Privacy Policy

Effective date: 2026-04-23

This policy describes how Vieta ("we", "us") handles personal data when you use our app and related web services. The service is operated from Lithuania and is intended primarily for users in the European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway). We act as the data controller.

1. What the service does

Vieta is a map-based application for discovering events. You can browse events aggregated from public sources, create and save your own events, and store reminder preferences. Using the app does not require an account.

2. Data we collect from you

When you create an account:

Email — used as your login identifier and for account-related notifications.
Password — stored only as a cryptographic hash; we never see or retain your plaintext password.
Optional profile fields — display name, bio, profile photo URL, and personal website, if you provide them.

When you use the app:

Events you create — the data you submit (name, description, location, time, etc.).
Events you save — the list of events you have bookmarked and any reminder preferences.
Authentication tokens — web session tokens valid for up to 14 days and API tokens valid for up to 90 days.

Device location. The app requests your device location to display your position on the map and calculate distance to nearby events. If you center the map on your location, the app requests events for the visible map area, which can reveal an approximate area to our servers. When you create an event and pick a point on the map, the coordinates you choose are sent to our servers as part of that event and may also be sent from your device to the public OpenStreetMap Nominatim service so it can return a human-readable address.

3. Data we aggregate from public sources

A portion of the events shown in the app is sourced from publicly accessible event pages on third-party platforms. For each aggregated event we may retain the title, description, time, public location, the public name and URL of the organizer, and other public metadata needed to display the listing. We do not collect attendee lists, private messages, or any content that requires authentication to access. We do not currently expose source-platform images for aggregated events in the public app.

Our lawful basis for processing this information under Article 6(1)(f) GDPR is our legitimate interest in providing an event-discovery service.

4. How we use your data

To authenticate you and keep you signed in.
To display events you have created or saved.
To send transactional messages related to your account, such as email confirmation.
To provide optional event translation when you request it.
To allow you to request removal of aggregated content about you.
To operate and maintain the service.

We do not use your data for advertising. We do not operate behavioural tracking or analytics SDKs inside the app.

5. Who we share data with

We do not sell your data. We do not share your data with advertisers or data brokers. Categories of sub-processors and external service providers:

Hosting — Akamai (Linode).
Transactional email — Resend, if we send you account-related email.
Public geocoding — OpenStreetMap Nominatim, queried by your device when you search for or reverse-geocode a location during event creation.
Optional translation — Langbly, if you request translation of an event in the app.
Map tiles — Carto, Esri, or OpenStreetMap, depending on the map style you choose in the app.

We may disclose data if legally required by a competent authority in Lithuania.

6. International transfers

Primary processing is within the EEA. Where a sub-processor may process data outside the EEA, we rely on Standard Contractual Clauses and applicable safeguards under Chapter V GDPR.

7. Your rights

Under the GDPR, you have the right to:

Access a copy of your personal data.
Correct data that is inaccurate — most account fields are editable in the app.
Delete your account and associated data — contact us at the email below.
Restrict or object to processing.
Port your data to another service.
Withdraw consent where processing is based on consent.
Lodge a complaint with the State Data Protection Inspectorate of Lithuania (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt) or the authority in your country.

If you are the subject of aggregated content — for example, named as the organizer of a public event we have surfaced — you may submit a takedown request at /takedown without creating an account. Approved requests can result in deletion of the matching record and, where technically possible, measures to prevent the same source record from being re-collected.

8. Retention

Aggregated event data — retained indefinitely as part of our historical event archive. Individuals who are the subject of this data can request its removal at any time via the takedown form linked in Section 7.
User accounts — retained until you request deletion.
Authentication tokens — auto-expire (up to 14 days web, 90 days API).
Takedown requests — retained as a compliance record of our response.
Server logs — up to 30 days.

9. Children

The service is not directed at children under 16. If we learn we have collected personal data from a child under 16 without appropriate parental authorisation, we will delete it.

10. Cookies

Mobile app: no cookies.
Web interface: a session cookie for login state and, if you choose "remember me", a signed remember-me cookie. No tracking or advertising cookies.

11. Billing and payments

Viewing events is free. We do not currently offer paid promotional placement. If we introduce paid placement for user-created events in the future, we will update this policy and disclose the relevant payment processor before checkout. We do not monetize content aggregated from third-party platforms. If we later introduce payments, we will not store full payment card details ourselves.

12. Security

HTTPS, hashed passwords (bcrypt), least-privilege access. No service can guarantee perfect security; you use the service at your own risk.

13. Changes to this policy

We may update this policy. When we do, we will update the "Effective date" above and, for material changes, notify account holders by email.

14. Contact

For privacy questions or data-subject requests:
privacy@vieta.app