Privacy

Version 3.0 — 12 May 2026

We are Woov. We respect your privacy and we only collect personal data we genuinely need to deliver the Woov experience. This policy explains what data we process, why, how we protect it, and what rights you have. It applies to our mobile application Woov (the “App”), our website www.woovapp.com (the “Website”), and the services we provide through them (together, the “Services”). We comply with the EU General Data Protection Regulation (GDPR) and applicable Dutch law (the “Relevant Legislation”).

1. About Woov

Woov is a festival companion app. It helps you:

Discover events
View line-ups, set times, and reminders
Build a personal schedule
Explore the festival map
Participate in moderated group chats per event

You can use most of the App without an account. An account is required only for features that involve interacting with other users (group chats) or personalised content.

2. Personal data we collect

We have deliberately minimised data collection. The categories below are exhaustive.

2.1 Account data (when you create an account)

You can sign up using Apple Sign-in, Google Sign-in, or email. Depending on the method, we receive and store:

Name or alias
Email address

2.2 Profile data (optional)

Profile picture (optional, user-uploaded)

We no longer collect hometown, age display, nationality, gender, tagline, or “secret identity” fields.

2.3 Chat content

When you participate in a moderated event group chat, we store the messages you send so they remain visible to other participants in that group. Chats are subject to moderation and a user-reporting mechanism; messages and accounts may be reviewed or removed if they violate our community rules.

2.4 Location data

We may collect coarse (approximate) location only, and only with your explicit OS-level permission. We use it to:

Suggest events near you

2.5 Device and technical data

When you use the App, we automatically collect:

Device brand, model, and OS version
App version and language
IP address (at the moment of request; not stored long-term in identifiable form)
Mobile advertising identifier (AAID on Android, IDFA on iOS) — only where permitted by your OS-level setting
Crash reports and diagnostic data

2.6 Usage data

We log how you use the App (events viewed, line-ups opened, schedule items added, chat participation counts, etc.) to improve the product. Where possible this data is pseudonymised.

2.7 Support communications

If you contact us, we store the content of that communication so we can respond and follow up.

3. Why we process your data (purposes and legal bases)

Purpose	Legal basis
Provide core App features (account, schedule, line-up, map, chat)	Performance of contract (Art. 6(1)(b) GDPR)
Coarse location to suggest nearby events	Consent (Art. 6(1)(a)) — OS-level permission
Moderation, abuse prevention, enforcement of community rules	Legitimate interest (Art. 6(1)(f))
Product analytics and improvement	Legitimate interest (Art. 6(1)(f))
Sharing your email with a festival organiser	Explicit consent (Art. 6(1)(a)) — see section 4
Legal compliance, fraud detection, security	Legal obligation / legitimate interest

You can withdraw any consent-based processing at any time without affecting the lawfulness of prior processing.

4. How we share data with festival organisers

This is the area where users most often want clarity, so we are specific:

By default, we share only aggregated and anonymised data with festival organisers (e.g. total App users at the event, aggregate engagement metrics). This data cannot be used to identify you and is therefore outside the scope of GDPR.
With your explicit, opt-in consent, you may choose to share your email address with a specific festival organiser — for example, to receive their communications. This is always opt-in, per organiser, and revocable. Where you give this consent, the festival organiser becomes an independent data controller of that email address and is responsible for how they use it under their own privacy policy.
We do not share your name, location, chat content, or other identifying data with organisers.

5. Other parties we share data with

5.1 Sub-processors

We use the following sub-processors to operate the Services. Each is bound by a data processing agreement.

Provider	Function	Data processed	Location
Amazon Web Services (AWS)	Application hosting, storage, databases	All user data	Ireland (EU) — GDPR
Google LLC — Firebase Cloud Messaging	Push notifications	Instance IDs	U.S.A. — SCCs
Google LLC — Firebase Realtime Database	Real-time data sync	IP addresses, user agents	U.S.A. — SCCs
Google LLC — Firebase Analytics	Product analytics	Mobile ad IDs, instance IDs, app instance IDs	U.S.A. — SCCs
Mapbox Inc	Map rendering	Anonymised location and usage data; opt-out available in App settings	U.S.A. — SCCs
Apple Inc	Apple Sign-in	Authentication tokens, email (relay supported)	U.S.A. — SCCs / Apple GDPR terms
Google LLC	Google Sign-in	Authentication tokens, email	U.S.A. — SCCs

For transfers outside the EEA we rely on the EU Standard Contractual Clauses (SCCs) and, where relevant, supplementary safeguards.

5.2 Legal, safety, and corporate transactions

We may also share data when we reasonably believe it is necessary to:

Comply with a valid legal process or governmental request
Investigate, prevent, or address breaches of our Terms of Service, fraud, security incidents, or threats to safety
Protect the rights, property, or safety of Woov, our users, or others
Effect a merger, acquisition, financing, or sale of assets — in which case we will notify users in advance via the App or Website

6. How long we keep your data

We store your personal data as long as your account is active. You can delete your account at any time in the app, after which your personal data will be deleted — as a rule within 30 calendar days. If you want your personal data deleted on a shorter notice, please send us an email via privacy@woovapp.com. We reserve the right to retain data regarding your use of our Services when it is irreversibly anonymised.

7. How we protect your data

Transport

HTTPS for the Website and all API traffic. JWT-based authentication for App sessions.

Hosting

AWS Ireland data centres with industry-standard physical and environmental controls.

Application security

Code reviews, dependency monitoring against published CVEs, secure-development training for engineers, application firewalls, and DDoS mitigation at the edge.

Data at rest

Encrypted with redundancy. Chat messages are stored in a dedicated database without directly attached identifying data.

Access control

Least-privilege access for Woov staff, NDAs, session logging.

Monitoring

Centralised logging, anomaly detection, vaulted log archiving.

Audits

Regular internal security reviews and a documented incident response process.

In the event of a personal data breach affecting your rights, we will notify you and the Dutch Data Protection Authority as required by Articles 33–34 GDPR.

8. Your rights

Under GDPR you have the right to:

Access the personal data we hold about you
Have inaccurate data corrected
Have your data deleted (“right to be forgotten”)
Restrict or object to specific processing
Receive a portable copy of your data, or have us send it to another controller
Withdraw consent at any time (without affecting prior processing)
Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl)

To exercise any of these, email privacy@woovapp.com. We respond within 30 days (extendable by up to two months for complex requests, as permitted by Art. 12(3) GDPR).

9. Age restriction

Woov is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, contact privacy@woovapp.com and we will delete it.

10. Cookies and similar technologies (Website)

The Website uses cookies and similar tracking technologies. Some are strictly necessary; others require your consent under the EU ePrivacy Directive and Dutch implementing law.

10.1 Categories we use

Category	Purpose	Consent required?
Strictly necessary	Security, remembering your cookie preferences	No — these are exempt under Art. 11.7a Dutch Telecommunications Act
Functional	Remembering language and display preferences	No, if first-party and limited to functionality
Analytics	Understanding how visitors use the Website (page views, navigation paths, performance)	Yes

We do not set non-essential cookies until you give consent through our cookie banner.

10.2 How consent works

When you first visit the Website you will see a cookie banner with two clear options:

Accept all — enables all categories
Reject all — only strictly necessary cookies are set

“Reject all” is presented with the same visual prominence as “Accept all”.

10.3 Mobile App

The App does not use browser cookies. Where similar tracking technologies are used in the App (e.g. mobile advertising identifiers, SDK-based analytics), they are governed by your OS-level permissions (App Tracking Transparency on iOS, equivalent controls on Android) and are described in section 2.5 above.

10.4 Third-party cookies

Where a third party sets cookies on the Website (e.g. embedded video, social sharing), that third party is an independent controller of the data collected via those cookies. Their cookies will only load after you accept the relevant category.

11. Links to other services

The App and Website may link to third-party content (e.g. organiser websites, ticketing partners). We are not responsible for their privacy practices. Read their policies before sharing any data with them.

12. Changes to this policy

We may update this policy. Material changes will be notified in the App and on the Website at least 14 days before they take effect. The current version and date are shown at the top of this page. Previous versions are available on request.

13. Contact

Privacy Contact
privacy@woovapp.com

Woov BV
Overhoeksplein 31
1031KS Amsterdam
The Netherlands