Privacy Policy
Last Updated: 14/01/2026
1. Who We Are
Platform: CouldWe (couldwe.com)
Contact for Privacy Inquiries: support@couldwe.com
2. Age Requirement
You must be at least 16 years old to create an account and use CouldWe. We do not knowingly collect or process personal data from individuals under 16.
3. Data We Collect and How We Use It
Account Creation:
Data Collected: First name, last name (optional), email, password and country (inferred from IP).
Purpose: To create and maintain your account, enable authentication, and personalize your experience.
Legal Basis: Provision of service (contractual necessity).
Profile Information:
Data Collected: Profile picture (optional), location (optional), timezone, country (provided by user and/or inferred from IP).
Purpose: To personalize your experience, display events in your local timezone, and improve the accuracy of date/time extraction from event pages.
Legal Basis: Provision of service (contractual necessity).
Note: Profile images are stored without signed URLs, which means they may be accessible via direct link. Users should avoid uploading sensitive personal images.
Third-Party Sign-In (Google):
Data Collected: First name, last name, and email from Google, plus inferred country.
Purpose: To streamline the sign-up and sign-in process.
Legal Basis: Provision of service (contractual necessity).
Note: Google's OAuth is used for sign-in, and Google reCAPTCHA may be used to verify that account creation and login attempts are made by real users, helping protect against spam and abuse.
Event Bookmarking:
Data Collected: URLs you submit, extracted event details (title, date/time, location, description), event images, and your timezone.
Purpose: To save and organize events from external websites. When you paste a URL, we fetch the page content and use AI to extract event details so you can bookmark things you might want to do.
Legal Basis: Provision of service (contractual necessity).
How It Works: When you add an event URL, we fetch the page using a third-party service (Microlink), extract structured data and page content, then use AI (OpenAI) to identify the event title, date, time, and location. Your timezone is sent to the AI to help interpret dates correctly. See sections 12-14 for more details on these services.
Admin Actions and Moderation:
Data Collected: Minimal logs including admin user ID and action taken, flagged content snapshots, a hash of logged-in user IDs, and their timezone.
Purpose: To maintain platform security, monitor system performance, and ensure compliance with community guidelines.
Legal Basis: Legitimate interests (ensuring community integrity and compliance).
Notifications (In-App & Email):
Data Collected: Notification content (e.g. account security alerts), email address for sending notifications.
Purpose: To keep you informed about important account activity (e.g. password resets, email changes, account security).
Legal Basis: Provision of service (contractual necessity).
Note: QStash is used for email queuing to manage sending notifications efficiently.
Support Inquiries:
Data Collected: Name, email, and message content sent to support@couldwe.com.
Purpose: To assist with your questions or concerns.
Legal Basis: Provision of service (responding to your inquiries).
4. Cookies and Similar Technologies
We use cookies primarily for authentication and session management. These may include cookies from Supabase and Google (if you sign in with Google).
Purpose: To keep you logged in, maintain session state, and provide secure access.
Legal Basis: Provision of service (contractual necessity).
We currently do not use cookies for analytics or marketing. If we introduce these in the future, we will seek user permission if required.
5. Data Storage and Location
We use a combination of hosting, storage, and caching services, primarily located in the UK and EU:
Hosting & Caching (Vercel): The Platform is hosted on Vercel, which may use a global infrastructure. We aim to deploy in regions (such as the EU) that align with our privacy commitments. Some caching may occur globally for performance.
Supabase (Authentication & Database): EU-West-2
PlanetScale (Database): EU-West-2
AWS (Storage & CloudFront CDN): UK (London) for storage where possible, global CDN for content delivery
Upstash (Redis for Caching & QStash for Email Queue): EU-West-1
Resend (Email Sending): Europe (Ireland)
Google Cloud Platform (Sign-In, reCAPTCHA, Web Risk, Places): Primarily EU or US, depending on Google's infrastructure and policies.
Microlink (Page Fetching): Used to fetch web page content when you add event URLs. Processing location depends on Microlink's infrastructure.
OpenAI (Event Data Extraction & Moderation): Used for AI-powered extraction of event details and content moderation. Processing location depends on OpenAI's infrastructure.
Axiom (Logging): Axiom is used for dashboards and logs; data processed by Axiom may be stored within regions that Axiom operates in, and we aim to choose EU/UK where possible.
Sentry (Error Tracking): Sentry is used for error monitoring and debugging. It collects technical information about errors including stack traces, browser information, and user context when errors occur. Data is processed according to Sentry's data processing policies.
By using the Platform, you acknowledge that your data may be transferred and stored in these regions. CDNs and global infrastructure components may temporarily handle data outside the UK/EU for performance, but core storage remains centered in EU/UK regions where possible.
We perform regular database backups on PlanetScale to ensure data integrity and to enable recovery in case of technical issues or data loss. Backups are retained securely within the same region as the primary database (EU-West-2) and deleted in line with our standard retention policies.
6. How Long We Keep Your Data
We retain personal data only as long as necessary to provide our services or as required by law. Examples:
Event bookmarks and associated content: Until you delete them or your account is deleted
Link preview images: Stored on AWS S3 until the associated event is deleted
Admin logs: Typically stored for a limited time (e.g. ~95 days)
Once you delete your account, we remove all personal data unless retention is required for legal or moderation reasons.
7. Your Rights
Subject to UK GDPR, you have the right to:
Access your personal data
Request Correction of inaccurate or incomplete data
Request Deletion of your personal data, unless retention is required by law or legitimate interest
Object or Restrict certain processing
Data Portability, where applicable
To exercise any of these rights, please contact support@couldwe.com. We aim to respond within 30 days. Verification may involve confirming your request via the email address associated with your account.
8. Security Measures
We use industry-standard security measures to protect your data, including secure hosting and access controls. While no method of transmission or storage is 100% secure, we continuously work to safeguard your information.
9. Children's Privacy
We do not allow users under 16 to create accounts. If you believe we have collected data from someone under 16, please contact us so we can delete it.
10. Changes to This Privacy Policy
As the platform evolves, we may update this Privacy Policy. The "Last Updated" date at the top reflects the latest changes. Initially, we will simply update the policy on our site. In the future, once the platform stabilizes, we may introduce more direct notifications for significant changes.
11. Future Considerations
If we introduce marketing or promotional communications in the future, we will seek your consent before sending such messages.
12. Use of OpenAI for Event Data Extraction and Content Moderation
We use OpenAI's services for two purposes: (1) to extract event details from web pages you bookmark, and (2) to check content for compliance with our community guidelines.
12.1 Event Data Extraction:
When you add an event URL, we use OpenAI's language models (GPT-4o-mini and GPT-4o) to intelligently extract event information from the page content, including the event title, date, time, and location.
Data Sent: Cleaned text content from the web page, structured data (JSON-LD, Open Graph tags) found on the page, and your timezone (e.g. "Europe/London") to help interpret dates correctly.
Purpose: To automatically populate event details so you don't have to manually enter them.
Legal Basis: Provision of service (contractual necessity).
12.2 Content Moderation:
We use OpenAI's moderation API to check extracted event content for compliance with our community guidelines.
Data Sent: Event title, description, and location text.
Purpose: To detect and prevent harmful or prohibited content.
Legal Basis: Legitimate interests (keeping the platform safe).
Data Handling:
Data sent to OpenAI is processed according to OpenAI's terms of service and privacy policy. We do not have control over how OpenAI may use this data internally after processing. For more information, visit OpenAI's Privacy Policy.
13. Use of Web Risk API for Link Safety Checks
We use a Web Risk API to check links posted in events for potential security threats such as phishing, malware, or other dangerous content. This means that when you or other users post links in events, these URLs may be sent to a third-party service for safety verification.
Purpose:
To protect users from potentially harmful websites and maintain platform security.
Legal Basis:
Legitimate interests (keeping the platform and users safe from online threats).
Scope:
Links added to events
Data Handling:
We only share the URL itself, with no additional personal data or context. The verification process is designed to minimise data processing while maintaining security.
By posting links on CouldWe, you acknowledge that such content may be processed by our security services in accordance with their data processing practices. The Web Risk API is provided by Google, and its use is subject to Google's data processing terms. For more information about Google's Web Risk API, you can visit Google Web Risk.
14. Use of Microlink for Page Fetching
When you add an event URL, we use Microlink (a third-party service) to fetch and render the web page content, particularly for pages that require JavaScript to display properly or have anti-bot protection.
Data Sent: The URL you submit.
Purpose: To reliably fetch page content from various event websites.
Legal Basis: Provision of service (contractual necessity).
For more information, visit Microlink.
15. Use of Google Places API for Location Data
We may use Google Places API to enrich location information extracted from event pages, providing more accurate venue details and map coordinates.
Data Sent: Location text extracted from event pages (venue name and/or address).
Purpose: To provide accurate venue information, addresses, and map locations for events.
Legal Basis: Provision of service (contractual necessity).
This service is provided by Google and subject to Google Maps Platform Terms.
16. Use of AWS Rekognition for Image Moderation
When event images are extracted from web pages, we use AWS Rekognition to check images for inappropriate or harmful content.
Data Sent: Event images extracted from web pages.
Purpose: To detect and prevent inappropriate images from being displayed on the platform.
Legal Basis: Legitimate interests (keeping the platform safe).
For more information about AWS Rekognition, visit AWS Rekognition.
Get In Touch: For questions or concerns about this Privacy Policy or your personal data, please email us at support@couldwe.com.