytics, no ad pixels, no fingerprinting.
- You can leave at any timeand your rows go with you. One button. We don't make you write to ask.
- You can connect things granularly — Spotify, calendar, location, Gmail (read-only) — and disconnect each one independently.
- Aggregate, anonymised trends may be licensed to partners as the company grows; your individual data never leaves Youconic in identifiable form.
That is the spirit. The rest of this page is the full legal version we're held to.
1. Who we are
Youconic Ltd("Youconic", "we", "us") is the controller of your personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA").
Registered office: [Registered office address — street, city, postcode, country]. Registration number: [Registration number]. Country of incorporation: United Kingdom.
For any privacy matter, write to privacy@youconic.com. We have not appointed a Data Protection Officer at this time; appointing one is not required for our current scale of processing under GDPR Art. 37, but we will appoint and disclose a DPO if and when our processing activities cross that threshold.
2. What we collect, why, and how long we keep it
The table below lists every category of personal data we collect, why we collect it, the legal basis for processing under GDPR, and how long we keep it. If a category does not appear here, we do not collect it.
| Category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account: name, email, date of birth, account UUID, hashed password. | Account creation, authentication, addressing you correctly, age verification. | Contract (GDPR Art. 6(1)(b)). | Life of account; deleted within 7 days of account closure (35 days from backups). |
| Onboarding answers (the five taste-architecture questions and any free-text anchors). | Provisional Taste DNA at sign-up so the first week of recommendations is plausible. | Contract (GDPR Art. 6(1)(b)). | Life of account. |
| Behavioural events: which recommendations you save, dismiss, visit, return to, ignore; mood taps; brief generations; errors. | Refining your Taste DNA, generating cohort signal, debugging, abuse prevention. | Contract (delivering recommendations) + legitimate interest (debugging and abuse prevention) — GDPR Art. 6(1)(b) and (f). | Life of account; aggregated, anonymised data may persist longer. |
| Approximate location (IP-derived) — required to recommend in your city. | Local recommendations. | Legitimate interest — without the city, the product cannot function. (GDPR Art. 6(1)(f).) | Replaced on each visit; not retained beyond the latest fix. |
| Precise location (browser GPS) — only when you grant browser permission. | Walking-distance recommendations, neighbourhood inference. (Sensitive PI under CPRA — see §10.) | Consent (GDPR Art. 6(1)(a) + Art. 9 by analogy). | Replaced on each fix; never written to backups beyond 24 hours. |
| Spotify connector data: top artists/tracks, recent plays, saved tracks, country, display name, OAuth tokens (encrypted). | Music taste signal feeding Taste DNA and recommendations. | Consent (GDPR Art. 6(1)(a)). | Tokens encrypted at rest, deleted within 24h of disconnect. Raw history purged after 90 days; derived signal kept for life of account. |
| Calendar connector data: event titles, locations, times for next 14 days. | Calendar-aware brief (don't recommend Brooklyn during a Manhattan meeting). | Consent. | Read fresh each brief; derived context cached up to 24h. |
| Gmail connector data: structured bookings extracted from a curated allowlist of senders. | Booking history feeds taste signal; reminders for upcoming events. | Consent. | Until event date + 30 days. |
| Letterboxd export (CSV uploaded by you): film ratings. | Film taste signal. | Consent. | Life of account. |
| Saved venues, ratings, notes, photos uploaded by you. | Personal record; taste signal. | Contract. | Life of account. |
| Inferred Taste DNA (the derived vector itself). | The substrate of every recommendation. | Contract. | Life of account; rebuilt continuously from underlying signal. |
| Server logs: IP address, user-agent, route accessed, timestamp. | Debugging, abuse prevention, security incident response. | Legitimate interest (GDPR Art. 6(1)(f)). | 30 days at our hosting provider. |
| Consent log: which version of which policy you accepted, when, hashed IP, truncated user-agent. | Demonstrating lawful basis for processing (GDPR Art. 7(1)). | Legal obligation + legitimate interest. | 6 years from acceptance. |
When the legal basis is "consent", you can withdraw at any time without affecting earlier processing. When the basis is contract, the processing is needed to deliver the service you signed up for. When the basis is legitimate interest, the interest is the one stated in the table — you can object on grounds relating to your particular situation, and we will weigh your objection against our interest as the law requires.
3. Connectors — third-party accounts you link to Youconic
Youconic improves substantially when you connect external accounts. Each connector is opt-in, granular, and revocable. Below, for each connector, is exactly what we read, what we never write, how long we keep the data, and the legal basis. Disconnecting a connector removes the live access immediately and triggers deletion of any retained raw history within the windows below.
| Connector | What we read | What we write | Retention | Legal basis |
|---|---|---|---|---|
| Spotify user-read-recently-played, user-top-read, user-library-read, user-read-email, user-read-private | Top artists and tracks (short, medium, long term), recently played tracks, saved tracks, country and display name. We do not read playlists you have not saved. | Nothing. We never modify your Spotify account. | OAuth tokens stored encrypted while the connection is active; deleted within 24 hours of disconnect. Listening signals are summarised into your Taste DNA and the raw history is purged after 90 days. | Consent — you explicitly connect Spotify. You can disconnect at any time from /account. |
| Calendar (Google or Apple) calendar.events.readonly | Event titles, locations, start/end times, attendee count for the next 14 days. Used to generate calendar-aware recommendations (e.g. don't recommend Brooklyn dinner during a Manhattan meeting). | Nothing. We never create, modify, or delete calendar events. | Events are read fresh on each brief — we do not store calendar bodies. We retain only the derived context (e.g. 'busy 6-8pm in zip 10003') for 24 hours. | Consent. Required Google API Services User Data Policy 'Limited Use' disclosure: our use of Calendar data adheres to Google's Limited Use requirements; we do not transfer this data, do not use it for ads, do not allow humans to read it (except with your explicit case-by-case consent for support), and do not use it to train ML models. |
| Gmail (read-only) gmail.readonly with restricted-scope verification | Confirmation emails from a curated allowlist of senders only — restaurant reservations (OpenTable, Resy, SevenRooms), event tickets (DICE, RA, AXS, Eventbrite, Ticketmaster), travel bookings. We do not read messages from senders outside that allowlist. | Nothing. We never send, modify, or delete email. | We extract the structured booking (venue, date, time) and discard the message body. Bookings are retained until the event date + 30 days for context. | Consent. Google API Services User Data Policy 'Limited Use' disclosure: our use of Gmail data adheres to Google's Limited Use requirements; we do not transfer this data, do not use it for advertising, no human reads your messages without your explicit per-message agreement (used only for support troubleshooting on request), and we do not use this data to train ML models. |
| Location Browser geolocation API or coarse IP-based fallback. | Latitude / longitude when you grant the browser permission. Otherwise, an approximate city derived from your IP address. | Nothing. | Last known coordinates are stored on your profile so we can recommend places near you when you re-open the app. Replaced on each new fix. | Consent for precise GPS location (treated as 'Sensitive Personal Information' under CPRA — see §10 of the Privacy Policy). Legitimate interest for coarse IP-derived city (recommendations cannot work without knowing the city). |
| Letterboxd (CSV upload) Manual export upload. No live API. | Films you have rated and the ratings themselves, when you upload the CSV. | Nothing. | Stored against your profile until you delete the account or the connector. | Consent — you upload the file yourself. |
Spotify. Our use of data received from the Spotify Web API complies with the Spotify Developer Terms. We do not transfer Spotify data to any third party (including ad networks, ad exchanges, or data brokers), we do not sell it, and we do not use it to train any machine-learning model.
Google APIs (Gmail and Calendar).Youconic's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use this data to develop, improve, or train generalised AI/ML models; we do not transfer it for advertising; humans do not read your messages or events except where you provide explicit, per-message consent for support troubleshooting; and we use it solely to deliver the user-facing features described in §3 above.
4. Automated decision-making and profiling
Youconic is, at its core, a profiling system. We construct an inferred "Taste DNA" for you and use it — together with your explicit context (the city, the hour, the mood you tap, the calendar context if connected) — to choose which three recommendations to show you each day. Under GDPR Art. 22 you have the right to meaningful information about the logic involved.
The logic, in plain terms: we maintain a curated repository of authoritative cultural sources (critics, specialist publications, editorial outlets) per city. For each candidate venue we compute (a) whether at least two independent authoritative sources recommend it, (b) the strength of the match between the venue and your inferred taste vector, and (c) signals from a behavioural cohort of users with similar taste. The model that synthesises these signals into a rank-ordered list is Claude, an AI model provided by Anthropic. The outputs of this process are recommendations only — none of them produce legal or similarly significant effects on you within the meaning of GDPR Art. 22(1).
You may request human review of any specific recommendation, ask us to explain it in greater detail, contest it, or ask us to stop generating personalised recommendations for you (which will reduce the product to a generic editorial feed). Write to privacy@youconic.com.
5. Who else processes your data — sub-processors
We rely on a small number of third-party processors. They process your data on our behalf, only on our documented instructions, under written agreements that comply with GDPR Art. 28. The current list:
| Sub-processor | Purpose | Data types | Region | Their privacy policy |
|---|---|---|---|---|
| Supabase | Authentication, Postgres database hosting, file storage. The primary place your account and behavioural data lives. | Account fields, profile, onboarding answers, saves, ratings, notes, briefs, exemplars, connector tokens (encrypted at rest), event log. | EU (Frankfurt) — region selectable; we use EU. | link |
| Vercel | Hosts and serves the Youconic web app and edge functions. | Request logs (IP, user-agent, route) for up to 30 days. No application data is stored at Vercel. | Global edge — primary region EU/US. | link |
| Anthropic | Claude (the AI model) generates recommendations and answers your questions. We send prompts containing relevant context (your taste signals, the city, the mood, the candidate venues from our curated source library) and receive synthesised text in return. | Prompt content (which may include taste signals and saved-item summaries), model output. Anthropic does not train on data sent through the API. | United States. | link |
| Spotify | When you connect Spotify, we read your listening data (top artists, recent plays, saved tracks) to build your taste signal. We never write to your Spotify account. | Spotify user ID, display name, country, listening history, top artists/tracks, audio features. | Global. Governed by Spotify's own privacy policy. | link |
| Open-Meteo | Looks up the local weather forecast (used to colour daily-brief recommendations — e.g. avoid the rooftop on a rainy night). | Latitude/longitude (no identifier). | Germany. | link |
| OpenStreetMap / Nominatim | Reverse geocodes coordinates into neighbourhood names. | Latitude/longitude (no identifier). | Germany / United Kingdom. | link |
| Foursquare | Looks up venue metadata (address, hours, photos) when we surface a recommendation. | Venue name and city (no user identifier sent). | United States. | link |
| Google (Maps Platform) | Place photos and venue details on recommendation cards. | Venue name (no user identifier sent). | United States. Governed by Google's privacy policy. | link |
We will update this list when we add or change a sub-processor and notify you (typically by email) before the change takes effect, in line with §15.
6. International data transfers
Some of our sub-processors are based outside the United Kingdom and the European Economic Area — most notably Anthropic, in the United States. Where transfers occur, we rely on the European Commission's Standard Contractual Clauses (and the UK Information Commissioner's International Data Transfer Addendum where applicable) as the safeguard required by GDPR Chapter V, supplemented by appropriate technical and organisational measures (including encryption in transit and at rest). Where Anthropic is certified under the EU-US Data Privacy Framework and the UK Extension thereto, we additionally rely on those adequacy decisions.
For users in Japan, where we transfer personal data outside Japan we provide, in line with the amended Act on the Protection of Personal Information (effective April 2026): (i) the country to which data is transferred, (ii) information about the data protection regime of that country, and (iii) the protective measures the recipient implements. The country list mirrors the sub-processor table in §5; details of the protective measures (SCCs, encryption, access controls) are available on request to privacy@youconic.com.
7. Sharing your data
We share personal data only in these specific cases:
- Sub-processors listed in §5, acting on our documented instructions.
- Booking partners you choose to transact with. When you tap "Book" on a recommendation, we hand the booking off to the relevant partner (e.g. OpenTable, Resy, DICE). At that point you are interacting directly with that partner under their privacy policy, not ours.
- Legal compulsion. If a binding court order or equivalent legal process compels us to disclose information, we will, after pushing back where lawful and notifying you unless prohibited from doing so.
- A merger, acquisition, or asset sale of the company. In that event, we will require the acquirer to honour this Privacy Policy at least to the same standard, and notify you at least 30 days before any change.
We do not sell your personal data.We do not "share" your personal data for cross-context behavioural advertising as that term is defined under the CCPA. We have not done so in the preceding 12 months.
Aggregate, de-identified trend data(e.g. "the top 20 venues for users with our taste-cohort X in Tokyo last month") may, in future, be licensed to partners such as cultural publications or hospitality groups. This data is aggregated to a level at which no individual is identifiable, and re-identification is contractually prohibited. If you object to your behaviour contributing to such aggregates, write to privacy@youconic.com.
8. Your rights
You have all of the following rights, regardless of where you live. We honour them globally as a matter of policy. Where the law requires us to act faster than our default 30 days (e.g. CCPA: 45 days, extendable once), we follow the shorter clock.
- Access — a copy of the data we hold on you, in a portable format. (GDPR Arts. 15 & 20; CCPA right to know.)
- Correction — fix inaccuracies. (GDPR Art. 16; CCPA right to correct.)
- Erasure — delete the account and all rows attached to it. (GDPR Art. 17; CCPA right to delete.) Within our infrastructure, deletion is irreversible after a 7-day grace period; backups roll off within 35 days.
- Restriction of processing in disputed cases. (GDPR Art. 18.)
- Objection to processing based on legitimate interests, including objection to profiling. (GDPR Art. 21.)
- Withdrawal of consent at any time, without affecting earlier processing. (GDPR Art. 7(3).)
- Opt-out of sale or sharing for cross-context behavioural advertising (CCPA). We do not sell or share your personal data, but the right is yours nonetheless.
- Limit the use of sensitive personal information beyond what is necessary to provide the service (CPRA). See §10 below for the Notice of Right to Limit.
- Non-discrimination — exercising any right does not change the price or quality of the service.
- Authorised agent — a Californian may designate an authorised agent to make a request on their behalf. We require a written, signed authorisation and reasonable identity verification of both parties.
To exercise any right, you can either use the in-app Data Rights request form, or email privacy@youconic.com. We may need to verify your identity (typically by confirming control of the email on file) before acting.
If you believe we have not handled a request properly, you may complain to the Information Commissioner's Office (ICO) (UK), to your local data-protection authority (EU), to the California Privacy Protection Agency (CPPA) (California), or to the Personal Information Protection Commission (PPC) (Japan). We'd rather you wrote to us first; we read every complaint personally.
9. CCPA / CPRA — categories of personal information collected and shared (California disclosure)
The table below lists the categories of personal information enumerated in California Civil Code §1798.140, indicates which we collect, the sources, and the purposes. We have not sold or shared (as those terms are defined under the CCPA/CPRA) any personal information in the preceding 12 months.
| Cat. | Category | Collected? | Examples / sources / purpose |
|---|---|---|---|
| A | Identifiers | Yes | Examples: Name, email, account UUID, IP address (transient), Spotify user ID. Sources: Directly from you (sign-up); from Spotify when you connect it. Purpose: Account creation, authentication, communications, taste signal. |
| B | Personal information categories listed in the California Customer Records statute | Yes | Examples: Name, email. Sources: Directly from you. Purpose: Account creation and communications. |
| C | Protected classification characteristics | Yes | Examples: Date of birth (used only for age verification). Sources: Directly from you. Purpose: Age gate (Youconic is for adults 18+) and age-appropriate recommendations. |
| D | Commercial information | Yes | Examples: Records of bookings made through Youconic (e.g. reservations confirmed via integrated partners), saved venues. Sources: Generated by your use of the app; from booking partners' confirmations. Purpose: Service delivery, taste signal, booking history. |
| E | Biometric information | No | We do not collect biometric information. |
| F | Internet or other electronic network activity | Yes | Examples: Pages viewed, recommendations saved/dismissed/visited/booked, mood taps, briefs generated, errors encountered. Sources: Generated by your use of the app. Purpose: Service delivery, taste signal, debugging, abuse prevention. |
| G | Geolocation data | Yes | Examples: Approximate city (IP-derived) or precise GPS coordinates if you grant permission. Sources: Browser geolocation when permitted; otherwise IP. Purpose: Local recommendations, travel-aware briefs. |
| H | Sensory data | No | We do not collect audio, visual, or similar sensory data. |
| I | Professional or employment-related information | No | We do not collect professional/employment information. |
| J | Education information | No | We do not collect education information. |
| K | Inferences | Yes | Examples: Your Taste DNA — a derived vector of cultural affinities (cuisine, design, music, mood) inferred from your behaviour. Sources: Inferred by Youconic from the data above. Purpose: Personalised recommendations and serendipity discovery. |
| L | Sensitive personal information (CPRA) | Yes | Examples: Precise GPS geolocation (only when you grant browser permission). The contents of mail and email if you connect Gmail (read only, allowlist-restricted). Sources: Browser geolocation; Gmail connector when authorised. Purpose: Local recommendations and structured booking extraction. Used only as necessary to provide the service requested. We do not use sensitive PI to infer characteristics. |
10. Notice of Right to Limit Use of Sensitive Personal Information (California)
California residents have the right under CPRA to limit our use of their Sensitive Personal Information to what is reasonably necessary to provide the service.
We collect the following Sensitive Personal Information, all only with your consent and only for the purposes stated:
- Precise geolocation — when you grant browser geolocation permission. Used solely to recommend places near where you are. Not retained beyond the latest fix.
- Contents of mail — only if you connect Gmail. Read only against an allowlist of booking-confirmation senders; we extract the structured booking and discard the message body.
We do not use Sensitive Personal Information to infer characteristics about you. To limit our use, disconnect the relevant connector at /account, or email privacy@youconic.com.
11. Security
We protect your data with measures including: TLS in transit, encryption at rest in our Postgres database, hashed passwords (Supabase, Argon2), encrypted OAuth tokens, role-restricted database access, row-level security on every table containing personal data, audit logging on admin actions, and least-privilege access controls for our small operations team. We do not write credentials to logs and we rotate sub-processor keys on a regular schedule.
No system is unbreakable. If we discover a breach affecting your personal data, we will notify the relevant supervisory authorities within 72 hours where required by GDPR Art. 33, and we will notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34).
12. Retention
The retention period for each category of data is in the table in §2. In summary:
- Account & profile — kept for the life of the account, deleted within 7 days of account deletion (35 days from backups).
- Behavioural events (saves, dismissals, visits) — retained for the life of the account; aggregated, anonymised cohort data retained beyond.
- Connector raw history (e.g. raw Spotify plays, raw calendar reads) — purged on a rolling 90-day window.
- Server logs at our hosting provider (Vercel) — auto-pruned after 30 days.
- Consent log and DSAR audit trail — retained for as long as necessary to demonstrate compliance, typically 6 years from the date of acceptance / fulfilment.
13. Children
Youconic is intended for adults aged 18 or older. We do not knowingly collect personal data from anyone under 18 and do not direct the service at children. If we discover that a user is under 18, we will close the account and delete their data. If you believe a child has provided us with personal data, write to privacy@youconic.com and we will act promptly. (US Children's Online Privacy Protection Act / GDPR Art. 8.)
14. Cookies and similar technologies
We use cookies sparingly. We do not use third-party advertising cookies, fingerprinting libraries, or session-replay tools. The full list of cookies and their purposes is on the Cookie Policy.
15. Changes to this policy
When we change this policy, we bump the version number at the top of the page. If the change is material — meaning it expands the purposes for which we use your data, adds a sub-processor in a new jurisdiction, or reduces your rights in any way — we will email everyone with an account at least 30 days before the change takes effect. We do not slip changes through.
The current version is 2026-05-09. A list of past versions is available on request to privacy@youconic.com.
16. Governing law
This policy is governed by the laws of England and Wales, without prejudice to the mandatory rights of consumers in their country of residence.
Privacy Policy · Version 2026-05-09 · Contact privacy@youconic.com