PRIVACY POLICY | GLOBE

3.1 Account and Identity Data

When you create a Globe account, we collect:

• Your name and email address
• Profile photo (pulled from your Google or Apple account if you use Google or Apple Sign-In, or optionally self uploaded)
• A username (generated automatically from your email on registration, which you can change), display initials, and avatar colour
• Authentication credentials — if you sign in via Google or Apple Sign-In, we receive a verified email address and display name from the provider. We never receive or store your Google or Apple password.
• Your date of birth — collected during the new-user onboarding wizard and editable later in My Account → My Profile. We use it only to confirm you meet our minimum age and our purchasing age threshold (see §11). It is self-reported and we do not verify it against any document.
• Optional profile details you choose to add: short bio, home city, travel style/interests, preferred currency, time zone, language, and week-start preference

Identity data is first collected through the onboarding wizard, which prompts every new account (including users who sign in with Google/Apple or who join from an invite link) for a display name, username, and date of birth (all required) before they use the app. Optional profile details — home city, profile photo, and travel interests — can be added during onboarding or later in My Account → My Profile.

3.2 Trip and Group Data

When you create or participate in a trip, we collect:

• Trip name, type, description, and dates you provide
• Your availability for the trip dates
• Your budget range per person
• Destination preferences, searches, and votes
• Itinerary items, tasks, stays, and notes you create or contribute
• Expense records you enter, including amounts, categories, dates, and who paid
• Proposal content — including title, description, price, any link, and any additional information you add (e.g. custom notes, flight numbers)
• Location coordinates (latitude and longitude) associated with proposals, stays, and destination searches — these are coordinates of places you select, not your device's real-time GPS position (see §3.3)
• Your "trip input" — optional per-trip fields you can fill in and share with your trip group: dietary preferences and a free-text dietary/allergy note, an accessibility/mobility note, and a general note. The dietary/allergy and accessibility notes may reveal health-related information; they are entirely optional, you choose what to share, and we process them only with your explicit consent (see §4.6). They are visible to the other members of that trip.
• Your travel history — the places you have visited, stored in your personal travel history. Each record can link back to the trip(s) on which you visited the place. Visited places are partly auto-derived from your trips' schedules and can also be confirmed, corrected or added by you (see §3.5). Your travel history is visible to your mutual friends, like your bucket list.
• Trip reviews — if you rate or write a short review of a trip during its wrap-up, your rating and review text are stored on your membership record for that trip and are visible to the other members of the trip.
• Personal notes — if you are a Globe Pro member you can create private notes that are not tied to a trip; their content, title and timestamps are stored and are accessible only to you.
• Your relationship data — your friend connections and friend requests (other users are found by username or email). This includes your friend groups(named, reusable groupings of your friends used to invite people): the people in a group are visible to one another, any member of a group — not only its creator — can rename it, change its emoji, or add and remove other members (the creator can't be removed), any member can leave at any time, and being added to a group sends the added member an in-app notification. It also includes any users you have blocked — a private record visible only to you. When you block someone, Globe immediately and silently severs any existing friendship between you, cancels any pending friend requests or trip invites in either direction, and offers to remove you from any trips you share with them. We also store friend-suggestion dismissals (so a "People you may know" suggestion you dismiss does not reappear on any device), your personal wishlist ("bucket list") places, and any past trips you add manually.
• Your friend activity feed — Globe keeps a personal activity feed showing trip-related events from your mutual friends (for example when a friend creates a trip, completes one, or confirms a place they visited). Each entry includes the friend's name and the action; the feed is visible only to you.
• Shared-schedule links you create
• During a trip's wrap-up phase, whether and when you completed your wrap-up tasks (e.g. confirming your visited places, marking the "add photos" task done) is shown to your co-travellers so the group can see who has finished — the underlying visited places themselves stay private to you and your mutual friends.

3.3 Device Location

Globe uses your device's GPS in the following ways. We never prompt automatically — the location permission request only appears when you explicitly take an action that needs it.

• Weather card. If you tap "Enable location" on a trip's weather card, we take a one-off position reading to show local weather; the coordinates are rounded (to roughly 1 km) when sent to the weather provider and are not stored in our database and not tracked in the background.
• Chat location sharing. From the trip chat you can share a location with your trip group in three ways:
  • A place pin — a place you search for and select (resolved via Google Places; the place's coordinates, not your device's position).
  • Your current location — a one-off static pin of your device's current GPS position at the moment you tap share.
  • Live location — your precise GPS position, broadcast to your trip group for a time window you choose (15, 30 or 60 minutes — capped at one hour). Live sharing is opt-in each time, visible only to the members of that trip, foreground-only (it stops when you leave the chat screen or the app is backgrounded), and stoppable at any time; it also stops automatically when the time window expires. While active, your position is stored in a per-trip live-location record that trip members can read to see the moving pin; it auto-expires at the end of the window. Sharing your current or live location requires foreground-location permission (on iOS the "while using the app" location permission; on Android the fine/coarse location permission), which your device only requests when you start a share — never at app launch.

We collect device location only for these features and do not use it for advertising or background tracking.

3.4 Photos, Documents and Media

When you upload photos or documents (images and PDFs) to a trip — including media shared in trip chat — we collect and store:

• The file itself (photos in the trip album; PDFs/images in trip documents)
• A compressed thumbnail generated automatically for display (for images)
• Metadata associated with the upload (upload timestamp, uploader identity within the group, file name, type and size)
• Likes and reactions other group members make on your photos

Important: photos and documents you upload to a trip are visible to all members of that trip group. Before uploading, ensure you have the right to share the content and that it does not contain sensitive personal data of others without their consent.

3.5 Usage, Analytics and Diagnostic Data

We collect limited technical, product-analytics and diagnostic data. We want to be clear about what we do not do: we do not use advertising identifiers, we do not build advertising profiles, and we do not sell data that identifies you.

• Product analytics — opt-in. With your consent, Globe uses Google Analytics for Firebase (GA4) to understand how the app is used so we can improve it. Collection is off by default and only starts after you accept the consent banner shown on first launch (web and native); you can withdraw consent at any time in My Account → Settings → Privacy. When enabled, we record a small set of structured product events — account sign-up, trip created, trip phase changed, photo uploaded, invite link shared, checkout started, and purchase completed — together with non-identifying parameters (e.g. member count, subscription tier, value/currency). These events carry no content (no trip titles, messages, names or photos). Your Firebase user ID is associated with the events so they can be tied to your account. On iOS, accepting analytics also triggers Apple's App Tracking Transparency prompt.
• Crash and error diagnostics — always on, legitimate interest. Globe uses Sentry (EU data residency) on web, iOS and Android to detect and fix crashes and errors. When the app hits an uncaught error or crash, we send Sentry a stack trace, recent in-app breadcrumbs, and basic device/OS/app-version context, collected from all sessions. Separately, we sample a small fraction of sessions (about 10% by default) for performance traces — page-load and navigation timing on web, and app-start and navigation timing on native — so we can monitor latency. This is privacy-minimised: no IP address or cookies are auto-attached and the only user identifier attached is your Firebase user ID — never your email or name. Error and diagnostic monitoring is not part of the analytics opt-in; we run it under our legitimate interest in keeping Globe secure and working. On the web, these reports are routed through our Cloudflare infrastructure so that browser content-blockers do not silently drop them. We also collect content-security-policy (CSP) violation reports, which contain only technical data and no user identifiers or content, to help us tune our security policy before it is enforced.
• Anti-abuse / app integrity. To prove that requests come from a genuine Globe client and to protect our backends and proxy from abuse, we use Firebase App Check: Google reCAPTCHA v3 on the web, Google Play Integrity on Android, and Apple App Attest / DeviceCheck on iOS. These send device/browser/app-integrity signals to Google or Apple to produce a short-lived attestation token; the tokens are not stored by us. We also apply rate limits to public endpoints (see §8.6 and §12).
• Travel-history derivation. During a trip's wrap-up you are invited to confirm, correct or remove the places you visited before they are saved. For members who do not confirm, we automatically derive their visited places from the trip's schedule — after the trip is filed to the Timeline, or by a periodic automated process — and add them to that member's travel history. This is an automated step that writes inferred location history to your account; the resulting visited places are visible to your mutual friends, like the rest of your travel history.
• Operational and support data. App version, platform (iOS/Android/web), and the screen you were on are collected only when you contact support or report content, to help us respond. Your IP address is processed transiently by our infrastructure providers (Google/Firebase, Cloudflare) to deliver and secure the service and apply rate limits — not to profile you for advertising. For cost-anomaly detection, our Cloudflare infrastructure also writes a short server-side log line for upstream requests, recording your Firebase user ID, IP address and basic request metadata, retained per Cloudflare's settings. A device push-notification token and its platform are stored so we can send notifications you have allowed (see §13).

3.6 Chat and Poll Data

Globe includes a real-time group chat and polling feature within each trip. Messages you send and poll responses you submit are stored in our database and visible to all members of your trip group. Chat supports text, GIFs, photos, documents, shared locations, emoji reactions, replies, and mentions of proposals and of other members (mentioning a member notifies them). You can delete your own messages at any time.

3.7 Payment Data

Globe never collects or stores your payment card details. Payments are processed by our payment providers:

• On the web, by Stripe, which collects your billing name and address and your card details directly on its hosted checkout.
• On iOS/Android, by RevenueCat together with the Apple App Store / Google Play, which process the payment.

From these providers we store only what we need to give you access: a Stripe customer identifier, your subscription / Trip Pass status, and billing cycle. For purchases made under our guardian-assisted flow for users who are not yet 18 (see §11), Stripe requires the cardholder to authenticate via 3-D Secure (Strong Customer Authentication) with their bank; this authentication is handled by Stripe and your bank, and we store no additional data from it. Please refer to the providers' own privacy policies for how they handle payment data.

3.8 Communications Data

If you contact us for support, or report content within the app, we collect the content of your message or report and your contact details (and limited technical context such as app version and platform) in order to respond and to keep a record. These requests are handled through our support desk provider (Atlassian Jira Service Management — see §6.2).

If you ask to be notified about upcoming "Max" plans, we store that interest signal on your profile. We do not send marketing emails today; any future marketing outreach would be optional and separately consented.

4.1 Performance of a Contract (Article 6(1)(b))

We process your account data, trip and group data, chat data, and payment/subscription data because it is necessary to provide the Globe service you have signed up for.

4.2 Legitimate Interests (Article 6(1)(f))

We process limited data based on our legitimate interest in:

• Keeping Globe secure and preventing abuse (e.g. rate limiting, app-integrity attestation, and fraud prevention)
• Detecting and fixing crashes and errors and monitoring performance (crash/error diagnostics — see §3.5)
• Monitoring operational costs and detecting billing anomalies (see §3.5)
• Operating and supporting the service, and responding to your requests
• Moderating content — we may access content (for example a chat message, photo, document or proposal) when you or another user reports it, or in order to handle your support request

You can object to processing based on legitimate interests — see Section 9.

4.3 Consent (Article 6(1)(a))

Where we rely on your consent — for example device permissions such as location and notifications, and optional product analytics — we ask for it explicitly and you can withdraw it at any time (analytics consent is managed in My Account → Settings → Privacy).

4.4 Legal Obligation (Article 6(1)(c))

We may process data where required by applicable Belgian or EU law, including tax and accounting obligations.

4.5 Vital Interests (Article 6(1)(d))

In exceptional circumstances, we may process data where it is necessary to protect the vital interests of you or another person. This basis will rarely apply in the context of Globe's services.

4.6 Explicit Consent for Special-Category Data (Article 9(2)(a))

Globe lets you optionally share dietary/allergy information and accessibility/mobility needs with your trip group (see §3.2). Because these can reveal health information, or religious beliefs (for example a halal or kosher diet) — special categories of data under Article 9 GDPR — we rely on Article 9(2)(a) explicit consent: these fields are blank by default, clearly marked optional ("only share what you're comfortable with"), and we process them only because you deliberately choose to enter and share them with your group for trip planning. You can edit or remove this information at any time — by clearing the field, leaving the trip, or deleting your account — and you are never required to provide it.

6.1 Within Your Trip Group

The following is visible to all members of your trip group by design:

• Your name, username, and profile photo
• Your availability and budget range (unless the organiser has enabled anonymous mode)
• Any trip input you choose to share (dietary, accessibility and general notes)
• Your destination votes and preferences
• Proposals you submit, including location and price
• Expenses you record
• Photos and documents you upload
• Messages, reactions, poll responses, and any locations you share in the group chat
• Any trip review (rating and text) you write
• During wrap-up, whether/when you have completed your wrap-up tasks

Some data is also visible to your mutual friends outside a specific trip — your travel history and bucket list, and the membership of any friend groups you share.

6.2 Service Providers (Data Processors)

We share data with trusted third-party providers. Most act as our data processors under a data processing agreement; a few — the sign-in, app-store and GIF providers — act as independent controllers under their own privacy policies (we disclose them here and minimise what we send them):

• Google Firebase / Google Cloud — core cloud infrastructure (Authentication, Firestore database, Cloud Storage, Cloud Functions, Hosting, Cloud Messaging for push notifications, and App Check). Our Cloud Functions run in the EU region.
• Google LLC — Google Sign-In (verifies your identity and shares your name and email on sign-in); the Google Places, Maps and Weather APIs used for destination search, maps and weather (sent via a Cloudflare Worker proxy); Google reCAPTCHA v3 used by App Check on the web for anti-abuse attestation; Google Play Integrity used by App Check on Android; and Google Analytics for Firebase (GA4) for opt-in product analytics.
• Apple Inc. — Apple Sign-In (web and iOS), which verifies your identity and shares your name and email with us on first sign-in; and Apple App Attest / DeviceCheck used by App Check on iOS for anti-abuse attestation.
• Sentry (Functional Software, Inc.) — crash/error reporting and a small sample of performance diagnostics on web, iOS and Android (EU data-residency region). Receives a stack trace, in-app breadcrumbs, device/OS/app-version context and your Firebase user ID — never your email or name. Web reports transit through our Cloudflare Worker.
• Cloudflare — proxy layer for our Places, Maps, Weather, GIF and image requests, and a transit point that forwards our web error/CSP reports to Sentry. Cloudflare may process request metadata, including IP addresses, for delivery and rate limiting, and we write a minimal operational cost log there. Privacy policy: cloudflare.com/privacypolicy
• KLIPY (Kikliko, Inc.) — GIF search and trending content in chat, acting as an independent data controller under its own privacy policy (it has appointed an EU representative under GDPR Art. 27). When you use the GIF picker we send only your GIF search terms and a pseudonymised identifier (a salted one-way hash of your user ID, never the raw ID or any account data); because these requests are proxied through our Cloudflare Worker, KLIPY does not receive your real IP address.
• Stripe — payment processing for web purchases (billing name, address and card data are handled by Stripe), including 3-D Secure authentication for guardian-assisted purchases.
• RevenueCat — manages in-app purchases on iOS/Android. It receives your Globe user identifier and store receipt data.
• Apple App Store / Google Play — process in-app payments on their platforms.
• Atlassian (Jira Service Management) — our support desk. Support requests and content reports include your email, name, user identifier, the content reported, and technical context (platform, app version).
• Wikimedia Foundation — public destination images. No personal data is sent.
• Expo / Expo Application Services — delivers the app and over-the-air updates; receives device runtime version and update channel.

6.3 Legal Requirements

We may disclose data if required by law, court order, or to protect the rights and safety of Globe, our users, or others.

6.4 Business Transfers

If Globe is involved in a merger, acquisition, or asset sale, your data may be transferred. We will provide notice before your data becomes subject to a different Privacy Policy.

6.5 With Your Consent

For any sharing not described above, we will ask for your explicit consent.

7.1 Mobile app

The Globe mobile app does not use browser cookies or advertising identifiers. It stores data locally on your device (using the device's local storage) for your login session, your preferences, and offline caching. It runs opt-in product analytics only after you accept the consent banner, and runs crash/error diagnostics for security and stability (see §3.5).

7.2 Web application

The Globe web app uses your browser's local storage and IndexedDB (not cookies) for three purposes: your authentication session (Firebase Auth), offline data caching (Firestore), and preference keys you set explicitly (such as your chosen language, theme and notification settings). It does not set advertising cookies and does not use third-party advertising trackers. It does load Google reCAPTCHA v3 (via Firebase App Check) for anti-abuse attestation, and — with your consent — Google Analytics for Firebase. On first visit, the web app shows an informational cookie/storage disclosure banner explaining the essential storage and the reCAPTCHA script, with a link to this policy; analytics remain off until you opt in.

7.3 Do Not Track

Globe does not track you across third-party websites and does not use advertising trackers, so there is no cross-site tracking to which a "Do Not Track" signal would apply.

8.1 Active Accounts

Data associated with your account is retained for as long as your account remains active. Optional trip input you share — including the dietary/allergy and accessibility notes described in §3.2 — lives on your membership record for that trip; it is removed when you clear the field or leave the trip, and is anonymised with your other participant data when you delete your account.

8.2 Free-Tier Trip Archiving and Content Lock

For trips without an active Trip Pass:

• 90 days after the trip end date, the trip is archived and its content is locked. Members lose read access to the trip's content (photos, documents, chat messages, expenses, itinerary, etc.) and see an upgrade prompt instead — unless a Trip Pass has been purchased for the trip (which restores access for everyone) or the individual member has an active Globe Pro subscription, which lets that member read their own locked past trips (see §8.3).
• Archived trips and their files are never deleted — the data remains intact.
• Buying a Trip Pass restores full access for everyone, permanently. A member with active Globe Pro can read their own locked past trips for as long as their subscription is active (see §8.3).
• Separately, an organiser can move a completed trip to the Timeline to declutter the active list ("hidden"). This is a display change only — a hidden trip stays fully readable; it is not the same as the 90-day content lock above.

8.3 Trip Pass and Globe Pro Storage

• For trips with an active Trip Pass, trip data and photos are retained and remain accessible to all members for as long as we operate the service (no automatic archiving or content lock applies).
• Globe Pro is a per-user benefit: it grants the individual subscriber continued read access to their own content-locked past trips for as long as they subscribe (including the 90-day grace period after cancellation). It does not keep a trip permanently unlocked for the whole group — non-subscribing co-travellers of a free trip still see the content lock until a Trip Pass is purchased.

8.4 Account Deletion

When you delete your account (which requires you to re-authenticate first):

• Your profile and personal data — profile, bucket list, travel history (including trip-confirmation markers), friend connections, friend groups, blocked-user records, friend-suggestion dismissals, your friend activity feed, personal notes, product-interest signals (such as the Max-tier waitlist flag), and notifications — are permanently deleted, along with your uploaded files (such as your avatar) and your login credentials. This happens immediately, not after a delay.
• In trips you shared with others, your contributions — including any trip reviews, wrap-up task-completion timestamps, and the dietary/accessibility notes you shared — are anonymised to a "Deleted user" placeholder so the group's records stay coherent. Expense records you were part of are kept intact for the group's financial accuracy, and photos or documents you uploaded remain in the shared trip for other members.
• We cancel your Stripe subscription and delete your RevenueCat record on a best-effort basis. An App Store or Google Play subscription must be cancelled by you in the relevant store — we cannot cancel it for you.
• Financial records required for tax obligations may be retained for up to 7 years.

8.5 Chat Messages

Chat messages within a trip are retained for the life of the trip and remain visible to its members. For performance the app loads messages in pages (about 100 at a time), but older messages remain available as you scroll back. You can delete your own messages, and deleting your account anonymises the messages you sent.

8.6 Short-Lived and Operational Data

• Live-location shares exist only while you are actively sharing. At the end of the window you set (up to one hour) the share is deactivated and is no longer broadcast to or readable by trip members; the inactive record may remain in our database until routine cleanup removes it.
• Blocked-user records are kept until you unblock the person (or delete your account).
• Rate-limit counters are short-lived server-side records holding only a time window and a count, keyed to a salted hash of the IP address (never the raw IP) or to your user ID.
• Product-analytics events (Google Analytics for Firebase / GA4) are retained for the period set on our Firebase/GA4 property (GA4's default event-data retention is 2 months, extendable to 14 months). Withdrawing analytics consent stops further collection but does not by itself delete events already collected by Google.
• Crash/error and performance reports are retained by Sentry per its default retention (typically around 30–90 days).
• Operational logs (e.g. the Cloudflare cost log) are retained per the provider's log-retention settings.

8.7 Support Communications

Records of support requests and content reports are retained for as long as necessary to handle and document the request, in line with our support-desk provider's retention.