Privacy Policy

LOCI (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the LOCI web and mobile applications (collectively, the “Services”). Please read this policy carefully. If you disagree with its terms, please discontinue use of the Services.

1. Information We Collect

We collect information that you provide directly, information generated through your use of the Services, and information from third-party sources. The categories below describe what we collect and why.

1.1 Account & Identity Information

When you register for a LOCI account, we collect:

Full name— to personalize your experience and display on your profile
Email address— for account authentication, security-related notifications such as password resets, and marketing communications (with your consent)
Password— stored in hashed, salted form; never stored in plaintext

1.2 Location Data

LOCI is a location-aware event discovery platform. To deliver relevant results, we collect:

Precise geolocation(latitude/longitude) — when you grant location permissions in the mobile app or browser; used to surface nearby events, calculate distances, and power map features
Approximate location— derived from your IP address when precise location is unavailable
Manually entered locations— city, neighborhood, or venue searches you type into the app

You may revoke location permissions at any time through your device settings. Revoking location access limits certain discovery features but does not affect your ability to use core Services.

1.3 Event Preferences & Interests

To personalize your event feed, we collect:

Category preferences (Music, Sports, Food, Tech, Art, Drinks) selected during onboarding or in Settings
Saved and favorited events— events you bookmark or add to your personal calendar
Search history— artists, venues, and keyword searches within the app
Attendance signals— events you click, view, or purchase tickets for

1.4 Usage & Technical Data

We automatically collect the following when you interact with the Services:

Device information— device type, operating system, app version, and unique device identifiers
Log data— IP address, browser type, pages or screens visited, timestamps, and referring URLs
Session data— feature usage patterns, click events, and interaction flows
Performance metrics— crash reports, error logs, and latency data used for diagnostics and improvement
Analytics data— aggregated behavioral data processed through PostHog and similar analytics tools (see Section 3)

2. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery

Create and manage your LOCI account
Display personalized event recommendations based on your location and preferences
Process ticket purchases and redemptions through our affiliate checkout service
Power search, filtering, and map features using geospatial data

Communications

Send transactional emails for account security (such as password resets)
Deliver optional marketing messages about events, features, or promotions — only with your explicit consent, and you may opt out at any time

Platform Improvement

Analyze usage patterns to improve features, fix bugs, and optimize performance
Conduct A/B testing and product experiments on an aggregated or pseudonymous basis
Generate internal analytics and business intelligence

Safety & Legal Compliance

Detect and prevent fraud, abuse, and unauthorized access
Enforce our Terms of Service and applicable policies
Comply with legal obligations, court orders, and lawful government requests
Protect the rights, safety, and property of LOCI and our users

Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom, we rely on the following legal bases:

Contract performance— account creation, authentication, and location-based event discovery
Legitimate interests— analytics, product improvement, fraud prevention, and security
Consent— marketing communications and non-essential cookies
Legal obligation— compliance with applicable law

3. Cookies and Tracking Technologies

LOCI uses cookies, pixel tags, local storage, and similar technologies to operate and improve the Services. The cookies we deploy fall into three categories:

3.1 Essential Cookies

These are strictly necessary for the Services to function and cannot be disabled.

Authentication tokens— keep you logged in securely across sessions using httpOnly cookies
CSRF protection tokens— prevent cross-site request forgery on state-changing requests
Session state— preserve UI state, in-progress forms, and navigation context

Because essential cookies are required for the Services to operate, they do not require your consent.

3.2 Analytics Cookies

With your consent, we use analytics tools to understand how users interact with LOCI:

PostHog— collects pseudonymized product analytics including page views, feature engagement, and funnel metrics. PostHog is configured to respect “Do Not Track” signals and offers opt-out controls.

You may opt out of analytics cookies at any time through your cookie preferences in Settings.

3.3 Preference Cookies

These cookies remember your choices to provide a more personalized experience:

Theme preferences— light/dark mode selections
Location defaults— saved home location or frequently searched areas
Category filters— default event category filters you have configured

You may clear preference cookies by resetting your profile settings or clearing browser storage. Withdrawal of consent for non-essential cookies does not affect the lawfulness of processing carried out before withdrawal.

4. Third-Party Services

LOCI integrates with the following third-party services to deliver core functionality. Each third party operates under its own privacy policy, and we encourage you to review them.

4.1 Ticketmaster

LOCI uses the Ticketmaster Discovery API to source event listings, artist metadata, and venue information displayed within the app. When you initiate a ticket purchase, you will be redirected to or interact with Ticketmaster's checkout flow. At that point, Ticketmaster's privacy policy governs the collection and use of your payment and ticketing information. LOCI does not store your full payment card details. See Ticketmaster's privacy policy at privacy.ticketmaster.com/privacy-policy.

4.2 Google Maps

LOCI uses the Google Maps JavaScript API and Geocoding API to render interactive maps, display venue locations, and convert addresses to geographic coordinates. When you interact with map features, your location and search queries may be transmitted to Google's servers. See Google's privacy policy at policies.google.com/privacy.

4.3 Neon (Database Infrastructure)

LOCI stores application data — including user accounts, saved events, and location history — in a Neon PostgreSQL database with PostGIS extensions. Neon provides the infrastructure layer for data persistence and does not independently access your personal data for its own purposes. Data is encrypted in transit (TLS) and at rest. See Neon's privacy policy at neon.tech/privacy-policy.

4.4 Other Service Providers

We may also share data with the following categories of service providers who process data on our behalf under contractual data processing agreements:

Cloud hosting and CDN providers for application delivery and static asset serving
Email service providers for transactional and marketing email delivery
Error monitoring tools for crash reporting and performance diagnostics
Payment processors for subscription or affiliate transaction processing

We do not sell your personal information to third parties, and we do not share it with third parties for their own independent marketing purposes.

5. Data Security

LOCI employs industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Technical Safeguards

All data is transmitted over encrypted connections using TLS/HTTPS
Authentication tokens are stored in httpOnly cookies, inaccessible to client-side JavaScript
Passwords are hashed and salted before storage; plaintext passwords are never retained
API access is protected by rate limiting, CSRF tokens, and security headers (CSP, HSTS, X-Frame-Options)
Database access is restricted to authorized services via API key authentication and network controls
Location and user data are stored in a PostGIS-enabled Neon database with encryption at rest

Organizational Safeguards

Access to production systems and user data is restricted on a least-privilege basis
Internal service-to-service communication is authenticated via signed API keys
Security incidents are logged, monitored, and subject to internal response procedures

While we work diligently to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Services at your own risk. In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities in accordance with applicable law.

6. Your Privacy Rights

Your privacy rights vary depending on your jurisdiction. This section explains the rights available to all users, as well as additional rights for California and EEA/UK residents.

6.1 Rights Available to All Users

Regardless of where you live, you may:

Access your data— request a summary of the personal information we hold about you
Correct your data— update inaccurate account information in Settings or by contacting us
Delete your account— request deletion of your account and associated personal data
Withdraw consent— opt out of marketing emails at any time via the unsubscribe link or Settings
Data portability— request an export of your personal data in a machine-readable format

6.2 California Residents — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

Right to Know— request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we share your information
Right to Delete— request that we delete personal information we have collected from you, subject to certain exceptions (e.g., completing transactions, detecting fraud, complying with legal obligations)
Right to Correct— request correction of inaccurate personal information we hold about you
Right to Opt Out of Sale/Sharing— LOCI does not sell or share your personal information for cross-context behavioral advertising. If this practice changes, we will update this policy and provide a prominent opt-out mechanism.
Right to Limit Sensitive Information— request that we limit the use and disclosure of sensitive personal information (such as precise geolocation) to purposes permitted by law
Right to Non-Discrimination— we will not discriminate against you for exercising any CCPA rights

To submit a CCPA request, email privacy@loci.city with the subject line “CCPA Privacy Request” or use Settings → Privacy. We will verify your identity before processing your request and aim to respond within 45 calendar days; complex requests may require an additional 45-day extension with notice.

6.3 EEA and UK Residents — GDPR Rights

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR grant you the following rights:

Right of Access (Article 15)— obtain a copy of your personal data and information about how it is processed
Right to Rectification (Article 16)— correct inaccurate or incomplete personal data
Right to Erasure / “Right to Be Forgotten” (Article 17) — request deletion of your personal data where there is no compelling reason for continued processing
Right to Restriction of Processing (Article 18)— request that we limit how we use your data in certain circumstances
Right to Data Portability (Article 20)— receive your data in a structured, commonly used, machine-readable format
Right to Object (Article 21)— object to processing based on legitimate interests, including profiling
Right to Withdraw Consent— withdraw consent at any time where processing is based on consent, without affecting prior lawful processing

To exercise any of these rights, email privacy@loci.city. You also have the right to lodge a complaint with your local supervisory authority.

6.4 Opt-Out Mechanisms

Marketing emails:unsubscribe link in any email, or Settings → Notifications
Location tracking:device Settings → App Permissions → Location
Analytics cookies:Settings → Privacy → Cookie Preferences
Push notifications:device Settings → Notifications → LOCI
Account & data deletion:Settings → Account → Delete Account, or email privacy@loci.city

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account information (name, email): duration of account + 30 days after deletion request
Event preferences and saved events: duration of account
Precise location history: 90-day rolling window
Usage and analytics data: 24 months (anonymized after 12 months)
Transaction records: 7 years (tax and legal compliance)
Server and security logs: 90 days

When you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., financial records, fraud prevention logs). Anonymized or aggregated data that cannot identify you may be retained indefinitely.

8. Children's Privacy

LOCI is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13.

If you are under 13 years of age, you may not create an account or use the Services.

If we discover or are notified that we have inadvertently collected personal information from a child under 13, we will promptly delete the account and all associated personal data, cease any further collection or use of that data, and notify a parent or guardian if contact information is available.

If you are a parent or guardian and believe your child has provided personal information to LOCI without your consent, please contact us immediately at privacy@loci.city.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Last Updated” date at the top of this page
Notify registered users via email at least 14 days before the changes take effect
Display a prominent in-app notice for material changes affecting your rights or how we process data

For non-material changes (such as clarifications, formatting updates, or typographical corrections), we may update the policy without advance notice. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the revised policy, you may delete your account and discontinue use of the Services.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at privacy@loci.city.

CCPA requests: email privacy@loci.citywith subject line “CCPA Privacy Request”
GDPR requests (EEA/UK users): email privacy@loci.citywith subject line “GDPR Data Request”

If you are not satisfied with our response, you may escalate to the relevant data protection authority in your jurisdiction.