Heat App

Privacy Policy













GDPR · LOPDGDD · EU/UK Compliant  ·  Last updated: April 2026






This Privacy Policy applies to all users of the Heat mobile application. Heat is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR), Spain’s LOPDGDD, and applicable EU data protection law.






1. Who we are






Heat is a real-time social discovery application operated by Abdi Bedel, trading as Heat (“we”, “us”, “our”).






Data Controller: Abdi Bedel, trading as Heat






Contact: getonheat@gmail.com






Website: getheatapp.com






Heat is currently operating as an unregistered sole trader / partnership. Company registration is in progress. This policy will be updated when a legal entity is formed.






2. What data we collect






2.1 Data you provide directly






First name
Profile photo
Age (date of birth not stored — only derived age)
Occupation (free text, optional)
Bio (free text, 160 characters, optional)
Where you are from (city or country)
Where you live (city)
Languages spoken
Gender (optional)
Crowd preferences selected during onboarding
Email address (if signing in with Google or Apple)






2.2 Data generated through your use of the app






Visibility state (Hidden / Visible / Checked In) — session only, resets at 6am
Check-in history (venue, timestamp) — retained for 30 days then auto-deleted
Intent signals (heading to a venue) — session only
Live Thread posts — anonymous, resets at 6am
Connection graph (who you have connected with)
Behavioural signals (session patterns, venue overlap) — used for affinity scoring, not shared






2.3 Location data






Approximate location (city/neighbourhood level) — used to show relevant venue energy






Precise location — used only for arrival detection and geofencing, never stored, never shared






Location is never displayed to other users. You are never a pin on the map.






2.4 Analytics data (PostHog + custom analytics)






App events (screens viewed, features used, session duration)
Device type and operating system
Crash reports and error logs
No advertising identifiers are used






3. Legal basis for processing (GDPR Article 6)






We rely on the following legal bases:






Contractual necessity (Article 6(1)(b)): Processing your name, photo, and profile data to provide the core service — you cannot use Heat without a profile.






Legitimate interests (Article 6(1)(f)): Analytics to improve the product, fraud prevention, session behavioural signals to compute affinity scores. We have conducted a balancing test and determined our interests do not override your rights.






Consent (Article 6(1)(a)): Push notifications, optional onboarding fields (gender, languages, bio). You may withdraw consent at any time in app settings.






Legal obligation (Article 6(1)(c)): Compliance with applicable law, responding to lawful requests from authorities.






4. Sensitive data






Heat collects gender (optional) and information about your social behaviour. These are processed under Article 9(2)(a) GDPR — explicit consent — and are used only for safety features and personalisation. Gender is never shown publicly without your explicit control.






5. How we use your data






To operate the Heat app and provide the social discovery service
To compute personalised vibe match and affinity scores
To send notifications you have consented to receive
To detect arrivals at venues (geofencing) and prompt check-ins
To prevent abuse, spam, and violations of our Community Guidelines
To improve the product using aggregated, anonymised analytics
To comply with legal obligations






We do not sell your personal data. We do not use your data for advertising profiling. We do not share your data with third parties for their marketing purposes.






6. Third-party processors






We use the following third-party services that process data on our behalf. All are bound by data processing agreements:






PostHog — product analytics. Data processed in the EU. Privacy policy: posthog.com/privacy
Google Sign-In (OAuth) — authentication only. Email address received and stored. Privacy policy: policies.google.com/privacy
Apple Sign-In — authentication only. Privacy policy: apple.com/legal/privacy
Google Places API — venue data. No personal data transmitted. Privacy policy: policies.google.com/privacy
Mapbox — map rendering. Approximate location used. Privacy policy: mapbox.com/legal/privacy






7. Data retention






Profile data: retained while your account is active. Deleted within 30 days of account deletion request.
Check-in history: auto-deleted on a 30-day rolling window. Deleted immediately on account deletion.
Session data (visibility state, thread posts, intent signals): reset automatically at 6:00am daily.
Live Thread posts: anonymous, no user ID stored. Reset at 6am. Cannot be linked back to you after reset.
Analytics data: retained for 12 months then aggregated and anonymised.
Connection graph: retained while your account is active. Deleted within 30 days of account deletion.






8. Your rights under GDPR






You have the following rights, which you can exercise by contacting us at getonheat@gmail.com:






Right of access (Article 15) — request a copy of all personal data we hold about you
Right to rectification (Article 16) — correct inaccurate or incomplete data
Right to erasure (Article 17) — request deletion of your data (‘right to be forgotten’)
Right to restriction (Article 18) — restrict how we process your data
Right to data portability (Article 20) — receive your data in a structured, machine-readable format
Right to object (Article 21) — object to processing based on legitimate interests
Right to withdraw consent — at any time, without affecting prior processing






We will respond to all requests within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority (AEPD) at aepd.es or your local EU supervisory authority.






9. International transfers






PostHog processes analytics data within the EU. Google and Apple may transfer data outside the EEA under Standard Contractual Clauses (SCCs) as approved by the European Commission. Mapbox processes data under SCCs. We do not make ad hoc transfers of personal data outside the EEA.






10. Children






Heat is not intended for users under the age of 18. We enforce a minimum age of 18 during onboarding. Under Spanish law (LOPDGDD Article 7), the digital consent age is 14; however, due to the social and location-adjacent nature of Heat, we apply the higher threshold of 18 globally. If we become aware that a user is under 18, we will delete their account and all associated data immediately.






11. Security






We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), hashed credentials, access controls, and regular security reviews. No system is completely secure — if you believe your account has been compromised please contact us immediately at getonheat@gmail.com.






12. Changes to this policy






We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification at least 14 days before the change takes effect. Continued use of Heat after that date constitutes acceptance of the updated policy. The current version is always available at tryheat.app/privacy.






13. Contact






Data Controller: Abdi Bedel, trading as Heat






Email: getonheat@gmail.com






For data subject requests: getonheat@gmail.com






Supervisory authority: Agencia Española de Protección de Datos (AEPD) — aepd.es





