Privacy Policy

Last updated: April 27, 2026

This policy explains what personal data Prizz processes about you, why, on what legal basis, with whom we share it, how long we keep it, and what rights you have. It is written to comply with the EU General Data Protection Regulation (GDPR) and equivalent frameworks.

1. Who is the controller

The data controller is the operator of Prizz, reachable at hello@prizz.io. If you have questions about this policy, want to exercise a right, or want to raise a complaint, that’s the address.

2. What we collect

2.1 Account data

When you register: your email, a hashed password (bcrypt — we never see the plaintext), a display name, your preferred language, and an optional avatar. We generate a random internal user ID (UUID) that is the stable identifier for your account.

2.2 Contributions

Venues, verifications, photos, speed tests, comments, and votes you submit are stored and associated with your account. They are public by design — that’s the point of a community map.

2.3 Verifier coordinates (anti-fraud)

When you verify a venue, we record the geographic coordinates your browser reported at the moment of submission, together with the reported accuracy and the distance to the venue. This is used to (a) prevent users from claiming they are somewhere they are not, and (b) detect physically impossible jumps between consecutive verifications. These coordinates are stored against your account but are visible only to administrators for fraud review; they are not shown publicly. Administrators may grant specific trusted users a permission that allows them to verify a venue without being on-site (for example, partner reviewers); when this permission is in effect, the verification is accepted regardless of distance, but the coordinates are still recorded.

2.4 Search queries

When you search the map, we log the query text, the number of results returned, your locale, whether the search included a location hint, and your user ID if you are signed in. These logs are first-party only — they are never sent to our analytics provider — and are used to identify gaps in venue coverage (queries that returned zero results).

2.5 Email-related tokens

We store short-lived tokens for email confirmation (24h) and password reset (1h). They are deleted as soon as they are used or expire.

2.6 Live geolocation (no storage)

The map and the verification flow ask for your device location at the moment you use them. Your live position is held in your browser only and is sent to our server only as described in section 2.3. We do not maintain a location history or background tracking.

2.7 Analytics events

We capture cookieless usage events through Umami Cloud — see section 4 for details.

2.8 Error reports

If the operator has configured Sentry, anonymized crash reports may be sent there. They do not include your email or password. They may include the URL you were visiting and a stack trace.

3. Why and on what basis

  • Provide the service (account, contributions, photos, search) — Article 6(1)(b) GDPR, performance of a contract.
  • Verifier coordinates and fraud detection — Article 6(1)(f), legitimate interest in keeping the community map honest.
  • Search query logs and product analytics — Article 6(1)(f), legitimate interest in improving the service. You can object (see section 7).
  • Transactional emails (verification, password reset) — Article 6(1)(b) and (f).
  • Security, abuse prevention, audit logs — Article 6(1)(f).

4. Who we share it with

We use a small number of sub-processors. We do not sell personal data, ever.

  • Umami Cloud (umami.is) — cookieless product analytics. Counts unique visitors using a daily-rotating salted hash of your IP and browser, discarded every 24 hours. We send page views and event names like signup, verify_started, add_venue, search, search_no_results. We do not send raw search queries, your email, location, or password. If you are signed in, we associate events with your internal user ID (UUID) so we can see which signed-in features get used. Umami respects the “Do Not Track” browser signal.
  • Sentry (sentry.io) — error monitoring, only if configured by the operator. Receives stack traces and the URL of the broken page. No password, no location.
  • Backblaze B2 — object storage for venue photos. Photos are public.
  • Email delivery (SMTP) — your email address is sent to the configured mail provider so that confirmation and reset messages reach you.
  • Hosting provider — the operator’s server provider, which processes data on our behalf as a sub-processor.
  • Map tiles — your browser fetches map tiles directly from OpenFreeMap. Their server sees your IP address and the tiles you request, the same way it would for any website embedding their tiles.

5. International transfers

Some sub-processors above (notably Sentry and Backblaze) are based in the United States. When data is transferred outside the European Economic Area, we rely on the EU–US Data Privacy Framework where the recipient is certified, or on Standard Contractual Clauses approved by the European Commission. You can contact us for a list of the mechanisms in force.

6. How long we keep it

  • Account data — until you delete your account.
  • Public contributions (venues, verifications, photos, speed tests) — kept indefinitely as part of the community map. When you delete your account they are re-attributed to a generic “Deleted user” and can no longer be linked back to you.
  • Verifier coordinates — kept for the lifetime of the verification record, since they are part of the fraud audit trail. They are not shown publicly.
  • Search queries — raw rows are deleted after 90 days.
  • Email tokens — deleted on use or expiry (24h / 1h).
  • Umami analytics — retained according to Umami Cloud’s policy.
  • Server logs — typically rotated within 30 days.

7. Your rights

Under the GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data. You can edit your profile from Settings.
  • Erasure — delete your account from Settings. This is irreversible. Public contributions are reassigned to a generic record (see section 6).
  • Restriction — ask us to limit processing while a dispute is open.
  • Portability — receive your account data in a structured, machine-readable format. Email us.
  • Object — to processing based on legitimate interest (analytics, search-query logging). Email us and we will exclude your account from these logs going forward and delete past entries.
  • Lodge a complaint with your national supervisory authority (in the EU, your country’s data protection authority).

To exercise any of these rights, email hello@prizz.io. We respond within one month.

8. Cookies and tracking technologies

We use a single cookie/local-storage entry: the NextAuth session cookie required to keep you signed in. Umami Cloud is cookieless. We do not use third-party advertising trackers. We do not run cross-site tracking. There is no cookie banner because the only cookie we set is strictly necessary for the service to function.

9. Children

Prizz is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it.

10. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. The WorkScore algorithm scores venues, not people.

11. Security

Connections are encrypted with TLS. Passwords are hashed with bcrypt. Administrative actions are logged in an internal audit trail. Access to operator infrastructure is restricted to authorized personnel.

12. Changes to this policy

We will update this page when we change how we process data. The “Last updated” date at the top reflects the most recent revision. Material changes (e.g. new sub-processors handling personal data) will be communicated in-app or by email where appropriate.

13. Contact

For any privacy question, request, or complaint: hello@prizz.io.