Privacy Policy
Last updated: 30 May 2026
1. Data controller
The data controller is Hugo Nectoux (autónomo), Spain, contactable at hugo@barhio.com and at the postal address shown in our Aviso Legal. For any privacy matter, write to hugo@barhio.com.
2. What data we collect and why
| Category | Examples | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | email, password hash, username, display name, avatar, bio | Create & manage your account | Contract (6.1.b) |
| Saved places | place IDs, visited/wishlist status, your 1–5★ ratings, notes, date saved | Core service: your saved places | Contract (6.1.b) |
| Lists | list titles, descriptions, ordering, public/private flag, public slug | Create & share lists | Contract (6.1.b) |
| Social graph | friend requests, accepted friendships | Friend features & friend ratings | Contract (6.1.b) |
| Location | device location while using the map | Center the map, show nearby/saved places | Consent (6.1.a) via OS permission |
| Device & push | Expo push token, device type | Send notifications you enabled | Consent / Contract |
| Restaurant Pro | business contact, claim verification, billing status | Provide & bill the Pro service | Contract (6.1.b) |
| Payment data | handled by Stripe; we receive status, not full card data | Process subscriptions | Contract (6.1.b) / Legal obligation (accounting) |
| Capture inputs | the Instagram/Google Maps URL you choose to share to Barhio | Extract a place from the URL | Consent / Contract (you initiate it) |
| Google Maps import | places you choose to import from your existing Google saved places | Bulk-import them into your Barhio account | Consent (6.1.a) — you trigger and authorise it |
| Usage/diagnostics | basic logs, error data | Security, maintenance | Legitimate interests (6.1.f) |
3. AI-assisted place extraction
When you share a link (e.g. an Instagram URL) to Barhio, that URL is sent to Anthropic's Claude API (via our secure server function) to identify the place referenced, then matched against Google Places. We send the URL and minimal context — not your account identity beyond what is needed to return the result.
3b. Google Maps import
If you choose to import your existing Google Maps saved places, you authorise Barhio to read the places you select from your Google account and copy them into your Barhio account as your saved places. We import only the place data needed for that purpose and do not access unrelated Google account data. You can delete imported places individually or in bulk at any time.
4. How content is shared with other users
- Your saves are private by default and visible only to accepted friends per your settings.
- A public list is accessible to anyone with the link, including non-users, and shows the list name, places, and ratings you chose to include.
- Friend ratings you give are visible, in aggregated and individual form, to your accepted friends on the relevant place page.
5. Recipients / processors
We share data with service providers acting on our instructions:
| Provider | Role | Data |
|---|---|---|
| Supabase | Auth, database, storage, realtime — EU region | Account, saved places, lists, social graph, avatars |
| Google Places | Place lookup | Search terms, place IDs |
| Mapbox | Map rendering | Coordinates / map tile requests |
| Anthropic (Claude API) | AI place extraction | Shared URLs |
| Stripe | Restaurant payments | Billing data (restaurant users) |
| Expo (push) | Notifications | Push token |
| Vercel | Web hosting (public lists, dashboard) | Web request data |
We do not sell your personal data.
6. International transfers
Your core account data is stored in the EU/EEA (Supabase, EU region). Some processors are based in the United States and may process limited data there: Anthropic (shared URLs for place extraction), Stripe (restaurant billing), Google (Places lookups and, if you use it, Maps import), Mapbox and Vercel (web requests), and Expo (push tokens).
For these transfers we rely on appropriate safeguards under the GDPR — the EU Standard Contractual Clauses and/or, where applicable, the EU–US Data Privacy Framework. You can request details of the safeguards at hugo@barhio.com.
7. Retention
- Account data: kept while your account is active.
- On account deletion: personal data is deleted or anonymised, except data we must keep by law (e.g. invoicing/accounting records for restaurant subscriptions — generally kept for the periods required under Spanish tax and commercial law) and short-term backups.
- Public-list copies already obtained by others (e.g. a shared URL screenshot) are outside our control.
8. Your rights
Under GDPR you may: access your data; rectify it; erase it; restrict or object to processing; port your data; and withdraw consent at any time (e.g. location, notifications) without affecting prior processing. Exercise these at hugo@barhio.com. You may also complain to a supervisory authority. As the controller is established in Spain, the lead authority is the AEPD (aepd.es); users in France may also contact the CNIL (cnil.fr).
9. Minors
The Service is intended for users aged 16 and over and is not directed at children. We do not knowingly collect data from anyone below that age.
10. Security
We use row-level security (RLS) at the database level, encrypted secrets, and provider-side security. No system is perfectly secure; we will notify you and the authority of qualifying breaches as required.
11. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you by purely automated means. Friend ratings are aggregations of human ratings, not profiling of you.
12. Changes
We will post updates here and change the "Last updated" date; material changes will be notified.
Contact: hugo@barhio.com