← Back

Privacy & data

Last updated 2026-05-06

G Spot is a small app for rating Guinness across the UK and Ireland. We try to hold as little of your data as we can get away with, and to tell you exactly what we do hold. This page is the plain-English version of that — written to also satisfy the UK GDPR and the Data Protection Act 2018.

Who runs G Spot

G Spot is run by Josh Yeeles as a personal project. The data controller for the purposes of UK GDPR is Josh Yeeles. You can contact us at yeelesjosh@gmail.com for any data-related question, including to exercise the rights described below.

What we collect

When you use G Spot, the following data ends up in our systems:

Account

Your email address (from Apple sign-in or magic-link sign-in), a username and display name you choose, an avatar URL if you provide one, and your account creation timestamp.

Check-ins

The pubs you rate, your numerical ratings (overall, head, pour, taste), any note you write, any photo you upload, and the timestamp. Photos are stored in Supabase Storage in a folder keyed to your user ID.

Friendships

Connections between your account and other G Spot users that one of you has accepted.

Push subscriptions (optional)

If you turn on push notifications, your browser issues an endpoint URL plus encryption keys to your push provider (Apple, Google, or Mozilla). We store those plus your last-known approximate latitude/longitude and your notification radius. These rows are not linked to your account — they're keyed only by the browser-issued endpoint.

Pub suggestions (optional)

If you submit a correction to a pub's data, we store the suggested change, an optional note, and any name you typed in. These are visible only to admins.

Technical logs

Our hosts (Vercel for the app, Supabase for the database) record IP addresses, request paths, and timestamps for security and debugging. We don't combine these with your account data.

We do not collect: your real name, home address, phone number, payment details, precise GPS history, or anything from third-party trackers. There are no third-party advertising or analytics scripts on G Spot.

Why we collect it (lawful basis)

Most of the data above is processed under the “performance of a contract” lawful basis — we need it to deliver the service you signed up for. Your check-ins, friendships, and account fall under this.

Push notifications and your approximate location for notifications are processed only with your explicit consent (the browser permission prompt), and you can withdraw that consent any time by disabling notifications in your browser or in the app.

Technical logs are processed under our legitimate interest in keeping the service secure and operating correctly.

Where your data lives

The database, your photos, and authentication records sit in Supabase, which runs on Amazon Web Services. The web app itself is hosted on Vercel. Both providers encrypt data at rest with AES-256 and require TLS 1.2 or higher in transit; G Spot only ever talks to them over HTTPS.

Depending on the Supabase region, your data may be processed inside the European Economic Area or in the United States. Where data leaves the UK, it is transferred under Standard Contractual Clauses or an equivalent safeguard recognised by the UK Information Commissioner's Office.

Who we share it with

We don't sell or rent your data. The only third parties that see it are the providers we depend on to run the service:

Supabase

Hosts the database, authentication, and photo storage.

Vercel

Hosts the web application and edge network.

Apple

If you choose to sign in with Apple, Apple shares your email (or a relay address) with us. We don't share anything back.

Apple / Google / Mozilla push services

If you enable notifications, the messages we send are routed by the push service tied to your browser. The push service sees the message metadata but not your account identity.

How long we keep your data, and how it's disposed of

For so long as your account exists, we keep it. We do not run automatic time-based deletion on active accounts because the point of G Spot is to let you build up a long-running record of your pints.

When you delete your account from Settings → Danger Zone, the following happens immediately, in this order:

  • Every photo you uploaded is permanently removed from Supabase Storage.
  • Every check-in you logged is deleted from the database.
  • Every friendship row that names you (in either direction) is deleted.
  • Your profile row is deleted.
  • Your authentication record is deleted, so you can't sign back in with the same email without creating a new account from scratch.
  • Your browser session is signed out.

Supabase keeps point-in-time backups of the database for disaster recovery. Deleted rows persist in those backups until they roll off, which on our current plan takes up to seven days. We do not access backups except to restore from a real incident, and we cannot retrieve a single deleted user from a backup on request.

Server logs at Vercel and Supabase that may contain your IP address are retained for up to 30 days for security and debugging, then rotated out automatically.

Push subscription rows that fail to deliver (e.g. you uninstalled the app, or revoked permission) are removed automatically the next time we try to send to them.

If you would prefer that we delete your account on your behalf rather than self-serving, email yeelesjosh@gmail.com from the address on the account and we'll do it within 30 days, as required by UK GDPR Article 17.

Your rights

Under UK GDPR you have the right to:

  • Access a copy of the personal data we hold on you.
  • Correctdata that's wrong (most of yours you can edit yourself in Settings — for anything else, email us).
  • Delete your data — covered by the self-service flow above, or by emailing us.
  • Restrict or object to particular processing.
  • Portability— receive your data in a machine- readable format. Email us and we'll send a JSON export.
  • Withdraw consent for processing that relies on it (e.g. push notifications).
  • Complain to the ICO.If you think we've handled your data badly, you can lodge a complaint with the Information Commissioner's Office at ico.org.uk/make-a-complaint. We'd rather you give us a chance to fix it first, but it's your call.

Cookies and similar tech

G Spot uses two kinds of cookies, both necessary for the app to work — there are no advertising or analytics cookies:

  • Supabase authentication cookies (httpOnly, secure, SameSite) that keep you signed in.
  • An admin session cookie if you're an admin user.

Local browser storage (not strictly cookies) is used to remember your last map position and a few interface preferences. None of that is sent off your device.

Age

G Spot is about Guinness. The legal drinking age in the UK and Ireland is 18. By using G Spot you confirm you are at least 18. We do not knowingly process the data of anyone under 18; if you believe a minor has signed up, please email us so we can investigate and delete the account.

Changes to this policy

We'll update this page when our processing changes. The “Last updated” date at the top is the source of truth. For changes that materially affect how we use your data we'll also notify active accounts in-app or by email before the change takes effect.

Questions? Email yeelesjosh@gmail.com.