Cloth Goblin

Privacy Policy

Last updated: April 22, 2026

1. Who We Are

Cloth Goblin is a service operated by Friar Tek, LLC. We help people find thrift stores and donation sites worldwide. Our website is clothgoblin.com. You can contact us at support@clothgoblin.com.

2. Information We Collect

We collect the following types of information:

  • Account information: Email address and optional display name when you register.
  • Location data: We request your device location only to center the map on your area. We do not store or share your precise location.
  • Payment information: Processed securely by Stripe or Apple/Google. We never store full credit card numbers.
  • Usage data: Pages visited and features used, collected via analytics to improve the app.
  • Location suggestions: If you suggest a location, we store the location details and associate them with your account to enforce usage limits.
  • Tag suggestions: If you suggest a community tag for a location (e.g. "Nonprofit" or "Luxury Vintage"), we store the suggestion and your user ID to track review status and prevent duplicate submissions.
  • Reactions and travel lists: Goblin subscribers can react to locations and save travel lists. This data is stored and associated with your account.
  • Feedback: If you submit feedback through the app, we store your message and account identifier to help improve the service.

3. How We Use Your Information

  • To provide and improve the Cloth Goblin service.
  • To process payments and verify your unlock or subscription status.
  • To moderate community-submitted location suggestions.
  • To send transactional emails (account confirmation, payment receipts). We do not send marketing email without consent.
  • To detect abuse and enforce usage limits.

4. Data Sharing

We do not sell your personal data. We share data only with:

  • Supabase (Supabase Inc., USA) — database and authentication hosting.
  • Vercel (Vercel Inc., USA) — application hosting; transiently processes requests.
  • Stripe — payment processing.
  • RevenueCat — in-app subscription and purchase receipt validation on iOS and Android.
  • Resend — transactional email delivery (account confirmation, receipts, notification emails).
  • Google Maps Platform — map display and place search.
  • Meta (Instagram Graph API) — if an Organization admin connects their Instagram account via our "Connect Instagram" button, we receive from Meta the IG user id, IG handle, a linked Facebook Page id, a long-lived access token (stored encrypted at rest), and the Organization's recently-published public Instagram posts. We use this data only to display the Organization's latest posts on their location drawer and, at our admins' discretion, on the public Featured page and homepage carousel. We do not use it for advertising, training, enrichment, or resale.
  • Analytics provider — aggregated, anonymised usage data only.
  • Law enforcement when required by applicable law — see Section 13 below for how we handle these requests.

Each of the vendors listed above is a service provider under the CCPA/CPRA (and a processor under GDPR) bound by a written data-processing agreement to use your information only to perform services for Cloth Goblin. These disclosures are not sales or shares of personal information. See Section 12 for our full non-broker, no-sale, no-share commitments.

5. Data Retention

We retain your account data for as long as your account is active.

Inactive free accounts: Accounts with the free Thrifter role that have not purchased a map unlock or subscription (on any platform — web, iOS, or Android) are considered inactive after 10 days. We send a reminder email at day 5 and a deletion warning email at day 9. If no action is taken, the account and all associated data are permanently and automatically deleted on day 10. Purchasing a map unlock or subscription at any point — including via in-app purchase on iOS or Android — prevents deletion.

Account deletion on request: You may permanently delete your account at any time from your account settings or by emailing support@clothgoblin.com. When your account is deleted: your profile, reactions, travel lists, tag suggestions, and authentication credentials are permanently erased immediately. Any locations you submitted remain on the map as part of the public directory, but the link to your account is removed. Account deletion is irreversible.

Payment records: If you have made a purchase through Cloth Goblin, your payment records (including customer records and transaction history) are retained by our payment processor, Stripe, for legal and financial record-keeping purposes. These records are considered financial records under applicable law and are not subject to deletion requests under GDPR or similar regulations. Stripe's own privacy policy governs how they handle this data.

Instagram data: If your Organization connected Instagram, you can remove the connection and all auto-fetched cached posts at any time from Org Panel → Overview → Disconnect Instagram, or by removing Cloth Goblin from Instagram's Settings → Apps and websites. When Instagram notifies us that you removed the app, we automatically delete the encrypted access token and the auto-fetched post cache. A dedicated Data Deletion page walks through every path.

6. Cookies

We use essential cookies to keep you logged in. We use analytics cookies to understand how the app is used. You can decline non-essential cookies via the cookie banner on your first visit. We do not use advertising cookies.

7. Your Rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Portability: Receive your data in a structured, machine-readable format.
  • Correction: Ask us to correct inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated personal data (see Section 5).
  • Restriction: Ask us to limit how we process your data in certain circumstances.
  • Objection: Object to processing based on our legitimate interests.

How to make a request: Signed-in users can download a machine-readable copy of their data and permanently delete their account directly from Settings → Privacy. For access, correction, restriction, or objection requests that aren't covered by those self-service tools, email support@clothgoblin.com with the subject line "Data Request" describing what you need. We will respond within 30 days.

EU, EEA, and UK residents (GDPR / UK GDPR): Residents of European Union and European Economic Area member states, and of the United Kingdom, have all of the rights listed above under the General Data Protection Regulation (and UK GDPR post-Brexit). If you believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data protection authority (for example, the ICO in the UK, or your national DPA in the EU).

California residents (CCPA / CPRA): Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to know what personal information we collect and how it is used, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of your data. We do not sell or share personal data.

Other US state residents: Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and Delaware have similar rights under their respective state privacy laws, including rights to access, correction, deletion, and portability. To exercise any of these rights, contact us using the method above.

Switzerland: Swiss residents have rights under the revised Federal Act on Data Protection (nFADP), including rights to access and correction of personal data held about them.

Canada (PIPEDA / provincial): Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation (Quebec's Law 25, Alberta's PIPA, British Columbia's PIPA), including access, correction, and withdrawal of consent. Complaints may be lodged with the Office of the Privacy Commissioner of Canada or your provincial regulator.

Brazil (LGPD): Residents of Brazil have rights under the Lei Geral de Proteção de Dados (LGPD), including access, correction, anonymisation, deletion, portability, and the right to information about sharing. Complaints may be directed to the Autoridade Nacional de Proteção de Dados (ANPD).

Australia (Privacy Act 1988 / APPs): Australian residents have rights under the Privacy Act 1988 and the Australian Privacy Principles, including access to and correction of personal information. Complaints may be directed to the Office of the Australian Information Commissioner (OAIC).

New Zealand (Privacy Act 2020): New Zealand residents have rights of access and correction under the Privacy Act 2020, overseen by the Office of the Privacy Commissioner.

Japan (APPI): Residents of Japan have rights under the Act on the Protection of Personal Information (APPI), including disclosure, correction, and cessation of use. Complaints may be directed to the Personal Information Protection Commission (PPC).

South Korea (PIPA): Korean residents have rights under the Personal Information Protection Act, including access, correction, deletion, and suspension of processing. Complaints may be directed to the Personal Information Protection Commission.

Singapore (PDPA): Singaporean residents have rights under the Personal Data Protection Act, including access and correction. Complaints may be directed to the Personal Data Protection Commission.

India (DPDP Act): Residents of India have rights under the Digital Personal Data Protection Act, 2023, including access, correction, and erasure of personal data, along with the right to nominate a representative.

8. Security

We use industry-standard security practices including encryption in transit (TLS) and at rest. Passwords are never stored in plaintext. Access to production data is restricted to authorised personnel only.

9. Children

Cloth Goblin is not directed at children under 13. We do not knowingly collect personal information from children under 13.

10. AI & Automated Decisions

We do not use your personal data to train AI models. Cloth Goblin does not sell or share your data with third-party AI providers for training purposes, and we do not use any AI-training clause to harvest your submissions.

The platform may use narrowly-scoped operational AI features (for example, detecting spammy or abusive user submissions, or generating short summaries of public location information). These features run against the minimum data needed and never use your account with training-retention enabled.

We do not make solely automated decisions that produce legal or similarly significant effects for you (e.g., fully-automated account bans). A human reviews moderation decisions before any enforcement action.

If you'd like to opt out of operational AI features entirely, email support@clothgoblin.com with the subject "AI Opt-Out". A self-service toggle is on the roadmap.

11. Changes

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice. The "Last updated" date above reflects the most recent revision.

12. No Sale, No Sharing, No Data Brokerage

Cloth Goblin does not sell your personal information, does not share it for cross-context behavioural advertising, and is not a data broker.

Self-certification under California's Delete Act. Cloth Goblin is not a "data broker" as defined by California Civil Code §1798.99.80 (the Delete Act / SB 362). We have a direct relationship with every user whose personal information we collect — you create an account, confirm your email, and interact with us directly. We do not collect or sell information about consumers with whom we lack a direct relationship, and we are therefore not required to register with the California Privacy Protection Agency's data-broker registry.

Parallel commitments under non-US regimes. The same direct-relationship and no-sale principles apply globally: we do not operate as a data broker, list broker, or information reseller under comparable frameworks including Vermont's data-broker law, Texas's data-broker registration, Oregon's data-broker law, the EU / UK GDPR, Canada's PIPEDA (and provincial equivalents), Brazil's LGPD, Australia's Privacy Act, Japan's APPI, South Korea's PIPA, Singapore's PDPA, and India's DPDP Act. Where a jurisdiction maintains a broker or intermediary registry we monitor applicability annually, and our posture remains unchanged: we collect only from users who have a direct relationship with Cloth Goblin, and we do not sell, share, rent, or license that information.

Our affirmative commitments.

  • No ad networks, retargeting pixels, or cross-site tracking (Google Ads, Meta Pixel, TikTok Pixel, LinkedIn Insight, etc.).
  • No data-enrichment, audience-append, or lookalike-modelling services (Clearbit, ZoomInfo, Acxiom, etc.).
  • No sale, rental, license, or transfer of user lists — including Notify-Me subscribers, pre-claim interest, travel lists, or reactions.
  • Subscriber-count metrics shared with Organizations are counts only; raw identities, email addresses, and individual activity never leave Cloth Goblin.
  • No "Do Not Sell or Share My Personal Information" link appears on the site because there is nothing to opt out of — consistent with CPPA guidance for businesses that do not sell or share personal information.

How to challenge this classification. If you believe we are miscategorising our practices, email support@clothgoblin.com with the subject "Data Broker Question" and we will respond within 30 days.

13. Government and Legal Requests

Cloth Goblin occasionally receives requests from government agencies, law enforcement, regulators, or in connection with civil legal process (subpoenas, search warrants, court orders, national security requests, and comparable formal instruments, together "Legal Requests"). This section describes how we handle them.

Legality review. Every Legal Request is reviewed for facial validity and jurisdictional authority before we act on it. A request that appears unlawful, improperly served, or beyond the requesting authority's jurisdiction will be challenged or rejected.

Data minimisation. We disclose only the specific information the Legal Request compels and only for the users identified in the request. Where a request is overly broad, we narrow it through negotiation or formal challenge before responding. We do not volunteer additional fields, neighbouring accounts, or derived data that were not specifically requested.

Challenges. Where we believe a Legal Request is unlawful, unduly broad, or materially overreaching, we will challenge it in the appropriate forum at our own cost. Where we are permitted to do so, we will notify the affected user before disclosure so they have an opportunity to intervene. Where we are prohibited from notifying the user (for example, a non-disclosure order attached to a search warrant or national security letter), we comply with the non-disclosure term but seek to lift it as soon as permitted.

Documentation. Each Legal Request and our response are recorded in our internal legal file, including the requesting authority, the legal basis cited, the scope, the data produced, and any challenge or narrowing activity. These records are retained so we can account for our practices to regulators and to you.

Transparency. We do not currently publish a separate transparency report because we have not received Legal Requests at a volume that would make one meaningful. If that changes we will begin publishing periodic aggregate numbers. In the meantime, if you have a specific inquiry about whether Cloth Goblin received a Legal Request concerning you, email support@clothgoblin.com with the subject "Legal Request Inquiry" and we will respond to the extent permitted by law.

Platform Data received from Meta. Where a Legal Request concerns Platform Data that Meta has shared with us under the Instagram Graph API (see Section 4), we handle it under the same principles above and additionally follow any platform-specific obligations Meta requires of its developers, including preserving the underlying data's confidentiality and not using the request as an opportunity to expand our own retention.

Questions? Email support@clothgoblin.com or visit our Terms of Service.