Legal Document

Privacy Policy

Last updated: June 12, 2026 · Version 1.0 · Estimated reading time: 15 minutes

At a glance

• We collect the data needed to run a personalised event discovery app — and nothing more
• We do not sell your data and we do not run advertising networks
• When you buy a ticket, the event organiser receives your name and email
• Your data is stored on servers in the United States (Supabase, Clerk, Stream Chat, Groq)
• You can delete your account — and your data — at any time
• We are registered with (or registering with) Ghana's Data Protection Commission under Act 843

1. Who We Are

GoOutside is operated by Soro Technologies ("we", "us", "our"), a company incorporated in Ghana. GoOutside is a social-first event discovery platform that helps people in Ghana discover, attend, and share events.

Detail	Information
Company	Soro Technologies
Location	Accra, Ghana
Privacy email	privacy@gooutside.club
DPC Registration	Pending — will be published upon receipt
Data Protection Supervisor	To be inserted upon DPC registration

We are registered with (or in the process of registering with) the Data Protection Commission of Ghana as required under the Data Protection Act, 2012 (Act 843).

2. What This Policy Covers

This policy applies to the GoOutside web application (gooutside.club), associated subdomains, and the mobile app when available.

It does not apply to: third-party websites GoOutside links to, event organisers' own data practices (they are independent data controllers), or third-party payment processors.

3. Information We Collect

3.1 Account & Identity Data

Data	How Collected	Why
Email address	At sign-up	Account creation, communications, ticket delivery
First name and last name	Sign-up or Google OAuth	Identity, public profile, ticket name
Password	At sign-up	Authentication — managed by Clerk; we never see your plain-text password
Profile photo (avatar)	Uploaded by you	Public profile display
Username (handle)	Set during onboarding	Public identity on the platform
Phone number	Optional	Account security, event communications
Twitter/X username	Optional, if you connect Twitter	Social profile linking

3.2 Profile & Preference Data

Data	Purpose
Bio	Public profile display
Home city	Localises your event feed
Interest categories (Music, Tech, Food, etc.)	Feed personalisation
Vibe preferences (frequency, crew size, time-of-day)	Feed personalisation
Onboarding event history ('events you've attended before')	Calculates your starting Pulse Score
Pulse Score and tier	Rewards eligibility; visible on public profile
Notification preferences	Controls which notifications you receive

Your interests, vibe, and city are also stored in a preference cookie (go_prefs) for 30 days so the app loads quickly without a database call on each visit.

3.3 Location Data

Type 1 — City (always collected): You select your home city during onboarding. Stored in your profile, used to filter your feed, and visible on your public profile.

Type 2 — GPS / Precise Location (only with your permission): If you grant location permission, we capture your GPS coordinates and send them to Google's Geocoding API to resolve to a formatted address. We only request this when you explicitly trigger a location feature. We do not track your location continuously or in the background, and do not share precise coordinates with event organisers.

Type 3 — IP-Derived Location (automatic): Your IP address is sent to ip-api.com to approximate your city, region, and country. Used for analytics and regional event surfacing.

Type 4 — Live Event Location (events only): During live events (3 hours before to 5 hours after end), your GPS may power live location features at the venue, visible to other authenticated users. Automatically deleted when the window closes.

3.4 Behavioral & Interaction Data

Signals about how you interact with content, used to power your personalised feed and Pulse Score.

Signal Type	Examples
Event interactions	Card views, dwell time (ms), clicks, saves, dismissals, share, ticket intent, check-in
Page-level data	Pages visited, time spent, scroll depth, bounce detection
Micro-events	Individual clicks/hovers, cursor position, search queries, cart adds/removes
Behavioral profile (computed)	Device tier, price sensitivity, peak usage hours, discovery style, conversion rates — internal use only

3.5 Device & Technical Data

Data	Source
IP address	Automatically, on every visit
Browser type and version	HTTP request
Operating system	HTTP request
Device type (mobile/tablet/desktop)	HTTP request
Referrer URL	HTTP request
Session token	Generated client-side on first visit

3.6 Browser Fingerprint Data

We want to be transparent: GoOutside uses browser fingerprinting for fraud prevention and security. This collects more detailed technical signals than standard device data. Here is exactly what we collect on every page load:

Signal	What it captures
Canvas fingerprint	Hash of how your browser renders 2D graphics — unique to your device/browser combination
WebGL fingerprint	Hash from your GPU's 3D rendering, including GPU vendor and renderer name
Audio context fingerprint	Hash of how your browser processes audio
CPU cores / RAM	Number of logical processors and approximate available RAM in GB
Screen dimensions and resolution	Width, height, pixel ratio, color depth
Installed fonts count	Number of fonts accessible to the browser
Browser language / timezone / platform	Language setting, device timezone, OS platform string
Touch support	Number of touch points supported
Connection type and download speed	Network category and approximate speed
Battery level and charging state	Battery % and charging status (where browser supports this API)
Ad blocker / Do Not Track / Incognito mode	Whether these browser features are active
WebRTC support	Whether peer-to-peer networking is supported

Why: To detect fraud, bot traffic, and account takeover attempts. Also links pre-sign-in browsing to your account after sign-up to seed your first personalised feed.

You can request deletion of fingerprint data at privacy@gooutside.club. Privacy extensions like Canvas Blocker or Privacy Badger will limit the effectiveness of this tracking.

3.7 Payment & Transaction Data

GoOutside uses Paystack for all payments. We do not store your card number, CVV, expiry date, or bank account details. Paystack handles all of that under PCI-DSS compliance.

What GoOutside stores after a successful payment:

Data	Stored in
Paystack transaction reference	GoOutside database
Payment amount (GHS)	GoOutside database
Payment channel (card / mobile money / bank)	GoOutside database
Payment status and timestamps	GoOutside database
Ticket type, quantity, attendee name and email	GoOutside database
Payment metadata from Paystack (may include card network type)	GoOutside database

Pulse Points ledger: Every earn or spend is recorded as an append-only entry that is never deleted — your complete rewards transaction history.

3.8 Social Graph Data

Data	Visibility
Users you follow	Visible on your public profile
Your followers	Visible on your public profile
Organizers you follow	Visible on your public profile
Friend requests	Private — not visible to others
Blocked users	Strictly private

Your follow relationships are used as social signals in other users' feeds ("3 people you follow are going to this event").

3.9 Content Data

Content	Stored	Visibility
Posts (text ≤500 chars)	GoOutside database	Public by default
Post images	Supabase Storage	Public by default
Snippets (post-event reviews ≤280 chars)	GoOutside database	Visible on profile and event page
Reviews and star ratings	GoOutside database	Publicly visible on event page
Moderation reports you file	GoOutside database	Visible only to GoOutside moderation team

3.10 Communications Data

Direct messages are powered by Stream Chat (GetStream.io). Message content is stored on Stream Chat servers — not on GoOutside servers. We store only: which users have a conversation, the last message timestamp, and an 80-character message preview.

In-app notifications are stored in our database and visible only to you.

Transactional emails are sent via Resend, which receives your email and name for delivery.

3.11 AI Interaction Data

When you use AI Chat, Weekend Assistant, or "Why This?", the following is sent to Groq (our AI provider) on US servers:

Your message text and up to 10 prior messages in the conversation
Your interest categories, Pulse Score and tier, home city
Titles of recently saved and attended events

Groq does not use your data to train AI models. Do not share sensitive personal information (health details, home address, financial details) in AI queries.

3.12 Information We Infer

Some information is not typed directly by you, but is inferred from your use of GoOutside. We use these inferences to make discovery feel less random and to protect the platform.

Inference	Examples	Use
Event taste	Music-heavy, food-focused, tech-curious, nightlife-oriented, family-friendly	Ranking your home feed and search results
Budget sensitivity	Free-event preference, low-ticket preference, premium-event interest	Showing more relevant tickets and rewards
Timing preference	Weeknight, weekend, afternoon, late-night	Weekend Assistant and feed ordering
Social discovery style	Often follows friends, often saves solo, often buys after social proof	Social signals and recommendations
Abuse or fraud risk	Suspicious device fingerprint, unusual payment behavior, spam-like activity	Security review and account protection

These inferences are internal. We do not sell them, and we do not give organizers your individual behavioral profile.

3.13 Information Others Provide About You

Other users may create information involving you. For example, someone may follow you, invite you to a conversation, mention you in a post, send you a direct message, report your content, or scan your ticket at an event entrance.

We process that information to operate the relevant feature, protect the service, and maintain accurate event and ticket records. If the information is public content, it may remain visible until deleted by the person who posted it or removed by GoOutside.

3.14 Avatar and Profile Photo Data

GoOutside supports two profile image types: uploaded profile photos and generated Navii avatars. Uploaded photos are stored in Supabase Storage. Generated avatars are deterministic images created from a seed such as your user ID or email-derived identifier.

If you upload a photo, you are responsible for having the right to use it. Your profile photo or generated avatar may be visible anywhere your public profile appears, including posts, comments, followers lists, organizer pages, and messages.

3.15 Sensitive Information

GoOutside is not designed for processing sensitive personal information such as health details, religious beliefs, political opinions, national identification numbers, precise home addresses, or financial account details. Please do not put this information in your profile, posts, direct messages, support requests, or AI prompts unless it is strictly necessary.

If you choose to post or send sensitive information, we process it only to provide the feature you used, enforce our policies, respond to support requests, comply with law, or protect users and the platform.

4. Why We Collect It — Purposes of Processing

Purpose	Data Used
Account creation and management	Identity data, email, password, profile data
Personalised event feed	Interests, vibe, location, behavioral data, social graph
Ticket purchasing and fulfillment	Identity, payment reference, attendee details
Pulse Score calculation	Event saves, check-ins, purchases, posts, referrals
Rewards and redemption	Pulse Points ledger, user ID, reward catalog
Direct messaging	User ID, conversation metadata (content via Stream Chat)
AI-powered event discovery	Interests, score, city, conversation history (via Groq)
Fraud prevention and security	IP address, browser fingerprint, device data
Analytics and service improvement	Behavioral data (aggregated and anonymised where possible)
Legal compliance	Identity, payment records, IP logs
Transactional communications	Email address, name, ticket details
Marketing communications	Email, name — only with your explicit consent

5. Legal Basis for Processing

Processing Activity	Legal Basis
Account registration and management	Contract — necessary to provide the service
Ticket purchasing and fulfillment	Contract — necessary to complete the transaction
Feed personalisation based on stated interests	Contract / Legitimate interests
Behavioral profiling for feed improvement	Legitimate interests — improving platform relevance
Browser fingerprinting	Legitimate interests — fraud prevention and security
Pre-login tracking via go_vid cookie	Legitimate interests — security and fraud prevention
GPS / precise location collection	Consent — you explicitly grant permission
Sending marketing emails	Consent — you opt in (never pre-ticked)
AI chat queries sent to Groq	Contract — necessary to operate the AI feature
Payment processing via Paystack	Contract — necessary to process your payment
Retaining payment records for 7 years	Legal obligation — Ghana Revenue Authority tax requirements
Legal disclosures to authorities	Legal obligation

Where we rely on legitimate interests, we have carried out a balancing test and concluded our interests do not override your rights. You may object to any such processing — see Section 12.

6. How We Share Your Data

6.1 Sharing With Event Organizers — Read This First

When you purchase a ticket, the event organiser receives your name, email address, ticket type, and order reference. This is necessary for event entry management.

The organiser does not receive: your payment card details, phone number, Pulse Score, behavioral data, private messages, or precise GPS location.

Organizers are independent data controllers for the attendee data they receive. We recommend reviewing the organiser privacy notice before purchasing.

6.2 Third-Party Service Providers

Provider	Data Received	Purpose
Clerk (auth.clerk.com)	Email, name, avatar, username	Authentication
Supabase (supabase.com)	All application data	Database and file storage
Stream Chat (getstream.io)	User ID, display name, avatar, all DM content	Real-time messaging
Paystack (paystack.com)	Email, payment amount, ticket reference	Payment processing
Resend (resend.com)	Email address, name	Transactional email delivery
Groq (groq.com)	Message text, interests, city, pulse score, event history	AI features
Google Maps Platform	GPS coordinates, location search text	Reverse geocoding and location autocomplete
ip-api.com	Raw IP address	IP-to-city geolocation on new sessions
Vercel (vercel.com)	HTTP request metadata, IP addresses	Web hosting

6.3 What We Never Do

• We do not sell your personal data to any third party
• We do not share your data with advertising networks
• We do not use your identity (name, photo) in ads shown to other users
• We do not read your private messages — DM content is processed only by Stream Chat
• We do not share your precise GPS location with event organisers
• We do not use your AI chat queries to train machine learning models
• We do not send your payment card details to anyone other than Paystack

7. What Others Can See

GoOutside has social features, so some information is designed to be visible to other people. The visibility depends on the feature you use and the choices you make.

Information	Typical Visibility	Notes
Name, username, avatar, bio, city, Pulse tier	Public profile	Visible to signed-in users and may appear in previews, search, posts, comments, followers lists, and messages
Posts, post images, snippets, reviews, ratings	Public by default	Other users may screenshot, quote, or share public content outside GoOutside
Followers and following	Visible on profile	Used for social proof such as friends attending or saving events
Event saves and RSVPs	May be shown as social signals	For example, users may see that people they follow are interested in an event
Ticket purchases	Private except as needed for event entry	Organizers receive attendee details needed to manage admission
Direct messages	Visible to conversation participants	DMs are not public, but they are not end-to-end encrypted
Moderation reports and blocked users	Private	Visible only to GoOutside moderation or support staff as needed
Precise GPS location	Private unless using a live location feature	Never shared with organizers for ordinary ticket purchases

Public content can be copied or reshared by other people. Even if you delete public content later, GoOutside cannot control copies that others already made outside the app.

8. Partners, Vendors, and Integrated Services

GoOutside relies on specialist vendors to provide authentication, storage, payments, messaging, email, hosting, maps, and AI features. These vendors process data for the specific service they provide to GoOutside, subject to their own security and privacy commitments.

Category	Vendor	Role	Data Usually Processed
Authentication	Clerk	Creates sessions, handles passwords and OAuth	Email, name, avatar, user ID, session metadata
Database and storage	Supabase	Stores app data and uploaded media	Profiles, events, posts, ticket records, images, notification rows
Messaging	Stream Chat	Real-time direct messages	User IDs, names, avatars, message content, channel metadata
Payments	Paystack	Processes card, mobile money, and bank payments	Email, amount, payment method metadata, transaction reference
Email	Resend	Sends transactional and notification emails	Recipient email, name, message template, delivery metadata
AI	Groq	Processes AI assistant prompts	Prompt text, limited profile context, event context
Maps	Google Maps Platform	Location search and reverse geocoding	Coordinates or place search text
Hosting	Vercel	Serves the web app and API routes	Request metadata, IP address, logs

We may add, replace, or remove vendors as GoOutside grows. When a new vendor materially changes how your personal data is processed, we will update this policy.

9. International Data Transfers

GoOutside is a Ghanaian company, but several key service providers operate primarily in the United States. Your personal data is therefore transferred outside Ghana.

Service	Data Transferred	Location
Clerk	Identity and auth data	United States (AWS)
Supabase	All application data	United States (AWS)
Stream Chat	All DM content	United States
Groq	AI query data	United States
Resend	Email delivery data	United States
Google Maps	GPS coordinates, location queries	United States (Google Cloud)
ip-api.com	IP addresses	ip-api.com infrastructure
Vercel	HTTP request metadata	United States / global CDN

By creating a GoOutside account and accepting this Privacy Policy, you consent to your personal data being transferred to and processed in the United States by the service providers listed above. If you object, contact us at privacy@gooutside.club or delete your account.

10. Pulse Score & Automated Profiling

Your Pulse Score is calculated algorithmically from your behavior on GoOutside. This constitutes automated profiling under Act 843 and GDPR.

Activity	Points
Buying a ticket	+25 PP
Checking in at an event	+50 PP
Creating a post	+10 PP
Saving an event	+5 PP
Referring a friend	+100 PP
5th event attended (milestone)	+150 PP
10th event attended (milestone)	+150 PP
Monthly attendance streak	+75 PP

Your lifetime Pulse Points determine your tier (Newcomer → Regular → Plugged In → Scene King → Legend), visible on your public profile and determining reward eligibility.

Your rights regarding profiling: View your full ledger at Dashboard → Rewards → Activity. Request a human review of any calculation you believe is inaccurate by emailing privacy@gooutside.club. You may object to profiling, though this may limit your access to rewards.

11. Messages and Notifications

GoOutside may notify you about account security, ticket purchases, event changes, direct messages, follows, friend activity, organizer updates, rewards, and product announcements.

Channel	What We Send	How to Control It
In-app notifications	Ticket updates, follows, comments, rewards, message alerts	Dashboard notification settings
Browser push notifications	Time-sensitive alerts such as new direct messages	Browser permission settings and GoOutside notification settings
Email	Receipts, ticket confirmations, security notices, optional digests and marketing	Unsubscribe links and account settings
Direct messages	Messages from other GoOutside users	Block users, decline requests, or adjust message notification settings

Some communications are transactional and cannot be fully disabled while your account is active, such as security alerts, payment receipts, critical ticket updates, and legal notices.

Direct messages are stored and delivered by Stream Chat. They are private to conversation participants, but they are not end-to-end encrypted. GoOutside or Stream may access message content where required for abuse prevention, support, legal compliance, or security.

12. Cookies & Tracking Technologies

Cookie	Type	Duration	Purpose
`go_vid`	Essential	90 days	Visitor identifier — set before sign-in, used for fraud detection and seeding your first feed
`go_done`	Essential	30 days	Records onboarding completion
`go_prefs`	Functional	30 days	Stores city, interests, vibe, Pulse tier locally for fast page loads — readable by JavaScript
`go_draft`	Functional	1 day	Temporarily stores partial profile data including GPS coordinates during onboarding
Clerk session cookies	Essential	Session	Authentication session management

No advertising cookies. GoOutside does not use Google Analytics, Facebook Pixel, Hotjar, or any advertising network tracking technologies.

Shopping cart data is stored in browser localStorage until you checkout or clear browser storage.

See our Cookie Policy for full details on managing cookies.

13. Data Retention

Data Category	Retention Period
Active account data (profile, preferences, posts)	Life of your account
Deleted posts and content	Removed from public view immediately; purged from backups within 90 days
Behavioral interaction data	Life of account; anonymised if account is deleted
Browser fingerprint data	Life of account; deleted with account
Payment records and ticket purchases	7 years (Ghana Revenue Authority tax compliance)
Pulse Points ledger	Life of account (append-only)
AI chat conversations	Life of account; can be deleted on request
IP address and session logs	12 months
Deleted account — profile data	Deleted within 30 days of account deletion request
Deleted account — payment records	Retained 7 years (legal obligation)
Deleted account — behavioral data	Anonymised within 30 days
Database backups	Overwritten within 90 days

14. Data Security

All data in transit is encrypted via HTTPS/TLS
Database access is protected by Supabase Row Level Security (RLS)
Server-side database client uses a service-role key never exposed to the browser
Authentication (passwords, sessions) managed by Clerk using industry-standard security
Payment card data is never stored on our systems — Paystack's PCI-DSS infrastructure handles this
Ticket QR codes are cryptographically signed JWTs with bcrypt-hashed secrets

Breach notification: In the event of a breach posing risk to your rights, we will notify the Data Protection Commission of Ghana within 72 hours and notify affected users as soon as practicable.

15. Your Rights

Right	How to Exercise
Right to Be Informed	This Privacy Policy is our primary disclosure
Right of Access — request a copy of your data	Email privacy@gooutside.club — subject: 'Data Access Request'. Response within 30 days.
Right to Correction — fix inaccurate data	Dashboard → Profile → Edit, or email us
Right to Deletion — delete your account and data	Dashboard → Profile → Settings → Delete Account. Profile data deleted within 30 days.
Right to Object to direct marketing	Use the unsubscribe link in any email, or email us. We stop immediately.
Right to Object to legitimate-interest processing	Email privacy@gooutside.club — we will cease unless we demonstrate compelling grounds
Right to Withdraw Consent (GPS, marketing)	Revoke in device settings or email us. Withdrawal does not affect prior processing.
Right to Data Portability — export your data as JSON	Email privacy@gooutside.club — subject: 'Data Export Request'
Right to Lodge a Complaint	Data Protection Commission Ghana — dataprotection.org.gh

We acknowledge all requests within 5 business days and respond fully within 30 days.

16. How to Manage or Delete Your Information

You can manage much of your information directly inside GoOutside. Some changes may take effect immediately in the app but remain in backups for a limited period.

Action	Where	What Happens
Edit profile	Dashboard -> Profile	Updates your name, username, avatar, bio, city, and public profile details
Change notification preferences	Dashboard -> Settings	Controls message, social, event, reward, organizer, and marketing notifications
Delete posts or reviews	Relevant post, profile, or event page	Removes the content from public display; backup copies expire later
Block a user	User profile or message thread	Limits that user ability to interact with you
Export data	Email privacy@gooutside.club	We provide a machine-readable copy where technically feasible
Delete account	Dashboard -> Profile -> Settings or email us	Profile and non-required data are deleted or anonymised; legal records may be retained

Deleting your account does not automatically delete records we must keep for legal, tax, fraud prevention, dispute resolution, payment reconciliation, or security reasons.

17. Legal Requests, Safety, and Harm Prevention

We may access, preserve, use, or disclose information if we believe in good faith that doing so is reasonably necessary to:

Comply with Ghanaian law, court orders, subpoenas, production orders, or valid requests from government authorities
Enforce our Terms of Service, event rules, payment rules, or organizer obligations
Detect, prevent, or investigate fraud, spam, account takeover, bot activity, platform abuse, or security incidents
Protect the rights, property, safety, and integrity of GoOutside, Soro Technologies, users, event attendees, organizers, vendors, or the public
Respond to emergency situations involving risk of death, serious injury, or imminent harm

Where legally permitted and appropriate, we try to limit disclosures to the minimum information necessary for the request or safety purpose.

18. Children's Privacy

GoOutside is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has created an account, contact privacy@gooutside.club and we will delete it promptly.

Note: Ghana's Data Protection Bill 2025 (pending enactment) is expected to introduce parental consent requirements. We will update this policy when it comes into force.

19. For Event Organizers

When you collect attendee data through the GoOutside ticket flow, you become an independent data controller for that data. You are responsible for having your own privacy notice, using attendee data only for event management, and complying with Ghana's Data Protection Act 2012.

What GoOutside provides to organizers: Attendee name, email, ticket type, and order reference. Aggregate analytics (total sales, revenue, check-in rates). Not provided: payment card details, Pulse Scores, private messages, or precise GPS location.

A Data Processing Agreement (DPA) is available on request at privacy@gooutside.club.

20. Ghana Data Protection Act 2012 (Act 843)

GoOutside (operated by Soro Technologies) is registered with or registering with the Data Protection Commission of Ghana. Our DPC Registration Number will be published here upon receipt.

Principle	How GoOutside Complies
Accountability	Soro Technologies takes full responsibility for all personal data held and processed
Lawfulness	Valid legal basis documented for every processing activity (see Section 5)
Specification of purpose	All purposes stated before or at the time of collection (see Section 4)
Compatibility	Data is not used beyond stated purposes
Quality	Users can update data at any time via profile settings
Openness	Full disclosure via this Privacy Policy
Security safeguards	Technical and organisational measures described in Section 11
Data subject participation	All rights honoured as described in Section 12

Complaints: Data Protection Commission of Ghana — dataprotection.org.gh · P.O. Box CT 1719, Cantonments, Accra

21. For Users in the European Economic Area

If you are in the EEA, Switzerland, or the United Kingdom, you have additional rights under the GDPR: right to restriction of processing, right to object to automated decision-making (see Section 8), and the right to lodge a complaint with the supervisory authority in your country of residence.

For transfers of EEA user data to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

22. Changes to This Policy

When we make material changes, we will: (1) post the updated policy at gooutside.club/privacy, (2) update the "Last updated" date, and (3) send email notification at least 14 days before changes take effect. Previous versions are available on request.

23. Contact Us

Type	Contact
General privacy enquiries	privacy@gooutside.club
Data access / deletion / export requests	Email privacy@gooutside.club — subject: "Data Access Request" / "Data Deletion Request" / "Data Export Request". Response within 30 days.
Mailing address	Soro Technologies, Accra, Ghana
DPC complaints	dataprotection.org.gh

GoOutside Privacy Policy — Version 1.0 · June 12, 2026