Privacy Policy
Effective date: 19 May 2026 · Last updated: 19 May 2026
This Privacy Policy describes how Go.Do AB ("Go.Do", "we", "us", "our") collects, uses, and protects your personal data when you use the Go.Do mobile application (iOS and Android, package nu.godo.app), the Go.Do organiser website at godo-dev.nu, and our backend services (together, the "Service").
Go.Do AB is the data controller for the personal data described in this policy, in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Swedish Data Protection Act (2018:218).
1. Who we are
Go.Do AB
Sweden
Registered address: [TBD — pending counsel]
Organisation number: [TBD — pending counsel]
Contact for privacy matters: privacy@godo.nu
We have appointed a privacy contact who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us at the email above.
2. What data we collect
We collect only the data we need to operate the Service. Specifically:
2.1 Account information
- Email address — required to create an account, log in, and receive essential service emails (password reset, account notices).
- Name — required at registration and displayed in your profile.
- Password (if you registered with email and password) — stored as a salted hash using HMAC-SHA512 with a per-user random salt. We never store passwords in plain text and we never see your password. Accounts created via social login only (Apple or Google) have no password stored at all.
- Role — whether you are a regular user, an event organiser, or an administrator. This determines what features you can access.
2.2 Authentication providers (social login)
If you sign in with Google or Apple, we receive a stable identifier and your email address from that provider. We do not receive your social-network password.
- Google Sign-In via the official Google Identity Services library (mobile:
@react-native-google-signin/google-signin). - Apple Sign in with Apple via
expo-apple-authentication. Apple may return a private relay email; we treat it the same way as a normal email.
2.3 Location data (optional)
With your permission, the mobile app may use your approximate or precise location to find events near you and to show your position on the in-app map. You can grant or deny this permission at any time in your device settings. The Service still works without location access — you simply pick a city manually.
2.4 Calendar access (optional)
With your permission, the mobile app can read and write entries in your device calendar, so you can add an event you are interested in to your own calendar with one tap. We do not transmit your calendar contents to our servers; the read/write happens locally on your device.
2.5 In-app purchases and subscriptions
Premium features (such as Spotlight promotions and Premium subscriptions) are billed through Apple App Store (in-app purchases) or Google Play Billing. Apple and Google process your payment and we never see your card number or full payment details. We receive only:
- A receipt or purchase token that we validate server-side to confirm the purchase.
- The product identifier you purchased (e.g. premium tier).
- Purchase and renewal status, so we can grant or revoke entitlements.
2.6 Authentication tokens stored on your device
After login, we store a short-lived access token (about 5 minutes) and a refresh token in your device's secure storage (iOS Keychain / Android Keystore, via expo-secure-store). These tokens stay on your device and are sent only to our API when you make a request.
2.7 Usage data
We record, in general terms, how the Service is used: which event listings are viewed, which categories and filters are selected, and similar product analytics. We use this to improve the Service. We do not sell this data and we do not use it for cross-app tracking.
3. How we use your data
| Data type | Purpose |
|---|---|
| Email, name, password hash | Create and secure your account; sign you in. |
| Social-login identifier | Sign you in via Apple or Google. |
| Location | Show events near you; sort results by distance. |
| Calendar access | Add events you select to your device calendar. |
| Purchase receipts | Grant access to paid features; handle refunds. |
| Auth tokens | Keep you signed in securely between sessions. |
| Usage data | Improve the Service, fix bugs, prioritise features. |
4. Legal bases (GDPR Article 6)
- Performance of a contract (Art. 6(1)(b)) — to create your account, deliver the Service you signed up for, and process purchases.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Service (e.g. fraud prevention, basic product analytics). We balance this against your rights and freedoms.
- Consent (Art. 6(1)(a)) — for optional features that require your permission, such as location and calendar access. You may withdraw consent at any time, with no effect on the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)) — where we must retain records (for example, accounting records for purchases, under Swedish bookkeeping law).
5. Sharing and third-party processors
We do not sell your personal data. We share data only with the service providers ("processors") we need to run the Service. Each processor handles data on our instructions under a data processing agreement.
| Processor | Purpose | Location |
|---|---|---|
| Apple Inc. | iOS app distribution, Sign in with Apple, App Store in-app purchases. | US / global |
| Google LLC | Google Play distribution, Google Sign-In, Google Maps (event locations), Play Billing. | US / global |
| GleSYS AB | Primary infrastructure host (servers, database, backups). | Sweden (EU) |
| Resend | Transactional email delivery (password reset, account notices). | US / EU |
| Expo / EAS (Expo Inc.) | Mobile build and over-the-air update tooling. No end-user personal data is sent to Expo by the Service. | US |
[TBD — counsel to confirm whether any additional subprocessors are in use (analytics, error tracking, push notifications, etc.).]
6. International transfers
Most of your personal data is processed on servers located in Sweden (EU/EEA). However, certain processors (notably Apple, Google, Resend, and Expo) may transfer or access personal data outside the EEA — typically to the United States. Where this happens, we rely on the European Commission's Standard Contractual Clauses (SCCs) and any additional safeguards required under Articles 44–49 of the GDPR.
7. Data retention
- Active accounts — kept for as long as your account exists.
- Deleted accounts — personal data is deleted or anonymised within [TBD — proposed: 30 days] after you delete your account, except where we are required to retain certain records by law.
- Purchase / billing records — retained for [TBD — proposed: 7 years] to comply with the Swedish Bookkeeping Act (Bokföringslagen 1999:1078).
- Server logs — retained for [TBD — proposed: 90 days] for security and debugging.
- Backups — encrypted backups rotate out within [TBD — proposed: 30 days].
8. Your rights
Under the GDPR (Articles 15–22), you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify data that is inaccurate or incomplete (Art. 16).
- Erase your data ("right to be forgotten", Art. 17). You can do this yourself in the app — see Section 9 below.
- Restrict processing of your data (Art. 18).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
- Lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY) — imy.se — or with the supervisory authority in your EU country of residence.
To exercise any of these rights, email us at privacy@godo.nu. We will respond within one month (with a possible two-month extension for complex requests, as permitted by GDPR Art. 12(3)).
9. Account deletion
You can delete your Go.Do account at any time, directly inside the mobile app:
- Open the Go.Do app and sign in.
- Go to the Profile tab.
- Tap Delete Account and confirm.
Once you confirm, your account is scheduled for deletion. Personal data is removed or anonymised in accordance with the retention rules in Section 7. Some records (notably purchase / accounting records) must be kept by law and will be retained for the period required, then deleted.
If you cannot access the app for any reason, email privacy@godo.nu from the email address linked to your account and we will process the deletion for you.
10. Children's privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from a child under 16. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us and we will delete the data.
11. Security
- All communication with our API is encrypted over HTTPS (TLS).
- Passwords are stored as HMAC-SHA512 hashes with a unique salt per user. We never log or store plain-text passwords.
- In-app purchase receipts are validated server-side against Apple and Google — clients cannot grant themselves access to paid features.
- Access tokens on your device are stored in the operating system's secure storage (iOS Keychain / Android Keystore).
- We restrict internal access to personal data on a least-privilege basis and review access regularly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in the app or by email. Continuing to use the Service after a change means you accept the updated policy. We encourage you to review this page periodically.
13. Contact
For any privacy-related question or to exercise a right above, contact:
Go.Do AB
privacy@godo.nu
[Legal postal address TBD — pending counsel]
Last updated: 19 May 2026.