Back to home

Privacy Policy for nyte

Last updated: April 19, 2026

1. Data Controller

Felix Bohr, Bamberger Str. 20, 63811 Stockstadt am Main, Germany

Email: legal@nyte-events.com

2. Overview

nyte is a platform for discovering nightlife events, checking in at venues, earning rewards, and connecting with friends. nyte consists of the nyte mobile app (iOS/Android), the nyte website (nyte-events.com), and the nyte business platform for venue owners and event promoters.

This privacy policy explains which personal data we collect across all nyte services, why we collect it, and how we process it. We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

3. Data We Collect

3.1 Account Data

When you create an account, we collect: email address (required), password (required, hashed by Firebase Authentication), first name (required, displayed to friends in chats and at events), username (required, unique, for friend search), birthday (required, for age verification), and optionally a profile photo.

During onboarding you may also provide your interests (e.g., bars, clubs, raves) and music genre preferences (e.g., techno, house, hip-hop). These are stored on our servers. Genre preferences are used to personalize your event feed (events matching your preferences are shown more prominently). Interests are collected for future personalization features but are not currently used.

If you sign up with Google or Apple, we receive your email and name. We request only the minimum scopes necessary. When signing in with Apple, you can choose to hide your email address — Apple will provide a private relay address instead.

We also store the version of the Terms of Service and Privacy Policy you have accepted, along with the date of acceptance. This is required to demonstrate the validity of your consent under Art. 7(1) GDPR (accountability principle).

Legal basis for account data: Contract performance (Art. 6(1)(b) GDPR). Legal basis for consent records: Compliance with legal obligation (Art. 6(1)(c) GDPR).

3.2 Location Data

If you grant permission, we collect GPS coordinates to show distances to events, display nearby venues on the map, and improve recommendations. Location data is processed on your device in real-time and is not stored on our servers.

Legal basis: Consent (Art. 6(1)(a) GDPR).

3.3 Event and Attendance Data

We collect: event registrations, check-in records (timestamp, event, venue), ticket tokens (hashed), present status (visible to friends), claimed offers, friends list submissions, and promoter/venue follows.

When you register for an event, your friends can see that you are attending. When you check in, your friends can see that you are currently at the event. You can hide your real-time presence from friends in the app settings at any time. Your attendance and presence data is always collected regardless of this setting, as it is needed for the check-in and rewards system.

During check-in, venue staff can see your display name, age, and entry discounts. During voucher redemption, staff can see your display name and voucher details.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

3.4 Rewards and Transaction Data

We record: points balance, points ledger (transaction history), tier status, vouchers, bonus grants, drink code redemptions, and coupon redemptions. Your tier status may affect entry pricing at venues — higher tiers can receive automatic entry discounts. When you scan a drink QR code at a venue, a consumption record (drink name, price, venue, timestamp, points earned) is created. Drink QR tokens expire after 60 seconds.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

3.5 Social and Messaging Data

We collect: friendships, direct messages, group chats (name, members, messages, image), event/venue shares in conversations, and referral codes. When you use or create a referral code, a permanent link between inviter and invitee is stored to track referral rewards eligibility. For partner/invite codes, we additionally store the name of the person who used the code alongside the code creator's user ID.

Your username and profile photo are discoverable via friend search.

Blocking: When you block another user, their user ID is stored in your account data. Blocked users cannot send you messages or friend requests.

Reporting: When you report a user or message, we store: your user ID, the reported user's ID, the reason you selected, any description you provide, and — for message reports — a snapshot of the reported message text at the time of reporting. Reports are reviewed by our team and retained for up to 2 years or as long as necessary to enforce our community guidelines, whichever is shorter.

Legal basis: Contract performance (Art. 6(1)(b) GDPR); legitimate interest in maintaining platform safety (Art. 6(1)(f) GDPR) for reports and block lists.

3.6 Push Notification and In-App Messaging Data

If you allow notifications, we store your push token and use it to deliver both push notifications and in-app messages (stored in your notifications inbox) for: message notifications, friend requests, event reminders (up to 5h before), voucher expiry reminders (24h before a voucher expires), promoter announcements, and platform-wide service messages from nyte — including feature announcements, product updates, event recommendations, and promotional content (e.g. special offers, new-city launches, seasonal highlights).

You can revoke this consent at any time by disabling notifications in your device's system settings; existing in-app messages can still be received until you delete the app.

Legal basis: Consent (Art. 6(1)(a) GDPR) — given by granting the OS push-notifications prompt and, separately, the in-app notifications screen during onboarding.

3.7 Photos and Media

We store: profile photos, group chat images, and friends list photos in Firebase Cloud Storage.

Friends list submissions from non-users (guests): If you submit a friends list entry for an event without having a nyte account, we collect your name, optionally your Instagram handle, and a photo. Your IP address is used for rate limiting (max 3 submissions per day) and is stored temporarily. This data is visible to the event organizer for approval purposes.

Legal basis for guest submissions: Consent (Art. 6(1)(a) GDPR) — you choose to submit this data. Legal basis for IP rate limiting: Legitimate interest (Art. 6(1)(f) GDPR).

Legal basis for photos: Consent (Art. 6(1)(a) GDPR).

3.8 Device and Technical Data

We collect: device type (for push capability), camera access (QR scanning only — no images stored), photo library access (only selected photos uploaded), and IP address (temporary, for rate limiting).

  • Clipboard access — used when you copy a share link or invite code. Only data you explicitly choose to copy is written to the clipboard; we do not read from the clipboard.

  • Email existence check — during sign-up, we check whether an email address is already registered. This check is rate-limited (50 requests per IP per hour) and does not require authentication. The email is not stored as part of this check; only temporary rate-limit counters (keyed by IP address) are created.

We do not collect advertising identifiers, browser fingerprints, or device model information.

3.9 Local Device Storage

Stored locally on your device only (not sent to our servers): language/region preferences, filter preferences, voucher tokens, auth session, notification banner timestamps, checked-in event IDs (to track which events you have already checked into), and active event selection. This local storage is technically necessary for the service to function (§ 25 Abs. 2 Nr. 2 TTDSG) and does not require separate consent.

3.10 Website Data

On nyte-events.com: Vercel Analytics collects anonymous page view and performance data without cookies. IP addresses may be processed temporarily but are not stored by Vercel. Legal basis: Legitimate interest in website optimization (Art. 6(1)(f) GDPR) — we have a legitimate interest in understanding website usage to improve the service; this interest is balanced against your privacy as no personal profiles are created and no cookies are used.

Waitlist data is stored via Supabase with your consent. We collect: your email address, the city you selected, your user type (regular user / club owner / brand), and your consent flags (general updates, launch notification). UTM source/medium/campaign parameters are stored if present in the URL when you sign up, used solely to understand which marketing channels drive signups.

When we send you a marketing email based on your consent (e.g. the launch announcement when you opted in via "notify me at launch"), we record a timestamp of that send on your record. This is used to (a) prevent duplicate emails, and (b) document compliance with your consent under Art. 7(1) GDPR (accountability principle). The timestamp itself is processed under Art. 6(1)(c) GDPR (legal obligation to demonstrate consent).

Legal basis for waitlist data: Consent (Art. 6(1)(a) GDPR). You can revoke this consent and request deletion at any time by emailing legal@nyte-events.com.

3.11 Business User Data

Venue owners/promoters: business role, promoter profiles, venue data, event data, drink code batches, coupon batches, notification history, and aggregated insights (no individual user data). When a promoter creates an event at a venue they do not own, a venue verification request is sent to the venue owner containing the promoter's name and event details.

3.12 Contract Partner Data

When business partners (e.g., venues or event organizers) enter into contracts with nyte — such as the content usage consent for displaying their images, descriptions, and event materials in the nyte app — we store the personal data contained in the contract (name, address, email of the authorized representative) as well as the signed contract document itself. We use this data exclusively to administer the contractual relationship and to comply with statutory retention obligations.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR) under §§ 257 HGB and 147 AO. Retention: Up to 10 years after the end of the contractual relationship, in line with German commercial and tax law requirements.

4. Third-Party Services

  • Google Firebase (Google LLC) — Authentication, database, storage, cloud functions — Privacy Policy
  • Google OAuth (Google LLC) — Google Sign-In (openid, email, profile scopes) — Privacy Policy
  • Google Maps (Google LLC) — Map tiles and location markers on Android (event locations, search-radius selection); IP address and visible map area transmitted. iOS uses Apple Maps natively. — Privacy Policy
  • Google Places API (Google LLC) — Address autocomplete on Android when setting your search location; transmits search query and IP. iOS uses Apple MapKit locally. — Privacy Policy
  • Apple Sign-In (Apple Inc.) — Apple authentication — Privacy Policy
  • Expo (Expo Inc.) — Push notification delivery — Privacy Policy
  • Spotify (Spotify AB) — Public playlist metadata for events — Privacy Policy
  • Vercel (Vercel Inc.) — Website hosting, anonymous analytics — Privacy Policy
  • Supabase (Supabase Inc.) — Waitlist email storage — Privacy Policy

Data location: Our processors are based in the United States. Data transfers are protected as follows: Google LLC (Firebase) and Vercel Inc. are certified under the EU-US Data Privacy Framework (DPF) — transfers are based on the EU adequacy decision (Art. 45 GDPR). Apple Inc., Expo Inc., and Supabase Inc. are not DPF-certified — transfers are based on Standard Contractual Clauses (SCCs, Art. 46(2)(c) GDPR) with supplementary technical measures (encryption in transit and at rest). You can verify DPF certifications at dataprivacyframework.gov.

5. Data Visible to Other Users and Venue Staff

Other users can see:

  • Your username and profile photo (via friend search)
  • Your first name, profile photo, and username (visible to friends in chats, at events, and in friend lists)
  • That you are attending an event (visible to friends in event details)
  • That you are currently at an event after check-in (visible to friends in the live event view — can be disabled in settings)
  • Messages you send in direct and group chats

Users you have blocked cannot see your messages or contact you. Your block list is not visible to other users.

When you share events or venues in a conversation, a snapshot of the event or venue details (title, image, date, venue name, city) is stored as part of the message and visible to all conversation participants.

Venue staff can see in the guest management screen: your first name, username, and profile photo for all users on the guest list or friends list. During check-in (ticket scanning): your first name, username, age, friends list status, tier name, and all active entry vouchers (type, cost, discount percentage). During voucher redemption: your first name, username, reward type, expiry, and validity status. Event owners can view aggregated statistics (total check-ins, attendance counts) but cannot see individual user data through the insights feature.

6. Data Retention

All personal data is retained until you delete your account (Settings > Delete Account). Location data is never stored. Rate-limiting data (counters that track how many times a specific action was performed (e.g., sign-up attempts per IP address) to prevent abuse) becomes obsolete after its time window (1 hour or 1 day depending on the operation) and is no longer used. Waitlist emails are retained until you request removal. Reports (including message snapshots) are retained for up to 2 years and may be retained after your account is deleted if they relate to ongoing moderation actions.

Note on account deletion: Redeemed coupons and used drink codes are anonymized (your user ID is replaced with "deleted_user") rather than fully deleted, because deleting these records would make the codes reusable. All other personal data is permanently deleted.

7. Data Security

We use HTTPS encryption, hashed passwords (Firebase Auth), SHA-256 hashed tokens, Firestore security rules with field validation, atomic transactions, input validation and length limits, per-user rate limiting, PKCE for OAuth, and file size/type validation on uploads.

8. Your Rights (GDPR)

You have the right to: access your data (Art. 15), rectify it (Art. 16), restrict processing (Art. 18), data portability (Art. 20), erasure (Art. 17 — via Settings > Delete Account), withdraw consent (Art. 7(3) — for push notifications, location, photos, and interests/genre preferences), and object to processing (Art. 21).

To exercise these rights, contact us at legal@nyte-events.com. We will respond within one month of receiving your request (Art. 12(3) GDPR). In complex cases, this period may be extended by two further months, in which case we will inform you.

Supervisory authority: Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — www.lda.bayern.de

9. Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place. Event feed personalization (sorting events by your genre preferences) is basic content personalization and does not produce legal or similarly significant effects.

10. Obligation to Provide Data

Providing your email address, first name, username, and birthday is required to create an account and use nyte. If you do not provide this data, you cannot use the service. Providing your profile photo, interests, genre preferences, and location is optional — the service functions without them, but some features (personalized event feed, distance display) may be limited.

11. Cookies

The nyte app and website do not use tracking cookies.

12. Children's Data

nyte is for users aged 16 and older. We do not knowingly collect data from users under 16.

13. Changes

We may update this policy and will notify you of significant changes. The current version is always at nyte-events.com/privacy.

14. Contact

Felix Bohr — legal@nyte-events.com — Bamberger Str. 20, 63811 Stockstadt am Main, Germany