Privacy Policy

1. Who We Are (Data Controller)

GotBack is currently operated by an individual sole trader based in the United Kingdom, who is the data controller responsible for your personal data under the UK GDPR and (where applicable) the EU GDPR. The Terms of Service set out the rest of our identifying information; our registered business details and postal address are available on request.

To contact us about this policy or your data, email support@gotback.world.

2. Information We Collect

Account information

When you create an account via our authentication provider (Logto), we receive your name, email address, and profile picture. If you choose to add a phone number, we store it for future verification flows (such as messaging via WhatsApp); it is not used today and is never shown publicly.

Reports

When you report something lost or found, we collect a description, category (item or pet), the photos you upload, and the date and approximate location of the loss or find. Photos may include metadata embedded by your device — see “Photo metadata” below.

Photo metadata

Photos uploaded to GotBack may include EXIF metadata such as GPS coordinates, capture time, camera model, and orientation. We currently do not strip this metadata, because location information embedded in photos can help with accurate matching. If you do not want this metadata to be uploaded, remove it on your device before uploading (most phones offer a “remove location data” option in the share sheet).

Location data

We collect location information you provide when creating reports. We may also detect your approximate location to compute the distance between you and a post; where possible this is calculated locally on your device unless you choose to share an exact location. The exact location of a post is rounded before it is shown to other users.

Messages

We store messages you send to other users through our in-app messaging system to facilitate recovery. System messages (for example, escrow status updates) may be added to a conversation automatically. We do not read your messages routinely; we may access them in narrow circumstances for safety, fraud, or legal-compliance reasons (see section 7).

Payment & reward information

If you offer a reward or subscribe to Pro, our payment processor (Stripe) collects your card details, billing address, and the limited information they need to process the payment. GotBack never sees or stores card numbers; we only receive metadata such as the last four digits, brand, and expiry. If you receive payouts as a finder, Stripe Connect collects identity-verification (KYC) information and bank-account details — this is governed by Stripe’s privacy policy, not ours.

Subscription consent records

When you subscribe to Pro and tick the box to waive the 14-day digital-services withdrawal right, we record the exact text shown to you, the timestamp, your IP address, and your browser’s User-Agent string. This is the audit trail required by the UK Consumer Contracts Regulations 2013 and the EU Consumer Rights Directive.

Push-notification subscriptions

If you opt in to push notifications, your browser or device generates a push-subscription token (a URL plus encryption keys) and shares it with us. We send notifications through your operating-system push provider (Apple, Google, or Mozilla). The notification payload is encrypted between us and your device.

Embeddings and matching data

To suggest matches between lost and found posts, we generate vector representations (“embeddings”) of post content. Embeddings are stored on our self-hosted vector database and are not used to identify you directly.

Usage & device data

We automatically collect information about how you interact with the service, such as pages visited, features used, browser type, device model, IP address, and approximate region. With your consent, we may also record interaction sessions (see section 8 and the Cookie Policy).

3. Why We Collect This Data & the Lawful Basis

We process your personal data on the following lawful bases (UK GDPR / EU GDPR Article 6):

4. How We Use Your Information

5. AI Processing and Automated Decision-Making

GotBack uses third-party AI services to improve the experience:

These features produce suggestions, not decisions. A human (you or another user) reviews and acts on every suggested match or AI-generated description. We do not make decisions about you that have legal or similarly significant effects through fully automated means within the meaning of Article 22 UK GDPR / EU GDPR.

We do not use your User Content to train our own models, and our contracts prohibit our AI providers from using your inputs to train their general models.

6. Who We Share Information With

Visible to other users

Your display name, profile picture, post descriptions, uploaded photos, and the approximate location of a post are visible to other users on the platform. The exact location of a post is rounded before being shown publicly.

Never shared publicly

Your email address, phone number, exact device location, payment details, push tokens, and private messages are never shared publicly or with other users unless you choose to share them directly.

Service providers (sub-processors)

We rely on the following third-party services to operate GotBack. They process personal data on our behalf under data-processing agreements. The current list is published at gotback.world/subprocessors/; key providers are:

  • Logto — authentication and account management
  • Stripe — subscription billing, reward funds, and finder payouts via Stripe Connect (including KYC)
  • Resend — transactional email delivery
  • PostHog — product analytics and session replay (opt-in via the cookie banner)
  • Fireworks AI — AI-assisted description generation (see section 5)
  • Cloudflare — CDN, DNS, TLS, and DDoS protection
  • Hostinger — application hosting and database storage (data centre: Manchester, United Kingdom)

Uploaded photos are stored on our self-hosted object storage running on Hostinger and served via signed URLs. We do not sell your personal data, and we do not share it with advertisers.

Legal disclosures

We may disclose personal data where required to comply with a valid legal request, to enforce our Terms, to investigate fraud or abuse, or to protect the rights, property, or safety of GotBack, our users, or the public.

7. Access to Messages and User Content

We do not routinely read private messages between users. Limited personnel may access them where strictly necessary to: investigate a report of abuse or fraud; respond to a lawful request from a court or regulator; debug a technical problem you have reported; or defend a legal claim. Access is logged.

8. Cookies, Analytics, and Session Replay

We use a small number of cookies and similar technologies (such as localStorage) to keep you signed in, remember preferences, and — with your consent — measure how the service is used and record interaction sessions to improve the app. Analytics events and session replays are pseudonymous and are configured to mask sensitive content (card details, message bodies, and the like) where technically possible. For the full list and how to manage your choices, see our Cookie Policy.

9. International Transfers

Most of your data is stored in the United Kingdom (our hosting provider’s Manchester data centre). Some of our service providers (Logto, Stripe, PostHog, Resend, Fireworks AI, Cloudflare) may process your data outside the UK, including in the European Economic Area and the United States. Where such transfers occur, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement / Addendum, together with any additional safeguards the provider offers (such as the EU–US Data Privacy Framework, where applicable).

10. Data Retention

11. Your Rights

Depending on your jurisdiction, you have the right to:

To delete your account and all associated data, go to Settings > Danger Zone. For other rights, contact us at support@gotback.world. We aim to respond within one month, as required by the UK GDPR; for complex or numerous requests we may extend by a further two months and will tell you why.

12. Children’s Privacy

GotBack is not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

13. Security

We use industry-standard measures to protect your data: TLS for data in transit, encryption at rest for our application database and object storage, role-based access for our staff, and isolated authentication via Logto. No system is completely secure, but we take security incidents seriously and will notify affected users and the relevant data-protection authority where required by law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the “Last updated” date, and (for changes that affect your existing rights) by asking you to acknowledge the new policy when you next use the service. Your continued use of the service after non-material changes are posted constitutes your acceptance of the updated policy.

15. Contact Us

For privacy questions or data-protection requests: support@gotback.world

For legal notices and takedowns: legal@gotback.world