Privacy Policy

Last updated: 1/17/2026

1. Introduction

WhereTo ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

2.1 Information from Google OAuth

When you sign in with Google, we collect:

  • Your name
  • Your email address
  • Your profile picture

2.2 User-Generated Content

We collect information you provide, including:

  • Items you add to shops
  • Photos you upload
  • Comments and corrections
  • Product confirmations and votes
  • Shop information you create or edit

2.3 Usage Data

We automatically collect:

  • Items you view or save
  • Shops you use
  • Your reputation score and user level
  • Your contribution history

2.4 Local Storage

We store the following data locally in your browser:

  • Recently viewed items (last 50 items)
  • Preferred currency
  • Cookie consent preferences

3. How We Use Your Information

We use your information to:

  • Provide and maintain the WhereTo service
  • Authenticate your account
  • Calculate and display your reputation and user level
  • Moderate content and prevent abuse
  • Improve our service and user experience
  • Communicate with you about service updates

4. Third-Party Services

4.1 Google OAuth

We use Google OAuth for authentication. Your data is processed according to Google's Privacy Policy.

4.2 Cloudinary (Image Hosting)

All uploaded photos are stored on Cloudinary's servers. Images are subject to Cloudinary's Privacy Policy.

4.3 Google Gemini Vision API

When you use the bulk upload feature, images are sent to Google's Gemini Vision API for AI-powered data extraction. This is subject to Google's Privacy Policy.

4.4 Sentry (Error Tracking)

We use Sentry for error monitoring and performance tracking. Sentry collects error logs and session data (no personally identifiable information is sent). Data is stored on Sentry's EU servers. See Sentry's Privacy Policy.

5. Cookies

We use the following cookies:

  • Essential Cookies: NextAuth session cookies (required for authentication)

You can manage cookie preferences through the cookie consent banner.

6. Your GDPR Rights

Under GDPR, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request anonymization of your account (personal data removed, contributions preserved)
  • Right to Data Portability: Export your data in JSON format
  • Right to Object: Object to processing of your data
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, visit your account settings.

7. Data Retention

We retain your data for as long as your account is active. When you request account deletion:

  • Personal Information: Your name, email, and profile photo are permanently removed
  • Account Access: All sessions and OAuth connections are terminated
  • Contributions Preserved: Your items, photos, and comments remain in the system as anonymous contributions attributed to "[Deleted User]"
  • Personal Preferences: Your saved items, viewing history, and shop preferences are deleted

This approach ensures GDPR compliance while maintaining the value and integrity of community contributions.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption, secure authentication, and regular security audits.

9. Children's Privacy

WhereTo is not intended for users under 16 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us through your account settings.

12. Data Controller Information

For the purposes of GDPR, the data controller is the WhereTo service operator. You can contact the data controller through the application settings.