proactivity

Privacy Policy

Effective May 18, 2026

Short version

We collect as little as possible. Your email if you sign in. Your location, in real time, if you let us — we don't keep it.
We don't sell your data and we don't use third-party analytics or tracking pixels.
We show ads from Google AdSense on the website and Google AdMob in the mobile app. Both use Google's privacy controls; the EU/UK/Switzerland consent banner is shown where required. The mobile app requests non-personalized ads by default, so no advertising-ID tracking happens unless we add explicit opt-in.
Some pages link to lodging partners (Vrbo, Expedia) as affiliate links. When you click one, the partner may set a tracking cookie so we get a small commission if you book. The price you pay is the same.
You can ask us to delete your account or your data any time via our contact form.

1. Who we are

Proactivity is an events aggregator that helps people find things to do nearby in the next week or two. "Proactivity," "we," and "us" refer to the operator of the proactivity.app website and the Proactivity mobile app. If you have a question about this policy, send us a message via our contact form.

2. What we collect, and why

Information you give us

Email address. Required to sign in (we use a one-time magic link, no password). Optional if you submit a rating or use the "submit your event" contact form. Stored so we can identify you on future sign-ins and so you can manage your account.
Name. Optional. If you provide one with a rating it's displayed publicly alongside your review.
Ratings and reviews. Star ratings (1-5) and optional review text you submit about events or organizers. Public once an administrator approves them.
Organizer submissions. If you act as an event organizer, the organization name, URL, event details, and any URLs you submit for us to scrape. Reviewed by an administrator before becoming public.
Payment info. If you subscribe to Plus, card details are entered directly into Stripe — we never see or store them. We keep your Stripe customer and subscription IDs.

Information we collect automatically

Location (only with your permission). The browser or mobile OS asks before we get your coordinates. We use them in real time to query nearby events. We do not store your location alongside your account, and we do not track your location over time.
Anonymous click counters. When you tap an event card or a category chip, we increment a counter on that event/category. The counter is not linked to your identity — we use it to order popular categories and surface frequently-viewed events.
Approximate IP address. Logged by our hosting provider for security and abuse prevention. For submissions (ratings, contact form) we keep the originating IP to help moderation if needed.
Cookies and local storage. See "Cookies and similar technologies" below.

What we don't collect

No advertising IDs from your mobile device. AdMob serves non-personalized ads by default, so the IDFA prompt on iOS is not shown.
No social-media tracking pixels.
No fingerprinting or cross-site tracking on our own behalf.
Aside from Google Analytics (described below) we don't run other third-party analytics — no Mixpanel, no Segment, no Heap, etc.

3. How we use what we collect

To authenticate you and keep you signed in.
To return events relevant to where you are.
To moderate user-submitted content (ratings, organizer claims, event drafts, URL submissions).
To send you transactional emails: the magic-link sign-in email and notifications about submissions you made.
To run the Plus subscription (Stripe webhooks update your status).
To prevent abuse and respond to reports.

We do not use your data for behavioral advertising on our own behalf and we do not sell your personal information.

4. Who we share data with

The following service providers process data on our behalf. Each has its own privacy commitments.

Vercel (hosting). Processes HTTP requests to the website. Privacy policy.
Neon (database). Stores the records described above. Privacy policy.
Resend (email delivery). Sends sign-in and notification emails. Privacy policy.
Stripe (payments). Handles all card data for Plus subscriptions. Privacy policy.
Google Analytics (website). Aggregates anonymized traffic data (page views, referrers, approximate country/region) so we can understand which features are useful. Sets the _ga family of cookies. We do not configure Google Analytics to receive your email, name, or other identifying information. Privacy policy.
Google AdSense (advertising, website). Loads ads on the website and may set cookies for ad personalization. Subject to Google's consent banner in the EU/UK/Switzerland. Privacy policy.
Google AdMob (advertising, mobile app). The mobile-app counterpart to AdSense. We request non-personalized ads only by default, which means we don't ask the OS for your advertising identifier (IDFA on iOS) and AdMob shows contextual ads rather than ads targeted to your activity. AdMob's data disclosure.
CJ Affiliate (Commission Junction) (affiliate links). On some pages we link to lodging partners (Vrbo, Expedia). When you click one of these links, CJ may set a tracking cookie so that a partner can attribute a resulting booking to us and pay us a small commission. You pay nothing extra. CJ's privacy policy.
Google OAuth (admin sign-in only). Used only by Proactivity administrators to sign in to the moderation tools — not by regular users.

We may also share data when legally required (subpoenas, court orders) or to protect our rights and the safety of our users.

5. Cookies and similar technologies

On the website:

proactivity_user — your sign-in session cookie, signed with HMAC. Lasts 30 days. Required for sign-in to work.
proactivity_admin — same purpose but for administrators only.
Local storage — stores your onboarding choice, preferred event categories, and (on mobile) your session token. This data never leaves your device unless you sync it via a backup.
AdSense cookies — set by Google for ad delivery and (with your consent) ad personalization. Managed by Google's consent banner where required.
Google Analytics cookies (_ga, _ga_*) — used to distinguish unique sessions and aggregate traffic. Subject to the same consent flow Google applies in the EU/UK/Switzerland.

The mobile app does not use the AdSense web SDK. It does load Google AdMob (described above) to serve banner ads, which may set or read local advertising data. It stores the same kind of preference data as the website (session, interests, onboarding state) in the OS's app storage.

6. Your rights

Wherever you live, you can contact us to:

See what data we have about you.
Correct it.
Delete your account and all data tied to it. We'll honor this within 30 days.
Receive a copy of your data in a portable format.
Object to specific uses or restrict processing.

If you live in the EEA, UK, or Switzerland

Under the GDPR, you have additional rights including the right to lodge a complaint with your local data protection authority. Our legal bases for processing are: contract (running the service you signed up for), consent (location, ad personalization), and legitimate interest (preventing abuse, moderating submissions).

If you live in California

Under the CCPA, you have the right to know what we collect, to delete it, and to opt out of "sale" of your personal information. We don't sell personal information.

7. Children's privacy

Proactivity is not directed at children under 13. We don't knowingly collect data from anyone under 13. If you believe we've inadvertently collected data from a child, contact us and we'll delete it.

8. Data retention

We keep account data as long as your account is active. If you delete your account, we delete the personal data tied to you within 30 days. Anonymized aggregates (e.g. click counters on events) may persist because they aren't linked to anyone.

Public content you posted (approved ratings/reviews, events you organized) may remain visible after account deletion in anonymous form (no submitter name shown). On request we'll remove it entirely.

9. Security

We use HTTPS everywhere, hash and sign session tokens with HMAC, and rely on the security posture of the providers listed above. No system is perfectly secure, and no method of transmission over the internet is 100% safe — but we try to apply reasonable practices.

10. International transfers

Our hosting, database, and email providers may process data in the United States or other countries. If you're outside the US, your data is transferred to and processed in countries that may not have the same data protection laws as your country.

11. Changes to this policy

We may update this policy from time to time. We'll change the "Effective" date at the top. For material changes, we'll try to notify you (e.g., via email or a banner). Continued use after a change means you accept the updated policy.

12. Contact

Questions, requests, or complaints? Send us a message.