Privacy Policy
Last updated: 17 April 2026 (Version 1.0)
1. Controller & Contact
The data controller for personal data processed through the MYSOVA waitlist site (app.mysova.co.uk) and the MYSOVA mobile application is:
MYSOVA LTD
Company number: 17154283
Registered in England and Wales
Registered office: London, United Kingdom (full address available on the Companies House public register)
Data protection enquiries: privacy@mysova.co.uk
Designated data protection contact: Pavel Vassiltsenko (Director)
ICO registration: Filed April 2026 (registration number to be added once issued)
MYSOVA LTD has fewer than 250 employees and does not perform large-scale processing of special-category data or systematic monitoring on a scale that triggers the statutory obligation to appoint a Data Protection Officer under UK GDPR Article 37. The Director acts as the accountable owner for data protection and is the contact point for all enquiries.
In this policy, “MYSOVA”, “we”, “us”, and “our” refer to MYSOVA LTD. “You” and “your” refer to the person whose data we are processing.
2. Scope
This privacy policy applies to all personal data processed through:
- The MYSOVA app — our consumer mobile application for nightlife discovery, check-ins, XP, and social features (iOS and Android).
- app.mysova.co.uk — this waitlist and account site, including any referral redirects and status pages.
- mysova.co.uk — our marketing website.
- Support channels — email and any other channels through which you contact us.
This policy explains what personal data we collect, how we use it, with whom we share it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It does not cover third-party websites or services linked from our platform — please review their own privacy policies.
3. Data We Collect
We collect the following categories of personal data:
Waitlist Data (this site)
- Email address (used to confirm your spot and contact you at launch)
- Referral code (if you arrived via someone else's referral link)
- Approximate IP address — for rate-limiting and abuse prevention
Account Data (the app)
- Email address (used for login and communications)
- Date of birth (used for 18+ age verification)
- Username and display name
- Profile photo(s) you choose to upload
- Subscription tier and payment status
Location Data (the app)
- Check-in coordinates when you voluntarily check in to a venue
- Approximate location within a 75-metre radius of the venue (for check-in verification)
- We do not track your location in the background or when the app is closed
Usage Data (the app)
- Venues you have visited and check-in timestamps
- XP earned, streaks, badges unlocked, and rank history
- Challenges completed and leaderboard position
- Oracle AI queries and interaction history
Social Data (the app)
- Paths connections (mutual opt-in matches with other users)
- Messages sent within the app (one-to-one and party chats)
- Party membership and Mega Check-In participation
- Block, report, and other safety actions you take
Device Data
- Operating system and app version
- Crash reports and performance diagnostics (error monitoring, app only)
- Push notification device token (via Expo)
4. How We Use Your Data
We use your personal data for the following purposes:
Waitlist operation. To confirm your place in the queue, send launch and status updates, calculate your queue position, and apply referral rewards.
Service delivery. To create and maintain your account, enable check-ins, calculate XP and streaks, award badges, and provide all core app features.
Personalisation. Our Oracle AI uses your interests, check-in history, tier, and the current time to generate personalised venue recommendations.
Social features. To power the Paths matching system, facilitate messaging, support party creation, and show activity from people you are connected with.
Push notifications. To send you alerts about friend check-ins, new Paths matches, event reminders, level-ups, and (with your consent) marketing messages.
Service improvement. To analyse how the app is used in aggregate, fix bugs via crash reports, and improve features over time.
Safety and moderation. To investigate reports of abuse, hide content flagged by users, and meet our obligations under the Online Safety Act 2023.
Age verification. To verify that all users are aged 18 or over at the point of registration, as required by law.
Legal compliance. To comply with our obligations under UK tax law, consumer protection law, anti-fraud requirements, and lawful requests from public authorities.
5. Legal Basis for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
Contract (Article 6(1)(b)). Processing necessary to deliver the core MYSOVA service you have signed up for — account creation, check-ins, XP, social features, messaging, and waitlist operation.
Consent (Article 6(1)(a)). Optional marketing communications, precise location for venue check-ins, and analytics. You may withdraw consent at any time in Settings > Notifications, in your device's privacy settings, or by contacting us. Withdrawal does not affect the lawfulness of processing carried out beforehand.
Legitimate Interests (Article 6(1)(f)). Security monitoring, fraud prevention, crash reporting, abuse investigations, and improving app performance, where our interests are balanced against your rights and freedoms.
Legal Obligation (Article 6(1)(c)). Age verification, tax record-keeping (HMRC), illegal-content takedown under the Online Safety Act 2023, and compliance with court orders or other lawful requests.
6. Third-Party Processors
We share limited data with trusted third-party processors to deliver our service. Each processor operates under a written data processing agreement (typically the processor's standard DPA, accepted electronically). Copies are available on request. We do not sell your personal data to any third party.
Supabase — database hosting, authentication, real-time data. Hosted in the European Union (Frankfurt). Privacy policy: supabase.com/privacy.
Vercel — web hosting and edge compute for app.mysova.co.uk and mysova.co.uk. United States and EU edge regions. Privacy policy: vercel.com/legal/privacy-policy.
Error monitoring (app only) — crash reporting and performance monitoring for the MYSOVA mobile application. Crash reports may include device information, app version, and stack traces. The waitlist site (app.mysova.co.uk) uses Vercel’s built-in platform logs and does not send data to a third-party error monitor. When a third-party provider is used for app crash reporting, processor details will be published here.
Mapbox — map rendering, venue location display, and geocoding for the in-app map. United States. Privacy policy: mapbox.com/legal/privacy.
Anthropic — AI processor for Oracle recommendations and content moderation assistance. Inputs are anonymised — no names, emails, or phone numbers are sent. Anthropic does not use our data to train its models. United States. Privacy policy: anthropic.com/privacy.
Resend — transactional email delivery (account confirmations, launch updates). United States. Privacy policy: resend.com/legal/privacy-policy.
Apple App Store / Google Play — subscription payments and app distribution. Payment transactions are processed directly by Apple (App Store) and Google (Play Store). MYSOVA does not store your payment card details. You can manage subscriptions through your device settings.
Expo — push notification infrastructure. Push tokens are managed via Expo. Notification payloads contain only the data needed to deliver the alert. Privacy policy: expo.dev/privacy.
Stripe (planned) — subscription billing for any future MYSOVA-direct payments. Not yet wired for the consumer app.
Twilio (planned) — SMS one-time passwords for account verification. Not yet wired.
7. International Transfers
MYSOVA is a UK company. Our primary database is hosted in the European Union. Some of our third-party processors operate in the United States. Where personal data is transferred from the United Kingdom to a country without a UK adequacy decision, we rely on one or more of the following safeguards:
- UK International Data Transfer Agreement (IDTA) — the post-Brexit transfer mechanism issued by the Information Commissioner's Office.
- EU Standard Contractual Clauses (SCCs) with the UK Addendum — used in the alternative where a processor's template DPA is built around the EU SCCs.
- Transfer risk assessments where required, evaluating the legal framework of the recipient country and supplementary measures (e.g. encryption, pseudonymisation).
You may request a copy of the relevant transfer safeguards by emailing privacy@mysova.co.uk.
8. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
- Waitlist email addresses: retained until launch + 12 months, then deleted unless converted to an account.
- Account data (profile, settings, preferences): retained until you request account deletion + 30 days' grace period.
- Payment and billing records: 6 years from the date of the transaction (HMRC requirement).
- Raw location data: 90 days, after which it is aggregated and the raw coordinates deleted.
- Check-in history: retained while your account is active + 30 days after deletion.
- Direct messages: 1 year after the last activity in the conversation.
- Crash reports and device diagnostics (app only): retained for up to 90 days by our error-monitoring provider.
- Marketing consent records: duration of consent + 2 years (PECR evidence).
- Block, report, and safety records: 3 years from the date of the action.
- Anonymised, aggregated analytics: retained indefinitely (cannot be linked back to you).
When retention periods expire, data is securely deleted or irreversibly anonymised. When you delete your account, your personal data is permanently removed within 30 days, except where we are required to retain it to comply with a legal obligation or to resolve a dispute.
9. Cookies & Tracking
This website (app.mysova.co.uk). We use Vercel Analytics and Vercel Speed Insights to measure aggregate traffic and Core Web Vitals. These services are privacy-respecting by design: they do not set tracking cookies, do not build cross-site advertising profiles, and process only anonymised page-view and performance signals. Because the personal-data exposure is minimal, we do not currently display a cookie banner on this site — if that position changes (for example, if we add a processor that does set tracking cookies), we will publish a banner and update this section.
The MYSOVA app (iOS and Android). Native mobile apps do not use browser cookies. We use the following forms of in-app tracking:
Essential (required for the service to function):
- Supabase session tokens stored in the device's secure storage to keep you logged in
- Device push notification tokens
These cannot be disabled without stopping core functionality.
Analytics (optional, opt-in):
- Aggregated usage analytics to understand how the app is used and improve features
- You may opt out at any time in Settings > Privacy or by contacting privacy@mysova.co.uk
We do not use cross-site tracking, browser fingerprinting, or advertising networks.
10. Your Rights Under UK GDPR
As a UK resident, you have the following rights in respect of your personal data:
Right of access (Article 15). Request a copy of the personal data we hold about you, along with information about how it is processed.
Right to rectification (Article 16). Request correction of inaccurate or incomplete personal data.
Right to erasure (Article 17). Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
Right to restrict processing (Article 18). Ask us to limit how we process your data in certain circumstances (e.g. while a dispute is resolved).
Right to data portability (Article 20). Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Article 21). Object to processing based on legitimate interest, and to direct marketing at any time.
Rights related to automated decision-making (Article 22). You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions: matching, recommendations, and AI outputs are advisory only and do not restrict your access to features.
Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time in Settings or by contacting us.
To exercise any right, email privacy@mysova.co.uk. We will respond within one calendar month of receipt, in line with UK GDPR Article 12(3). We may ask for proof of identity before processing your request. There is no fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request (in which case we will tell you why and how to complain).
11. Children
MYSOVA is strictly for users aged 18 and over.
We require all users to provide their date of birth at registration. Users who do not meet the 18+ age requirement are prevented from creating an account.
If we become aware that a user under 18 has created an account, we will immediately suspend the account and delete all associated personal data.
If you believe a minor is using MYSOVA, please contact us at privacy@mysova.co.uk.
12. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption at rest — all personal data stored in our database is encrypted at rest using AES-256.
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Least privilege access — database access is restricted through Row Level Security (RLS) policies, ensuring users can only access their own data.
- Authentication security — passwords are hashed using industry-standard algorithms; session tokens are rotated regularly.
- Audit logging — access to sensitive data and administrative actions is logged for security review.
- Rate limiting — API endpoints are rate-limited to prevent brute-force and denial-of-service attacks.
- Vulnerability monitoring — we use automated tools to detect and remediate vulnerabilities in our dependencies.
No system is completely secure. If you believe your account has been compromised, contact privacy@mysova.co.uk immediately.
13. Online Safety Act 2023 Disclosures
MYSOVA is a user-to-user service for the purposes of the Online Safety Act 2023. We take the following steps to keep the platform safe:
- Age assurance. A date-of-birth gate at registration restricts the service to users aged 18 and over.
- Reporting. Every user can report inappropriate content, harassment, or safety concerns via the in-app reporting tools (photos, messages, profiles).
- Blocking. Every user can block another user, hiding their content and preventing further contact.
- Auto-moderation. Content that receives multiple independent reports is automatically hidden pending review.
- Illegal content. We act expeditiously to remove illegal content upon receiving notice, including child sexual abuse material, terrorism content, intimate-image abuse, and the other priority offences listed in the Act.
- Cooperation. We cooperate with law enforcement and Ofcom (the regulator under the Act) where required.
Our internal risk assessment for illegal content is reviewed at least annually and after any material change to the platform.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
When we make material changes, we will update the version number and effective date at the top of this page, and notify you via email and/or an in-app notification at least 14 days before the changes take effect. Where required by law, we will seek your consent. Previous versions are available on request.
Your continued use of MYSOVA after the effective date of any updated policy constitutes acceptance of the revised terms. We track which version of this policy you have accepted via a consent_version field in your account record.
15. Contact Us & ICO Complaints
For all privacy-related enquiries, requests, or complaints:
Email: privacy@mysova.co.uk
Company: MYSOVA LTD
Registered in: England and Wales (Company No. 17154283)
Registered office: London, United Kingdom
We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Make a complaint: ico.org.uk/make-a-complaint
Website: ico.org.uk
Helpline: 0303 123 1113
We encourage you to contact us first so we can try to resolve your concern directly.