Legal

Privacy Policy

Last updated: May 11, 2026 · Spotly / Novalco — GDPR compliant · Mobile application

1. Data Controller

The data controller for personal data collected through the Spotly mobile application is:

Novalco
Co-founders: Romane (on-site selection) and Esteban Villalon (technical director)
Contact: esteban.villalon@novalco.fr

2. Data Collected

When you use the Spotly app, we may collect the following data:

Account data (on registration)
• First and last name
• Email address
• Password (encrypted, never stored in plain text)
• Profile photo (optional, provided by you or via Sign in with Apple / Google)

Usage data
• Restaurants saved as favorites
• Reviews and ratings submitted by you
• Pages and features accessed within the app (via our internal analytics system)

Location data (only when explicitly authorised)
• Your approximate or precise location, used solely to display nearby restaurants
• Location is never stored on our servers and is only processed locally on your device

We do not collect sensitive data (racial origins, political or religious beliefs, health data).

3. Purposes of Processing

Your data is collected for the following purposes:
• Managing your account and authenticating your identity
• Providing app features (favorites, reviews, nearby restaurant search)
• Improving the app through anonymised usage analytics
• Sending transactional emails (account confirmation, password reset)
• Complying with our legal obligations

Legal basis: performance of a contract (accepted Terms of Service), consent (location permission), and legitimate interest (service improvement).

4. Retention Periods

Your data is retained for the following durations:
• Account data: for the duration of your registration, then 3 years after your last login
• Usage analytics: 13 rolling months
• Published reviews: for the lifetime of the platform (data dissociated from your account on request)
• Location data: never stored — processed in real time on your device only

Beyond these periods, your data is deleted or anonymised.

5. Third-Party Services and Data Sharing

Spotly does not sell your personal data to third parties. Your data may be shared with the following processors as part of delivering the service:
• Supabase — database and authentication hosting — servers in Europe (EU)
• Vercel — web platform hosting — servers in Europe (EU)
• Resend — transactional email delivery
• Google Places API — used to display restaurant photos and reviews from Google Maps. No personal data about you is sent to Google. Reviews and photos are fetched in real time and never stored on our servers.
• Apple (Sign in with Apple) — if you choose to sign in with Apple, your identity is authenticated via Apple's servers. We only receive a name and email, which you can choose to hide.

All processors are bound by contractual obligations to protect data in compliance with GDPR.

6. Permissions Requested by the App

The Spotly app may request the following permissions on your device:

Location (optional)
Used to show restaurants near you. You can use the app fully without granting this permission. Location is never transmitted to our servers.

Push notifications (optional)
Used to notify you of relevant activity (e.g. a reply to your review). You can disable notifications at any time in your device settings.

No access to your camera, photo library, microphone, or contacts is ever requested.

7. Google Places Data

The Spotly app displays restaurant photos and reviews sourced from Google Maps via the Google Places API. This data is:
• Fetched live each time you view a restaurant page
• Never stored in our database
• Subject to Google's own Terms of Service and Privacy Policy

We display up to 5 Google reviews and 6 Google photos per restaurant, in compliance with Google's usage policies.

8. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:
• Right of access: obtain a copy of your personal data
• Right of rectification: correct inaccurate data
• Right to erasure: request deletion of your data
• Right to data portability: receive your data in a structured format
• Right to object: object to certain types of processing
• Right to restriction: temporarily suspend a processing activity

To exercise any of these rights, contact us at esteban.villalon@novalco.fr, specifying your request and confirming your identity. We will respond within 30 days. If your request is not resolved to your satisfaction, you may lodge a complaint with the CNIL (www.cnil.fr).

9. Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or alteration:
• Password encryption (bcrypt via Supabase Auth)
• Encrypted communications (HTTPS/TLS)
• Data access restricted to authorised team members only
• Row-level security (RLS) policies isolating sensitive data in the database

10. Minors

The Spotly app is intended for users aged 16 or over. If you become aware that a minor under 16 has created an account, please contact us so that we can delete their data promptly.

11. Changes to This Policy

Spotly reserves the right to modify this policy at any time. In the event of a material change, you will be notified by email or within the app at your next login. The date of the last update is shown at the top of this document.

12. Contact

For any questions regarding the protection of your personal data:

Novalco — Spotly
Romane — Co-founder · on-site selection and restaurant evaluation
Esteban Villalon — Co-founder · technical director
esteban.villalon@novalco.fr