PrivacyPolicy.
Privacy Policy
Last updated: April 2026
This is the short version of our privacy policy. You can read the long, lawyered-up version at /privacy/legal — but the short version covers what 99% of couples want to know.
What we collect
The minimum to make the service work.
When you create an account: your first name, email address, and chosen username. Pronouns are optional and visible only on your profile. Display name and photo are optional.
When you use the service: which spots and plans you saved, which you completed, what you reviewed, and how you got to a page (referrer + the few page-specific signals we use to make rankings work).
When you opt in: city, vibes, partner email — to seed your home page and link a partner account.
That's all. We don't ask for phone numbers, addresses, or marketing demographics. We don't track location in the background. We don't fingerprint your browser.
What we never do
- We never sell your data. Not to advertisers, not to data brokers, not to "partners" we don't directly disclose to you.
- We never DM or push-notify you about engagement (likes, follows, "trending" content). The only notifications we send relate to plans you've made and people you've explicitly linked.
- We never train an external AI on your reviews without explicit, separate consent. Internal recommendation models use only aggregated signals.
- We never share your saves with anyone, including a linked partner — unless you turned on save-syncing in settings.
Cookies and similar
We use a small number of cookies that are strictly necessary (login, CSRF, locale preference) plus an optional analytics cookie that you can decline at first visit. Declining doesn't degrade the service.
We don't use third-party advertising cookies. The only third-party scripts on the site are: Google Fonts (CSS, no tracking), TheFork's booking widget (only when you click it), and our own image CDN.
Booking partners
When you click through to a booking partner, that partner becomes a separate data controller for the booking transaction. We tell you that on the handoff page. They get only the data needed to complete the booking — typically name, email, phone if you provided one, and the date/time. They don't get your saves, your plan history, or anything else.
We send three kinds of email:
- Plan reminders — three days before, day-of, day-after. Triggered by you scheduling a plan. Default on; toggle off in settings.
- Reviews on plans you wrote — when someone reviews a plan you authored. Default on.
- Weekly digest — Thursday at noon, four spots in the city you read from. Default on; one click to opt out at the bottom of every digest.
We don't send "we miss you" emails or promotional emails for paid features. There aren't any.
Profile visibility
Your profile (/u/@yourhandle) is public by default — your reviews and published plans are indexable by search engines. Toggle that off in Settings → Privacy and your profile becomes invisible to non-followers, search engines, and DateSpots search results.
Saves are private by default. Plans default to "private" (only you) on creation; you choose Public, Followers, or Friends when you publish.
Your rights
You can:
- Download a full export of your data anytime (Settings → Data export). The export includes everything you've authored or saved. It arrives by email within 24 hours.
- Delete your account anytime (Settings → Delete account). We process within 30 days. Public reviews are anonymised rather than deleted to preserve rankings — email us first if you want them fully removed.
- Correct anything that's wrong. Most fields you can edit yourself; for the rest, email [email protected].
- Object to processing. We honour objections immediately for marketing-adjacent processing; for service-essential processing (you can't sign in without us processing your password, for instance) we'll explain why and offer alternatives where possible.
For EU/UK couples: these are your GDPR Articles 15–22 rights. We honour them within one month, free.
Where the data lives
DateSpots data lives in EU data centres (Frankfurt, primary; Amsterdam, replica). Some sub-processors operate from the US under standard contractual clauses — primarily our email service (Postmark) and our error-monitoring service (Sentry). They never see review content; only metadata required for delivery and error context.
We list every sub-processor with a current data-processing agreement in the About page.
Security
Passwords are hashed with bcrypt (cost factor 12). Magic-link tokens are single-use, hashed (sha256) at rest, and expire in 15 minutes. We use signed sessions, HTTPS everywhere, and standard Laravel-stack security controls. We rotate signing keys yearly.
If we ever have a data breach affecting you, we'll tell you within 72 hours of detection and what you can do about it.
Children
DateSpots is for adults. We do not knowingly collect data from anyone under 16. If you think we have, email [email protected] and we'll delete it.
Changes to this policy
We update this policy when the service materially changes. When we do, we email every account at least 14 days before the change takes effect. We don't bury changes in a routine notification.
Contact
Privacy questions: [email protected] (real address, real human). General contact: [email protected]. EU/UK postal address: DateSpots B.V., Postbus, 1011 KK Amsterdam, Netherlands.
— The DateSpots team
Privacy Policy
Last updated: April 2026
This is the short version of our privacy policy. You can read the long, lawyered-up version at /privacy/legal — but the short version covers what 99% of couples want to know.
What we collect
The minimum to make the service work.
When you create an account: your first name, email address, and chosen username. Pronouns are optional and visible only on your profile. Display name and photo are optional.
When you use the service: which spots and plans you saved, which you completed, what you reviewed, and how you got to a page (referrer + the few page-specific signals we use to make rankings work).
When you opt in: city, vibes, partner email — to seed your home page and link a partner account.
That's all. We don't ask for phone numbers, addresses, or marketing demographics. We don't track location in the background. We don't fingerprint your browser.
What we never do
- We never sell your data. Not to advertisers, not to data brokers, not to "partners" we don't directly disclose to you.
- We never DM or push-notify you about engagement (likes, follows, "trending" content). The only notifications we send relate to plans you've made and people you've explicitly linked.
- We never train an external AI on your reviews without explicit, separate consent. Internal recommendation models use only aggregated signals.
- We never share your saves with anyone, including a linked partner — unless you turned on save-syncing in settings.
Cookies and similar
We use a small number of cookies that are strictly necessary (login, CSRF, locale preference) plus an optional analytics cookie that you can decline at first visit. Declining doesn't degrade the service.
We don't use third-party advertising cookies. The only third-party scripts on the site are: Google Fonts (CSS, no tracking), TheFork's booking widget (only when you click it), and our own image CDN.
Booking partners
When you click through to a booking partner, that partner becomes a separate data controller for the booking transaction. We tell you that on the handoff page. They get only the data needed to complete the booking — typically name, email, phone if you provided one, and the date/time. They don't get your saves, your plan history, or anything else.
We send three kinds of email:
- Plan reminders — three days before, day-of, day-after. Triggered by you scheduling a plan. Default on; toggle off in settings.
- Reviews on plans you wrote — when someone reviews a plan you authored. Default on.
- Weekly digest — Thursday at noon, four spots in the city you read from. Default on; one click to opt out at the bottom of every digest.
We don't send "we miss you" emails or promotional emails for paid features. There aren't any.
Profile visibility
Your profile (/u/@yourhandle) is public by default — your reviews and published plans are indexable by search engines. Toggle that off in Settings → Privacy and your profile becomes invisible to non-followers, search engines, and DateSpots search results.
Saves are private by default. Plans default to "private" (only you) on creation; you choose Public, Followers, or Friends when you publish.
Your rights
You can:
- Download a full export of your data anytime (Settings → Data export). The export includes everything you've authored or saved. It arrives by email within 24 hours.
- Delete your account anytime (Settings → Delete account). We process within 30 days. Public reviews are anonymised rather than deleted to preserve rankings — email us first if you want them fully removed.
- Correct anything that's wrong. Most fields you can edit yourself; for the rest, email [email protected].
- Object to processing. We honour objections immediately for marketing-adjacent processing; for service-essential processing (you can't sign in without us processing your password, for instance) we'll explain why and offer alternatives where possible.
For EU/UK couples: these are your GDPR Articles 15–22 rights. We honour them within one month, free.
Where the data lives
DateSpots data lives in EU data centres (Frankfurt, primary; Amsterdam, replica). Some sub-processors operate from the US under standard contractual clauses — primarily our email service (Postmark) and our error-monitoring service (Sentry). They never see review content; only metadata required for delivery and error context.
We list every sub-processor with a current data-processing agreement in the About page.
Security
Passwords are hashed with bcrypt (cost factor 12). Magic-link tokens are single-use, hashed (sha256) at rest, and expire in 15 minutes. We use signed sessions, HTTPS everywhere, and standard Laravel-stack security controls. We rotate signing keys yearly.
If we ever have a data breach affecting you, we'll tell you within 72 hours of detection and what you can do about it.
Children
DateSpots is for adults. We do not knowingly collect data from anyone under 16. If you think we have, email [email protected] and we'll delete it.
Changes to this policy
We update this policy when the service materially changes. When we do, we email every account at least 14 days before the change takes effect. We don't bury changes in a routine notification.
Contact
Privacy questions: [email protected] (real address, real human). General contact: [email protected]. EU/UK postal address: DateSpots B.V., Postbus, 1011 KK Amsterdam, Netherlands.
— The DateSpots team