Privacy Policy

1. Who We Are

Short Hops (shorthops.uk) is operated by Ashwin ("we", "us", "our"). For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller.

Contact us at: [email protected]

2. Data We Collect

We collect the following categories of personal data:

Category	What	How collected
Account	Email address; name and profile picture if you use Google Sign-In	When you create an account or sign in with Google
Activity	Pubs you save, pub crawls you create, votes you cast	When you use those features
Location	Your device's GPS coordinates	When you tap "Find pubs near me" — browser permission required, not stored on our servers
Analytics	Anonymised page view counts and general geographic region	Automatically via Cloudflare Analytics. No cookies. No personal identifiers.
Technical	IP address, browser type, device type	Standard web server logs, retained briefly by Cloudflare for security purposes

We do not collect payment information, precise movement history, or any special-category data (health, ethnicity, beliefs, etc.).

3. Legal Basis for Processing

Under the UK GDPR, we rely on the following lawful bases:

• Contract (Art. 6(1)(b)): Processing your email address and account activity is necessary to provide the Short Hops service you have signed up for.
• Consent (Art. 6(1)(a)): Location access is processed only with your explicit browser-level consent, which you may withdraw at any time via your browser or device settings.
• Legitimate interests (Art. 6(1)(f)): Anonymised analytics help us understand how the product is used and improve it. This does not override your rights because the data carries no personal identifiers.

4. How We Use Your Data

• To create and maintain your account
• To sync your saved pubs and crawls across devices
• To display personalised content (your favourites, your votes)
• To respond to feedback or support requests you send us
• To monitor for abuse and ensure the security of the service
• To understand aggregate usage patterns and improve the product

We will never use your data to serve you advertising, build marketing profiles, or make automated decisions about you.

5. Third-Party Processors

We use the following sub-processors to operate the service. Each is bound by a data processing agreement and appropriate safeguards for international transfers:

Processor	Purpose	Location
Supabase Inc.	Database, authentication, and API infrastructure. Stores your account and activity data.	AWS eu-west-2 (London). Supabase Inc. is a US company; data is stored in UK/EU region under Standard Contractual Clauses.
Google LLC	OAuth authentication ("Continue with Google"). If you use this option, Google processes your account credentials.	United States. Governed by Google's privacy policy. Transfer covered by UK adequacy regulations for US service providers.
Cloudflare Inc.	Content delivery network, DDoS protection, and anonymous analytics.	Global CDN. No personal data in analytics. Network logs retained per Cloudflare's standard retention policy.

We do not sell, rent, or share your personal data with any other third party.

6. Data Retention

• Account data: Retained for as long as your account is active. If you delete your account, your personal data is permanently deleted within 30 days, except where we are required by law to retain it longer.
• Activity data (saved pubs, crawls, votes): Deleted with your account.
• Location data: Never stored on our servers. Used only in-session on your device to calculate nearby pubs.
• Analytics data: Anonymised aggregate counts with no retention limit, as they carry no personal identifiers.

7. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of them, email us at [email protected] and we will respond within one month.

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may ask us to correct inaccurate or incomplete data.
• Right to erasure: You may ask us to delete your personal data ("right to be forgotten").
• Right to restriction: You may ask us to restrict processing while a dispute is resolved.
• Right to data portability: You may request your data in a structured, machine-readable format.
• Right to object: You may object to processing based on legitimate interests.
• Right to withdraw consent: Where we rely on consent (location), you may withdraw it at any time without affecting prior processing.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK supervisory authority — at ico.org.uk or by calling 0303 123 1113.

8. International Transfers

Our primary data storage is in the AWS eu-west-2 (London) region via Supabase. Where data is transferred outside the UK (for example, to Google or Cloudflare infrastructure), we rely on either UK adequacy regulations, Standard Contractual Clauses, or the UK International Data Transfer Agreement (IDTA) as the appropriate transfer mechanism.

9. Cookies

Short Hops does not use tracking or advertising cookies. Supabase sets a session token in your browser's local storage to keep you signed in. This is technically necessary for authentication and is not used for tracking. Cloudflare Analytics operates without any cookies or personal identifiers.

10. Children

Short Hops is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be flagged on the app. The "Effective date" at the top of this page will always reflect the current version. Continued use of Short Hops after a change constitutes acceptance of the updated policy.

12. Contact

All privacy enquiries: [email protected]
We aim to respond to all requests within 5 working days and are required to respond within one month under UK GDPR.