Privacy Policy

Version 2.1
Effective date: 11 May 2026 · Last reviewed: 11 May 2026 · Change history

This Privacy Policy explains how Goyova Pty Ltd (ACN [INSERT ACN], "Goyova", "we", "us", "our") collects, uses, discloses, and protects your personal information when you use the Goyova mobile application, the goyova.com website, and related services (together, the "Service").

Goyova is bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). Depending on where you live, additional laws apply — including the EU and UK General Data Protection Regulations, the California Consumer Privacy Act as amended by the CPRA, Korea's Personal Information Protection Act, Brazil's LGPD, and Canada's PIPEDA.

What Goyova is, in plain English. A travel discovery app for natural spectacles (wildlife migrations, blooms, auroras, meteor showers, seasonal phenomena). You can browse, plan trips, and share short visit reports with photos. You don't create an account. You're identified only by a random ID generated on your device. The app is free, contains no advertising, and we don't sell your data.
On this page Summary at a glance Who we are What we collect What we don't collect How we use it Legal bases Sharing International transfers Retention Security Data breach Your rights Australia EU / UK California Korea Other regions Children Tracking Automated decisions Planned features App Stores Changes Contact & complaints

1. SUMMARY AT A GLANCE

The full policy below is binding. This summary is provided for convenience.

WhatPlain English
IdentityGoyova Pty Ltd, an Australian company. Contact: support@goyova.com.
AccountsNot required. Goyova currently has no account system. You use the app anonymously, identified only by a random device ID.
GPS locationUsed on your device to show nearby events and sort by distance. We do not transmit or store your precise location on our servers.
Community visit reportsOptional. When you choose to post, the location and date you enter are visible to all users (the app tells you this in the form). Photos have their EXIF metadata stripped before storage.
Selling dataWe do not sell or "share" your personal information for cross-context behavioural advertising.
AdvertisingNone. No ads. No advertising identifiers (IDFA / AAID). No tracking across apps or websites.
AnalyticsPostHog on EU servers. Anonymous usage events only — no cookies, no profile, no PII.
Delete your dataSettings → Your Data → Clear my data wipes your votes, reports, and request post deletion. Or email support@goyova.com.
Push notificationsNot yet active. The Alerts tab shows your in-app alert preferences only. Push delivery is planned for a future release and will require your permission.
Australian usersYou can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

2. WHO WE ARE

Goyova Pty Ltd
ACN: [INSERT ACN]
Registered office: [INSERT REGISTERED OFFICE STREET ADDRESS, STATE, POSTCODE], Australia
Contact: support@goyova.com
Website: goyova.com

For EU/EEA, UK, Swiss, and Brazilian users, Goyova acts as the data controller of personal information processed through the Service.

Our privacy officer can be reached at the address above. All privacy questions, rights requests, security reports, IP/copyright notices, and moderation appeals should be sent to support@goyova.com with a clear subject line (e.g., "Privacy request — access" or "DMCA notice"). We may add separate addresses as we grow.

3. WHAT WE COLLECT AND WHY

3.1 Random device identifier

The first time you open the Goyova app, your device generates a random, anonymous ID (alphanumeric string) and stores it locally. This ID is the only identifier we use, since the app has no account system. It is:

  • Used to associate community posts, votes, and reports with your device
  • Used to prevent duplicate votes and duplicate reports of the same content
  • Used to enforce blocking — when you block another user, your device ID and theirs are recorded so we can filter their posts out of your view
  • Used to enforce moderation against devices that repeatedly breach our Acceptable Use Policy

    • The device ID is not linked to your name, email, phone number, or any other real-world identifier. Under the GDPR, it is pseudonymous personal data. Clearing app data or uninstalling regenerates it.

    3.2 Location data (GPS)

    Permission requested: Foreground location only ("When in Use" on iOS; ACCESS_FINE_LOCATION on Android). We never request background location.

    Purpose: To calculate distance from your position to natural events and sort the Explore feed by proximity.

    How it works: Your GPS coordinates are processed locally on your device. We do not transmit, store, or retain your precise location on our servers. If you deny location permission, the app continues to work but cannot show distance-based results.

    3.3 Camera and photo library

    Permission requested: Photo Library access, requested only when you tap "Add" inside a visit-report form.

    Purpose: To let you attach up to five photos to a visit report.

    We do not access your camera or photo library in the background. You can use the entire app without granting this permission.

    3.4 Community visit reports (optional)

    When you voluntarily submit a visit report on a spectacle page, we store on our servers:

  • Display name — optional, free-text up to 40 characters. If provided, it appears publicly on your post. It persists on your device for future posts.
  • Visit location — required, the place name you type (a city, region, or landmark). Minimum 2 characters. Shown publicly on your post.
  • Visit date — required day/month/year. Future dates not allowed. Shown publicly.
  • Comment — optional free text up to 280 characters. Shown publicly.
  • Photos — optional, up to 5 per report, JPEG/PNG/WebP, maximum 5MB each.

    • At the moment you fill in the form, the app shows you a just-in-time notice: "📍 '[your location]' and your visit date will be visible to all users". By tapping "Post report" you confirm that you understand and consent to this public display.

    3.5 Photo processing — EXIF stripping

    Every photo you upload is processed server-side before storage:

  • EXIF metadata (including any embedded GPS coordinates, camera serial number, software version, and timestamps) is stripped
  • The image content itself is uploaded to our content delivery network (Cloudflare R2)
  • The only location and date associated with your photo are those you typed in the form

    • 3.6 Voting and reporting actions

    When you vote on or report a community post, we store:

  • Your device ID
  • The post or photo ID you acted on
  • Vote direction (up/down) OR report category (spam, harassment, offensive, misleading, other) and optional free-text reason
  • Timestamp

    • Reports are reviewed by our moderation team. Content reported by three or more unique devices is automatically hidden pending review. When your content is auto-hidden you receive a notification of the most common reason and information about how to appeal (see Section 12 and Acceptable Use Policy).

    3.7 Content moderation by OpenAI

    To filter clearly unsafe content (sexual material involving minors, credible violent threats, etc.) before it is posted, the comment, display name, and visit location you submit are sent to OpenAI's content-moderation API in real time when you tap "Post". OpenAI returns a classification result; if the content is flagged as unsafe under our content standards, your submission is rejected with an error. OpenAI processes this content under its API Terms (no training on API inputs, deletion within 30 days). If the OpenAI service is unavailable, the moderation pass fails open (the post proceeds), but the post remains subject to community reporting and human review.

    3.8 Blocked-users records

    When you tap "Block this user" on a post, we record the pair of device IDs (yours as the blocker, theirs as the blocked). This is used to filter their content out of your view. You can review and unblock anyone you have blocked under Settings → Community → Blocked users.

    3.9 Geocoding queries

    When you type a place name in the Explore search bar, or enter an address in a trip-planning form (hotel, car rental, tour), your text query is sent to OpenStreetMap's Nominatim service to translate it to coordinates. Nominatim sees the search text and your IP address. We do not send Nominatim any other personal data.

    3.10 Trip planning (stored locally)

    Trips you create — pinned events, hotels, flights, car rentals, tours, dates, notes — are stored only on your device using the system's AsyncStorage. They are not synced to our servers, not backed up, and are lost if you uninstall the app or clear app data.

    3.11 Local alert preferences (Alerts tab)

    When you tap the bell icon on an event and toggle "Alert when in season" or "Alert when someone posts", that preference is stored only on your device. The Alerts tab reads these local preferences and displays the events you have alerted on. No push notifications are currently delivered. When push delivery is enabled in a future release, we will request your operating-system push permission separately and update this policy before any tokens are transmitted.

    3.12 Technical information (automatic)

    Like any internet service, our infrastructure providers automatically log technical information when your device interacts with our servers:

  • IP address (used for security, abuse prevention, and rate limiting; not used to identify you)
  • Approximate region derived from IP (country/city only)
  • Device type, operating system, and app version
  • Timestamps of requests
  • Crash and error logs (without personally identifying content)

    • This information is retained briefly for security and reliability purposes (see Section 9).

    3.13 Customer support correspondence

    If you email support@goyova.com, we receive your email address and the contents of your message. We use this only to respond to you and maintain a record of the enquiry.

    4. WHAT WE DO NOT COLLECT

    We do not collect, and we have no technical mechanism in the app to collect:

  • Your real name (unless you choose to put it in the optional display-name field of a post)
  • Your email address (the app has no account system; we only receive your email if you write to support)
  • Your phone number
  • Your contacts, calendar, SMS, or call history
  • Your browsing history outside the Service
  • Payment or financial information (Goyova has no in-app purchases; affiliate bookings happen on third-party partner sites)
  • Microphone audio
  • Background location (we only request "when in use")
  • Health, fitness, biometric, sexual orientation, religious, political, or trade-union data
  • Advertising identifiers (Apple's IDFA, Google's AAID)
  • Any data when the app is not actively in use

    • 5. HOW WE USE YOUR DATA

    DataPurpose
    GPS (on-device)Calculate distances and sort the Explore feed
    Device IDAssociate your community contributions with your device; deduplicate votes/reports; enforce blocking; ban repeat offenders
    Visit reports (location, date, comment, photos, display name)Display your visit report to other users on the same spectacle page
    Photos (high-rated, location-verified)May be promoted as the main event photo and may be used to update event location accuracy. You can request removal at any time.
    OpenAI moderation callsBlock obviously unsafe content (CSAM, credible threats) before it is published
    Vote and report recordsOperate community ranking and moderation
    Blocked-users recordsFilter blocked users' content from your view
    Geocoding textResolve place names to map coordinates
    Technical logsService reliability, security, abuse prevention, debugging
    Support emailRespond to your enquiry
    Anonymous analyticsUnderstand which features are used so we can improve them

    We do not use your data for: advertising of any kind, sale to third parties, "sharing" for cross-context behavioural advertising as defined under California law, profiling or scoring, automated decisions producing legal or similarly significant effects (see Section 21), or training general-purpose AI models.

    6. LEGAL BASES FOR PROCESSING

    6.1 Under the Australian Privacy Act

    We collect personal information for the primary purpose of providing the Service (APP 3). We use and disclose information only for that primary purpose or a directly related secondary purpose you would reasonably expect (APP 6), unless you consent to another use or another exception applies. The Service is designed so that you can use most features anonymously (APP 2).

    6.2 Under the GDPR (EU/EEA) and UK GDPR

    ProcessingLegal basis (Art 6 GDPR)
    Showing distance-based events using GPSPerformance of a contract (Art 6(1)(b)) — you requested the feature by granting permission
    Device ID for community attribution, deduplication, blocking, and abuse preventionLegitimate interests (Art 6(1)(f)) — operating a community-safety feature
    Community posts: visit location, date, comment, photos, display nameYour explicit consent (Art 6(1)(a)) — given when you tap "Post report" after seeing the in-form notice that your location and date will be visible to all users
    OpenAI moderation pre-publication scanLegitimate interests (Art 6(1)(f)) — protecting the community and complying with our legal obligations under the EU Digital Services Act and equivalent laws
    Voting and reportingLegitimate interests (Art 6(1)(f))
    BlockingPerformance of a contract (Art 6(1)(b)) — you requested this
    Technical logs, security, abuse preventionLegitimate interests (Art 6(1)(f)) — protecting the Service and users
    Responding to legal requestsLegal obligation (Art 6(1)(c))

    You may withdraw consent at any time. Withdrawing consent for community posts means we will delete the relevant posts (see Settings → Your Data → Clear my data, or email support@goyova.com).

    6.3 No special-category data

    We do not knowingly process special-category data (health, race, religion, biometrics, etc.) under Art 9 GDPR. Please don't include such information in posts or emails — if you do, contact us to have it removed.

    7. DATA SHARING AND THIRD PARTIES

    We share personal information only with the service providers necessary to operate the Service. Each is contractually prohibited from using your data for their own purposes. We do not sell or "share" personal information as those terms are defined under California law.

    ProviderRoleData processedLocationSafeguard
    Supabase Inc. (supabase.com) Database, storage, future authentication Community posts, photos metadata, blocked-users records, vote/report logs United States EU Standard Contractual Clauses; UK IDTA; AU APP 8 contractual obligations
    Cloudflare Inc. API hosting (Workers), content delivery, security IP address, request metadata, rate-limit counters Global edge network Cloudflare Data Processing Addendum and SCCs
    Cloudflare R2 Photo file storage Photo files (after EXIF stripping) Auto-selected region Same as Cloudflare DPA
    OpenAI, L.L.C. Content moderation (real-time scan of submitted text before publication) Comment text, display name, and visit location at moment of submission. No device ID transmitted. United States OpenAI API terms (no training on API inputs; 30-day retention)
    CARTO (carto.com) Map tile rendering (the dark map background) Your IP, viewport coordinates, device info Global CDN CARTO Privacy Policy and SCCs
    OpenStreetMap Foundation / Nominatim Place-name geocoding (Explore search; trip-form addresses) Your search text, your IP UK (primary) / Global OpenStreetMap Foundation Privacy Policy
    PostHog Inc. (posthog.com) Anonymous product analytics Anonymous usage events: screen views, feature use, app version, device type. No cookies. No PII. EU servers (Frankfurt — eu.i.posthog.com) PostHog EU region — data does not leave the EU. PostHog DPA.
    Unsplash, Pexels, Pixabay, Wikimedia Commons Event photo CDN delivery (curated spectacle imagery, not user-uploaded photos) Your IP and device info (transmitted when your device loads photos from their CDNs) Global CDN Each provider's privacy policy applies to that connection
    Booking partners via AWIN and direct affiliate links (Booking.com, Expedia, Hotels.com, TripAdvisor, Sixt, Kiwi, GetYourGuide, Trivago, Rentalcars) Affiliate accommodation, car-hire, flight, and tour bookings If you tap an affiliate link, you leave Goyova and the partner site/app collects whatever data it collects. We do not transmit your personal information to these partners. Varies Each partner's privacy policy applies. See Terms of Service Section 14.

    7.1 Disclosures required by law

    We may disclose personal information when legally required — for example, in response to a subpoena, court order, valid regulatory request, or to protect the safety of users or the public. We resist over-broad requests and require valid legal process.

    7.2 Business transfers

    If Goyova is involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal information may be transferred as part of the transaction. We will require the recipient to honour this Privacy Policy or notify you and give you a meaningful choice before any new use applies.

    8. INTERNATIONAL DATA TRANSFERS

    Several providers listed above process data outside Australia and outside your country of residence. For each transfer:

  • EU/EEA and Swiss users — transfers outside the European Economic Area rely on European Commission adequacy decisions where available, or the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) signed with each provider, together with supplementary measures (TLS encryption in transit, encryption at rest, access controls, EXIF stripping for photos).
  • UK users — transfers outside the United Kingdom rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
  • Australian users — we comply with Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, we take such steps as are reasonable to ensure the recipient does not breach the APPs.
  • Korean users — by using the Service after reviewing this policy, you consent to the transfer of your personal information to the recipients listed in Section 7 outside Korea, as required by Articles 17 and 28-8 of PIPA.

    • 9. DATA RETENTION

    DataRetention period
    Device IDStored locally on your device until you uninstall, clear app data, or use "Clear my data" in Settings. Not retained on our servers in isolation; associated with your community contributions if any.
    Community posts, photos, locations, datesRetained until you delete them (in-app), we remove them through moderation, or you use Settings → Your Data → Clear my data. Photos previously promoted as "main event photo" may be retained even after device-clearing unless you specifically request removal via support@goyova.com.
    Vote recordsRetained while the post exists. Deleted with the post or via "Clear my data".
    Report recordsUp to 24 months for moderation history and abuse-pattern detection, then deleted or anonymised.
    Blocked-users recordsRetained until you unblock or use "Clear my data".
    Technical logs (IP, request metadata)Up to 90 days for security and abuse-prevention purposes, then deleted or anonymised.
    OpenAI moderation callsNot retained by Goyova. OpenAI retains for up to 30 days under its API terms.
    Analytics events (PostHog)Up to 13 months, then aggregated and anonymised.
    Support correspondenceUp to 3 years for service-history and dispute-resolution purposes.
    Records required by law (tax, fraud, legal claims)For the period required by applicable law (typically 7 years in Australia for tax records).
    Permanent device-block list (repeat AUP offenders)Indefinite, for the sole purpose of preventing repeat abuse.

    We never retain GPS coordinates from your device on our servers.

    10. SECURITY

    We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, including both technical and organisational measures as required by Australian Privacy Principle 11.3 (as strengthened by the Privacy and Other Legislation Amendment Act 2024).

    Technical measures

  • All data in transit encrypted using TLS 1.2 or higher
  • Data at rest encrypted using provider-managed encryption
  • API credentials and secrets stored in encrypted environment variables, never in client-side code
  • Row-level security policies enforced at the database layer
  • Rate limiting on all sensitive endpoints (posting, voting, reporting, uploads, account-data deletion)
  • File-type and file-size validation on every upload (JPEG/PNG/WebP only, max 5MB)
  • EXIF metadata stripped from every uploaded photo before storage
  • Pre-publication content moderation via OpenAI (Section 3.7)
  • Automated text sanitisation (HTML stripping, quote escaping) on all user-submitted text

    • Organisational measures

  • Access to personal information limited to personnel with a legitimate operational need (least privilege)
  • Access revoked promptly when no longer required
  • Personnel bound by confidentiality obligations
  • Documented incident-response procedure reviewed at least annually
  • Data-processing agreements with all sub-processors listed in Section 7
  • Community posts auto-hidden when reported by 3+ unique devices, pending human moderation review

    • No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to support@goyova.com with subject line "Security disclosure".

    11. DATA BREACH NOTIFICATION

    If we become aware of a data breach likely to result in serious harm:

    1. We will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable under the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988).
    2. We will notify affected individuals as soon as practicable.
    3. For EU/UK affected individuals, we will notify the lead supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33, and notify affected individuals without undue delay where required by Article 34.
    4. For residents of other jurisdictions, we will comply with applicable breach-notification laws (California Civil Code §1798.82, PIPA Article 34, LGPD Article 48, PIPEDA Section 10.1).

    12. YOUR RIGHTS — UNIVERSAL

    Regardless of where you live, you can:

  • Delete a specific post — tap "Edit" on your own post, then "Delete this post" (immediate).
  • Clear all your data — Settings → Your Data → Clear my data. This requests deletion of all your posts and photos from our servers within 30 days, and immediately removes your votes, reports, blocked-users records, and device ID from your phone.
  • Unblock users — Settings → Community → Blocked users.
  • Use the app without posting — submission is entirely optional.
  • Email support@goyova.com with any rights request. Please describe what you want and (if known) provide the device ID associated with your installation so we can locate your data.

    • Because Goyova has no account system, we identify your data via the device ID stored on your installation. If you have already cleared your device ID, please describe your posts (location, approximate date) so we can find them.

    We respond to rights requests within 30 days. For complex or multiple requests we may extend by a further 60 days and will tell you why.

    No moderation appeal: if your post has been hidden or removed, you can appeal by emailing support@goyova.com with subject "Moderation appeal" and the post ID (sent in the auto-hide notification, if any).

    13. AUSTRALIAN USERS — ADDITIONAL RIGHTS

    If you are in Australia, the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles give you the right to:

  • Access your personal information held by Goyova (APP 12)
  • Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
  • Anonymity / pseudonymity in dealings with us where practicable (APP 2 — the entire Service operates this way by default; you do not need to identify yourself to us at any point)
  • Complain if you believe Goyova has interfered with your privacy

    • How to complain: please first contact us at support@goyova.com. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the:

    Office of the Australian Information Commissioner (OAIC)
    Phone: 1300 363 992
    Web: oaic.gov.au/privacy/privacy-complaints
    Post: GPO Box 5288, Sydney NSW 2001

    You may also have a separate cause of action under the statutory tort of serious invasion of privacy introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), in force since 10 June 2025.

    14. EU / EEA / UK / SWISS USERS — ADDITIONAL RIGHTS

    If you are in the EU, EEA, UK, or Switzerland, you have the right to:

  • Access a copy of personal data we hold about you (Art 15 GDPR)
  • Rectify inaccurate or incomplete data (Art 16)
  • Erase your data ("right to be forgotten") (Art 17)
  • Restrict processing (Art 18)
  • Object to processing based on legitimate interests (Art 21)
  • Data portability — receive your data in a structured, machine-readable format (Art 20)
  • Withdraw consent at any time, where processing is based on consent (Art 7(3))
  • Lodge a complaint with your national supervisory authority (Art 77). UK users may complain to the ICO at ico.org.uk.
  • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Art 22) — see Section 21.

    • To exercise any right, email support@goyova.com. There is no fee for a reasonable rights request.

    15. CALIFORNIA RESIDENTS — CCPA / CPRA

    California residents have the following rights under the CCPA as amended by the CPRA:

  • Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom it is shared
  • Right to delete personal information we have collected from you
  • Right to correct inaccurate personal information
  • Right to opt out of "sale" or "sharing" for cross-context behavioural advertising. Goyova does not sell or share personal information — there is nothing to opt out of.
  • Right to limit the use and disclosure of "sensitive personal information". Goyova does not collect sensitive personal information as defined under the CCPA / CPRA.
  • Right of non-discrimination for exercising these rights

    • Notice at collection (Cal. Civ. Code §1798.100(b)): the categories of personal information we collect and the purposes are set out in Sections 3 and 5. We do not collect personal information for any purpose not described in this policy. Retention periods are in Section 9.

    To exercise these rights: email support@goyova.com with subject "California Privacy Request".

    16. KOREAN USERS — PIPA

    If you are in the Republic of Korea, the Personal Information Protection Act applies. In addition to the universal rights in Section 12, you have the right to:

  • Be notified of personal information processing (PIPA Art 20)
  • Request access, correction, deletion, and suspension of processing (PIPA Arts 35–37)
  • Withdraw consent at any time (PIPA Art 22)
  • Be informed before personal information is transferred outside Korea (PIPA Art 28-8) — this policy serves as that notification
  • File a complaint with the Personal Information Protection Commission (PIPC) at pipc.go.kr or the Korea Internet & Security Agency (KISA) at kisa.or.kr

    • 17. OTHER REGIONS

    If you are in Brazil (LGPD), Canada (PIPEDA), Japan (APPI), Singapore (PDPA), New Zealand (Privacy Act 2020), South Africa (POPIA), or another jurisdiction with applicable privacy law, you have the rights granted by your local law. Please contact support@goyova.com to exercise them.

    18. CHILDREN'S PRIVACY

    Goyova is rated 12+ on the Apple App Store and Teen on the Google Play Store due to user-generated content.

    Under 13: Goyova is not directed at children under 13. We do not knowingly collect personal information from a child under 13. The app does not currently include an age-gate; we identify under-13 use only through reports or context. If you are a parent or guardian and believe a child under 13 has submitted content, please contact support@goyova.com and we will delete it within 30 days.

    Ages 13–17: Users aged 13–17 may use the Service with parental awareness. We do not collect sensitive personal information from any user, do not target users under 18 with profiling, and do no behavioural advertising of any kind.

    Australia (Children's Online Privacy Code): Goyova's primary purpose is travel discovery and trip planning, not social interaction; we therefore consider Goyova a "designated internet service" rather than a "social media service" under the Online Safety Act 2021 (Cth). We will monitor the Children's Online Privacy Code being developed by the OAIC under the Privacy and Other Legislation Amendment Act 2024 and update this policy as required when it commences.

    UK (Age Appropriate Design Code): If you are in the UK and a child, we apply the standards of the ICO's Children's Code, including data minimisation, transparency in age-appropriate language, and disabling geolocation by default.

    19. COOKIES AND TRACKING TECHNOLOGIES

    Mobile app

    The Goyova app does not use cookies (mobile apps are not browsers) and does not use advertising identifiers (IDFA on iOS, AAID on Android). We do not display Apple's App Tracking Transparency prompt because the app does not engage in "tracking" as defined in Apple's policy.

    Website (goyova.com)

    Our marketing website uses only essential first-party cookies necessary to display content correctly. We do not use third-party analytics cookies, advertising cookies, or social-network trackers on the website. If this changes, this section will be updated and EU/UK users will be presented with a cookie consent banner.

    20. AUTOMATED DECISION-MAKING

    We do not make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (within the meaning of GDPR Art 22, UK GDPR, and the new transparency rules under the Privacy and Other Legislation Amendment Act 2024 (Cth) taking effect on 10 December 2026).

    The Service uses automated systems for limited operational purposes only:

  • OpenAI pre-publication moderation — flags clearly unsafe content (CSAM, credible threats, etc.) and rejects the submission. You see the error and can edit and re-submit.
  • Auto-hide on community report — posts reported by 3 or more unique devices are automatically hidden pending human review. You are notified and can appeal.
  • Main event photo selection — based on community votes and location-confidence signals. Photographers can request removal at any time.
  • Distance-based feed ranking — based on your foreground GPS, on-device.

    • None of these decisions produce legal or similarly significant effects on you. You can request human review of any such decision by contacting support@goyova.com.

    21. FUTURE FEATURES (DISCLOSED IN ADVANCE)

    For transparency, the following features are being built but are not yet active in the current version of the Service:

  • User accounts — we may introduce optional email/password accounts to let you sync alert preferences and trips across devices. When enabled, this policy will be updated to describe the data collected at signup (email, hashed password, optional username) and you will be required to consent before creating an account. No account data is collected today.
  • Push notifications — we may enable push delivery of in-season alerts and new-visit-report notifications. When enabled, the app will request your operating-system push permission, and we will store a push token associated with your device. No push tokens are collected today.
  • Commercial Contributor Programme — we may offer an opt-in programme that allows you to commercially license your photos to third parties. This is distinct from the current "Founding Contributor" badge programme (which is non-commercial recognition). If launched, joining will require a separate explicit consent (GDPR Art 7 / PIPA Art 22 compliant) and a separate agreement.

    • We will update this policy and notify you in-app before any of these features become active.

    22. APP STORES

    Goyova is distributed through the Apple App Store and the Google Play Store. Apple Inc. and Google LLC are not parties to this Privacy Policy. Apple and Google collect their own data when you download, install, or use apps subject to their respective privacy policies:

  • Apple: apple.com/legal/privacy
  • Google: policies.google.com/privacy

    • Our Apple "Privacy Nutrition Label" and Google Play "Data Safety" disclosures summarise the same practices described in this policy.

    23. CHANGES TO THIS POLICY

    We may update this Privacy Policy. The version number and effective date at the top will reflect the latest revision. For material changes — that is, changes that materially affect your privacy or expand our uses of your personal information — we will give reasonable advance notice through:

  • An in-app notice on next launch
  • A prominent banner on goyova.com

    • Continued use of the Service after the effective date of a material change means you accept the updated policy. See the Change Log.

    24. CONTACT AND COMPLAINTS

    All enquiries: support@goyova.com

    Please include a clear subject line so we can route your message correctly:

  • "Privacy request — access / deletion / correction / portability"
  • "Security disclosure"
  • "DMCA notice" or "Copyright notice"
  • "DSA notice" (EU users reporting illegal content)
  • "Moderation appeal"
  • "California Privacy Request"

    • Postal:
    Goyova Pty Ltd
    [INSERT REGISTERED OFFICE ADDRESS]
    Australia

    If you are unsatisfied with our response, refer to Sections 13–17 for the supervisory authority in your jurisdiction.