Privacy Policy

This Privacy Policy describes how GayOut ("we", "us", "our") collects, uses, discloses, and protects information when you visit gayout.com, use any subdomain, mobile-friendly page, API, or related service (together, the "Service"). By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

1. Who we are & how to contact us

GayOut is operated by ACTV-TEC Ltd. ("the Operator"), a company organised under the laws of the State of Israel. References to "we", "us", or "GayOut" mean the Operator and its affiliates.

For any privacy question, request, or complaint, contact our Data Protection Officer:

• Privacy/DPO email: privacy@gayout.com
• General contact: info@gayout.com
• Postal address: available on written request to privacy@gayout.com

2. Information we collect

2.1 Information you give us

• Hotspot submissions: name, address, phone, website, email, opening hours, photos, and descriptions you submit when listing a venue.
• Reviews and tips: the text, ratings, and any photos you post.
• Account & magic-link emails: the email address you use to manage a hotspot or to receive a one-time login link.
• Newsletter sign-ups: your email address.
• Payment information for Promoted/Premium subscriptions: handled directly by PayPal — we never receive or store your full card number; we only receive a subscription identifier and limited transaction metadata.
• Communications: messages you send to support@gayout.com or info@gayout.com.

2.2 Information collected automatically

• Device & technical data: IP address, browser type and version, operating system, screen size, language preference, time zone.
• Usage data: pages viewed, links clicked, search queries, time spent, referring URL.
• Cookies and similar technologies: see Section 7.
• Approximate location: derived from your IP address (city/country level only). We do not request precise GPS unless you explicitly opt in to a "near me" feature.

2.3 Information from third parties

• Google Sign-In (if used): your name, email, and profile picture (with your consent).
• Google Places, TripAdvisor: publicly available venue information used to enrich our directory.
• Resend: email delivery and bounce metadata for transactional emails.
• PayPal: subscription status and payment events via webhooks.

3. How we use your information

• Operate, maintain, and improve the Service.
• Display venue listings, events, photos, and reviews.
• Enable account-free authentication via magic links and Google Sign-In.
• Process Promoted and Premium subscriptions and send transactional emails.
• Detect and prevent fraud, abuse, spam, and security threats.
• Comply with legal obligations and respond to lawful requests.
• Send service announcements (rare) and the optional newsletter (only if you sign up).
• Generate aggregated, de-identified analytics — for example, monthly visitors per city.

4. Legal bases (GDPR / UK GDPR)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

• Performance of a contract — when you submit a hotspot, subscribe, or use a paid feature.
• Legitimate interests — to operate the Service, prevent fraud, and improve features. Our legitimate interests are balanced against your rights and freedoms; you can object at any time.
• Consent — for non-essential cookies, the newsletter, and any optional features you explicitly enable. You can withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation — to comply with tax, accounting, anti-money-laundering, or law-enforcement requirements.

5. When we share information

We do not sell personal information. We share only as needed to operate the Service:

• Service providers who process data on our behalf under contract and confidentiality (PayPal, Resend, Anthropic, Google, OpenStreetMap, our hosting provider).
• Public listings — content you submit to a public hotspot or review is visible to all visitors.
• Legal compliance — when required by law, court order, or to protect rights, property, or safety.
• Business transfers — in the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified before any transfer changes how this Policy applies.

6. Third-party services we use

The following processors may receive your data when you use the Service. Each operates under its own privacy policy:

• PayPal — payments and subscriptions. Policy
• Resend — transactional email delivery. Policy
• Anthropic — AI processing for the Trip Planner and translations. We do not send personal information; only the text you explicitly request to process.
• Google — Maps API, Places API, optional Google Sign-In, Google Analytics (if enabled). Policy
• TripAdvisor — venue data and reviews via API.
• hCaptcha — bot protection on submission forms.
• OpenStreetMap Foundation — map tiles for the world map.
• fonts.bunny.net — privacy-friendly fonts (no user tracking).

For B2B partners: if you are a venue chain, integrator, ticketing platform, or other business partner that requires a formal Data Processing Agreement under Article 28 GDPR (or an equivalent contract under your applicable law), please review our standard DPA template at https://www.gayout.com/dpa and contact dpo@gayout.com to execute it.

7. Cookies & similar technologies

We use cookies and similar technologies to keep you signed in, remember preferences, and (where you consent) measure usage.

• Essential cookies — strictly necessary for sign-in, fraud protection, and core features. Cannot be disabled.
• Functional cookies — remember your language, dark mode, and saved favourites.
• Analytics cookies — only with your consent. We use Google Analytics with anonymised IPs and short retention.
• Marketing cookies — only with your consent. Used to measure the effectiveness of any campaigns.

You can manage cookies through our cookie banner or your browser settings. Disabling cookies may break certain features (e.g., sign-in, locally stored favourites).

8. International data transfers

Your information may be processed in Israel, the European Union, the United States, and other countries where our service providers are located. Where we transfer personal data outside the EEA, the UK, or other regions with data-protection laws, we rely on appropriate safeguards:

• Standard Contractual Clauses approved by the European Commission.
• EU–US Data Privacy Framework (where the recipient is certified).
• Adequacy decisions (e.g., Israel benefits from an EU adequacy decision for commercial transfers).
• Other lawful mechanisms permitted under applicable laws.

9. Data retention

• Hotspot submissions: retained as long as the listing is live; archived (not deleted) on request.
• Reviews: retained as long as the venue exists; you can request deletion of your own reviews.
• Magic-link tokens: 7 days. Manage sessions: 30 days.
• Subscription records: retained for up to 7 years to comply with tax and accounting laws.
• Email logs: 90 days, then aggregated.
• Server logs: 30 days unless an investigation is ongoing.
• Backup copies: rotated every 90 days.

10. Security

We use industry-standard security measures, including TLS 1.3 in transit, hashed and salted authentication tokens, encrypted database fields for sensitive data, regular vulnerability scanning, and role-based access controls. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

11. Your rights

Depending on where you live, you have some or all of the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate information.
• Erasure — request deletion ("right to be forgotten").
• Restriction — pause processing while we resolve a dispute.
• Portability — receive your data in a machine-readable format.
• Object — to processing based on legitimate interests, including direct marketing.
• Withdraw consent — at any time, where processing is based on consent.
• Lodge a complaint with a supervisory authority (Section 16).

Get a copy of your data: visit /my-data for a self-service export. You'll receive a one-time email link, then can download every record we hold about you as a machine-readable JSON file.

Self-service deletion (right to erasure): visit /delete-my-data. We email you a confirmation link, you review what will be deleted, then type DELETE to confirm. Your personal data is anonymised immediately; backup copies are purged within 30 days.

To exercise any other right, email privacy@gayout.com. We respond within 30 days (extendable by 60 days for complex requests, with notice).

12. Region-specific rights

European Economic Area & United Kingdom (GDPR / UK GDPR)

You have all the rights listed in Section 11. The Data Controller is ACTV-TEC Ltd. (Israel). Our representative in the EU is available on request to privacy@gayout.com.

California, USA (CCPA / CPRA)

If you are a California resident, you have the right to: know what personal information we collect; delete it; correct inaccuracies; opt out of sale or sharing (we do not sell or share your information for cross-context behavioural advertising); limit use of sensitive personal information; and not be discriminated against for exercising your rights. Authorised agents may submit requests with proof of authorisation. Email privacy@gayout.com with subject "California Privacy Request".

Brazil (LGPD)

You have the rights to confirmation of processing, access, correction, anonymisation, blocking, deletion, portability, information about sharing, revocation of consent, and review of automated decisions.

Canada (PIPEDA & provincial laws)

You may request access to your personal information, ask us to correct it, and withdraw consent (subject to legal or contractual restrictions).

Australia (Privacy Act 1988 & APPs)

You may request access to and correction of your personal information. Complaints can be made to the Office of the Australian Information Commissioner (OAIC).

Israel (Privacy Protection Law, 5741-1981)

You have a right to inspect data held about you, request corrections, and request deletion under section 14 of the Israeli Privacy Protection Law. The database is registered as required by law.

South Africa (POPIA), Switzerland (FADP), Japan (APPI), South Korea (PIPA), India (DPDP Act)

Where these laws apply to you, we extend equivalent rights of access, correction, and deletion. Contact privacy@gayout.com.

13. Children's privacy

The Service is intended for adults aged 18 or older. We do not knowingly collect personal information from anyone under 16 (or under 13 in the United States, per COPPA). If you believe a child has provided us information, please contact us and we will delete it promptly.

14. Do Not Track & Global Privacy Control

We currently do not respond to Do Not Track ("DNT") browser signals because no industry standard for DNT compliance exists. We honour the Global Privacy Control (GPC) signal as an opt-out of sale/sharing of personal information, where applicable.

15. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. We will notify users of material changes by email (if we have your address) or by a prominent notice on the site at least 30 days before changes take effect.

16. Complaints & supervisory authorities

If you have a complaint, please email privacy@gayout.com first. You also have the right to lodge a complaint with a data-protection authority:

• EU: the supervisory authority of your member state — list here.
• UK: Information Commissioner's Office — ico.org.uk
• California: California Privacy Protection Agency (CPPA).
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
• Canada: Office of the Privacy Commissioner of Canada (OPC).
• Australia: Office of the Australian Information Commissioner (OAIC).
• Israel: Privacy Protection Authority (PPA).

© 2026 GayOut. This Privacy Policy is provided for informational purposes and does not constitute legal advice. If you require legal counsel, please consult a qualified attorney.