Privacy Policy

Effective Date: 11 May 2026
Last Updated: 19 May 2026

This Privacy Policy describes how Deuce Creative Limited (“we”, “us”, “our”) collects, uses, and shares information when you use the Grofomo mobile application (the “App”) and the events.grofomo.com API service (the “Service”). By using Grofomo you agree to the practices described here.

1. Who We Are

Deuce Creative Limited, a company registered in the United Kingdom. For any privacy questions or requests, contact us at privacy@grofomo.com.

2. Information We Collect

2.1 Information you provide

• Nickname and avatar choice (if you set one). Used to identify you to friends within the app.
• Email address(only if you submit a Grofomo web form — for example, a marketing opt-in form, a pre-sale registration, or a similar interest form). Used — with your separate opt-in at the form — to send marketing email about events, ticket releases, and related news.
• Phone number (only if you submit a Grofomo web form and choose SMS or WhatsApp as a contact channel). Used only to send the communications you opted in to.
• Friend invite tokens (when you accept an invite from another user).
• Marketing notification preference (device-level): whether you have toggled marketing push notifications on for this device. This is a per-device preference, like any other notification setting, and is stored against your device identifier only. You can flip it at any time from Settings → Notificationsin the app or from your device’s system Settings.
• Marketing consent records (named): if you submit a Grofomo web form that captures marketing consent (e.g. a pre-sale registration or marketing opt-in form), we record — at the point of submission — which channels you consented to (email, SMS, WhatsApp), a timestamp, and the form and version you consented through, so we can demonstrate consent and honour any later withdrawal.

2.2 Information collected automatically

• Device identifier: a randomly-generated UUID created when you first open the app. Used to associate your local data (favourites, reminders, nickname) with your device.
• Push notification token: an Expo Push Token issued by our push-delivery processor, Expo. The token is derived from the underlying Apple (APNs) or Google (FCM) token but is scoped to our Expo project; we never see the raw APNs / FCM token. Used to deliver event reminders, friend-invite notifications, and any marketing pushes you have opted into.
• App and device metadata: platform (iOS / Android), app version, device locale, and approximate last-seen timestamp. Used for compatibility checks and to identify inactive sessions.
• Clipboard (read on launch): when you open the app, we briefly inspect the system clipboard to detect a pasted friend-invite link. We act only on values matching our invite-link format; we do not retain, transmit, or otherwise process clipboard contents. (iOS may display a system banner when this read occurs.)

2.3 Camera

The app requests camera access solely to scan QR codes that link to events, artists, or friend invites. Camera images are processed on-device in real time and never stored, uploaded, or transmitted.

2.4 What we do not collect

• We do not collect your precise or approximate location.
• We do not access your contacts, photo library, or microphone.
• We do not track you across other apps or websites.
• We do not access the iOS advertising identifier (IDFA) or the Android advertising ID, and Grofomo does not request App Tracking Transparency consent.
• We do not collect health, financial, biometric, or government-issued identifier information.

3. How We Use Information

We use the information above to:

1. Provide the core app experience: showing events, lineups, favourites, friends, and reminders.
2. Authenticate your device with our Service.
3. Deliver transactionalpush notifications — event reminders you have scheduled and friend-invite notifications — that are necessary for the core app experience.
4. Deliver marketingcommunications (push notifications, and — for users who have submitted a Grofomo web form — email, SMS, or WhatsApp) onlyto users who have explicitly opted in to the relevant channel. See §3.1 for full detail.
5. Investigate crashes or other issues using diagnostic information that you choose to share with us when reporting a problem (for example, by emailing support). Grofomo does not collect or transmit crash or telemetry data automatically.
6. Communicate essential service updates (e.g. critical bug fixes or material changes to this policy).

We do not sell your information, share it with advertisers, or use it for behavioural advertising.

3.1 Marketing Communications

Separately from transactional notifications, Grofomo may send you marketing communications about future events, ticket releases, lineup announcements, and related offers. Marketing is opt-in only, is never required to use the app, and is captured in two stages so that you only ever receive what you have specifically agreed to.

Stage 1 — Marketing push notifications.An in-app banner may invite you to enable marketing push notifications. Push notifications of any kind can only reach you if you have granted Grofomo push permission via your device’s system dialog — that OS-level permission is the underlying consent. The in-app Marketing notifications toggle then sits on top as a granular preference that controls whether your device is included when we send a marketing push (about future ticket releases and related news).

At this stage your preference is tied only to your device identifier — we do not yet hold your name, email, or phone number for marketing purposes. You can opt out at any time by:

• Toggling Marketing notifications off in Settings → Notifications within the app, or
• Revoking Grofomo’s push permission entirely in your device’s system Settings (this also stops transactional notifications).

Stage 2 — Web form opt-in.A marketing push notification (from Stage 1), or a link from elsewhere, may invite you to submit a Grofomo web form — for example, a marketing opt-in form, a pre-sale registration, or a similar interest form. Submitting any such form is a separate, explicit step in which you provide your name, email address, and (optionally) phone number, and tick the channels you want to hear from us on — email, SMS, and/or WhatsApp. At the point of submission we record:

• which channels you consented to,
• the timestamp,
• the form and version you consented through, and
• the link between your submitted personal data and the device identifier that opened the form, so we can recognise you across the app and our mailing lists.

You can withdraw consent for email, SMS, or WhatsApp marketing at any time by:

• using the unsubscribe link included in every marketing email,
• replying STOP to any marketing SMS,
• using WhatsApp’s “stop messages” option, or
• emailing privacy@grofomo.com to withdraw across all channels at once.

Withdrawing marketing consent stops the relevant communications. You will continue to receive transactional push notifications (e.g. reminders you have scheduled, friend-invite notifications) unless you disable those separately.

4. How We Share Information

• Service providers: we use Supabase (database hosting) and Expo / EAS (push notification delivery) as data processors. They access information only to provide their service to us and are bound by contractual confidentiality obligations.
• Legal disclosures: we may disclose information if required by a valid legal process, or to protect our rights, safety, or property.
• Business transfers: if Deuce Creative Limited is acquired or merges with another entity, your information may transfer as part of that transaction, subject to this policy.

We do not transfer your data outside the UK / EEA except via the standard contractual clauses or equivalent safeguards used by our service providers.

5. Data Retention

• Device records persist for as long as the device is active. If the app has not contacted the Service for 12 months, the associated record is automatically deleted.
• Push notification tokens are invalidated and removed from active use once APNs / FCM (via Expo) signals that they are no longer valid — for example, after you uninstall the app or revoke push permission. Tokens are deleted from our records together with the associated device row in line with the retention schedule above.
• Data captured via a Grofomo web form (name, email, optional phone, channel consents) persists until you withdraw consent across all channels or request deletion, at which point it is removed from active marketing use and deleted from our records within 30 days.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Deleteyour data (“right to erasure”).
• Object to or restrict processing of your data.
• Port your data to another service.
• Withdraw consentto marketing communications (per channel — see §3.1), to all push notifications (via your device’s system notification settings), or to the use of the app entirely (by uninstalling).

To exercise any of these rights, email privacy@grofomo.com. We will respond within 30 days.

UK / EEA residents have the right to lodge a complaint with their local data protection authority (in the UK, the Information Commissioner’s Office at ico.org.uk).

7. Data Deletion

Grofomo does not currently use user accounts — your in-app activity (nickname, avatar, favourites, friends, scheduled reminders) is associated with a per-device identifier. To request deletion of your device record and any associated data, uninstall the app and email privacy@grofomo.com with your device identifier (visible in Settings) and we will remove the corresponding server-side records.

If you have submitted a Grofomo web form (e.g. a marketing opt-in or pre-sale registration), you can have the data captured there deleted by emailing privacy@grofomo.com from the address you registered with.

8. Children

Grofomo is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with information, contact privacy@grofomo.com and we will delete it.

9. Security

We use TLS for all communication between the app and the Service. Device authentication uses HMAC-signed tokens. Service-provider credentials are stored in environment-scoped secrets. No system is perfectly secure, but we follow industry-standard practices.

10. Changes to This Policy

We may update this policy. Material changes will be announced via in-app notification or push notification at least 14 days before they take effect. The “Last Updated” date at the top of this page always reflects the most recent revision.

11. Contact

Deuce Creative Limited
Privacy Inquiries: privacy@grofomo.com

By using Grofomo, you acknowledge that you have read and understood this Privacy Policy.