Last updated: May 28, 2026
This Privacy Policy explains how Urbanly ("Urbanly", "we", "us", "our") collects, uses, and shares information when you use the Urbanly website, progressive web app, mobile applications, APIs, and related services (the "Service"). It should be read together with our Terms of Service (which also covers our Community Guidelines and copyright-takedown procedure). Our use of cookies is described in Section 10 below.
For the purposes of the EU and UK General Data Protection Regulation ("GDPR") and equivalent laws, the controller of your personal data is Urbanly. You can reach us through the contact form on our website. We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. Where required by Article 27 GDPR, we will appoint an EU representative and update this Policy with their details.
We do not intentionally collect "special categories" of data under Article 9 GDPR (such as health, political opinions, religious beliefs, or biometric identifiers). Please do not submit such data through the Service.
Where GDPR or UK GDPR applies, we rely on the following lawful bases (Article 6(1) GDPR):
| Purpose | Lawful basis |
|---|---|
| Creating and operating your account; delivering features you request | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional notifications, security alerts, and service messages | Performance of a contract (Art. 6(1)(b)) |
| Showing your public activities and coordinates on the map | Performance of a contract (Art. 6(1)(b)) and our legitimate interest in operating a community platform (Art. 6(1)(f)) |
| Approximate-location detection from IP | Legitimate interest in providing localised content and complying with regional law (Art. 6(1)(f)) |
| Analytics and aggregated usage statistics | Your consent in the EEA/UK/Switzerland (Art. 6(1)(a)); legitimate interest elsewhere (Art. 6(1)(f)) |
| Push notifications | Your consent (Art. 6(1)(a)) |
| Detecting, investigating, and preventing fraud, abuse, security incidents, and Terms violations | Legitimate interest in protecting users and the Service (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Complying with law, court orders, and regulatory requests | Legal obligation (Art. 6(1)(c)) |
| Defending or asserting legal claims | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we balance our interest against your rights and freedoms. You can object at any time on grounds relating to your particular situation (see Section 8).
We do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under U.S. state privacy laws (including CCPA/CPRA, the Virginia CDPA, the Colorado CPA, the Connecticut CTDPA, the Utah CPA, and the Texas TDPSA).
Personal data we process may be transferred to, and processed in, countries outside your country of residence, including the United States and Türkiye. Where required by law, we rely on appropriate safeguards for such transfers, including the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum), adequacy decisions (such as the EU–US Data Privacy Framework, where applicable to the recipient), or your explicit consent. You may request a copy of the safeguards through the contact form.
| Category | Retention |
|---|---|
| Account record and profile | For as long as your account is active. After deletion, removed within 30 days from primary systems and within 90 days from backups. |
| Public user content (reports, adoptions, comments) | For as long as your account is active, or until you remove the content. Aggregated, anonymised, or de-identified statistics may be retained indefinitely. |
| Server logs and security telemetry | Up to 90 days, unless retained longer for security or legal-claim purposes. |
| Analytics data (where consented) | Up to 14 months in Google Analytics 4, per default settings. |
| Communications with us | Up to 3 years from the last interaction. |
| Records required by law (e.g. tax, anti-fraud, dispute response) | For the period required by the applicable law, after which they are deleted or anonymised. |
We apply reasonable technical and organisational measures designed to protect personal data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, and destruction. These include transport encryption (HTTPS/TLS), encryption at rest for our managed database storage, scoped access controls, and standard cloud-provider security controls.
However, no method of transmission over the internet, no electronic storage, and no software is 100% secure. No internet-connected service — including ours — can be guaranteed to be free of bugs, vulnerabilities, or security incidents. To the maximum extent permitted by applicable law, you acknowledge and accept this inherent risk, and you agree that Urbanly is not liable for unauthorised access to or loss of data outside our reasonable control. Please do not submit any information to the Service that you would not be comfortable seeing made public.
Depending on your country of residence, you may have some or all of the following rights:
To exercise these rights, contact us through the website. We may need to verify your identity before responding, and we may decline requests where permitted by law (for example, requests that are manifestly unfounded, excessive, or would adversely affect the rights of others).
You can permanently delete your Urbanly account at any time:
Deletion is permanent. We remove your personal data from primary systems within 30 days and from routine backups within 90 days, except where retention is required by law or for the establishment, exercise, or defence of legal claims. Aggregated or fully de-identified statistics that cannot be linked back to you may be retained indefinitely. Public content you previously posted may persist in copies, caches, archives, or screenshots held by third parties; we cannot control or remove such third-party copies.
Cookies are small text files placed on your device when you visit a website. "Similar technologies" includes local storage, session storage, IndexedDB, and SDK-level identifiers used by mobile apps.
| Category | Purpose | Requires consent? |
|---|---|---|
| Strictly necessary | Authentication, session management, security, load balancing, CSRF protection, language preference. | No (exempt under ePrivacy Directive Art. 5(3)) |
| Functional | Remembering UI preferences (e.g. map zoom, theme). | No |
| Analytics | Aggregated, non-advertising usage statistics via Google Analytics 4 (gtag.js, Measurement ID G-4JBYL12MTB) and Firebase Analytics in our mobile apps. | Yes, in the EEA / UK / Switzerland |
| Third-party login | Set only if you actively choose to sign in with Google, Facebook, or Apple. Governed by the respective provider. | Set on your action |
If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, we ask for your consent before loading analytics cookies. You can change your decision at any time by clearing your browser storage for our site, which will cause the consent prompt to appear again on your next visit. Outside those regions, analytics are enabled by default; you can still opt out at any time using your browser's privacy settings, an extension such as the Google Analytics Opt-out Browser Add-on, or by enabling "Do Not Track" / Global Privacy Control signals, which we honour where technically feasible. On iOS and Android, you can additionally use the operating-system-level tracking and analytics controls to limit what our mobile app reports.
Some cookies are set by third parties when their content or services are loaded into the Service (for example, Google Analytics, Cloudflare for security, or social-login providers when you initiate sign-in). Those cookies are governed by the third party's own cookie and privacy policies, over which we have no direct control. Most browsers let you view, manage, delete, and block cookies; blocking strictly necessary cookies may prevent parts of the Service from working.
The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. In the EEA, our Service is not directed to children under the age of digital consent that applies in your country (16 by default, lower where a Member State has set a lower age). If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us via the website and we will delete it.
Sections 1, 3, 4, 5, 6, 7, 8, and 11 above describe the information required by GDPR Articles 13 and 14, the UK GDPR, and the Swiss Federal Act on Data Protection.
In the previous 12 months we may have collected the categories of personal information described in Section 2, from the sources described in Section 2, for the business and commercial purposes described in Section 3, and disclosed them to the categories of recipients described in Section 4. We do not sell or share personal information for cross-context behavioural advertising. We do not knowingly collect or sell the personal information of minors under 16. California residents have the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights. You may submit a request via the contact form, and you may use an authorised agent (we may verify the agent's authority).
Residents of these states have rights to access, correct, delete, and obtain a portable copy of their personal data, to opt out of targeted advertising, the sale of personal data, and certain profiling, and to appeal a denial of any such request. We do not engage in targeted advertising or the sale of personal data. To submit a request or appeal a decision, contact us via the website.
Where the Turkish Personal Data Protection Law No. 6698 ("KVKK") applies, the data controller is Urbanly. You have the rights set out in Article 11 KVKK, including learning whether your data is processed, requesting information about that processing, requesting correction or deletion, and lodging a complaint with the Personal Data Protection Authority (KVKK).
Residents of these jurisdictions have substantially similar rights to those described above and may exercise them by contacting us via the website. We will comply with applicable local law.
For information about the accessibility of the Service and how to report accessibility issues, see our Accessibility Statement.
We may update this Privacy Policy from time to time. The "Last updated" date above shows when the latest version took effect. If a change is material, we will use reasonable efforts to bring it to your attention (for example, by posting a notice within the Service). Continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not accept the updated Policy, please stop using the Service and, if you wish, delete your account.
This Privacy Policy describes our current practices on a reasonable-effort basis. To the maximum extent permitted by applicable law, nothing in this Policy creates any contractual right, warranty, guarantee, or commitment beyond what is expressly required by law. In particular, the descriptions of our security measures, retention periods, and processing activities are provided for transparency and are not warranties of any specific outcome.
Questions about this Privacy Policy or our handling of your personal data? Please contact us through the contact form on our website.