Privacy Policy
GotBack (“we”, “our”, “us”) is a community platform that helps people recover what they’ve lost. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service at gotback.world and the GotBack app.
1. Who We Are (Data Controller)
GotBack is currently operated by an individual sole trader based in the United Kingdom, who is the data controller responsible for your personal data under the UK GDPR and (where applicable) the EU GDPR. The Terms of Service set out the rest of our identifying information; our registered business details and postal address are available on request.
To contact us about this policy or your data, email support@gotback.world.
2. Information We Collect
Account information
When you create an account via our authentication provider (Logto), we receive your name, email address, and profile picture. If you choose to add a phone number, we store it for future verification flows (such as messaging via WhatsApp); it is not used today and is never shown publicly.
Reports
When you report something lost or found, we collect a description, category (item or pet), the photos you upload, and the date and approximate location of the loss or find. Photos may include metadata embedded by your device — see “Photo metadata” below.
Photo metadata
Photos uploaded to GotBack may include EXIF metadata such as GPS coordinates, capture time, camera model, and orientation. We currently do not strip this metadata, because location information embedded in photos can help with accurate matching. If you do not want this metadata to be uploaded, remove it on your device before uploading (most phones offer a “remove location data” option in the share sheet).
Location data
We collect location information you provide when creating reports. We may also detect your approximate location to compute the distance between you and a post; where possible this is calculated locally on your device unless you choose to share an exact location. The exact location of a post is rounded before it is shown to other users.
Messages
We store messages you send to other users through our in-app messaging system to facilitate recovery. System messages (for example, escrow status updates) may be added to a conversation automatically. We do not read your messages routinely; we may access them in narrow circumstances for safety, fraud, or legal-compliance reasons (see section 7).
Payment & reward information
If you offer a reward or subscribe to Pro, our payment processor (Stripe) collects your card details, billing address, and the limited information they need to process the payment. GotBack never sees or stores card numbers; we only receive metadata such as the last four digits, brand, and expiry. If you receive payouts as a finder, Stripe Connect collects identity-verification (KYC) information and bank-account details — this is governed by Stripe’s privacy policy, not ours.
Subscription consent records
When you subscribe to Pro and tick the box to waive the 14-day digital-services withdrawal right, we record the exact text shown to you, the timestamp, your IP address, and your browser’s User-Agent string. This is the audit trail required by the UK Consumer Contracts Regulations 2013 and the EU Consumer Rights Directive.
Push-notification subscriptions
If you opt in to push notifications, your browser or device generates a push-subscription token (a URL plus encryption keys) and shares it with us. We send notifications through your operating-system push provider (Apple, Google, or Mozilla). The notification payload is encrypted between us and your device.
Embeddings and matching data
To suggest matches between lost and found posts, we generate vector representations (“embeddings”) of post content. Embeddings are stored on our self-hosted vector database and are not used to identify you directly.
Usage & device data
We automatically collect information about how you interact with the service, such as pages visited, features used, browser type, device model, IP address, and approximate region. With your consent, we may also record interaction sessions (see section 8 and the Cookie Policy).
3. Why We Collect This Data & the Lawful Basis
We process your personal data on the following lawful bases (UK GDPR / EU GDPR Article 6):
- Performance of a contract (Art. 6(1)(b)) — to operate your account, host your posts and messages, match lost with found posts, handle reward holds and payouts, deliver transactional emails and notifications, process subscriptions, and provide support.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent fraud and abuse, debug and improve the service using aggregated and pseudonymous data, defend legal claims, and send occasional non-marketing product announcements to existing users (which you can opt out of at any time via the one-click unsubscribe link in every email).
- Consent (Art. 6(1)(a)) — for analytics cookies and session replay, push notifications, and any future optional features that ask for it. You may withdraw consent at any time without affecting processing that already took place.
- Legal obligation (Art. 6(1)(c)) — to retain tax, accounting, and anti-fraud records, respond to lawful requests from authorities, and comply with the EU Digital Services Act and UK consumer-protection law.
4. How We Use Your Information
- Matching: We compare lost and found reports based on descriptions, categories, photos, and locations. This includes generating embeddings for semantic search and sending photos and text to a third-party AI provider for description enhancement (see section 5).
- Communication: We enable messaging between users to facilitate recovery and send transactional notifications about matches, claims, payment status, and account activity. We may also include occasional product announcements in our transactional emails; every email contains a one-click unsubscribe link.
- Payments & payouts: We use your information to process subscription payments, hold reward funds, release them to finders, and reconcile platform fees.
- Service improvement: We use aggregated and pseudonymous usage data to improve our matching, performance, and the user experience.
- Safety & fraud prevention: We use account, device, and usage information to detect and prevent fraudulent or abusive activity, both on GotBack and in connection with payments.
- Legal compliance: We use your information to comply with applicable laws, respond to lawful requests, and enforce our Terms.
5. AI Processing and Automated Decision-Making
GotBack uses third-party AI services to improve the experience:
- Description enhancement (Fireworks AI). When you create a post, the photo and any text you provide are sent to a vision model operated by Fireworks AI to suggest a clearer description. Their contract with us prohibits training on your inputs.
- Embeddings and similarity search. We generate embeddings of post content and store them on our self-hosted vector database to surface possible matches.
These features produce suggestions, not decisions. A human (you or another user) reviews and acts on every suggested match or AI-generated description. We do not make decisions about you that have legal or similarly significant effects through fully automated means within the meaning of Article 22 UK GDPR / EU GDPR.
We do not use your User Content to train our own models, and our contracts prohibit our AI providers from using your inputs to train their general models.
6. Who We Share Information With
Visible to other users
Your display name, profile picture, post descriptions, uploaded photos, and the approximate location of a post are visible to other users on the platform. The exact location of a post is rounded before being shown publicly.
Never shared publicly
Your email address, phone number, exact device location, payment details, push tokens, and private messages are never shared publicly or with other users unless you choose to share them directly.
Service providers (sub-processors)
We rely on the following third-party services to operate GotBack. They process personal data on our behalf under data-processing agreements. The current list is published at gotback.world/subprocessors/; key providers are:
- Logto — authentication and account management
- Stripe — subscription billing, reward funds, and finder payouts via Stripe Connect (including KYC)
- Resend — transactional email delivery
- PostHog — product analytics and session replay (opt-in via the cookie banner)
- Fireworks AI — AI-assisted description generation (see section 5)
- Cloudflare — CDN, DNS, TLS, and DDoS protection
- Hostinger — application hosting and database storage (data centre: Manchester, United Kingdom)
Uploaded photos are stored on our self-hosted object storage running on Hostinger and served via signed URLs. We do not sell your personal data, and we do not share it with advertisers.
Legal disclosures
We may disclose personal data where required to comply with a valid legal request, to enforce our Terms, to investigate fraud or abuse, or to protect the rights, property, or safety of GotBack, our users, or the public.
7. Access to Messages and User Content
We do not routinely read private messages between users. Limited personnel may access them where strictly necessary to: investigate a report of abuse or fraud; respond to a lawful request from a court or regulator; debug a technical problem you have reported; or defend a legal claim. Access is logged.
8. Cookies, Analytics, and Session Replay
We use a small number of cookies and similar technologies (such as localStorage) to keep you signed in, remember preferences, and — with your consent — measure how the service is used and record interaction sessions to improve the app. Analytics events and session replays are pseudonymous and are configured to mask sensitive content (card details, message bodies, and the like) where technically possible. For the full list and how to manage your choices, see our Cookie Policy.
9. International Transfers
Most of your data is stored in the United Kingdom (our hosting provider’s Manchester data centre). Some of our service providers (Logto, Stripe, PostHog, Resend, Fireworks AI, Cloudflare) may process your data outside the UK, including in the European Economic Area and the United States. Where such transfers occur, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement / Addendum, together with any additional safeguards the provider offers (such as the EU–US Data Privacy Framework, where applicable).
10. Data Retention
- Account data, posts, and messages are retained while your account is active.
- Deleting your account via Settings > Danger Zone permanently removes your posts, profile, messages, embeddings, and personal data within 30 days, subject to the carve-outs below.
- Payment, escrow, payout, and tax records (including subscription-consent records) are retained for at least six (6) years from the end of the relevant accounting period, in line with UK tax and accounting requirements. Stripe retains its own records under its policies.
- Fraud, safety, and abuse records may be retained for as long as we have a legitimate interest in keeping them, typically up to two (2) years after the matter is resolved.
- Backups are retained for a short rolling window for disaster-recovery purposes; deletion requests propagate to backups within that window.
- Pseudonymous analytics data (PostHog) is retained according to our PostHog project retention setting and is not used to identify you after deletion.
11. Your Rights
Depending on your jurisdiction, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your data and account
- Export your data in a portable, machine-readable format
- Object to or restrict certain processing, including processing based on legitimate interests
- Withdraw consent at any time (for example, by changing your cookie choice, turning off push notifications, or unsubscribing from non-essential emails)
- Lodge a complaint with your local data-protection authority (in the UK, the Information Commissioner’s Office)
To delete your account and all associated data, go to Settings > Danger Zone. For other rights, contact us at support@gotback.world. We aim to respond within one month, as required by the UK GDPR; for complex or numerous requests we may extend by a further two months and will tell you why.
12. Children’s Privacy
GotBack is not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
13. Security
We use industry-standard measures to protect your data: TLS for data in transit, encryption at rest for our application database and object storage, role-based access for our staff, and isolated authentication via Logto. No system is completely secure, but we take security incidents seriously and will notify affected users and the relevant data-protection authority where required by law.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the “Last updated” date, and (for changes that affect your existing rights) by asking you to acknowledge the new policy when you next use the service. Your continued use of the service after non-material changes are posted constitutes your acceptance of the updated policy.
15. Contact Us
For privacy questions or data-protection requests: support@gotback.world
For legal notices and takedowns: legal@gotback.world