Privacy Policy
Contents
- Introduction
- Who Is the Controller of Your Data
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing (EU/EEA/UK Users)
- Third-Party Services
- Data Storage and Security
- International Data Transfers
- Account Deletion and Data Anonymisation
- Local Storage on Your Device
- Gamification Data
- Usernames
- Data Retention
- Your Privacy Rights (General)
- Children’s Privacy
- Changes to This Policy
- Contact Us
- Regional Privacy Addenda
Introduction
Wee Inc Ltd, a company registered in Scotland at 7 Queens Gardens, Aberdeen, AB15 4YD, United Kingdom, trading as Close to the Door (“we”, “our”, or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (“Close to the Door” or the “App”). The App is available globally, and this policy applies to all users unless a regional addendum below provides specific additional rights.
Please read this Privacy Policy carefully. By using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.
Who Is the Controller of Your Data
Wee Inc Ltd (trading as Close to the Door) is the data controller responsible for your personal information under applicable privacy laws. Contact details are at the bottom of this policy.
Information We Collect
1. Information You Provide
Account Information
- Email address (required for account creation)
- Full name (from OAuth provider or manually entered)
- Profile picture (received from OAuth provider when you sign in with Google or Apple; not currently displayed in the App)
- Username (automatically generated, visible on leaderboard)
User-Generated Content
- Parking space submissions (location, address, accessibility features, notes)
- Edits to existing parking spaces
- Votes on parking space submissions
- Reports of incorrect or inappropriate content
Preferences
- Theme preference (light/dark/system)
- Notification settings
- Accessibility preferences
- Analytics consent choice
Sensitive Information (Optional)
- Disability status (driver / passenger / carer / prefer not to say)
  - This is classified as special category data under EU/UK GDPR Article 9, sensitive personal information under the CPRA, and comparable categories under other privacy laws
  - Collection requires your explicit, affirmative consent during onboarding
  - You may select “Prefer not to say” or update this at any time in Settings
  - This data is stored securely, is never shared with third parties or analytics services, and is used solely to improve accessibility features
2. Information Collected Automatically
Location Data
- Your device’s location when you use the map and navigation features
- Location is used in real time to show nearby spaces and provide turn-by-turn directions
- Location data is not permanently stored on our servers
- Location coordinates are excluded from analytics and error-reporting breadcrumbs
- You may deny location permission; the App continues to function with manual search
Device Information
- Device type and operating system version
- App version
- Unique device identifiers (for crash reporting and pseudonymous analytics; not used for cross-app tracking)
Usage Data (with your consent)
- Features you use within the App
- Screens you visit
- Actions you take (submissions, votes, searches)
- This data is pseudonymised and used only to improve the App
- Disability status is explicitly excluded from analytics tracking
3. Information from Third Parties
OAuth Providers (Google, Apple)
- When you sign in with Google or Apple, we receive your email address, name, and profile picture
- We do not receive or store your password
OpenStreetMap
- We display parking space data from OpenStreetMap
- We do not share your personal data with OpenStreetMap
How We Use Your Information
We use the information we collect to:
- Provide the Service
  - Display nearby accessible parking spaces
  - Process your parking space submissions and edits
  - Show your contribution history
- Improve the App (with your consent)
  - Understand how features are used
  - Identify and fix bugs
  - Develop new features
- Communicate with You
  - Send notifications about your submissions (approved / rejected)
  - Notify you of votes on your contributions
  - Respond to support requests
- Ensure Safety and Security
  - Moderate content submissions
  - Prevent spam and abuse
  - Enforce our Terms of Service
- Comply with Legal Obligations
  - Respond to lawful requests from public authorities
  - Comply with court orders, subpoenas, and applicable laws
  - Exercise or defend legal claims
We do not sell your personal information, and we do not share it with third parties for cross-context behavioural advertising.
Legal Bases for Processing (EU/EEA/UK Users)
Where EU GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the App’s core features | Contractual necessity (Article 6(1)(b)) |
| Improving the App, analytics | Your consent (Article 6(1)(a)) — freely withdrawable |
| Moderation, fraud/abuse prevention, security | Legitimate interests (Article 6(1)(f)) |
| Processing disability status | Your explicit consent (Article 9(2)(a)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Third-Party Services
We use the following third-party services. Each processes limited data under a written data-processing agreement.
Cloudflare (Hosting & Anonymous Performance Monitoring)
- Purpose: Hosts and serves our website; measures how quickly pages load for visitors via Real User Monitoring (RUM).
- Data shared: Standard request metadata (IP address, user agent, referrer) for hosting; anonymous Core Web Vitals and navigation timing for RUM.
- No cookies, no fingerprinting: RUM uses the Beacon API and does not set cookies or identify individual visitors. Measurements cannot be tied back to a specific user.
- Privacy policy: cloudflare.com/privacypolicy
Supabase (Database & Authentication)
- Purpose: Stores your account data, submissions, and preferences
- Data shared: Email, profile information, submissions, votes, reports
- Privacy policy: supabase.com/privacy
PostHog (Analytics) — Optional
- Purpose: Pseudonymous usage analytics to improve the App
- Data shared: Anonymised usage events (screens viewed, features used)
- Excluded data: Disability status and location coordinates are never sent to PostHog. Your user ID is sent so we can attribute pseudonymous events to your account.
- You can opt out: In Settings > Preferences > Anonymous Analytics
- Privacy policy: posthog.com/privacy
Sentry (Error Tracking)
- Purpose: Captures app crashes and errors to help us fix bugs
- Data shared: Error details, device info
- Excluded data: Location coordinates are scrubbed from error breadcrumbs
- Sampling: Only 10% of sessions are sampled in production
- Privacy policy: sentry.io/privacy
Mailchimp (Newsletter & Account Deletion Cascade)
- Purpose: Newsletter delivery if you opt in via our website; account deletion is also cascaded to Mailchimp, so your email is removed from our audience when you delete your account
- Data shared: Email address (only if you opted in to the newsletter)
- Legal basis: Explicit consent collected via double opt-in confirmation when you sign up. For the account-deletion cascade, performance of our legal obligation under GDPR Article 17 (right to erasure)
- You can opt out: Every newsletter contains an unsubscribe link
- Privacy policy: mailchimp.com/legal/privacy
Google Sign-In
- Purpose: Authentication
- Data shared: We receive your email, name, and profile picture
- Privacy policy: policies.google.com/privacy
Apple Sign-In
- Purpose: Authentication
- Data shared: We receive your email (or relay email) and name
- Privacy policy: apple.com/legal/privacy
Google Maps SDK
- Purpose: Display interactive maps
- Data shared: Map viewport coordinates
- Privacy policy: policies.google.com/privacy
Google Places API
- Purpose: Address search and autocomplete
- Data shared: Search queries, place IDs
- Privacy policy: policies.google.com/privacy
Navigation (External Map Apps)
When you tap “Navigate” on a parking space, the App opens your chosen external map app via a deep-link URL containing the destination coordinates. Routing, voice guidance, and your live location are handled entirely by the chosen map app — we do not run our own routing or voice-guidance service.
- Data shared: Destination coordinates only, embedded in the deep-link URL passed to the chosen map app
- Your live location: Determined by the chosen map app from your device, not transferred from us
- Voice guidance: Provided by the chosen map app, not by us
- Supported map apps and their privacy policies:
  - Google Maps: policies.google.com/privacy
  - Apple Maps: apple.com/legal/privacy
  - Waze (a Google subsidiary): waze.com/legal/privacy
Data Storage and Security
- Your data is stored on Supabase infrastructure (AWS data centres) in the regions selected for the App’s primary deployment
- All data transmission is encrypted using HTTPS/TLS 1.2 or higher
- Database access is restricted to authenticated server-side functions (no direct client access)
- We do not sell your personal information to third parties
- Administrative access is protected by multi-factor authentication
- We maintain incident-response procedures and will notify affected users and competent authorities where required by law
No system is perfectly secure. You acknowledge that you share information with us at your own risk.
International Data Transfers
The App is global. Depending on where you are located, your personal data may be transferred to, stored in, and processed in countries other than your own, including the United States, the European Union, the United Kingdom, and other regions where Supabase or our sub-processors operate.
Where required, we rely on the following legal mechanisms to protect your data during international transfers:
- EU Standard Contractual Clauses (2021/914) for transfers out of the EEA
- UK International Data Transfer Addendum to the EU SCCs for transfers out of the UK
- UK-US Data Bridge and the EU-US Data Privacy Framework where the recipient is certified
- Approved Binding Corporate Rules where applicable
We have completed and maintain a Transfer Risk Assessment in respect of each third country to which we transfer personal data, and we review it at least annually and whenever there is a material change (new sub-processor, change of region, or relevant regulatory development).
Account Deletion and Data Anonymisation
When you delete your account (Settings > Preferences > Delete Account):
- Deleted immediately: Your profile, notifications, favourites, achievements, points, leaderboard entries, push tokens, and session history
- Anonymised and retained: Your contributions — including approved parking space submissions, edits, votes, reviews (star ratings and review text), and reports — are anonymised and kept. The link between these contributions and your identity is permanently severed, so the contributions remain in the community database but cannot be traced back to you.
- Anonymised contributions are treated as non-personal data under Recital 26 of the EU/UK GDPR and equivalent provisions of other privacy laws, and they are not subject to future deletion requests because we no longer hold personal data about you in relation to them.
- This approach satisfies the right to erasure under GDPR Article 17 (which is fulfilled when personal data is rendered irreversibly anonymous), the right to delete under the CCPA/CPRA, and comparable rights under other privacy laws, while preserving the integrity of the community accessibility database.
Local Storage on Your Device
We store the following on your device:
- Offline Queue: Actions taken while offline (votes, reports, saves) are queued locally and synced when you reconnect
- Preferences: Your theme, accessibility, and notification settings
- Analytics Consent: Your choice about anonymous analytics
- Cache: Recent search results for faster loading
This data remains on your device and is sent to our servers only when explicitly synced.
Gamification Data
We track your contribution activity to power community features:
- Points: Earned when your parking space submissions are approved
- Trust Level: Automatically calculated based on your approved contributions
- Achievements: Milestones based on your contributions
- Leaderboard: Your username and points may appear on public leaderboards
This data helps recognise active contributors and is visible to other users via the leaderboard. Deleting your account removes this data.
Usernames
- Your username is automatically generated from curated, family-friendly word lists
- You can regenerate your username during onboarding (up to 20 attempts per hour)
- Usernames are designed to be anonymous — custom usernames are not permitted
- Your username appears on the public leaderboard and alongside your contributions
Data Retention
| Data Type | Retention |
|---|---|
| Account data | Until you delete your account |
| Approved submissions | Indefinitely, anonymised after account deletion |
| Analytics data | 30 days, then automatically deleted |
| Error logs | 90 days |
| Legal and compliance records | As required by applicable law |
Your Privacy Rights (General)
Regardless of where you live, you may:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and personal data
- Export your data (data portability)
- Opt out of optional analytics
- Withdraw consent at any time
- Object to processing based on legitimate interests
- Complain to your local data protection authority
To exercise these rights, contact privacy@closetothedoor.com. We respond within 30 days in most jurisdictions (45 days for California residents, with a 45-day extension permitted where reasonably necessary).
We will verify your identity before acting on any request. Making a request does not affect the lawfulness of processing based on your consent before its withdrawal.
Children’s Privacy
The App is not directed at children. We apply the following minimum ages by region, reflecting local law:
| Region | Minimum Age |
|---|---|
| United States (COPPA) | 13 |
| United Kingdom (UK-GDPR / DPA 2018) | 13 |
| European Union (varies by Member State) | 13 to 16 (we default to 16 for EEA users unless your country’s DPA permits a lower age) |
| Canada (PIPEDA) | 13 |
| Australia, New Zealand, rest of world | 13 |
| Brazil (LGPD) | 18, or 13+ with parental consent |
If we learn that we have collected personal data from a user below the applicable minimum age, we will delete it. Parents or guardians who believe their child has provided information to us should contact privacy@closetothedoor.com.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Updating the “Last Updated” date at the top
- Showing an in-app notice for significant changes
- For material changes affecting your rights, we will obtain fresh consent where required by law
Your continued use of the App after changes constitutes acceptance of the new policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Data Protection Contact
Email (privacy queries): privacy@closetothedoor.com
Email (general): hello@closetothedoor.com
Postal: Wee Inc Ltd, 7 Queens Gardens, Aberdeen, AB15 4YD, United Kingdom
Regional Privacy Addenda
The following addenda describe additional rights that apply to users in specific jurisdictions. Where a regional right is broader than the general rights above, the regional right controls.
Addendum A — European Economic Area / United Kingdom (GDPR / UK-GDPR)
If you are located in the EEA or the UK:
- Legal bases are set out above under “Legal Bases for Processing”.
- Special-category data (disability status): processed only with your explicit consent under Article 9(2)(a). You may withdraw consent at any time in Settings. Withdrawal will not affect the lawfulness of processing before withdrawal.
- Data Protection Contact: For privacy queries, email privacy@closetothedoor.com. We have not appointed a statutory Data Protection Officer; our processing does not currently meet the mandatory-DPO thresholds in Article 37.
- Supervisory Authority: You have the right to lodge a complaint with your national supervisory authority — in the UK, the Information Commissioner’s Office (ico.org.uk); in Ireland, the Data Protection Commission (dataprotection.ie); in other EEA states, your local DPA. A full list is at edpb.europa.eu/about-edpb/about-edpb/members_en.
- International transfers: refer to the “International Data Transfers” section above.
- Automated decision-making: We do not engage in automated decision-making that produces legal or similarly significant effects.
Addendum B — California (CCPA / CPRA)
If you are a California resident:
- Categories of personal information we collect: Identifiers (email, username, device identifier); Customer records; Internet or network activity (usage analytics); Geolocation data (precise, only while you use map features); Inferences (trust level, gamification); Sensitive personal information (disability status, where you choose to provide it).
- Sources: Directly from you; OAuth providers; automatically from your device.
- Business purposes: Providing the Service; maintaining and improving the App; fraud prevention; legal compliance.
- Disclosure to third parties: We disclose personal information to service providers (Supabase, PostHog, Sentry, Google, Apple) under written contracts that prohibit use of the data for their own purposes.
- Sales and sharing: We do not “sell” personal information and do not “share” it for cross-context behavioural advertising as those terms are defined under the CPRA.
- Your rights under the CCPA/CPRA:
  - Right to Know / Access
  - Right to Delete
  - Right to Correct
  - Right to Opt Out of Sale or Sharing (not applicable — we do neither)
  - Right to Limit Use of Sensitive Personal Information (we already limit disability status to App functionality)
  - Right to Portability
  - Right to Non-Discrimination for exercising your rights
- How to exercise: Email privacy@closetothedoor.com. You may designate an authorised agent. We will verify identity using information already on file.
- Retention: refer to the “Data Retention” section above.
- Minors: We do not knowingly sell or share personal information of consumers under 16.
- Metrics: A summary of consumer requests received in the previous calendar year is available on request.
Addendum C — Other US State Privacy Laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Montana, Oregon, Delaware, Iowa, Tennessee, Indiana, New Jersey, New Hampshire, Minnesota, Maryland, or another US state with a comprehensive consumer-privacy law, you have rights substantially similar to the California rights above, including access, deletion, correction, portability, and opt-out of targeted advertising and profiling where applicable.
- We do not engage in targeted advertising or profiling with legal effects.
- To exercise rights, email privacy@closetothedoor.com. We will respond within the time frame required by your state’s law (typically 45 days).
Addendum D — Brazil (LGPD)
If you are located in Brazil (Lei Geral de Proteção de Dados, Law 13.709/2018):
- Legal bases for processing are set out above.
- DPO (Encarregado): For privacy queries, email privacy@closetothedoor.com.
- Your rights under Article 18 include: confirmation and access; correction; anonymisation, blocking, or deletion; portability; information about sharing; revocation of consent; opposition; review of automated decisions.
- Authority: You may complain to the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
Addendum E — Canada (PIPEDA + Quebec Law 25)
If you are located in Canada:
- We collect, use, and disclose personal information in accordance with PIPEDA and, where applicable, Quebec’s Act respecting the protection of personal information in the private sector (Law 25).
- You may access and correct your personal information by contacting privacy@closetothedoor.com.
- You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you are in Quebec, the Commission d’accès à l’information (cai.gouv.qc.ca).
- Quebec users: you have additional rights of portability and the right to be informed of any automated decision-making.
Addendum F — Australia (Privacy Act 1988 / Australian Privacy Principles)
If you are located in Australia:
- We handle your personal information in accordance with the Australian Privacy Principles.
- You may access, correct, or complain by contacting privacy@closetothedoor.com.
- If unsatisfied, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au).
- Cross-border disclosure: your information may be disclosed to overseas recipients (including in the US and EU). Where APP 8.1 applies, we take reasonable steps to ensure the recipient complies with the APPs.
Addendum G — Other Regions
If you are located in a jurisdiction not specifically addressed above (e.g., Japan (APPI), South Korea (PIPA), India (DPDP Act), South Africa (POPIA), New Zealand (Privacy Act 2020), Switzerland (FADP), Turkey (KVKK), UAE (PDPL)), you retain all rights provided under your local law. Email privacy@closetothedoor.com to exercise them.